Is it possible to monitor calls to specific DLL functions in ETW? I am still new to ETW, so is there any good site or procedure that might be helpful to me?
It would be great to be able to run it from PowerShell using the logman command.
Sorry for the messy question, but I am in trouble... Thanks for reading.
I am now looking into whether this might work.
> logman query providers "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"
providers GUID
-------------------------------------------------------------------------------
Microsoft-Windows-Kernel-Process {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}
値 キーワード 説明
-------------------------------------------------------------------------------
0x0000000000000010 WINEVENT_KEYWORD_PROCESS
0x0000000000000020 WINEVENT_KEYWORD_THREAD
0x0000000000000040 WINEVENT_KEYWORD_IMAGE
0x0000000000000080 WINEVENT_KEYWORD_CPU_PRIORITY
0x0000000000000100 WINEVENT_KEYWORD_OTHER_PRIORITY
0x0000000000000200 WINEVENT_KEYWORD_PROCESS_FREEZE
0x0000000000000400 WINEVENT_KEYWORD_JOB
0x0000000000000800 WINEVENT_KEYWORD_ENABLE_PROCESS_TRACING_CALLBACKS
0x0000000000001000 WINEVENT_KEYWORD_JOB_IO
0x0000000000002000 WINEVENT_KEYWORD_WORK_ON_BEHALF
0x0000000000004000 WINEVENT_KEYWORD_JOB_SILO
0x8000000000000000 Microsoft-Windows-Kernel-Process/Analytic
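As an added example (not part of the question above), one way to drive the provider listed there from PowerShell with logman: ETW does not emit an event per function call inside a DLL, so the closest signal this provider offers is the image-load event enabled by WINEVENT_KEYWORD_IMAGE (0x40). The trace name, output path, DLL name and the ImageLoad event ID used below are assumptions, not values from the question.

```powershell
# Added example, not from the original question. Records image (DLL) loads with the
# Microsoft-Windows-Kernel-Process provider, enabling only WINEVENT_KEYWORD_IMAGE (0x40)
# so the trace stays small, then filters the result for one module name.
# Assumptions: run from an elevated PowerShell prompt; $TraceName, $DllName and the
# output path are placeholders chosen here; ImageLoad = event ID 5 is assumed and can
# be confirmed with the Get-WinEvent -ListProvider call commented out at the end.

$TraceName = 'KernelProcessImageTrace'
$EtlBase   = Join-Path $env:TEMP 'kernel-process-image'
$DllName   = 'example.dll'   # constructed placeholder: the module you want to watch
$Provider  = '{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}'

# Remove output from an earlier run so the filter below only sees the new trace.
Remove-Item -Path "$EtlBase*.etl" -ErrorAction SilentlyContinue

# Start the session directly (-ets) and write to an .etl file.
# "-p provider keywords level": keyword mask 0x40 = WINEVENT_KEYWORD_IMAGE, level 5 = verbose.
logman create trace $TraceName -p $Provider 0x40 5 -o "$EtlBase.etl" -ets | Out-Null

# Let the workload you are investigating run; a fixed sleep stands in for it here.
Start-Sleep -Seconds 10

logman stop $TraceName -ets | Out-Null

# logman may append a sequence number to the file name, so pick up whatever it wrote.
$EtlFile = Get-ChildItem -Path $env:TEMP -Filter 'kernel-process-image*.etl' |
    Sort-Object LastWriteTime | Select-Object -Last 1

# Get-WinEvent reads .etl files directly; -Oldest is mandatory for .etl input.
$events = Get-WinEvent -Path $EtlFile.FullName -Oldest

# Keep only ImageLoad events (assumed ID 5) whose rendered message names the module.
$loads = $events |
    Where-Object { $_.Id -eq 5 -and $_.Message -match [regex]::Escape($DllName) }

$loads |
    Select-Object TimeCreated, ProcessId, Message |
    Format-Table -AutoSize -Wrap

# To check the event ID assumption on your Windows build, list the provider's events:
# Get-WinEvent -ListProvider Microsoft-Windows-Kernel-Process |
#     Select-Object -ExpandProperty Events | Select-Object Id, Description
```

Adding the WINEVENT_KEYWORD_PROCESS bit (0x10) to the mask also records which process performed each load, which is usually what you want when reviewing the trace.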