{"id":17969582,"url":"https://github.com/biswa96/traceevent","last_synced_at":"2025-03-25T10:32:48.088Z","repository":{"id":113843475,"uuid":"148499332","full_name":"Biswa96/TraceEvent","owner":"Biswa96","description":"Trace events in real time sessions","archived":false,"fork":false,"pushed_at":"2023-08-25T15:00:16.000Z","size":89,"stargazers_count":44,"open_issues_count":1,"forks_count":12,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-20T01:41:27.527Z","etag":null,"topics":["c","reverse-engineering","reversing","telemetry","trace","trace-events","tracelog","undocumented","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Biswa96.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-12T15:10:04.000Z","updated_at":"2025-01-16T17:26:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"9e6954d5-dc56-433e-a00c-f6a228820a7c","html_url":"https://github.com/Biswa96/TraceEvent","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Biswa96%2FTraceEvent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Biswa96%2FTraceEvent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Biswa96%2FTraceEvent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Biswa96%2FTraceEvent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/Biswa96","download_url":"https://codeload.github.com/Biswa96/TraceEvent/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245444560,"owners_count":20616403,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","reverse-engineering","reversing","telemetry","trace","trace-events","tracelog","undocumented","windows"],"created_at":"2024-10-29T15:00:31.656Z","updated_at":"2025-03-25T10:32:48.078Z","avatar_url":"https://github.com/Biswa96.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# TraceEvent\n\n[![Licence](https://img.shields.io/github/license/Biswa96/TraceEvent.svg?style=for-the-badge)](https://www.gnu.org/licenses/gpl-3.0.en.html)\n[![Top Language](https://img.shields.io/github/languages/top/Biswa96/TraceEvent.svg?style=for-the-badge)](https://github.com/Biswa96/TraceEvent.git)\n[![Code size](https://img.shields.io/github/languages/code-size/Biswa96/TraceEvent.svg?style=for-the-badge)]()\n\nTrace Events with real time sessions using (un)documented Windows APIs and NT APIs.\n\n## What is Event Tracing\n\nSee this Microsoft Documentation: [Event Tracing](https://docs.microsoft.com/en-us/windows/desktop/etw/event-tracing-portal)\n\n## How to build\n\nClone this repository. Open the solution (.sln) or project (.vcxproj) file in Visual Studio and build it. Alternatively, run Visual Studio developer command prompt, go to the cloned folder and run `msbuild` command. You can also build with mingw-w64 toolchain. 
Go to the folder in a terminal and run the `make` command for mingw-w64/msys2. \n\n## How to use\n\nDownload the executable from [Release Page](https://github.com/Biswa96/TraceEvent/releases). Run this program as administrator every time. Here are the options. \n\n```\nUsage: TraceEvent.exe [--] [option] [argument]\nOptions:\n\n    -E,  --enumguidinfo                      Enumerate registered trace GUIDs with all PID and Logger ID. \n    -e,  --enumguid                          Enumerate registered trace GUIDs. \n    -g,  --guid        \u003cProviderGUID\u003e        Add Event Provider GUID with trace session. \n    -L,  --list                              List all registered trace sessions with details. \n    -l,  --log         \u003cLoggerName\u003e          Log events in real time. \n    -q,  --query       \u003cLoggerName\u003e          Query status of \u003cLoggerName\u003e trace session. \n    -S,  --start       \u003cLoggerName\u003e          Starts the \u003cLoggerName\u003e trace session. \n    -s,  --stop        \u003cLoggerName\u003e          Stops the \u003cLoggerName\u003e trace session. \n    -h,  --help                              Display this usage information. \n```\n\n### Start a session\n\nRun this command as administrator: `TraceEvent.exe --start \u003cSession Name\u003e --guid \u003cEvent Provider GUID\u003e`. Always use a unique session name; reusing the name of a session that is still running will show an error. Event provider GUIDs can be found with this PowerShell cmdlet: `Get-EtwTraceProvider`. **Always use curly brackets** to specify GUID strings. Find more GUIDs in [**Event Providers list**](docs/Event_Providers.md). For example: `TraceEvent.exe --start MyTrace --guid {12345678-1234-1234-1234-123456789ABC}`\n\n### Log events\n\nRun this command as administrator: `TraceEvent.exe --log \u003cSession Name\u003e`. Only use session names that were started previously. If CPU usage becomes high, redirect the output to a file, e.g. 
`TraceEvent.exe --log MyTrace \u003e FileName.txt` \n\n### Stop a session\n\nRun this command as administrator: `TraceEvent.exe --stop \u003cSession Name\u003e`. Stop only a tracing session that was opened previously; stopping a session that is already stopped will show an error. For example, use this command to stop the previously opened 'MyTrace' session: `TraceEvent.exe --stop MyTrace`. Note that a trace session is owned by the system, not by the process that started it, so it keeps running after `TraceEvent.exe` exits until it is explicitly stopped.\n\n## Project Overview\n\nHere is an overview of the source files according to their dependencies:\n\n```\nTraceEvent\\\n    |\n    +-- WinInternal: Hand-crafted TRACE_CONTROL_FUNCTION_CLASS and NT API definitions\n    +-- PrintProperties: Display event session details and its security properties\n    +-- CallBacks: Callback functions to log event messages\n        |\n        |   +-- Log: Helper functions to log status and convert GUID to string\n        |   +-- Helpers: Helper/auxiliary functions for SecHost functions\n        |   +-- SecHost: Internal functions from SecHost.dll, Advapi32.dll etc.\n        |   |\n        +-- TraceEvent: Functions to start, stop, log and perform other tasks\n            |\n            |    +-- wgetopt: Converted from the Cygwin getopt file for wide characters\n            |    |\n            +-- main: Main function with option processing\n```\n\n## Further Readings\n\n* [Event Tracing for Windows (ETW)](https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/event-tracing-for-windows--etw-) \n* [Retrieving Event Data Using TDH](https://docs.microsoft.com/en-us/windows/desktop/etw/retrieving-event-data-using-tdh) \n* [Configuring and Starting an Event Tracing Session](https://docs.microsoft.com/en-us/windows/desktop/etw/configuring-and-starting-an-event-tracing-session) \n\n## Acknowledgments\n\nThanks to:\n\n* ProcessHacker's collection of [native API header files](https://github.com/processhacker/processhacker/tree/master/phnt) \n* wbenny's [pdbex](https://github.com/wbenny/pdbex) tool \n* RedPlait Blog: 
[NtTraceControl](https://redplait.blogspot.com/2011/02/nttracecontrol.html) \n* Geoff Chappell: [NtTraceControl](http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/traceapi/control/index.htm) \n\n## License\n\nThis project is licensed under [GPLv3+](LICENSE). This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.\n\n```\nTraceEvent -- (c) Copyright 2018-19 Biswapriyo Nath\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU General Public License as published by\nthe Free Software Foundation, either version 3 of the License, or\n(at your option) any later version.\n\nThis program is distributed in the hope that it will be useful,\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\nGNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License\nalong with this program.  If not, see \u003chttps://www.gnu.org/licenses/\u003e.\n```\n\n\u003c!-- END of README --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbiswa96%2Ftraceevent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbiswa96%2Ftraceevent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbiswa96%2Ftraceevent/lists"}
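The start, log and stop steps from the README's "How to use" section, driven end to end from an elevated PowerShell prompt with the session always cleaned up. This is an added example, not code from the TraceEvent project. It assumes `TraceEvent.exe` is on PATH (or is passed via `-TraceEvent`), that it returns a non-zero exit code on failure (the README does not document exit codes), and it uses the built-in `logman.exe` for the "session name already in use" check, which the tool itself only reports as an error after the fact. The script file name in the usage comment is hypothetical.

```powershell
# Added example (not part of the TraceEvent project): run the README's
# start -> log -> stop procedure from an elevated PowerShell prompt.
# Usage (hypothetical file name):
#   .\Trace-WithTraceEvent.ps1 -ProviderGuid '{12345678-1234-1234-1234-123456789ABC}' -SessionName MyTrace -Seconds 30
# Assumptions: TraceEvent.exe is on PATH or given via -TraceEvent and exits
# non-zero on failure; logman.exe (built in) is used for the duplicate-name check.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ProviderGuid,          # with or without braces
    [string] $SessionName = 'MyTrace',
    [string] $TraceEvent  = 'TraceEvent.exe',
    [string] $OutFile     = (Join-Path $PWD "$SessionName.txt"),
    [int]    $Seconds     = 30
)

# 1. The README requires an elevated prompt for every TraceEvent command.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'TraceEvent needs an elevated (administrator) prompt.'
}

# 2. Normalise the GUID: TraceEvent wants curly brackets, and a malformed
#    GUID is caught here rather than by the tool.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($ProviderGuid.Trim('{}'), [ref]$parsed)) {
    throw "'$ProviderGuid' is not a GUID."
}
$guidArg = $parsed.ToString('B').ToUpperInvariant()   # "{XXXXXXXX-XXXX-...}"

# 3. Session names are machine-global; starting one that already exists fails.
#    logman returns a non-zero exit code when the named session is not found.
& logman.exe query $SessionName -ets *> $null
if ($LASTEXITCODE -eq 0) {
    throw "Trace session '$SessionName' already exists; stop it or pick another name."
}

# 4. Start, log for a bounded time, and always stop. An ETW session is a
#    kernel object that outlives this script, so a leaked session keeps
#    consuming buffers until someone stops it explicitly.
& $TraceEvent --start $SessionName --guid $guidArg
if ($LASTEXITCODE -ne 0) { throw "--start failed with exit code $LASTEXITCODE" }

try {
    # Consumer runs as a child process so the script can bound its lifetime;
    # output goes to a file, as the README advises when CPU usage climbs.
    $logger = Start-Process -FilePath $TraceEvent `
        -ArgumentList @('--log', $SessionName) `
        -RedirectStandardOutput $OutFile -NoNewWindow -PassThru
    Start-Sleep -Seconds $Seconds
    if (-not $logger.HasExited) { Stop-Process -Id $logger.Id -Force }
}
finally {
    & $TraceEvent --stop $SessionName
    if ($LASTEXITCODE -ne 0) { Write-Warning "--stop returned $LASTEXITCODE; check 'logman query -ets'." }
}
```

If the script is interrupted between `--start` and the `finally` block (for example by closing the console), the session survives; `logman query -ets` lists it and `TraceEvent.exe --stop <Session Name>` removes it.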