> wevtutil.exe gp <provider-name> /ge /gm /f:xml

prints the manifest given a provider, except for its data templates. Is there a tool I am missing that would display the templates defined in an installed provider's manifest? They must be out there in the binary WEVT_TEMPLATE resource, since the Tdh* functions seem to know about them.



Perfview can do this with this command:

PerfView userCommand DumpRegisteredManifest <provider-name>

This dumps the complete manifest into an XML file.

magicandre1981
  • perfview internally calls the Tdh functions to decode the data (GetManifestForRegisteredProvider in RegisteredTraceEventParser class from TraceEvent lib) – magicandre1981 Aug 23 '16 at 14:32
  • Interesting, I also looked at the tool's code with a .NET decompiler and saw this call, but its implementation seems to be in the native code. Anyway, I did not dig deeper as my intention was to simply examine a few of Microsoft's own manifests to get a sense of some template practices (e.g. binary data storage). This time I can just use the tool without understanding how it works. :) – kkm inactive - support strike Aug 23 '16 at 19:06
  • I ran PerfView userCommand DumpRegisteredManifest "IIS: WWW Server", which is a MOF based provider, and I got the following error: Error: Could not find provider with at GUID of 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83. logman can list events just fine for this well known provider. – Anirudh Goel Sep 20 '18 at 13:46
  • @AnirudhGoel I have no idea, because I never tried to view the IIS events – magicandre1981 Sep 20 '18 at 15:35
  • I think I will have to compile perfview with private flags – Anirudh Goel Sep 20 '18 at 16:09
  • @AnirudhGoel you can also create an issue on github about it to get more details/help. – magicandre1981 Sep 21 '18 at 14:05
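The templates the question asks about can also be read without PerfView from PowerShell's event-log metadata API, which resolves the registered manifest in the same way wevtutil and the Tdh* functions do. The script below is an added example and is not code from the question, either answer, or PerfView. It assumes Windows 8.1 or later with PowerShell, and it uses a real built-in provider name as its default purely for illustration; any name printed by "wevtutil ep" can be substituted. The optional -OnlyInType switch narrows the listing to events whose template declares a field of a given inType, which is handy for the kind of survey of binary-field conventions mentioned in the comments above.

```powershell
# Added example (not from the original question or answers): list the data
# templates of an installed, manifest-based ETW provider from PowerShell.
# Get-WinEvent -ListProvider returns a ProviderMetadata object whose Events
# collection holds one EventMetadata per event; its Template property is the
# <template> XML that "wevtutil gp" leaves out.
#
# Assumptions: Windows 8.1+ PowerShell; the default provider name is a real
# built-in provider chosen for illustration. Classic (MOF) providers, like the
# IIS one discussed in the comments, carry no manifest templates, so expect
# few or no template entries for them.
[CmdletBinding()]
param(
    [string]$ProviderName = 'Microsoft-Windows-Security-Auditing',
    # Only list events whose template contains at least one field of this
    # inType (e.g. 'win:Binary' to see how binary payloads are declared).
    [string]$OnlyInType
)

function Get-ProviderEventTemplates {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$OnlyInType
    )

    $provider = Get-WinEvent -ListProvider $Name -ErrorAction Stop

    foreach ($evt in $provider.Events) {
        $fields = @()
        if (-not [string]::IsNullOrWhiteSpace($evt.Template)) {
            # The template is a small XML document in the
            # http://schemas.microsoft.com/win/2004/08/events namespace;
            # PowerShell's XML adapter walks it by local element name.
            [xml]$tpl = $evt.Template
            foreach ($d in @($tpl.template.data)) {
                if ($null -eq $d) { continue }
                $fields += [pscustomobject]@{
                    Name    = $d.name
                    InType  = $d.inType
                    OutType = $d.outType
                    # count/length name the field that sizes an array or
                    # blob; both are absent for fixed-size scalars.
                    Count   = $d.count
                    Length  = $d.length
                }
            }
        }

        # Skip events that do not declare a field of the requested inType.
        if ($OnlyInType -and -not ($fields | Where-Object InType -eq $OnlyInType)) {
            continue
        }

        [pscustomobject]@{
            Provider = $provider.Name
            EventId  = $evt.Id
            Version  = $evt.Version
            Level    = $evt.Level.DisplayName
            Task     = $evt.Task.DisplayName
            Fields   = $fields
            Template = $evt.Template
        }
    }
}

Get-ProviderEventTemplates -Name $ProviderName -OnlyInType $OnlyInType |
    ForEach-Object {
        "{0} event {1} v{2} [{3}]" -f $_.Provider, $_.EventId, $_.Version, $_.Level
        if ($_.Fields.Count -eq 0) {
            "    (no data template)"
        } else {
            foreach ($f in $_.Fields) {
                $size = if ($f.Count) { " count=$($f.Count)" }
                        elseif ($f.Length) { " length=$($f.Length)" }
                        else { '' }
                "    {0,-32} {1,-14} {2}{3}" -f $f.Name, $f.InType, $f.OutType, $size
            }
        }
    }
```

Run it as `.\Get-ProviderEventTemplates.ps1 -ProviderName 'Microsoft-Windows-Security-Auditing' -OnlyInType 'win:Binary'` to print only the events that carry a binary field, together with the count or length field that sizes the blob. The raw Template string is kept on each returned object, so piping the function's output to Export-Clixml or Select-Object -ExpandProperty Template preserves the original XML for comparison against the wevtutil gp output.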

Resource Hacker allows the display of WEVT_TEMPLATE structure.

KeyC0de
  • Yeah, it's good to see if an executable has the resource, but it doesn't parse/format the BIN block yet. – Sirmabus Aug 23 '19 at 21:30