olafhartong/provmon


ProvMon - ETW Provider Monitor

A specialized ETW (Event Tracing for Windows) monitoring tool that traces the Microsoft-Windows-Kernel-EventTracing provider for Event ID 8.

This event shows the registration of an ETW provider by a specific process.

Features

  • Monitors the Microsoft-Windows-Kernel-EventTracing provider (GUID: {b675ec37-bdb6-4648-bc92-f3fdc74d3ca2})
  • Filters events to only show Event ID 8
  • Extracts and displays specific fields: ProviderGuid, ProviderName, ProcessID, ProcessName, and RegisteredAt
  • Interactive table interface with real-time updates, search, and auto-scroll
  • Optional file output support
  • Optional Windows Event Log integration (silent background operation)
  • Process name resolution from process IDs, provided the process is still running when the lookup happens
  • Provider name resolution from GUIDs, provided the provider is known and registered on the system

Usage

Interactive Table Interface (Default)

# Run the tool with interactive table interface (requires elevated privileges for full functionality)
./provmon.exe

# Table interface controls:
# - Arrow keys: Navigate table
# - /: Start search (searches across Provider Name, Provider GUID, Process Name, and Process ID)
# - ESC: Cancel search
# - Enter: Confirm search
# - ,: Toggle auto-scroll on/off
# - q: Quit

Save Output to File

# Save events to a file (disables TUI)
./provmon.exe -output events.json

Windows Event Log (Silent Mode)

# Write events to Windows Event Log only (no console output, no TUI)
./provmon.exe -eventlog

# Enable debug output with event logging
./provmon.exe -eventlog -debug

# Combine file output with event logging
./provmon.exe -output events.json -eventlog

Output Format

The tool outputs JSON objects with the following structure:

{
  "ProviderGuid": "{e4b70372-261f-4c54-8fa6-a5a7914d73da}",
  "ProviderName": "Microsoft-Windows-Kernel-EventTracing",
  "ProcessID": 3356,
  "ProcessName": "C:\\Windows\\System32\\svchost.exe",
  "RegisteredAt": "2025-08-13T17:16:57.8925919Z"
}
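Beyond viewing registrations live, the JSON written by -output can feed a simple baseline check. The Go program below is an added example and is not part of the provmon project: it decodes a stream of provmon JSON objects (assumed to be written one per line, or back to back, with exactly the field names shown above), compares each registration against a baseline of which executables are expected to register a given provider GUID, and reports both unexpected registrants and events whose ProcessName is empty, which the README notes happens when the process exits before its name can be resolved. The baseline contents, the sample events and the C:\Users\Public path are constructed for illustration; the GUID is the one from the sample output above. GUIDs and Windows paths are compared case-insensitively.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"strconv"
	"strings"
	"time"
)

// Event mirrors one JSON object as written by provmon -output (field names from the README).
type Event struct {
	ProviderGuid string    `json:"ProviderGuid"`
	ProviderName string    `json:"ProviderName"`
	ProcessID    int       `json:"ProcessID"`
	ProcessName  string    `json:"ProcessName"`
	RegisteredAt time.Time `json:"RegisteredAt"`
}

// Finding is one registration that deserves a look.
type Finding struct {
	Reason string
	Event  Event
}

// Baseline maps a normalised provider GUID to the set of executable paths
// (lower-cased) that are expected to register it.
type Baseline map[string]map[string]bool

// normGUID makes "{ABC...}" and "abc..." compare equal.
func normGUID(g string) string { return strings.ToLower(strings.Trim(g, "{}")) }

// DefaultBaseline is a constructed example: only svchost.exe is expected to
// register the provider GUID taken from the README's sample output.
func DefaultBaseline() Baseline {
	return Baseline{
		normGUID("{e4b70372-261f-4c54-8fa6-a5a7914d73da}"): {
			`c:\windows\system32\svchost.exe`: true,
		},
	}
}

// ParseEvents decodes a stream of JSON objects separated by whitespace
// (newline-delimited or pretty-printed back to back).
func ParseEvents(r io.Reader) ([]Event, error) {
	dec := json.NewDecoder(r)
	var evs []Event
	for {
		var e Event
		if err := dec.Decode(&e); err == io.EOF {
			return evs, nil
		} else if err != nil {
			return evs, err
		}
		evs = append(evs, e)
	}
}

// Evaluate returns a finding for every event that either lacks a resolved
// process name (the process was gone before provmon could look it up) or was
// raised by a process not listed in the baseline for that provider. Providers
// absent from the baseline are not monitored and produce no finding.
func Evaluate(evs []Event, b Baseline) []Finding {
	var out []Finding
	for _, e := range evs {
		if e.ProcessName == "" {
			out = append(out, Finding{
				Reason: "process exited before name resolution; correlate PID " +
					strconv.Itoa(e.ProcessID) + " with process-creation telemetry",
				Event: e,
			})
			continue
		}
		allowed, monitored := b[normGUID(e.ProviderGuid)]
		if !monitored {
			continue
		}
		if !allowed[strings.ToLower(e.ProcessName)] {
			out = append(out, Finding{Reason: "unexpected process registered a monitored provider", Event: e})
		}
	}
	return out
}

// sampleOutput is constructed: three provmon-style records, the first copied
// from the README's example, the other two invented for this demonstration.
const sampleOutput = `
{"ProviderGuid":"{e4b70372-261f-4c54-8fa6-a5a7914d73da}","ProviderName":"Microsoft-Windows-Kernel-EventTracing","ProcessID":3356,"ProcessName":"C:\\Windows\\System32\\svchost.exe","RegisteredAt":"2025-08-13T17:16:57.8925919Z"}
{"ProviderGuid":"{E4B70372-261F-4C54-8FA6-A5A7914D73DA}","ProviderName":"Microsoft-Windows-Kernel-EventTracing","ProcessID":4120,"ProcessName":"C:\\Users\\Public\\update.exe","RegisteredAt":"2025-08-13T17:17:02.1000000Z"}
{"ProviderGuid":"{e4b70372-261f-4c54-8fa6-a5a7914d73da}","ProviderName":"Microsoft-Windows-Kernel-EventTracing","ProcessID":4188,"ProcessName":"","RegisteredAt":"2025-08-13T17:17:03.5000000Z"}
`

func main() {
	evs, err := ParseEvents(strings.NewReader(sampleOutput))
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range Evaluate(evs, DefaultBaseline()) {
		fmt.Printf("%s  pid=%-6d %-40q %s\n",
			f.Event.RegisteredAt.Format(time.RFC3339), f.Event.ProcessID, f.Event.ProcessName, f.Reason)
	}
}
```

In practice the baseline would be built from a few days of provmon output on known-good hosts, and the empty-ProcessName findings are worth keeping rather than dropping: a registration whose process disappeared within milliseconds is exactly the kind of short-lived activity that is easy to miss in the live table.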

Table Interface Features

Auto-Scroll

  • Default: Auto-scroll is enabled by default, automatically showing the latest events
  • Toggle: Press , (comma) to toggle auto-scroll on/off
  • Smart Behavior: Auto-scroll is automatically disabled when searching
  • Visual Indicator: Current auto-scroll state is shown in help text and status bar

Search Functionality

  • Multi-field Search: Searches across Provider Name, Provider GUID, Process Name, and Process ID
  • Case-insensitive: Search is not case-sensitive
  • Real-time Filtering: Results update as you type
  • Substring Matching: Finds partial matches in any field

Table Columns

  • Time: Event timestamp (HH:MM:SS format)
  • Provider Name: Human-readable provider name (resolved from GUID)
  • Provider GUID: Provider's unique identifier
  • Process ID: Numerical process identifier
  • Process Name: Full path to the executable

Requirements

  • Windows 10/11
  • Elevated privileges (Administrator) for full functionality
  • Go 1.24.0 or later (for building from source)

Notes

  • The tool specifically monitors Event ID 8 from the Microsoft-Windows-Kernel-EventTracing provider
  • Running with elevated privileges is recommended to capture all events
  • Use Ctrl+C to stop the monitoring
  • ProviderName field shows the resolved name of the provider being registered (from ProviderGuid)
  • Windows Event Log integration creates a separate "Provmon" log source in Event Viewer with Event ID 1
  • When using -eventlog flag, the tool runs silently with no console output
  • Auto-scroll can be toggled with the comma key to browse historical events
  • Search functionality works across all major fields for easy event discovery
