etl.etl

$ target-query <path/to/target> -f etl.etl
Details

Module

dissect.target.plugins.os.windows.log.etl.EtlPlugin

Output

records

Module documentation

Plugin for parsing Windows ETL Files (*.etl).

Function documentation

Return the contents of the ETL files generated at last boot and last shutdown.

An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or more trace sessions. A trace session is a period in which a trace provider is generating trace messages. A trace provider is a component of a user-mode application or kernel-mode driver that uses Event Tracing for Windows (ETW) to generate trace messages or trace events.

Yields dynamically created records whose fields are taken from the fields inside each ETL event. Every record contains at least the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event defined by the manifest file.
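As an added example (not code from the plugin or its documentation), the following script consumes these records from Python instead of via target-query and tallies them per provider and event type using only the fields listed above. The calls Target.open() and target.etl.etl() are assumed from the module path shown above, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime, timezone
from types import SimpleNamespace
from typing import Iterable, Optional


def iter_etl_records(target_path: str):
    """Python equivalent of `target-query <target> -f etl.etl`.

    Assumed dissect.target API: Target.open() and the etl namespace's etl()
    function (inferred from the module path in the docs). Imported lazily so
    the rest of this file runs without dissect installed.
    """
    from dissect.target import Target
    target = Target.open(target_path)
    yield from target.etl.etl()


def summarise_by_provider(records: Iterable, since: Optional[datetime] = None) -> dict:
    """Count events per (Provider_Name, EventType), relying only on the
    fields the docs guarantee. If `since` is given, events with ts before
    it are skipped, so a single boot or shutdown window can be isolated."""
    counts: Counter = Counter()
    for rec in records:
        if since is not None and rec.ts < since:
            continue
        counts[(rec.Provider_Name, rec.EventType)] += 1
    return dict(counts)


def _rec(hour: int, provider: str, event_type: str) -> SimpleNamespace:
    """Constructed record carrying the documented fields (sample data, not real ETL output)."""
    return SimpleNamespace(hostname="WS01", domain="EXAMPLE",
                           ts=datetime(2024, 1, 1, hour, 0, tzinfo=timezone.utc),
                           Provider_Name=provider, EventType=event_type)


# Constructed sample: provider and event names are illustrative only.
SAMPLE_RECORDS = [
    _rec(8, "Microsoft-Windows-Kernel-General", "Boot"),
    _rec(8, "Microsoft-Windows-Kernel-Process", "ProcessStart"),
    _rec(9, "Microsoft-Windows-Kernel-Process", "ProcessStart"),
    _rec(10, "Microsoft-Windows-Kernel-Process", "ProcessStop"),
]
CUTOFF = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for (provider, event_type), n in sorted(summarise_by_provider(SAMPLE_RECORDS).items()):
        print(f"{provider:40} {event_type:14} {n}")
```

To run it against a real target, replace SAMPLE_RECORDS with iter_etl_records("<path/to/target>").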