
Signal Reconstruction

Event Tracing

Telemetry, provider behavior, and system activity reconstructed from event streams.

ETW-centric notes that focus on providers, collection pivots, and the kinds of traces defenders can actually build around.

Notes: 3
Latest update: 2025-04-08
Route: /research/categories/event-tracing
Tags: etw, telemetry, detection-engineering, dfir

Category Index

All research filed under this constellation.

Latest notes appear first so the category stays useful as a focused, living archive rather than a dead taxonomy page.

Event Tracing

2025-04-08

etw

ETW - Microsoft-Windows-SMBClient - Address Event Field Details

Detailed breakdown of the fields in Microsoft-Windows-SMBClient ETW events. Includes address field decoding for network-related events.

Constellation: Event Tracing · etw
Tags: etw, windows, telemetry

Event Tracing

2024-01-18

etw

ETW - Microsoft-Windows-Kernel-General - Event Details

Deep dive into the Microsoft-Windows-Kernel-General ETW provider events.

Constellation: Event Tracing · etw
Tags: etw, windows, telemetry

Event Tracing

2023-04-21

etw

ETW - Microsoft-Windows-Windows Firewall With Advanced Security - DFIR/Detection Updates

New Event IDs added to the Microsoft-Windows-Windows Firewall With Advanced Security ETW provider in Windows 11. Deep dive into the changes and their implications for DFIR and detection engineering.

Constellation: Event Tracing · etw
Tags: etw, windows, telemetry