The Payload Podcast 006
Why It Matters
Understanding ETW equips defenders with deep, low‑overhead visibility while revealing a powerful avenue attackers can exploit, making it a critical focus for any Windows security strategy.
Key Takeaways
- ETW provides low‑overhead, kernel‑level telemetry across Windows systems.
- Researchers can use ETW for both defensive monitoring and offensive C2.
- New tool “ETW Inspector” simplifies provider enumeration and remote trace sessions.
- ETW data underpins Windows Event Viewer logs, exposing rich security events.
- Remote consumption via PLA enables agent‑less data collection on target machines.
Summary
The Payload Podcast episode 006 dives deep into Event Tracing for Windows (ETW), a native Windows telemetry framework that captures granular system activity with minimal performance impact. Hosts Johnny and John discuss their recent research, announce the release of an open‑source utility called ETW Inspector, and explore how ETW powers the Windows Event Viewer while offering far richer data than most administrators realize.
They explain ETW’s architecture: providers emit events, consumers subscribe via trace sessions whose buffers live in memory, and the mechanism operates inline, avoiding the overhead of traditional function hooking. This efficiency makes ETW attractive for both defensive use—feeding endpoint detection and response (EDR) pipelines—and offensive tactics, such as stealthy command‑and‑control channels or remote data harvesting via the Performance Logs and Alerts (PLA) interface.
John highlights concrete examples: using PLA to create remote trace sessions without installing a disk‑based agent, and leveraging the tool to enumerate providers, capture NTFS and security‑audit events, and even patch ETW to suppress logging. He also credits James Forshaw’s NtObjectManager PowerShell module as inspiration for building a PowerShell‑friendly ETW Inspector that mirrors the flexibility of Forshaw’s toolset.
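The provider → trace session → consumer chain described above, and the provider enumeration and session creation that ETW Inspector automates, can be walked through with the cmdlets Windows already ships. The script below is an added example written for this summary; it is not code from the podcast hosts or from the ETW Inspector project. It uses the built‑in EventTracingManagement module and logman instead of PLA, and the session name, output path, provider choice (Microsoft-Windows-Kernel-File) and keyword mask are assumptions chosen for the demonstration. Run it in an elevated PowerShell on Windows 10 or later.

```powershell
# Added example (not the podcast's or ETW Inspector's code): walk the
# provider -> trace session -> consumer chain with the built-in
# EventTracingManagement cmdlets and logman. Run elevated on Windows 10+.
# The session name, file path, provider and keyword mask are assumptions.
$SessionName = 'PayloadDemo-FileTrace'        # constructed session name
$EtlPath     = "$env:TEMP\$SessionName.etl"   # constructed output path

# 1. Enumerate registered providers. The channels shown in Event Viewer are a
#    small subset of these; filter to the kernel providers the episode discusses.
logman query providers | Select-String 'Microsoft-Windows-Kernel-' | Select-Object -First 10

# 2. Resolve a provider name to its GUID instead of hard-coding it.
$Provider = Get-WinEvent -ListProvider 'Microsoft-Windows-Kernel-File'
"Provider {0} -> {1}" -f $Provider.Name, $Provider.Id

# 3. Create the trace session. Events are buffered in kernel memory; here the
#    buffers are flushed to a file (LogFileMode 0x1 = EVENT_TRACE_FILE_MODE_SEQUENTIAL).
New-EtwTraceSession -Name $SessionName -LogFileMode 0x1 -LocalFilePath $EtlPath | Out-Null

# 4. Attach the provider. Level 4 = Informational; keyword 0x80 selects the
#    file-create events (KERNEL_FILE_KEYWORD_CREATE). A narrow keyword mask is
#    what keeps the overhead low; a defender should start narrow and widen as needed.
Add-EtwTraceProvider -SessionName $SessionName -Guid $Provider.Id.ToString('B') -Level 4 -MatchAnyKeyword 0x80 | Out-Null

# Generate a few file operations so the trace has something to show (constructed activity).
1..3 | ForEach-Object { New-Item -ItemType File -Path "$env:TEMP\etw-demo-$_.txt" -Force | Out-Null }
Start-Sleep -Seconds 2

# 5. Confirm the session exists, then stop it; stopping flushes the buffers to the .etl.
Get-EtwTraceSession -Name $SessionName | Select-Object Name, LogFileMode, LocalFilePath
Remove-EtwTraceSession -Name $SessionName

# 6. Consume: the same decoder Event Viewer uses reads the trace file directly.
Get-WinEvent -Path $EtlPath -Oldest |
    Where-Object { $_.Message -like '*etw-demo-*' } |
    Select-Object TimeCreated, Id, ProviderName, Message -First 5
```

Each of the EventTracingManagement cmdlets accepts a -CimSession parameter, so the same session can be created, populated and torn down on a remote host over WinRM with nothing installed on it, which is the agent‑less pattern the episode attributes to PLA. From a detection standpoint, the session list returned by Get-EtwTraceSession is also worth baselining: an unexpected session attached to security‑relevant providers is exactly the artifact the “double‑edged sword” discussion below warns about.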
The discussion underscores that ETW is a double‑edged sword. Security teams can gain unprecedented visibility into every system call, registry change, or file operation, dramatically improving detection and forensic capabilities. Conversely, threat actors can weaponize the same interface for covert monitoring and data exfiltration, making awareness and proper configuration of ETW providers essential for modern Windows security.