EtwInspector
1.2.0
EtwInspector is a toolkit to research ETW components
Minimum PowerShell version
5.0
Copyright
(c) 2025 Jonathan Johnson. All rights reserved.
Package Details
Author(s)
- Jonathan Johnson
Cmdlets
- Get-EtwProviders
- Get-EtwSecurityDescriptor
- Get-EtwTraceSessions
- Start-EtwCapture
- Stop-EtwCapture
- Export-EtwSnapshot
- Compare-EtwSnapshot
Dependencies
This module has no dependencies.
Release Notes
v1.2.0
* Export-EtwSnapshot now includes TraceLogging providers by default. It scans C:\Windows\System32 and C:\Windows\System32\drivers for the embedded ETW0 metadata, merges the same provider across the binaries it appears in, and records every source path in a new Sources[] field on the provider record
* New parameters: -SkipTraceLogging for the fast Manifest+MOF-only path, -ScanPath <string[]> to add custom directories to the TraceLogging scan
* Snapshot SchemaVersion bumped to 1.1 (adds the Sources[] field; older readers that ignore unknown fields keep working)
v1.1.0
* Added Export-EtwSnapshot and Compare-EtwSnapshot for diffing provider state across machines or across Windows updates
* Snapshots support both pretty JSON (.json) and newline-delimited JSON (.ndjson / .jsonl); NDJSON diffs cleanly per provider and is ideal for stream ingestion
* Snapshot output is now deterministic - providers sorted by name, events sorted by (Id, Version) - so identical state produces byte-stable files
* Sped up MOF provider enumeration by indexing .mof files once instead of per-provider
v1.0.0
* Initial release of the package
* Cmdlets: Get-EtwProviders, Get-EtwSecurityDescriptor, Get-EtwTraceSessions, Start-EtwCapture, Stop-EtwCapture
FileList
- EtwInspector.nuspec
- EtwInspector.psd1
- EtwInspector.psm1
- bin\EtwInspector.dll
- bin\EtwInspector.dll-Help.xml
Version History
| Version | Downloads | Last updated |
|---|---|---|
| 1.2.0 (current version) | 8 | 5/9/2026 |
| 1.0.0 | 4 | 5/9/2026 |