# ETW Provider Toggling

Microsoft-Windows-Threat-Intelligence is an ETW provider that was introduced in Windows 10.

This provider logs information about a sizable set of APIs that are commonly used in malicious activity.

The events logged by this provider can be observed with Pavel Yosifovich’s tool, ETW Explorer:

<figure><img src="https://3225596869-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfhLztwDgT7iE72rxX2cz%2Fuploads%2FlXUQ9R4dVkgNWtFGYarn%2Fimage.png?alt=media&#x26;token=526693c8-37fe-49ba-822c-5336f38f58c2" alt=""><figcaption></figcaption></figure>

As the screenshot shows, most malicious activity would, one way or another, include an action logged by this provider.

Turning the provider off involves the following steps. Note that every structure below lives in kernel memory, so this requires code already running in kernel mode (for instance a loaded driver) with write access to it; from a defender's point of view, the technique is therefore tied to driver loading and kernel write primitives rather than to anything a user-mode process can do on its own.

1. Jump to the kernel image base (KernelBase) plus the `EtwThreatIntProvRegHandle` offset to obtain an `_ETW_REG_ENTRY`, which represents the TI provider.
2. In the `_ETW_REG_ENTRY`, locate the `_ETW_GUID_ENTRY` member called `GuidEntry`.
3. Inside `GuidEntry`, locate `ProviderEnableInfo`, of type `_TRACE_ENABLE_INFO`.
4. The first member of `_TRACE_ENABLE_INFO` is `IsEnabled`; write 0 to turn the provider off or 1 to turn it back on.

The code looks like this:

<figure><img src="https://3225596869-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfhLztwDgT7iE72rxX2cz%2Fuploads%2FzzhrblFSZZHMKa2YxhjM%2Fimage.png?alt=media&#x26;token=7edf2e95-8278-47fc-a95a-7155c543c720" alt=""><figcaption></figcaption></figure>

Lazarus attacks carried out in the autumn of 2021 used this very technique to turn off ETW providers on victim machines, applying it to a number of additional providers, which differ only in their registration handles (“RegHandles”).
