I have recently been using ETW to collect events from built-in providers. I use logman to consume events and save them to a .etl file, like this:
logman create trace evt -p Microsoft-Windows-RPC -ets
...After some operation
logman stop evt -ets
Then I get an evt.etl file that contains events from this provider.
PS > Get-WinEvent -Path .\evt.etl -Oldest | Select-Object Id, Message
Id Message
---------
0
5 Client RPC call started. InterfaceUuid: {e60c73e6-88f9-11cf-9af1-0020af6e72f4} OpNum: 0x8 Protocol: LRPC N...
4 RPC Log Event. ...
...
But when I do the same thing with "Microsoft-Windows-Security-Auditing", after stopping the session, I get nothing in the evt.etl file.
PS > logman start trace evt -p Microsoft-Windows-Security-Auditing -ets
The command completed successfully.
Then I sign out and log in to produce events.
PS C:\Advs> logman stop evt -ets
The command completed successfully.
But I get nothing in the generated evt.etl file.
PS > Get-WinEvent -Path .\evt.etl -Oldest
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -Path .\evt.etl -Oldest
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-WinEvent], Exception
    + FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
However, I can see the events in eventvwr, in "Windows Logs" - "Security", and the events detail shows their source are "Microsoft-Windows-Security-Auditing".
System
Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
...
I searched and found some solutions, but they don't work:
https://serverfault.com/questions/599169/how-can-i-get-sesecurityprivilege-enabled
http://support.microsoft.com/kb/2000257 ...
I thought this might be a privilege problem, so I consulted the question above, ran as SYSTEM and got my SeSecurityPrivilege enabled (and all other privileges listed).
PS > whoami
nt authority\system
PS > whoami /priv
...
SeSecurityPrivilege Manage auditing and security log Enabled
... Enabled
# All privileges enabled
But after doing this, I still get no events.
This is a Windows Server 2012 R2 machine. After it failed, I tried exactly the same thing on another Windows 10 machine and got the same result.
Thanks for any help.
Thanks to my mentor, who provided me with the solution.
It turned out that this provider is protected, and only the trace created by Windows can read from it. You can't create a trace with it, but you can open the existing trace created by Windows. Also, running as SYSTEM is required.
Reference:
https://github.com/microsoft/krabsetw/blob/master/examples/ManagedExamples/UserTrace005.cs
https://github.com/microsoft/krabsetw/issues/5
https://github.com/microsoft/krabsetw/issues/79
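As an added example (not code from the original post, the mentor, or krabsetw's own UserTrace005.cs), here is a minimal C# consumer that follows the answer: instead of creating a new session like "evt", it attaches to the session Windows already runs for this provider, and it must be launched as SYSTEM. It assumes the krabsetw managed wrapper (the Microsoft.O365.Security.ETW NuGet package) and assumes that the Windows-created session is named EventLog-Security; confirm that name with `logman query -ets` on your machine before relying on it.

```csharp
// Added example, not from the original post and not krabsetw's own UserTrace005.cs.
// Assumptions: the krabsetw managed wrapper (Microsoft.O365.Security.ETW NuGet
// package) is referenced, the Windows-created session is named "EventLog-Security"
// (confirm with `logman query -ets`), and the process runs as NT AUTHORITY\SYSTEM.
using System;
using Microsoft.O365.Security.ETW;

static class SecurityAuditingConsumer
{
    // Provider GUID as shown in the event properties in the question.
    static readonly Guid SecurityAuditing =
        new Guid("54849625-5478-4994-A5BA-3E3B0328C30D");

    static void Main()
    {
        // Do NOT pick a new session name such as "evt": a fresh session cannot
        // enable this provider. Name the trace after the session Windows already
        // runs, so krabsetw attaches to that session instead of creating one.
        var trace = new UserTrace("EventLog-Security");
        var provider = new Provider(SecurityAuditing);

        provider.OnEvent += record =>
        {
            Console.WriteLine($"{record.Timestamp:o} id={record.Id} task={record.TaskName}");

            // 4624/4625 are the logon success/failure audits produced by the
            // sign-out/sign-in the question uses to generate events. The property
            // names below are the ones defined for those events in the provider's
            // manifest.
            if (record.Id == 4624 || record.Id == 4625)
            {
                string user = record.GetUnicodeString("TargetUserName");
                uint logonType = record.GetUInt32("LogonType");
                Console.WriteLine($"  user={user} logonType={logonType}");
            }
        };

        trace.Enable(provider);

        // Start() blocks and pumps events until the process is terminated.
        // The session belongs to Windows and feeds the Security log, so this
        // program never calls Stop() on it; ending the process only releases
        // this consumer's handle and leaves the session running.
        trace.Start();
    }
}
```

Build it as a console application referencing the krabsetw package and launch it as SYSTEM (the same elevation the question uses for `whoami`). If the session name is wrong, krabsetw simply starts a new session with that name and you are back to the empty trace from the question, so check `logman query -ets` first; if the process is not SYSTEM, attaching to the Windows session fails even with SeSecurityPrivilege enabled, which matches what the question observed.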