After reading this article I was curious which info Microsoft gathers in its telemetry. There is some theoretical possibility to ask Microsoft via MVI, but the link to "apply for membership" gives 404, lol. So as usual, run IDA Pro and start with the KeInsertQueueApc function
We can see that the code checks EtwThreatIntProvRegHandle and somewhere inside the function calls the ETW logger function EtwTiLogInsertQueueUserApc. So let's collect the other ETW loggers that refer to
EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too):
- EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
- EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
- EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
- EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
- EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
- EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
- EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
- EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
- EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
- EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread
- EtwpTimLogMitigationForProcess - called from MiAllowImageMap
- EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
- EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
- EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
- EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
- EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap
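From a defender's side, the value of the loggers above is that they fire at the kernel call sites a typical cross-process injection has to pass through: get executable memory in another process (AllocExecVm / ProtectExecVm / MapExecView), write into it (ReadWriteVm), then make a thread there run it (InsertQueueUserApc / SetContextThread). The script below is an added example, not code from the original post: it correlates records carrying those logger names into injection alerts. The record format (`<seq> <logger> caller=<pid> target=<pid>`) and field names are assumptions of this example, and the sample lines are constructed, not real ETW output (a real consumer of the Threat Intelligence provider runs as a protected anti-malware service and sees Microsoft's own event schema, which this example does not reproduce).

```python
"""Correlate Threat-Intelligence-style records into cross-process injection
alerts.  Added example, not part of the original post: the record format,
field names and sample lines are constructed assumptions, not real ETW-TI
output."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Labels reuse the kernel logger names collected in the post.  The stage
# order is the classic injection sequence: obtain executable memory in the
# target, write into it, then make a target thread execute it.
STAGES = (
    {"EtwTiLogAllocExecVm", "EtwTiLogProtectExecVm", "EtwTiLogMapExecView"},
    {"EtwTiLogReadWriteVm"},
    {"EtwTiLogInsertQueueUserApc", "EtwTiLogSetContextThread"},
)


@dataclass(frozen=True)
class TiEvent:
    seq: int         # monotonically increasing record number (assumed field)
    name: str        # logger name, e.g. EtwTiLogReadWriteVm
    caller_pid: int  # process that issued the call (assumed field)
    target_pid: int  # process whose memory/thread was affected (assumed field)


def parse_line(line: str) -> TiEvent:
    """Parse one constructed record: '<seq> <name> caller=<pid> target=<pid>'."""
    seq, name, caller, target = line.split()
    return TiEvent(int(seq), name,
                   int(caller.split("=")[1]), int(target.split("=")[1]))


def parse_events(lines: Iterable[str]) -> List[TiEvent]:
    """Skip blank and '#' comment lines, parse the rest."""
    return [parse_line(l) for l in lines if l.strip() and not l.startswith("#")]


def find_injection_chains(events: Iterable[TiEvent]) -> List[Tuple[int, int, List[int]]]:
    """Return (caller_pid, target_pid, [seq, ...]) for every caller/target pair
    that completes all three stages in order against a *different* process.
    Same-process activity (JIT engines, loaders) is ignored to limit noise;
    events that do not advance the current stage are simply skipped."""
    progress: Dict[Tuple[int, int], Tuple[int, List[int]]] = {}
    alerts: List[Tuple[int, int, List[int]]] = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.caller_pid == ev.target_pid:
            continue
        key = (ev.caller_pid, ev.target_pid)
        stage, chain = progress.get(key, (0, []))
        if stage < len(STAGES) and ev.name in STAGES[stage]:
            stage, chain = stage + 1, chain + [ev.seq]
            if stage == len(STAGES):
                alerts.append((ev.caller_pid, ev.target_pid, chain))
                stage, chain = 0, []  # reset so a repeat chain alerts again
        progress[key] = (stage, chain)
    return alerts


# Constructed records, not real ETW-TI output.  Record 1 is same-process
# (ignored); 2,3,6 form a complete remote chain; 7,8 never obtain executable
# memory first, so they do not alert.
SAMPLE_LOG = """\
# seq logger caller target
1 EtwTiLogAllocExecVm caller=4100 target=4100
2 EtwTiLogAllocExecVm caller=4100 target=7312
3 EtwTiLogReadWriteVm caller=4100 target=7312
4 EtwTiLogProtectExecVm caller=4100 target=7312
5 EtwTiLogSuspendResumeThread caller=4100 target=7312
6 EtwTiLogInsertQueueUserApc caller=4100 target=7312
7 EtwTiLogReadWriteVm caller=900 target=2200
8 EtwTiLogSetContextThread caller=900 target=2200
"""

if __name__ == "__main__":
    for caller, target, chain in find_injection_chains(parse_events(SAMPLE_LOG.splitlines())):
        print(f"possible injection: pid {caller} -> pid {target}, records {chain}")
```

The three-stage state machine is deliberately order-sensitive: a write that precedes any executable allocation or protection change for that caller/target pair does not count, which is what keeps ordinary cross-process reads and writes by debuggers or instrumentation from alerting on their own.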