Security and Reliability - microsoft/MSO-Scripts GitHub Wiki
- Present some straightforward ways to use ETW to analyze and track security and reliability issues.
- Describe some of the existing AutoLogger (and similar) sessions, and how to analyze them (not always with WPA).
- Show how to create a custom AutoLogger session in file mode with a size-capped, circular file, and how to analyze the result.
- Show how to track the activity of specific processes without filling the disk with ETW traces.
-
Microsoft-Windows-Security-Auditing reference
-
Microsoft-Windows-Eventlog
...
-
Circular Kernel Context Logger (CKCL)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance
ETW Event Tracing for Windows (not Microsoft)
What is the Boot CKCL ETL File? (not Microsoft)
Extracting Data with ETW Tracing for Windows (not Microsoft)
Threat Hunting with ETW Events (not Microsoft)
-
The Windows Security Log Revealed (not Microsoft)
-
Key ETW Providers for Reliability and Security
-
How to Create Your Own Automatic Data Logger (without straining system resources)
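The following is an added example for this page, not code from the MSO-Scripts project. It defines an AutoLogger session in the registry that writes to a size-capped circular .etl file and enables the Microsoft-Windows-Kernel-Process provider for process, thread and image-load events, with small buffer limits so the session costs little memory. The session name `MsoSecurityProbe`, the path `C:\ETW\`, the 64 MB cap and the buffer sizes are assumptions chosen for illustration.

```powershell
# Added example for this wiki page; it is not code from MSO-Scripts. Session name, file path,
# buffer sizes and the chosen provider are assumptions for illustration. Run elevated.
#Requires -RunAsAdministrator

$AutologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

# Microsoft-Windows-Kernel-Process provider GUID and its keywords (from the provider manifest).
$KernelProcessGuid = '{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}'
$KeywordProcess = 0x10   # WINEVENT_KEYWORD_PROCESS: process start/stop
$KeywordThread  = 0x20   # WINEVENT_KEYWORD_THREAD:  thread start/stop
$KeywordImage   = 0x40   # WINEVENT_KEYWORD_IMAGE:   image (EXE/DLL) load/unload

# evntrace.h: circular file mode overwrites the oldest events once MaxFileSize (MB) is reached,
# so the file never grows past the cap no matter how long the system runs.
$EVENT_TRACE_FILE_MODE_CIRCULAR = 0x2

function New-CircularAutoLogger {
    param(
        [Parameter(Mandatory)] [string]    $SessionName,
        [Parameter(Mandatory)] [string]    $FileName,      # directory must exist at boot time
        [int]                              $MaxFileSizeMB = 64,
        [Parameter(Mandatory)] [hashtable] $Providers      # GUID -> @{ Level = n; Keywords = mask }
    )
    $key = Join-Path $AutologgerRoot $SessionName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Session-level values; these names are the documented AutoLogger registry values.
    $sessionValues = @{
        Start          = 1                               # start the session at next boot
        FileName       = $FileName
        LogFileMode    = $EVENT_TRACE_FILE_MODE_CIRCULAR
        MaxFileSize    = $MaxFileSizeMB
        BufferSize     = 64                              # KB per buffer: small, to go easy on memory
        MinimumBuffers = 4
        MaximumBuffers = 16                              # upper bound on memory: 16 x 64 KB = 1 MB
        FlushTimer     = 5                               # seconds; bounds the data lost on a hard crash
        ClockType      = 1                               # 1 = QueryPerformanceCounter
    }
    foreach ($name in $sessionValues.Keys) {
        $type = if ($name -eq 'FileName') { 'String' } else { 'DWord' }
        New-ItemProperty -Path $key -Name $name -PropertyType $type -Value $sessionValues[$name] -Force | Out-Null
    }
    # Each session needs its own GUID; the 'B' format adds the braces the registry value expects.
    New-ItemProperty -Path $key -Name Guid -PropertyType String -Value ([guid]::NewGuid().ToString('B')) -Force | Out-Null

    # One subkey per provider, named by the provider GUID.
    foreach ($guid in $Providers.Keys) {
        $pkey = Join-Path $key $guid
        if (-not (Test-Path $pkey)) { New-Item -Path $pkey -Force | Out-Null }
        New-ItemProperty -Path $pkey -Name Enabled         -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $pkey -Name EnableLevel     -PropertyType DWord -Value $Providers[$guid].Level -Force | Out-Null
        New-ItemProperty -Path $pkey -Name MatchAnyKeyword -PropertyType QWord -Value ([uint64]$Providers[$guid].Keywords) -Force | Out-Null
    }
    return $key
}

function Get-AutoLoggerConfig {
    # Read the configuration back so it can be checked before rebooting.
    param([Parameter(Mandatory)] [string] $SessionName)
    $key = Join-Path $AutologgerRoot $SessionName
    $s   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Session       = $SessionName
        StartsAtBoot  = ($s.Start -eq 1)
        FileName      = $s.FileName
        Circular      = (($s.LogFileMode -band $EVENT_TRACE_FILE_MODE_CIRCULAR) -ne 0)
        MaxFileSizeMB = $s.MaxFileSize
        Providers     = @(Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName })
    }
}

# Usage: a 64 MB circular log of process, thread and image-load events (level 4 = Informational).
$providers = @{}
$providers[$KernelProcessGuid] = @{ Level = 4; Keywords = ($KeywordProcess -bor $KeywordThread -bor $KeywordImage) }
New-CircularAutoLogger -SessionName 'MsoSecurityProbe' -FileName 'C:\ETW\MsoSecurityProbe.etl' `
                       -MaxFileSizeMB 64 -Providers $providers | Out-Null
Get-AutoLoggerConfig -SessionName 'MsoSecurityProbe' | Format-List
```

An AutoLogger defined this way starts at the next boot. For an immediate test without rebooting, an equivalent live session can be created with `logman create trace MsoSecurityProbe -o C:\ETW\MsoSecurityProbe.etl -mode Circular -max 64 -p {22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716} 0x70 4 -ets`. The memory cost is bounded by MaximumBuffers x BufferSize, and the disk cost by MaxFileSize, which is what keeps a long-running logger from straining the system.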
-
How to Examine the Data (even after a system hang or crash)
-
Built-in, Automatic Data Loggers
- How to determine what data they log
- How to view the data they log
- Flush the log
- Merge the log
- What data is needed by WPA
- Alternatives to WPA
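The following is an added example for this page, not code from the MSO-Scripts project. It covers the items above with in-box tooling where possible: it enumerates the AutoLogger sessions configured in the registry and the providers each one enables, flushes and stops a live session with logman, merges .etl files with xperf, and reads an .etl file with Get-WinEvent instead of WPA. The session name `MsoSecurityProbe`, the path `C:\ETW\`, and the presence of xperf.exe (from the Windows Performance Toolkit) on the PATH are assumptions.

```powershell
# Added example for this wiki page; it is not code from MSO-Scripts. The session name, .etl
# path and the presence of xperf.exe (Windows Performance Toolkit) are assumptions.

$AutologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

function Get-AutoLoggerInventory {
    # What each configured AutoLogger records: one object per session with its enabled provider GUIDs.
    # Map a GUID to a provider name with 'logman query providers'.
    Get-ChildItem -Path $AutologgerRoot | ForEach-Object {
        $session = $_
        $props   = Get-ItemProperty -Path $session.PSPath
        $enabled = Get-ChildItem -Path $session.PSPath |
            Where-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Enabled -eq 1 } |
            ForEach-Object { $_.PSChildName }
        [pscustomobject]@{
            Session      = $session.PSChildName
            StartsAtBoot = ($props.Start -eq 1)
            FileName     = $props.FileName
            Circular     = (($props.LogFileMode -band 0x2) -ne 0)   # EVENT_TRACE_FILE_MODE_CIRCULAR
            MaxFileMB    = $props.MaxFileSize
            Providers    = @($enabled)
        }
    }
}

function Invoke-SessionFlush {
    # Write buffered events to the session's file: -fd = flush, -ets = act on the live session.
    param([Parameter(Mandatory)] [string] $SessionName)
    & logman.exe update trace $SessionName -fd -ets | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Stop-LiveSession {
    # Stop a live session so its .etl file is closed and can be opened by analysis tools.
    param([Parameter(Mandatory)] [string] $SessionName)
    & logman.exe stop $SessionName -ets | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Merge-EtlFiles {
    # xperf -merge combines traces and injects the image-identification metadata WPA uses to
    # resolve modules and symbols. xperf is part of the Windows Performance Toolkit, not in-box.
    param([Parameter(Mandatory)] [string[]] $Inputs, [Parameter(Mandatory)] [string] $Output)
    & xperf.exe -merge @Inputs $Output | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Read-EtlEvents {
    # Read an .etl with in-box tooling only. Get-WinEvent requires -Oldest for .etl files.
    # Message is empty when the provider's manifest is not registered on the reading machine.
    param([Parameter(Mandatory)] [string] $Path, [string] $ProviderName, [int] $First = 50)
    $events = Get-WinEvent -Path $Path -Oldest -ErrorAction Stop
    if ($ProviderName) { $events = $events | Where-Object { $_.ProviderName -eq $ProviderName } }
    $events | Select-Object -First $First TimeCreated, ProviderName, Id, ProcessId, Message
}

# Usage. Built-in sessions (e.g. the Circular Kernel Context Logger) appear in the inventory;
# the custom session name is an assumption.
Get-AutoLoggerInventory | Where-Object StartsAtBoot | Format-Table Session, Circular, MaxFileMB, FileName
Invoke-SessionFlush -SessionName 'MsoSecurityProbe'
Stop-LiveSession    -SessionName 'MsoSecurityProbe'
Read-EtlEvents -Path 'C:\ETW\MsoSecurityProbe.etl' -ProviderName 'Microsoft-Windows-Kernel-Process' -First 20 |
    Format-Table -AutoSize
# Another in-box alternative to WPA, producing an XML dump plus a summary of event counts:
#   tracerpt C:\ETW\MsoSecurityProbe.etl -o report.xml -of XML -summary summary.txt
```

After a hang or crash the AutoLogger's file from the previous boot is still on disk, so the same `Read-EtlEvents` call works on it once the new boot's session has been stopped or pointed at a different file; a live circular file is being rewritten and is best flushed and stopped, or copied, before analysis.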