High-performance ETW (Event Tracing for Windows) consumer library for Python

PyETWkit

A modern, high-performance ETW (Event Tracing for Windows) toolkit for Python, powered by a Rust backend.


Features

  • Real-time ETW streaming (sync & async)
  • Kernel providers: process, thread, registry, file, disk, network...
  • User providers: NDIS, Media Foundation, WASAPI, DXGI, Audio...
  • Filtering: provider / event ID / PID / opcode
  • Rust backend (pyo3) for high throughput & zero-copy event delivery
  • Windows 10 / 11 / Server supported
  • Modern, simple Python API (no ctypes hell)

Installation

pip install pyetwkit

Note: We recommend starting with TestPyPI releases during early development.


Quick Start

Listen to process events

from pyetwkit import EtwListener

listener = EtwListener("Microsoft-Windows-Kernel-Process")

for event in listener.events():
    print(event.timestamp, event.process_id, event.event_name)

Async streaming

import asyncio
from pyetwkit import EtwStreamer

async def main():
    async for e in EtwStreamer("Microsoft-Windows-Kernel-Network"):
        print(e)

asyncio.run(main())

Filter by PID

from pyetwkit import EtwListener

# Only deliver events for the given process ID
listener = EtwListener("Microsoft-Windows-Kernel-Process", pid=1234)

for e in listener:
    print("Process event:", e)

Architecture

Python API
  ↓
Rust backend (pyo3)
  ↓
Windows ETW subsystem
  • Rust handles real-time ETW session processing
  • Fast and safe struct passing to Python
  • Strong backpressure handling with minimal latency
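
A consumer-side pattern that complements the backpressure point above, as an added example (not PyETWkit code): the iteration loop hands events to a worker through a bounded queue and counts what it has to drop, so a slow analyzer shows up as a measurable telemetry gap instead of a stalled loop. `Event`, `pump`, `monitor`, `sample_events` and the `"ProcessStart"` value are hypothetical; the only thing taken from the page is iterating an event source and the attribute names used in the Quick Start.

```python
import queue
import threading
from collections import Counter, namedtuple

# Constructed stand-in for an ETW event; the field names mirror the
# attributes printed in the Quick Start (assumption: nothing else is used).
Event = namedtuple("Event", "timestamp process_id event_name")

def pump(source, out_q):
    """Drain `source` without ever blocking; return (seen, dropped)."""
    seen = dropped = 0
    for event in source:
        seen += 1
        try:
            out_q.put_nowait(event)
        except queue.Full:
            dropped += 1  # record the gap instead of stalling the event loop
    return seen, dropped

def monitor(source, handler, capacity=1024):
    """Run `handler` on a worker thread fed through a bounded queue."""
    q = queue.Queue(maxsize=capacity)
    stats = {"errors": 0}

    def worker():
        while (event := q.get()) is not None:
            try:
                handler(event)
            except Exception:
                stats["errors"] += 1  # a bad event must not kill the worker

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    stats["seen"], stats["dropped"] = pump(source, q)
    q.put(None)  # sentinel: blocks only until the worker frees a slot
    t.join()
    return stats

def sample_events(n):
    """Constructed sample data: n process events split across two PIDs."""
    for i in range(n):
        yield Event(i, 1234 if i % 2 else 4321, "ProcessStart")

if __name__ == "__main__":
    per_pid = Counter()
    stats = monitor(sample_events(100), lambda e: per_pid.update([e.process_id]))
    print(stats, dict(per_pid))
```

On Windows, the `source` argument would be the listener from the Quick Start in place of `sample_events(...)`; a non-zero `dropped` count means the handler is too slow for the chosen queue capacity.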

Providers (Examples)

Provider                             Description
Microsoft-Windows-Kernel-Process     Process create/exit
Microsoft-Windows-Kernel-Thread      Thread lifecycle
Microsoft-Windows-Kernel-File        File I/O
Microsoft-Windows-Kernel-Network     TCP/UDP events
Microsoft-Windows-Kernel-Registry    Registry operations
Microsoft-Windows-Win32k             UI subsystem

User providers (MF, Audio, DXGI, NDIS, WASAPI) are also available.


Rust Backend (WIP)

Rust crate structure:

pyetwkit-core/
 ├─ src/
 │   ├─ lib.rs
 │   ├─ consumer.rs
 │   ├─ provider.rs
 │   └─ event.rs
 ├─ Cargo.toml

Python binding via pyo3:

use pyo3::prelude::*;

#[pyfunction]
fn start_provider(provider: String) -> PyResult<()> {
    // Start ETW session (session logic is not shown here)
    let _ = provider;
    Ok(())
}

Roadmap

  • Minimal Rust ETW consumer
  • Provider auto-discovery
  • Schema loader (manifest reader)
  • Parquet / Arrow / Pandas export
  • pyetwkit-cli (live viewer)
  • Provider profiles for Audio / VRChat / OBS

Contributing

Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT


Author

m96-chan

Download files

Source Distribution

pyetwkit-1.0.0.tar.gz (48.8 kB)

Uploaded: Source

Built Distributions

pyetwkit-1.0.0-cp313-cp313-win_amd64.whl (394.8 kB)

Uploaded: CPython 3.13, Windows x86-64

pyetwkit-1.0.0-cp312-cp312-win_amd64.whl (395.0 kB)

Uploaded: CPython 3.12, Windows x86-64

pyetwkit-1.0.0-cp311-cp311-win_amd64.whl (394.7 kB)

Uploaded: CPython 3.11, Windows x86-64

pyetwkit-1.0.0-cp310-cp310-win_amd64.whl (394.6 kB)

Uploaded: CPython 3.10, Windows x86-64

pyetwkit-1.0.0-cp39-cp39-win_amd64.whl (395.3 kB)

Uploaded: CPython 3.9, Windows x86-64

File details

Details for the file pyetwkit-1.0.0.tar.gz.

File metadata

  • Download URL: pyetwkit-1.0.0.tar.gz
  • Upload date:
  • Size: 48.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0.tar.gz:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.0.0-cp313-cp313-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.0.0-cp313-cp313-win_amd64.whl
  • Upload date:
  • Size: 394.8 kB
  • Tags: CPython 3.13, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0-cp313-cp313-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.0.0-cp312-cp312-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.0.0-cp312-cp312-win_amd64.whl
  • Upload date:
  • Size: 395.0 kB
  • Tags: CPython 3.12, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0-cp312-cp312-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.0.0-cp311-cp311-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.0.0-cp311-cp311-win_amd64.whl
  • Upload date:
  • Size: 394.7 kB
  • Tags: CPython 3.11, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0-cp311-cp311-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.0.0-cp310-cp310-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.0.0-cp310-cp310-win_amd64.whl
  • Upload date:
  • Size: 394.6 kB
  • Tags: CPython 3.10, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0-cp310-cp310-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.0.0-cp39-cp39-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.0.0-cp39-cp39-win_amd64.whl
  • Upload date:
  • Size: 395.3 kB
  • Tags: CPython 3.9, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

Provenance

The following attestation bundles were made for pyetwkit-1.0.0-cp39-cp39-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
