
High-performance ETW (Event Tracing for Windows) consumer library for Python

Project description

PyETWkit


A modern, high-performance ETW (Event Tracing for Windows) toolkit for Python, powered by a Rust backend.


Features

Core

  • Real-time ETW streaming with a synchronous API
  • Kernel providers: process, thread, registry, file, disk, network
  • User providers: DNS, Audio, and more via profiles
  • ETL file reading: Parse existing trace logs
  • Rust backend (pyo3): High throughput, zero-copy event delivery
  • Windows 10 / 11 / Server supported

v2.0 - Enterprise Features

  • Multi-session support: Run multiple ETW sessions simultaneously
  • Manifest-based typed events: Parse ETW manifests for structured event data
  • Rust-side filtering: High-performance event filtering in Rust
  • Provider discovery: Search and list available providers
  • Pre-configured profiles: Audio, network, security scenarios

v3.0 - Advanced Analysis

  • Live Dashboard: Browser-based real-time visualization with Gradio
  • Event Correlation Engine: Auto-correlate events by PID/TID/Handle
  • Recording & Replay: Capture and replay ETW sessions (.etwpack format)
  • OpenTelemetry Exporter: Export events to OTLP (Jaeger, Grafana, Datadog)

Export Formats

  • CSV, JSON, JSONL, Parquet, Arrow

Installation

pip install pyetwkit

# Optional: Dashboard support
pip install pyetwkit[dashboard]

# Optional: Export to Parquet/Arrow
pip install pyetwkit[export]

Quick Start

CLI Usage

# List available providers
pyetwkit providers
pyetwkit providers --search Kernel

# List profiles
pyetwkit profiles

# Listen to events (requires admin)
pyetwkit listen Microsoft-Windows-DNS-Client
pyetwkit listen --profile network

# Launch live dashboard (requires admin)
pyetwkit dashboard Microsoft-Windows-Kernel-Process
pyetwkit dashboard --profile network --port 8080

# Export ETL file
pyetwkit export trace.etl -o events.csv
pyetwkit export trace.etl -o events.parquet -f parquet

Python API

from pyetwkit._core import EtwProvider, EtwSession

# Create session
session = EtwSession("MySession")

# Add provider
provider = EtwProvider(
    "Microsoft-Windows-DNS-Client",
    "DNS-Client"
)
provider = provider.with_level(4)  # Info level
session.add_provider(provider)

# Start and process events
session.start()

try:
    while True:
        event = session.next_event_timeout(1000)
        if event:
            print(f"Event {event.event_id}: {event.provider_name}")
except KeyboardInterrupt:
    pass
finally:
    session.stop()

Live Dashboard

from pyetwkit import Dashboard

# Create and launch dashboard
dashboard = Dashboard(port=7860)
dashboard.add_provider("Microsoft-Windows-Kernel-Process")
dashboard.add_provider("Microsoft-Windows-DNS-Client")

# Opens browser at http://localhost:7860
dashboard.launch()

Event Correlation

from pyetwkit import CorrelationEngine

# Create correlation engine
engine = CorrelationEngine()
engine.add_provider("Microsoft-Windows-Kernel-Process")
engine.add_provider("Microsoft-Windows-Kernel-Network")

# Add events from your ETW session
for event in events:
    engine.add_event(event)

# Correlate events by process ID
correlated = engine.correlate_by_pid(1234)
for event in correlated:
    print(f"Event {event.event_id} from {event.provider_name}")

# Export to timeline JSON
timeline = engine.to_timeline_json(pid=1234)

Recording & Replay

from pyetwkit import Recorder, Player, CompressionType, RecorderConfig

# Record events
config = RecorderConfig(compression=CompressionType.ZSTD)
recorder = Recorder("session.etwpack", config=config)
recorder.add_provider("Microsoft-Windows-DNS-Client")
recorder.start()

# ... capture events ...
recorder.stop()

# Replay events
player = Player("session.etwpack")
print(f"Duration: {player.duration:.2f}s, Events: {player.event_count}")

for event in player.events():
    print(f"Event {event['event_id']}")

OpenTelemetry Export

from pyetwkit import OtlpExporter, SpanMapper

# Configure exporter
exporter = OtlpExporter(
    endpoint="http://collector:4317",
    service_name="my-service",
    resource_attributes={
        "deployment.environment": "production",
    },
)

# Map ETW events to spans
mapper = SpanMapper()
mapper.add_rule(
    provider="Microsoft-Windows-Kernel-Process",
    event_id=1,
    span_name="process.start",
    attributes=["ProcessId", "ImageFileName"],
)

# Export events
for event in events:
    exporter.export(event)
exporter.flush()

Kernel Tracing

from pyetwkit._core import PyKernelFlags, PyKernelSession

flags = PyKernelFlags()
flags = flags.with_process()  # Enable process events

session = PyKernelSession(flags)
session.start()

for _ in range(10):
    event = session.next_event_timeout(1000)
    if event and event.event_id == 1:  # Process start
        props = event.to_dict().get("properties", {})
        print(f"Process: {props.get('ImageFileName')}")

session.stop()
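The polling loops in the Python API and Kernel Tracing snippets above both rely on next_event_timeout() returning nothing when the session is idle. The example below is added here and is not part of PyETWkit: it wraps that loop in a helper that stops after a bounded run of idle timeouts, then counts process-start events by ImageFileName (the property name the page's kernel snippet uses). FakeEvent and FakeSession are constructed stand-ins so the logic can be exercised offline; drain and process_start_images are hypothetical helper names.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FakeEvent:
    """Constructed stand-in: only event_id, provider_name and to_dict() are used."""
    event_id: int
    provider_name: str
    properties: dict = field(default_factory=dict)

    def to_dict(self):
        return {"event_id": self.event_id, "provider_name": self.provider_name,
                "properties": dict(self.properties)}


class FakeSession:
    """Constructed stand-in for a session: next_event_timeout() returns None when idle."""
    def __init__(self, events):
        self._events = list(events)

    def next_event_timeout(self, timeout_ms):
        return self._events.pop(0) if self._events else None


def drain(session, max_events, idle_polls=3, timeout_ms=1000):
    """Pull events until max_events are collected or idle_polls timeouts pass in a row."""
    events, idle = [], 0
    while len(events) < max_events and idle < idle_polls:
        ev = session.next_event_timeout(timeout_ms)
        if ev is None:          # timeout with no event: count it as an idle poll
            idle += 1
            continue
        idle = 0
        events.append(ev)
    return events


def process_start_images(events, start_event_id=1):
    """Count process-start events by ImageFileName; events lacking it fall under '<unknown>'."""
    counts = Counter()
    for ev in events:
        if ev.event_id != start_event_id:
            continue
        props = ev.to_dict().get("properties", {})
        counts[props.get("ImageFileName") or "<unknown>"] += 1
    return counts


if __name__ == "__main__":
    # Live use on Windows (admin), set up exactly as in the page's kernel-tracing snippet.
    from pyetwkit._core import PyKernelFlags, PyKernelSession
    session = PyKernelSession(PyKernelFlags().with_process())
    session.start()
    try:
        print(process_start_images(drain(session, max_events=200)).most_common(10))
    finally:
        session.stop()
```

The idle-poll cutoff matters for unattended collection: without it the page's `while True` loop only ends on Ctrl-C, and a session left running keeps the kernel logger enabled.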

Provider Discovery

from pyetwkit._core import list_providers, search_providers

# List all providers
for p in list_providers()[:10]:
    print(f"{p.name}: {p.guid}")

# Search by name
for p in search_providers("Kernel"):
    print(p.name)

Export Events

from pyetwkit._core import EtlReader
from pyetwkit.export import to_csv, to_parquet

# Read ETL file
reader = EtlReader("trace.etl")
events = list(reader.events())

# Export to various formats
to_csv(events, "events.csv")
to_parquet(events, "events.parquet")

Architecture

Python API / CLI
  ↓
pyetwkit (Python package)
  ↓
pyetwkit._core (Rust/pyo3)
  ↓
ferrisetw (Rust ETW library)
  ↓
Windows ETW subsystem

Changelog

v3.0.0 (2024-12)

  • Live Dashboard: Gradio-based real-time UI (pyetwkit dashboard CLI)
  • Event Correlation Engine: Link events by PID/TID/Handle with timeline export
  • Recording & Replay: Capture sessions to .etwpack format with compression
  • OpenTelemetry Exporter: Export to OTLP endpoints (Jaeger, Grafana, etc.)

v2.0.0 (2024-12)

  • Multi-session support: Run multiple ETW sessions simultaneously
  • Manifest-based typed events: Parse ETW provider manifests
  • Rust-side filtering: High-performance filtering with RustEventFilter
  • Enhanced CLI: Provider profiles, export options

v1.0.0 (2024-12)

  • Initial release
  • Real-time ETW streaming
  • Kernel and user-mode providers
  • ETL file reading
  • Export to CSV, JSON, JSONL, Parquet, Arrow
  • CLI tool with provider discovery

Examples

See the examples/ directory for complete sample scripts:

  • basic_session.py - Simple ETW session
  • kernel_trace.py - Kernel-level process monitoring
  • export_events.py - Capture and export events
  • provider_discovery.py - Find ETW providers
  • profiles.py - Use pre-configured profiles
  • read_etl.py - Read ETL files
  • demo_v2_features.py - v2.0 features demo
  • demo_v3_features.py - v3.0 features demo

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT


Author

m96-chan

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyetwkit-3.0.1.tar.gz (79.7 kB)

Uploaded Source

Built Distributions


pyetwkit-3.0.1-cp313-cp313-win_amd64.whl (431.1 kB)

Uploaded CPython 3.13, Windows x86-64

pyetwkit-3.0.1-cp312-cp312-win_amd64.whl (431.4 kB)

Uploaded CPython 3.12, Windows x86-64

pyetwkit-3.0.1-cp311-cp311-win_amd64.whl (431.1 kB)

Uploaded CPython 3.11, Windows x86-64

pyetwkit-3.0.1-cp310-cp310-win_amd64.whl (431.2 kB)

Uploaded CPython 3.10, Windows x86-64

pyetwkit-3.0.1-cp39-cp39-win_amd64.whl (431.8 kB)

Uploaded CPython 3.9, Windows x86-64

File details

Details for the file pyetwkit-3.0.1.tar.gz.

File metadata

  • Download URL: pyetwkit-3.0.1.tar.gz
  • Upload date:
  • Size: 79.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1.tar.gz
Algorithm Hash digest
SHA256 186f0a693563d91fc6a3a79d28d418dd6394a4027155dd0a6108a76fee9d623f
MD5 d622d2f473012a539e1cced8f12212f9
BLAKE2b-256 15b4d2597c57aaa2340e63862590d4bcb9cbd9aa6fd0f443fa1f3ce7ee4603bd


Provenance

The following attestation bundles were made for pyetwkit-3.0.1.tar.gz:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-3.0.1-cp313-cp313-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-3.0.1-cp313-cp313-win_amd64.whl
  • Upload date:
  • Size: 431.1 kB
  • Tags: CPython 3.13, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1-cp313-cp313-win_amd64.whl
Algorithm Hash digest
SHA256 173eaf10cf69f91661b1ea11ea8e3eac28fb890a8ac80fb7e2f8335dff73a23f
MD5 b22c1850a615ccd477a72475e8e8e480
BLAKE2b-256 d7647eec7a0f3727b309b774ab425d0296efdeecb9039e50c54f113d98fe6ffe


Provenance

The following attestation bundles were made for pyetwkit-3.0.1-cp313-cp313-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit


File details

Details for the file pyetwkit-3.0.1-cp312-cp312-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-3.0.1-cp312-cp312-win_amd64.whl
  • Upload date:
  • Size: 431.4 kB
  • Tags: CPython 3.12, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 aaf4452db65838fa1c7a8ce1db83f448e6fa6000c1d80ad61dcabeef7b7d01f4
MD5 cbaf2681ca8160d1226ff15eadb69ad6
BLAKE2b-256 da7a717b5d6e9ac7b9378cf870213604dffdf4c98c7c337749025ad08dc1f0b4


Provenance

The following attestation bundles were made for pyetwkit-3.0.1-cp312-cp312-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit


File details

Details for the file pyetwkit-3.0.1-cp311-cp311-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-3.0.1-cp311-cp311-win_amd64.whl
  • Upload date:
  • Size: 431.1 kB
  • Tags: CPython 3.11, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1-cp311-cp311-win_amd64.whl
Algorithm Hash digest
SHA256 32fba7a87108e9cda17922e2f524db712b8fdf4027acb6bca3858325ef332df2
MD5 217bb20e007db228ad219759c41975b9
BLAKE2b-256 9b00c02422f85655b4ebae8b927a8e3cc487de55dac91edb4ffc3fe9929090b6


Provenance

The following attestation bundles were made for pyetwkit-3.0.1-cp311-cp311-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit


File details

Details for the file pyetwkit-3.0.1-cp310-cp310-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-3.0.1-cp310-cp310-win_amd64.whl
  • Upload date:
  • Size: 431.2 kB
  • Tags: CPython 3.10, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1-cp310-cp310-win_amd64.whl
Algorithm Hash digest
SHA256 093becc436d07880a44651f8165a7f2f07d94fed03262bff61c030f44892c84e
MD5 ceed9b23eb81a04fbedfe9015e6db399
BLAKE2b-256 f8746e344101e918b5e40fb6f7e29047d3a8011e45b7142bb305b000641d65e1


Provenance

The following attestation bundles were made for pyetwkit-3.0.1-cp310-cp310-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit


File details

Details for the file pyetwkit-3.0.1-cp39-cp39-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-3.0.1-cp39-cp39-win_amd64.whl
  • Upload date:
  • Size: 431.8 kB
  • Tags: CPython 3.9, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-3.0.1-cp39-cp39-win_amd64.whl
Algorithm Hash digest
SHA256 5e0e245c37444042ac26ec43b7ec1d2f9a44abb42952495fd91c534a0805a210
MD5 73a6d32fda432a73d5218c55d07d5ce1
BLAKE2b-256 928b069e072b69de64e2ec68cc6ee8e57a5e8a1c1455c541d00fda535cbade58


Provenance

The following attestation bundles were made for pyetwkit-3.0.1-cp39-cp39-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

