detection.wiki
Blog

Microsoft-Windows-EtwCollector

3 events across 1 channel

Event IDTitleChannel
1Profiling for target ({ProcessID}) has started.Operational
2Profiling for target ({ProcessID}) has stopped.Operational
5Machine [Name: {Name}] [OS Description: {OSDescription}] [Architecture: …Operational

Event ID 1 — Profiling for target ({ProcessID}) has started.

Provider
Microsoft-Windows-EtwCollector
Channel
Operational

Message

Profiling for target ({ProcessID}) has started.

Fields

NameDescription
ProcessID

Event ID 2 — Profiling for target ({ProcessID}) has stopped.

Provider
Microsoft-Windows-EtwCollector
Channel
Operational

Message

Profiling for target ({ProcessID}) has stopped.

Fields

NameDescription
ProcessID

Event ID 5 — Machine [Name: {Name}] [OS Description: {OSDescription}] [Architecture: {Architecture}].

Provider
Microsoft-Windows-EtwCollector
Channel
Operational

Message

Machine [Name: {Name}] [OS Description: {OSDescription}] [Architecture: {Architecture}]

Fields

NameDescription
Name
OSDescription
Architecture