AMSI ETW provider manifest extracted with perfview.exe
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
<!--
  ETW provider manifest for "Microsoft-Antimalware-Scan-Interface"
  (provider GUID {2a576b87-09a7-520e-c21a-4942f0271d67}), as extracted with PerfView.
  The provider declares one keyword, one task and one event (ID 1101); the payload
  layout of that event is the template "task_0Args" defined further down.
  Consumer note: this is an interchange document with no DOCTYPE. Parse it with DTD
  and external-entity resolution disabled, as for any manifest obtained from a third party.
-->
<instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
<events>
<provider name="Microsoft-Antimalware-Scan-Interface" guid="{2a576b87-09a7-520e-c21a-4942f0271d67}" resourceFileName="Microsoft-Antimalware-Scan-Interface" messageFileName="Microsoft-Antimalware-Scan-Interface" symbol="MicrosoftAntimalwareScanInterface" source="Xml" >
<keywords>
<!-- Only keyword on this provider (mask 0x1). Event 1101 below references it, so a consumer
     that enables this provider with keyword mask 0x1 receives that event. The display name is
     resolved from string id "keyword_Event1" in the localization section. -->
<keyword name="Event1" message="$(string.keyword_Event1)" mask="0x1"/>
</keywords>
<tasks>
<!-- Single task, value 0; display name resolved from string id "task_task_0". -->
<task name="task_0" message="$(string.task_task_0)" value="0"/>
</tasks>
<events>
<!-- Event ID 1101, version 0, level Informational, keyword Event1, payload template "task_0Args".
     Its symbol "task_0" is the same string as the task name; the manifest gives no separate
     event name, so consumers should key on the numeric ID (1101) rather than the symbol. -->
<event value="1101" symbol="task_0" version="0" task="task_0" level="win:Informational" keywords="Event1" template="task_0Args"/>
</events>
<templates>
<!-- Payload layout of event 1101. Fields are laid out in document order; only "content" has
     a data-dependent length (bound to the preceding "contentsize" field). -->
<template tid="task_0Args">
<!-- Pointer-sized value; presumably the AMSI session handle (HAMSISESSION), confirm against amsi.h. -->
<data name="session" inType="win:Pointer"/>
<!-- 8-bit status code; its meaning is not defined in this manifest. -->
<data name="scanStatus" inType="win:UInt8"/>
<!-- 32-bit result; presumably an AMSI_RESULT value (e.g. AMSI_RESULT_DETECTED), confirm against amsi.h. -->
<data name="scanResult" inType="win:UInt32"/>
<!-- Name of the calling application; presumably the appName given to AmsiInitialize, confirm. -->
<data name="appname" inType="win:UnicodeString"/>
<!-- Name of the scanned content; presumably the contentName given to the scan call, confirm. -->
<data name="contentname" inType="win:UnicodeString"/>
<!-- Byte length of the "content" field that follows (referenced by its length attribute). -->
<data name="contentsize" inType="win:UInt32"/>
<!-- Reported size of the original buffer; may differ from contentsize, see contentFiltered. -->
<data name="originalsize" inType="win:UInt32"/>
<!-- NOTE(review): the scanned buffer itself, contentsize bytes. Together with originalsize and
     contentFiltered this suggests the logged buffer can be shorter than what was scanned, but the
     manifest does not say how; confirm before relying on it. Captured payloads can contain the
     full text of scripts and documents, so stored event data should be handled as sensitive. -->
<data name="content" inType="win:Binary" length="contentsize"/>
<!-- Binary digest with no length attribute here; the algorithm is not identifiable from the manifest. -->
<data name="hash" inType="win:Binary"/>
<!-- Boolean flag; presumably indicates that "content" was filtered or truncated before logging, confirm. -->
<data name="contentFiltered" inType="win:Boolean"/>
</template>
</templates>
</provider>
</events>
</instrumentation>
<localization>
<!-- en-US string table backing the $(string.*) message references above. -->
<resources culture="en-US">
<stringTable>
<string id="keyword_Event1" value="Event1"/>
<string id="task_task_0" value="task_0"/>
</stringTable>
</resources>
</localization>
</instrumentationManifest>