Tested on Windows 10 19042 and Windows Server 2012. I want to use ETW to log the log-clear event (1102), but it doesn't work. The project I use is called krabsetw, which belongs to Microsoft.
The target provider is Microsoft-Windows-Eventlog, corresponding to GUID {FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}, and here is my source code:
#include <iostream>
#include <krabs.hpp>   // krabsetw: krabs::user_trace, krabs::provider, krabs::schema

void user_trace_001::start()
{
    krabs::user_trace trace;

    // Subscribe to the Microsoft-Windows-Eventlog provider by GUID.
    krabs::provider<> provider(krabs::guid(L"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}"));

    // Keyword mask: match an event if any of these keyword bits is set.
    provider.any(0xf8200000001e0000);

    // Print the event id and name of every event delivered for this provider.
    provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
        krabs::schema schema(record, trace_context.schema_locator);
        std::wcout << L"Event " << schema.event_id();
        std::wcout << L"(" << schema.event_name() << L") received." << std::endl;
    });

    trace.enable(provider);
    trace.start();   // blocks and processes events until the trace is stopped
}
It is expected to print an event ID and an event name whenever it gets an event. So far it logs event IDs 100, 201, 202, 203, 204 and 205, but not my target 1102.
The ways I cleared the logs were Event Viewer and the command line with wevtutil.
command line: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
I have also tried to use logman to log events from the provider Microsoft-Windows-Eventlog, but it can't log 1102 either.
Any advice would be appreciated!
After reversing wevtsvc.dll, I found that it doesn't call any ETW function when the log-clear event is triggered. It just tries to create and write a record to C:\Windows\System32\winevt\Logs\Security.evtx, which is why we cannot capture event 1102 with logman or krabsetw.
In fact, we can see in IDA that there are ETW functions like EventWrite and EventWriteTransfer in the Channel::ClearChannelLog function. However, when I attached x64dbg to the process, execution never reached the addresses of those ETW functions.
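Since the answer above says 1102 is written straight into Security.evtx rather than emitted through ETW, the practical way to catch it is to subscribe to the Security channel through the Windows Event Log API, which is the reader side of that file. The following PowerShell script is an added example written for this page; it is not code from the original post or from krabsetw. It uses the .NET EventLogWatcher class with an XPath filter for EventID 1102 from the Microsoft-Windows-Eventlog provider, and reads the actor from the event's UserData/LogFileCleared element. It assumes an elevated prompt, because reading the Security log requires the SeSecurityPrivilege that a normal user lacks.

```powershell
# Added example (not from the post or krabsetw): watch the Security channel for
# event 1102 (audit log cleared) via the Windows Event Log API instead of ETW.
# Run elevated: reading the Security log needs SeSecurityPrivilege.

# One-shot query: list 1102 events already present in Security.evtx.
function Get-SecurityClearedEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
}

# Live subscription: the XPath only matches 1102 from Microsoft-Windows-Eventlog.
$xpath   = '*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and (EventID=1102)]]'
$query   = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
               'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

# Queue EventRecordWritten notifications on the PowerShell event queue.
Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier 'Sec1102' | Out-Null
$watcher.Enabled = $true

Write-Host 'Watching Security log for event 1102. Test with: wevtutil cl Security   (Ctrl+C to stop)'
try {
    while ($true) {
        $ev = Wait-Event -SourceIdentifier 'Sec1102'
        Remove-Event -EventIdentifier $ev.EventIdentifier
        $rec = $ev.SourceEventArgs.EventRecord
        if ($null -eq $rec) { continue }   # the API reports read errors as a null record

        # 1102 carries the actor in UserData/LogFileCleared, not in EventData.
        $xml = [xml]$rec.ToXml()
        $who = $xml.Event.UserData.LogFileCleared
        Write-Host ('[{0}] Event {1} ({2}) received: Security log cleared by {3}\{4}, logon id {5}' -f
            $rec.TimeCreated, $rec.Id, $rec.ProviderName,
            $who.SubjectDomainName, $who.SubjectUserName, $who.SubjectLogonId)
    }
}
finally {
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'Sec1102' -ErrorAction SilentlyContinue
    $watcher.Dispose()
}
```

This path sees 1102 because the Event Log service delivers it to subscribers when the record lands in the channel, regardless of whether an ETW provider was involved. Clearing any log other than Security records event 104 from the same provider in the System log, so a broader watcher would subscribe to both channels with the matching EventID in the XPath.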