# ETW Provider Toggling

The Microsoft-Windows-Threat-Intelligence ETW provider was introduced in Windows 10.

This provider logs calls to a considerable number of APIs that are commonly used in malicious activity.

The actions logged by this provider can be observed with Pavel Yosifovich's tool, ETW Explorer:

<figure><img src="/files/BzPrh52t7gEVagbJpbvY" alt=""><figcaption></figcaption></figure>

As the screenshot shows, most malicious activity would involve an action logged by this provider in one way or another.

To turn the provider off, the following steps are taken:

1. Jump to the kernel base (the ntoskrnl image base) plus the `EtwThreatIntProvRegHandle` offset to obtain an `_ETW_REG_ENTRY`, which represents the TI provider.
2. In the `_ETW_REG_ENTRY`, locate the `_ETW_GUID_ENTRY` member called `GuidEntry`.
3. Inside `GuidEntry`, locate `ProviderEnableInfo`, of type `_TRACE_ENABLE_INFO`.
4. The first member of `_TRACE_ENABLE_INFO` is `IsEnabled`; write 1 to turn the provider on or 0 to turn it off.

The code looks like this:

<figure><img src="/files/6o5cYwCKrEz2JWsLqJKK" alt=""><figcaption></figcaption></figure>

Lazarus attacks carried out in the autumn of 2021 used this very technique to turn off ETW providers on victim machines, extending it to a number of additional providers, which differ only in their registration handles ("RegHandles").
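A defensive counterpart, added here and not part of the KernelCactus project or the original page: flipping `IsEnabled` produces no error and no event of its own, so the practical symptom on a monitored host is that Threat-Intelligence events simply stop while other providers keep reporting activity. The Python script below scans a constructed sensor log (the `timestamp|provider|event` line format, the sample lines and the threshold values are assumptions, not anything from the page) and flags every interval in which the TI provider went silent while other providers stayed active. The provider name and the TI task names used in the samples are real ETW identifiers; the log itself is made up.

```python
"""Detect a silenced Microsoft-Windows-Threat-Intelligence (TI) provider by telemetry-gap analysis.

Added example (not the page's or the project's code). Assumes a hypothetical
sensor that forwards every consumed ETW event as one line:
    <ISO-8601 timestamp>|<provider name>|<event name>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Real ETW provider name; everything about the log format around it is assumed.
TI_PROVIDER = "Microsoft-Windows-Threat-Intelligence"


@dataclass(frozen=True)
class Event:
    ts: datetime
    provider: str
    name: str


@dataclass(frozen=True)
class Finding:
    silent_since: datetime   # last TI event before the gap (or start of data if none)
    silent_until: datetime   # next TI event, or the last event in the data
    other_events: int        # non-TI events seen while TI was silent


def parse_line(line: str) -> Event:
    """Parse one constructed sensor line into an Event."""
    ts, provider, name = line.strip().split("|", 2)
    return Event(datetime.fromisoformat(ts), provider, name)


def find_ti_silence(events: Iterable[Event],
                    max_gap: timedelta = timedelta(minutes=5),
                    min_other_events: int = 3) -> List[Finding]:
    """Return intervals longer than max_gap with no TI event but at least
    min_other_events events from other providers.  Requiring other activity
    distinguishes a tampered provider from a machine that is simply idle."""
    evs = sorted(events, key=lambda e: e.ts)
    if not evs:
        return []
    findings: List[Finding] = []
    gap_start = evs[0].ts     # boundary of the current TI-free interval
    others = 0                # non-TI events inside that interval
    for e in evs:
        if e.provider == TI_PROVIDER:
            if e.ts - gap_start > max_gap and others >= min_other_events:
                findings.append(Finding(gap_start, e.ts, others))
            gap_start, others = e.ts, 0
        else:
            others += 1
    # Trailing interval: TI never resumed before the data ended.
    if evs[-1].ts - gap_start > max_gap and others >= min_other_events:
        findings.append(Finding(gap_start, evs[-1].ts, others))
    return findings


def analyze(log_text: str, **thresholds) -> List[Finding]:
    """Parse a whole log and run the detector over it."""
    return find_ti_silence(
        (parse_line(l) for l in log_text.splitlines() if l.strip()), **thresholds)


# Constructed sample: TI reports normally, then goes quiet at 09:02:30 while
# process telemetry keeps flowing, which is what the kernel toggle looks like.
SILENCED_LOG = """\
2021-10-04T09:00:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:00:05|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_ALLOCVM_REMOTE
2021-10-04T09:01:10|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_PROTECTVM_REMOTE
2021-10-04T09:02:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:02:30|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_READVM_REMOTE
2021-10-04T09:04:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:06:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:09:00|Microsoft-Windows-Kernel-Process|ImageLoad
2021-10-04T09:12:00|Microsoft-Windows-Kernel-Process|ProcessStart
"""

# Constructed control sample: TI keeps reporting, so nothing should be flagged.
HEALTHY_LOG = """\
2021-10-04T09:00:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:00:05|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_ALLOCVM_REMOTE
2021-10-04T09:03:00|Microsoft-Windows-Kernel-Process|ProcessStart
2021-10-04T09:04:00|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_PROTECTVM_REMOTE
2021-10-04T09:07:00|Microsoft-Windows-Kernel-Process|ImageLoad
2021-10-04T09:08:30|Microsoft-Windows-Threat-Intelligence|KERNEL_THREATINT_TASK_READVM_REMOTE
"""

if __name__ == "__main__":
    for f in analyze(SILENCED_LOG):
        print(f"TI silent from {f.silent_since} to {f.silent_until} "
              f"while {f.other_events} other events were logged")
    print("healthy log findings:", analyze(HEALTHY_LOG))
```

The thresholds are deliberately conservative: a short TI gap on a quiet machine is normal, so the detector only fires when the gap is long and other providers prove the host was busy. In a real deployment the same logic would run inside the PPL antimalware service that is the only legitimate consumer of this provider, and a finding would be corroborated by checking for unsigned or unexpected kernel drivers loaded shortly before the silence began.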
