ETW

Event Tracking for Windows

Event Tracking for Windows (ETW)

C:\Remove-EtwTraceProvider -AutologgerName EventLog-Application -Guid '{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'

This command will delete the register key, in other word it disables the ETW

Remove the provider ETW in a session:

C:\logman update trace EventLog-Application --p Microsoft-Windows-PowerShell -ets
PreviousNotesNextAMSI Bypass

Last updated