High-performance ETW (Event Tracing for Windows) consumer library for Python

Project description

PyETWkit

A modern, high-performance ETW (Event Tracing for Windows) toolkit for Python, powered by a Rust backend.


Features

  • Real-time ETW streaming with sync API
  • Kernel providers: process, thread, registry, file, disk, network
  • User providers: DNS, Audio, and more via profiles
  • Filtering: by provider, event ID, trace level
  • ETL file reading: Parse existing trace logs
  • Export: CSV, JSON, JSONL, Parquet, Arrow formats
  • CLI tool: pyetwkit command for quick monitoring
  • Provider discovery: Search and list available providers
  • Pre-configured profiles: Audio, network, security scenarios
  • Rust backend (pyo3): High throughput, zero-copy event delivery
  • Windows 10 / 11 / Server supported

Installation

pip install pyetwkit

Quick Start

CLI Usage

# List available providers
pyetwkit providers
pyetwkit providers --search Kernel

# List profiles
pyetwkit profiles

# Listen to events (requires admin)
pyetwkit listen Microsoft-Windows-DNS-Client
pyetwkit listen --profile network

# Export ETL file
pyetwkit export trace.etl -o events.csv
pyetwkit export trace.etl -o events.parquet -f parquet

Python API

from pyetwkit._core import EtwProvider, EtwSession

# Create session
session = EtwSession("MySession")

# Add provider
provider = EtwProvider(
    "Microsoft-Windows-DNS-Client",
    "DNS-Client"
)
provider = provider.with_level(4)  # Info level
session.add_provider(provider)

# Start and process events
session.start()

try:
    while True:
        event = session.next_event_timeout(1000)
        if event:
            print(f"Event {event.event_id}: {event.provider_name}")
except KeyboardInterrupt:
    pass
finally:
    session.stop()
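As an added example (not code from the PyETWkit project), the session above extended into a small triage loop for DNS-Client events. It assumes that Microsoft-Windows-DNS-Client event ID 3008 ("DNS query completed") carries a QueryName property, that events expose event_id and to_dict()["properties"] as in the snippet above, and that the watchlist entry is a constructed placeholder.

```python
# Added example (not PyETWkit's own code): triage Microsoft-Windows-DNS-Client queries.
# Assumes event ID 3008 ("DNS query completed") carries a QueryName property, and the
# event.event_id / event.to_dict()["properties"] shape shown in the Quick Start above.
import re
from collections import Counter

DNS_QUERY_COMPLETED = 3008         # DNS-Client event ID (assumption, see header)
WATCHLIST = {"example-bad.test"}   # constructed sample watchlist, not a real indicator

def query_name(event_id, properties):
    """Return the queried hostname, normalised, for a 3008 event; otherwise None."""
    if event_id != DNS_QUERY_COMPLETED:
        return None
    name = properties.get("QueryName")
    return name.rstrip(".").lower() if name else None

def triage(name):
    """Classify a hostname as 'watchlist', 'dga-like' or 'ok'."""
    if name in WATCHLIST or any(name.endswith("." + w) for w in WATCHLIST):
        return "watchlist"
    longest = max(name.split("."), key=len)
    digit_ratio = sum(ch.isdigit() for ch in longest) / max(len(longest), 1)
    # Crude DGA heuristic: a long label that is digit-heavy or has no vowels at all.
    if len(longest) >= 16 and (digit_ratio > 0.3 or not re.search(r"[aeiou]", longest)):
        return "dga-like"
    return "ok"

def summarize(events):
    """events: iterable of (event_id, properties); returns {verdict: count}."""
    counts = Counter()
    for event_id, props in events:
        name = query_name(event_id, props)
        if name:
            counts[triage(name)] += 1
    return dict(counts)

def live(session_name="DnsTriage", max_events=100):
    """Attach to the DNS-Client provider and print a verdict per query (Windows, admin)."""
    from pyetwkit._core import EtwProvider, EtwSession  # imported here so the helpers run anywhere
    session = EtwSession(session_name)
    session.add_provider(EtwProvider("Microsoft-Windows-DNS-Client", "DNS-Client").with_level(4))
    session.start()
    try:
        for _ in range(max_events):
            event = session.next_event_timeout(1000)
            name = query_name(event.event_id, event.to_dict().get("properties", {})) if event else None
            if name:
                print(f"{triage(name):9s} {name}")
    finally:
        session.stop()
```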

Kernel Tracing

from pyetwkit._core import PyKernelFlags, PyKernelSession

flags = PyKernelFlags()
flags = flags.with_process()  # Enable process events

session = PyKernelSession(flags)
session.start()

for _ in range(10):
    event = session.next_event_timeout(1000)
    if event and event.event_id == 1:  # Process start
        props = event.to_dict().get("properties", {})
        print(f"Process: {props.get('ImageFileName')}")

session.stop()
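As an added example (not code from the PyETWkit project), the kernel process trace above turned into a burst detector that flags an image started many times within a short window, a common signal for scripted tool spawning. It assumes the event_id == 1 / ImageFileName convention shown in the snippet above and stamps events with the consumer's own clock, so the window logic runs and tests without ETW.

```python
# Added example (not PyETWkit's own code): flag bursts of process starts per image name.
# Assumes, as in the snippet above, that process-start events have event_id == 1 and an
# ImageFileName property; the sliding-window logic is plain Python and testable without ETW.
from collections import defaultdict, deque

PROCESS_START = 1  # event ID the Kernel Tracing snippet above uses for process start

class BurstDetector:
    """Fires when one image has been started `threshold` times within `window_s` seconds."""

    def __init__(self, threshold=20, window_s=10.0):
        self.threshold = threshold
        self.window_s = window_s
        self._starts = defaultdict(deque)  # image name -> timestamps of recent starts

    def observe(self, event_id, properties, now):
        """Feed one event; return the image name when its count reaches the threshold."""
        if event_id != PROCESS_START:
            return None
        image = properties.get("ImageFileName")
        if not image:
            return None
        q = self._starts[image.lower()]
        q.append(now)
        while q and now - q[0] > self.window_s:  # forget starts older than the window
            q.popleft()
        # Report on the exact crossing, not on every later start while still above it.
        return image.lower() if len(q) == self.threshold else None

def replay(events, threshold=3, window_s=10.0):
    """events: iterable of (event_id, properties, timestamp); returns images that burst."""
    det = BurstDetector(threshold, window_s)
    return [hit for ev in events if (hit := det.observe(*ev))]

def live(max_events=1000):
    """Consume kernel process events on Windows (admin) and print bursts as they happen."""
    import time
    from pyetwkit._core import PyKernelFlags, PyKernelSession  # imported here so the helpers run anywhere
    session = PyKernelSession(PyKernelFlags().with_process())
    session.start()
    det = BurstDetector()
    try:
        for _ in range(max_events):
            event = session.next_event_timeout(1000)
            if event:
                hit = det.observe(event.event_id, event.to_dict().get("properties", {}), time.monotonic())
                if hit:
                    print(f"burst: {hit} started {det.threshold}x within {det.window_s}s")
    finally:
        session.stop()
```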

Provider Discovery

from pyetwkit._core import list_providers, search_providers

# List all providers
for p in list_providers()[:10]:
    print(f"{p.name}: {p.guid}")

# Search by name
for p in search_providers("Kernel"):
    print(p.name)

Export Events

from pyetwkit._core import EtlReader
from pyetwkit.export import to_csv, to_parquet

# Read ETL file
reader = EtlReader("trace.etl")
events = list(reader.events())

# Export to various formats
to_csv(events, "events.csv")
to_parquet(events, "events.parquet")

Architecture

Python API / CLI
  ↓
pyetwkit (Python package)
  ↓
pyetwkit._core (Rust/pyo3)
  ↓
ferrisetw (Rust ETW library)
  ↓
Windows ETW subsystem


Roadmap

Completed

  • Rust ETW consumer (ferrisetw backend)
  • Provider discovery and enumeration
  • User-mode ETW sessions
  • Kernel-mode tracing (process, thread, image load)
  • Event schema and property parsing
  • ETL file reading
  • Export to CSV, JSON, JSONL, Parquet, Arrow
  • CLI tool (pyetwkit command)
  • Provider profiles (audio, network, security)
  • Stack trace capture support
  • Session statistics

Planned

v1.1 - Enhanced Core

v2.0 - Enterprise Features

v3.0 - Advanced Analysis


Examples

See the examples/ directory for complete sample scripts:

  • basic_session.py - Simple ETW session
  • kernel_trace.py - Kernel-level process monitoring
  • export_events.py - Capture and export events
  • provider_discovery.py - Find ETW providers
  • profiles.py - Use pre-configured profiles
  • read_etl.py - Read ETL files

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add some amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

MIT


Author

m96-chan

Download files

Source Distribution

  • pyetwkit-2.0.0.tar.gz (66.5 kB), Source

Built Distributions

  • pyetwkit-2.0.0-cp313-cp313-win_amd64.whl (414.4 kB), CPython 3.13, Windows x86-64
  • pyetwkit-2.0.0-cp312-cp312-win_amd64.whl (414.7 kB), CPython 3.12, Windows x86-64
  • pyetwkit-2.0.0-cp311-cp311-win_amd64.whl (414.4 kB), CPython 3.11, Windows x86-64
  • pyetwkit-2.0.0-cp310-cp310-win_amd64.whl (414.6 kB), CPython 3.10, Windows x86-64
  • pyetwkit-2.0.0-cp39-cp39-win_amd64.whl (415.2 kB), CPython 3.9, Windows x86-64

File details

Details for the file pyetwkit-2.0.0.tar.gz.

File metadata

  • Download URL: pyetwkit-2.0.0.tar.gz
  • Size: 66.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7


Provenance

The following attestation bundles were made for pyetwkit-2.0.0.tar.gz:

Publisher: release.yml on m96-chan/PyETWkit

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
