High-performance ETW (Event Tracing for Windows) consumer library for Python

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for m96-chan from gravatar.com m96-chan

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: m96-chan
  • Tags etw , windows , tracing , events , monitoring , logging
  • Requires: Python >=3.9
  • Provides-Extra: dev , export , docs
Classifiers
Report project as malware

Project description

PyETWkit

PyPI version Python License: MIT CI

A modern, high-performance ETW (Event Tracing for Windows) toolkit for Python, powered by a Rust backend.

Features

  • Real-time ETW streaming with sync API
  • Kernel providers: process, thread, registry, file, disk, network
  • User providers: DNS, Audio, and more via profiles
  • Filtering: by provider, event ID, trace level
  • ETL file reading: Parse existing trace logs
  • Export: CSV, JSON, JSONL, Parquet, Arrow formats
  • CLI tool: pyetwkit command for quick monitoring
  • Provider discovery: Search and list available providers
  • Pre-configured profiles: Audio, network, security scenarios
  • Rust backend (pyo3): High throughput, zero-copy event delivery
  • Windows 10 / 11 / Server supported

Installation

pip install pyetwkit

Quick Start

CLI Usage

# List available providers
pyetwkit providers
pyetwkit providers --search Kernel

# List profiles
pyetwkit profiles

# Listen to events (requires admin)
pyetwkit listen Microsoft-Windows-DNS-Client
pyetwkit listen --profile network

# Export ETL file
pyetwkit export trace.etl -o events.csv
pyetwkit export trace.etl -o events.parquet -f parquet

Python API

from pyetwkit._core import EtwProvider, EtwSession

# Create session
session = EtwSession("MySession")

# Add provider
provider = EtwProvider(
    "Microsoft-Windows-DNS-Client",
    "DNS-Client"
)
provider = provider.with_level(4)  # Info level
session.add_provider(provider)

# Start and process events
session.start()

try:
    while True:
        event = session.next_event_timeout(1000)
        if event:
            print(f"Event {event.event_id}: {event.provider_name}")
except KeyboardInterrupt:
    pass
finally:
    session.stop()

Kernel Tracing

from pyetwkit._core import PyKernelFlags, PyKernelSession

flags = PyKernelFlags()
flags = flags.with_process()  # Enable process events

session = PyKernelSession(flags)
session.start()

for _ in range(10):
    event = session.next_event_timeout(1000)
    if event and event.event_id == 1:  # Process start
        props = event.to_dict().get("properties", {})
        print(f"Process: {props.get('ImageFileName')}")

session.stop()

Provider Discovery

from pyetwkit._core import list_providers, search_providers

# List all providers
for p in list_providers()[:10]:
    print(f"{p.name}: {p.guid}")

# Search by name
for p in search_providers("Kernel"):
    print(p.name)

Export Events

from pyetwkit._core import EtlReader
from pyetwkit.export import to_csv, to_parquet

# Read ETL file
reader = EtlReader("trace.etl")
events = list(reader.events())

# Export to various formats
to_csv(events, "events.csv")
to_parquet(events, "events.parquet")

Architecture

Python API / CLI
  ↓
pyetwkit (Python package)
  ↓
pyetwkit._core (Rust/pyo3)
  ↓
ferrisetw (Rust ETW library)
  ↓
Windows ETW subsystem

Documentation

Roadmap

Completed

  • Rust ETW consumer (ferrisetw backend)
  • Provider discovery and enumeration
  • User-mode ETW sessions
  • Kernel-mode tracing (process, thread, image load)
  • Event schema and property parsing
  • ETL file reading
  • Export to CSV, JSON, JSONL, Parquet, Arrow
  • CLI tool (pyetwkit command)
  • Provider profiles (audio, network, security)
  • Stack trace capture support
  • Session statistics

Planned

v1.1 - Enhanced Core

v2.0 - Enterprise Features

v3.0 - Advanced Analysis

Examples

See the examples/ directory for complete sample scripts:

  • basic_session.py - Simple ETW session
  • kernel_trace.py - Kernel-level process monitoring
  • export_events.py - Capture and export events
  • provider_discovery.py - Find ETW providers
  • profiles.py - Use pre-configured profiles
  • read_etl.py - Read ETL files

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT

Author

m96-chan

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for m96-chan from gravatar.com m96-chan

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: MIT License (MIT)
  • Author: m96-chan
  • Tags etw , windows , tracing , events , monitoring , logging
  • Requires: Python >=3.9
  • Provides-Extra: dev , export , docs
Classifiers

Release history Release notifications | RSS feed

3.0.1

2.0.0

This version

1.1.0

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyetwkit-1.1.0.tar.gz (57.5 kB view details)

Uploaded Source

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

pyetwkit-1.1.0-cp313-cp313-win_amd64.whl (404.6 kB view details)

Uploaded CPython 3.13Windows x86-64

pyetwkit-1.1.0-cp312-cp312-win_amd64.whl (404.9 kB view details)

Uploaded CPython 3.12Windows x86-64

pyetwkit-1.1.0-cp311-cp311-win_amd64.whl (404.6 kB view details)

Uploaded CPython 3.11Windows x86-64

pyetwkit-1.1.0-cp310-cp310-win_amd64.whl (404.7 kB view details)

Uploaded CPython 3.10Windows x86-64

pyetwkit-1.1.0-cp39-cp39-win_amd64.whl (405.3 kB view details)

Uploaded CPython 3.9Windows x86-64

File details

Details for the file pyetwkit-1.1.0.tar.gz.

File metadata

  • Download URL: pyetwkit-1.1.0.tar.gz
  • Upload date:
  • Size: 57.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0.tar.gz
Algorithm Hash digest
SHA256 b27d390418a13f01787e354e1b784c292dafe039e38fc7162bdf5f3df7580c19
MD5 7e3da003366c0a993f5d51afcb247ae0
BLAKE2b-256 410a7e57249ec13757bb6d7085859f3b9ed33a469ed0188e53e006fca65a0056

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0.tar.gz:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.1.0-cp313-cp313-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.1.0-cp313-cp313-win_amd64.whl
  • Upload date:
  • Size: 404.6 kB
  • Tags: CPython 3.13, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0-cp313-cp313-win_amd64.whl
Algorithm Hash digest
SHA256 e378493672fe4d88bf530c6845d412c624005dc35a0cb0ddb0800e8608cbd093
MD5 1f03e4ee40453d9c61aa9c45a0d78a10
BLAKE2b-256 c06a8db7766083cb27665b4809a9fbd94cab6d23a8a4e6aa3ed82fbc04b23dcd

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0-cp313-cp313-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.1.0-cp312-cp312-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.1.0-cp312-cp312-win_amd64.whl
  • Upload date:
  • Size: 404.9 kB
  • Tags: CPython 3.12, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0-cp312-cp312-win_amd64.whl
Algorithm Hash digest
SHA256 b6481c51477a9aea0f69b9e17f153a35a628ee218fd8988bd83a1dc7d115f844
MD5 d4e51a6ac91c128a9ac61fc74c8ac3f2
BLAKE2b-256 3ff2f2c88565c109a1be08237785917838b82149bdfbdfae3382fc09d1aedfe9

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0-cp312-cp312-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.1.0-cp311-cp311-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.1.0-cp311-cp311-win_amd64.whl
  • Upload date:
  • Size: 404.6 kB
  • Tags: CPython 3.11, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0-cp311-cp311-win_amd64.whl
Algorithm Hash digest
SHA256 f189ac70b07d576e5e45be60a07abaa0310a59720346319bb9f37989c0031a73
MD5 44b5ae62bb639bdb9b7c1fb485793d7c
BLAKE2b-256 7634d049fb7eb6e16043568a3a016faa8a4a9f673ff4daeb98de3476c94b0a81

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0-cp311-cp311-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.1.0-cp310-cp310-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.1.0-cp310-cp310-win_amd64.whl
  • Upload date:
  • Size: 404.7 kB
  • Tags: CPython 3.10, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0-cp310-cp310-win_amd64.whl
Algorithm Hash digest
SHA256 bc11b8161ed23f62433fa732931017eea5374e809e786bf1e7e4f2c1efc6bed0
MD5 37f14ec526adbaa2f266257d68d73e49
BLAKE2b-256 1c29d061988861c2ff6d1562f72b237efa18ac3db6b3ba100a82cb1b6865a15d

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0-cp310-cp310-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pyetwkit-1.1.0-cp39-cp39-win_amd64.whl.

File metadata

  • Download URL: pyetwkit-1.1.0-cp39-cp39-win_amd64.whl
  • Upload date:
  • Size: 405.3 kB
  • Tags: CPython 3.9, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pyetwkit-1.1.0-cp39-cp39-win_amd64.whl
Algorithm Hash digest
SHA256 2ad994c102e87a7f1cf0161b31f3d04c35c2ccae87c0ec94ee579d65a92c999c
MD5 7581be96e6eed7c7588464dcd0d9dd6c
BLAKE2b-256 ba30a3981948da7e3f970a1ba80d53e901dc7296e6752dbdd2382ec3fa9c9f06

See more details on using hashes here.

Provenance

The following attestation bundles were made for pyetwkit-1.1.0-cp39-cp39-win_amd64.whl:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page