Open Access

Thomas Schlabach

• The core logging and tracing facility in Windows operating system is called Event Tracing for Windows (ETW). Data sources providing events for ETW are instrumented all over the operating system. That means most hard- and software assets in a Windows system are instrumented with ETW and so are able to contribute low-level information. ETW can be used by developers and administrators to getThe core logging and tracing facility in Windows operating system is called Event Tracing for Windows (ETW). Data sources providing events for ETW are instrumented all over the operating system. That means most hard- and software assets in a Windows system are instrumented with ETW and so are able to contribute low-level information. ETW can be used by developers and administrators to get low-level information about operating system's activity. We describe existing tools to interact with the ETW faciltity and evaluate them based on defined criteria. Based on relevant application scenarios, we show the richness of informational content for debugging or detecting security incidents with ETW. The widely used instrumentation of ETW in the operating system and its application results also in security risks according to confidentiality. Based on common ETW providers we show the impact to confidentiality what ETW offers an adversary. At the end we evaluate solutions and approaches for a customizable telemetry infrastructure using ETW in large-scale environments.…