Skip to main content

SystemProvider

windows_erg::etw

Enum SystemProvider 

Source 
pub enum SystemProvider {
    Process,
    Registry,
    Network,
    FileIo,
    ImageLoad,
}
Expand description

System-level event sources for kernel tracing.

Each variant represents a category of events emitted by the Windows kernel. Because these providers operate inside the kernel, they capture activity from all processes on the machine without any instrumentation in the target application.

§Privileges

Enabling any SystemProvider requires Administrator privileges. The underlying trace session uses the NT Kernel Logger — a Windows-reserved name for kernel providers — so only one kernel session can be active at a time.

Variants§

§

Process

Process and thread creation/termination events.

Emits an event whenever any process or thread starts or stops system-wide.

§

Registry

Registry key and value operations.

Emits an event for every registry read, write, create, and delete across all processes. Can be high-volume on busy systems.

§

Network

TCP/IP network connections and data transfer.

Emits events for TCP connections, UDP sends/receives, and connection failures. Covers both IPv4 and IPv6.

§

FileIo

File I/O operations (create, read, write, delete).

Emits an event for every file system operation. Very high volume — consider using next_batch_with_filter to focus on relevant paths.

§

ImageLoad

DLL and EXE image load/unload events.

Emits an event whenever any executable or library is mapped into or unmapped from a process. Useful for detecting code injection.

Trait Implementations§

Source§

impl Clone for SystemProvider

Source§

fn clone(&self) -> SystemProvider

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for SystemProvider

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl PartialEq for SystemProvider

Source§

fn eq(&self, other: &SystemProvider) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Copy for SystemProvider

Source§

impl Eq for SystemProvider

Source§

impl StructuralPartialEq for SystemProvider

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.