- 1 year ago
Where are ETW providers stored?
The ETW (Event Tracing for Windows) providers are typically defined in the event source code and compiled into the event source binary. The event source binary can then be registered on the system with the wevtutil command-line tool or programmatically using the Windows Event Log API.
Once an ETW provider is registered, its information, including the GUID of the provider and its configuration, is stored in the Windows Event Log service. The information can be accessed using the EventLogSession class in the Windows Event Log API or the wevtutil command-line tool.
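An added example, not part of the original answer: a PowerShell inventory that walks the registered providers through the EventLogSession class mentioned above, resolves each provider's GUID and resource binary, and flags entries whose backing file is missing or not validly signed. It assumes the WINEVT\Publishers registry key, which the answer does not mention, as the place where Windows keeps manifest-based provider registrations; the variable names are illustrative.

```powershell
# Added example: inventory registered event providers and check their backing files.
# Assumption: manifest-based providers are registered under the Publishers key below.
$pubKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'
$session = [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession

$report = foreach ($name in $session.GetProviderNames()) {
    $row = [ordered]@{ Name = $name; Guid = $null; ResourceFile = $null
                       InRegistry = $false; FileExists = $false; Signature = $null }
    try {
        $meta = New-Object System.Diagnostics.Eventing.Reader.ProviderMetadata -ArgumentList $name
    } catch {
        # The registration exists but its metadata cannot be opened.
        $row.Signature = 'MetadataUnreadable'
        [pscustomobject]$row
        continue
    }
    try {
        # Classic event sources have no GUID; only manifest providers are looked up.
        if ($meta.Id -ne [guid]::Empty) {
            $row.Guid = $meta.Id.ToString('B')   # {xxxxxxxx-....} form used as key name
            $row.InRegistry = Test-Path -LiteralPath (Join-Path $pubKey $row.Guid)
        }
        if ($meta.ResourceFilePath) {
            $path = [Environment]::ExpandEnvironmentVariables($meta.ResourceFilePath)
            $row.ResourceFile = $path
            $row.FileExists = Test-Path -LiteralPath $path -PathType Leaf
            if ($row.FileExists) {
                $row.Signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
        }
    } catch {
        $row.Signature = 'MetadataUnreadable'
    } finally {
        $meta.Dispose()
    }
    [pscustomobject]$row
}

# Providers worth a closer look: resource binary missing or signature not valid.
$report |
    Where-Object { $_.ResourceFile -and (-not $_.FileExists -or $_.Signature -ne 'Valid') } |
    Sort-Object Name |
    Format-Table Name, Guid, ResourceFile, FileExists, Signature -AutoSize
```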