EtwInspector.psd1

#
# Module manifest for module 'EtwInspector'
#
# Generated by: Jonathan Johnson
#
# Generated on: 4/23/2025
#

@{

# Script module or binary module file associated with this manifest.
RootModule = 'EtwInspector.psm1'

# Version number of this module.
ModuleVersion = '1.2.0'

# ID used to uniquely identify this module
GUID = 'd63ab890-2557-4c12-8af4-a4366cc1536f'

# Author of this module
Author = 'Jonathan Johnson'

# Company or vendor of this module
CompanyName = 'Johnson Security Research'

# Copyright statement for this module
Copyright = '(c) 2025 Jonathan Johnson. All rights reserved.'

# Description of the functionality provided by this module
Description = 'EtwInspector is a toolkit to research ETW components'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '5.0'

# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
NestedModules = @('.\bin\EtwInspector.dll')

# Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export.
FunctionsToExport = @()

# Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export.
CmdletsToExport = 'Get-EtwProviders',
                  'Get-EtwSecurityDescriptor',
                  'Get-EtwTraceSessions',
                  'Start-EtwCapture',
                  'Stop-EtwCapture',
                  'Export-EtwSnapshot',
                  'Compare-EtwSnapshot'

# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
PrivateData = @{

    PSData = @{

        # Tags applied to this module. These help with module discovery in online galleries.
        Tags = @('Security', 'Research', 'ETW')

        # A URL to the license for this module.
        LicenseUri = 'https://github.com/jonny-jhnson/ETWInspector/blob/main/LICENSE'

        # A URL to the main website for this project.
        ProjectUri = 'https://github.com/jonny-jhnson/ETWInspector'

        # A URL to an icon representing this module.
        # IconUri = ''

        # ReleaseNotes of this module
        ReleaseNotes = @'
v1.2.0
* Export-EtwSnapshot now includes TraceLogging providers by default. Scans C:\Windows\System32 and C:\Windows\System32\drivers for the embedded ETW0 metadata, merges the same provider across the binaries it appears in, and records every source path on a new Sources[] field on the provider record
* New parameters: -SkipTraceLogging for the fast Manifest+MOF-only path, -ScanPath <string[]> to add custom directories to the TraceLogging scan
* Snapshot SchemaVersion bumped to 1.1 (adds the Sources[] field; older readers that ignore unknown fields keep working)

v1.1.0
* Added Export-EtwSnapshot and Compare-EtwSnapshot for diffing provider state across machines or across Windows updates
* Snapshots support both pretty JSON (.json) and newline-delimited JSON (.ndjson / .jsonl); NDJSON diffs cleanly per provider and is ideal for stream ingestion
* Snapshot output is now deterministic - providers sorted by name, events sorted by (Id, Version) - so identical state produces byte-stable files
* Sped up MOF provider enumeration by indexing .mof files once instead of per-provider

v1.0.0
* Initial release of package
* Cmdlets: Get-EtwProviders, Get-EtwSecurityDescriptor, Get-EtwTraceSessions, Start-EtwCapture, Stop-EtwCapture
'@


    } # End of PSData hashtable

} # End of PrivateData hashtable


}
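The release notes above describe the snapshot format that Export-EtwSnapshot writes and Compare-EtwSnapshot consumes: one provider record per NDJSON line, providers sorted by name, events keyed by (Id, Version), and a SchemaVersion 1.1 that adds a Sources[] field which older readers should ignore. The following is an added example, not code from the EtwInspector project, of a downstream reader that tolerates both schema versions and diffs two snapshots; the sample records are constructed, and the Name and Events field names are assumptions (SchemaVersion, Sources, Id and Version come from the release notes).

```python
import json

# Constructed sample snapshots, not real EtwInspector output. Field names
# Name/Events are assumptions; SchemaVersion, Sources, Id and Version follow
# the release notes. One provider record per NDJSON line, sorted by name.
OLD_NDJSON = "\n".join([
    json.dumps({"SchemaVersion": "1.0", "Name": "Microsoft-Windows-Example-A",
                "Events": [{"Id": 1, "Version": 0}, {"Id": 2, "Version": 0}]}),
    json.dumps({"SchemaVersion": "1.0", "Name": "Microsoft-Windows-Example-B",
                "Events": [{"Id": 10, "Version": 1}]}),
])
NEW_NDJSON = "\n".join([
    json.dumps({"SchemaVersion": "1.1", "Name": "Microsoft-Windows-Example-A",
                "Sources": ["C:\\Windows\\System32\\example-a.dll"],
                "Events": [{"Id": 1, "Version": 0}, {"Id": 2, "Version": 1}]}),
    json.dumps({"SchemaVersion": "1.1", "Name": "Microsoft-Windows-Example-C",
                "Sources": ["C:\\Windows\\System32\\drivers\\example-c.sys"],
                "Events": [{"Id": 5, "Version": 0}]}),
])

def load_snapshot(ndjson_text):
    """Map provider name -> record. Unknown fields (e.g. Sources from 1.1)
    are carried along untouched, so a 1.0-era reader keeps working on 1.1."""
    providers = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        providers[rec["Name"]] = rec
    return providers

def event_keys(rec):
    # Events are identified by (Id, Version), matching the snapshot sort key.
    return {(e["Id"], e["Version"]) for e in rec.get("Events", [])}

def compare_snapshots(old_text, new_text):
    """Report providers that appeared/disappeared and per-provider event
    changes, e.g. across a Windows update (useful for detection coverage)."""
    old, new = load_snapshot(old_text), load_snapshot(new_text)
    diff = {"added_providers": sorted(set(new) - set(old)),
            "removed_providers": sorted(set(old) - set(new)),
            "event_changes": {}}
    for name in sorted(set(old) & set(new)):
        before, after = event_keys(old[name]), event_keys(new[name])
        if before != after:
            diff["event_changes"][name] = {"added": sorted(after - before),
                                           "removed": sorted(before - after)}
    return diff
```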