Feature request: Provide a simple command line interface

Question

Feature request: Provide a simple command line interface

Closed this issue 6 years ago · 5 comments

I want to run:

c:\> pywintrace --type=CreateProcess --path=whatever

And get an infinite output of all the events that match my criteria.

Answer 1 · 2018-10-13T13:25:27.000Z

If you know of a different project that supplies something like that, I'll be happy if you could refer me.

Answer 2 · 2018-10-16T14:10:52.000Z

Unsure what you mean exactly. You can modify one of the examples to do this using the kernel process provider.

Answer 3 · 2018-10-16T14:15:37.000Z

What I mean is a CLI utility that one could use to track Windows events from the command line, without needing to know how pywintrace works and without having to develop a solution. That's a pretty big ask so if it's out of the scope of this project, I'd understand.

Answer 4 · 2018-10-16T14:43:05.000Z

I would say it is out of scope. Events in ETW are relative to the provider that is emitting them. As such, I couldn't just say "events" because that is ambiguous (two providers may emit the equivalent events, etc). It sounds like your asking for a solution that would filter on events, without knowledge of the related provider. As there are hundreds of registered providers (and likely thousands of event types), it isn't something that sounds reasonable. However, you can use pywintrace to do what you propose with knowledge of the provider/events you want.

Answer 5 · 2019-03-13T17:49:50.000Z

Closing issue.