I am trying to use software like "Message Analyzer" and "TraceView" to receive events from the "Microsoft-Windows-Security-Auditing" or "Microsoft-Windows-Eventlog" providers, but I have had no luck receiving any events.
What I have done:
- I tested this software on Windows 10 and 7
- I ran the software as administrator
- I also ran it as the SYSTEM account
Other observations and input:
I could get other events, for example kernel events or NDIS events, but not those from the mentioned providers, which I specifically configured to receive.
I am interested in the approach the mentioned software uses (creating a real-time trace session), not in other solutions like querying the events ...
UPDATE 1
The provider GUIDs I used in the mentioned software:
Microsoft-Windows-Security-Auditing: {54849625-5478-4994-A5BA-3E3B0328C30D}
Microsoft-Windows-Eventlog: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}
UPDATE 2
I also did more investigation with EventLogChannelsView from NirSoft and some other tools, and I realized there are Channels and Providers/Publishers. Providers notify any Consumers who want to know about new events on the channels.
Interestingly, EventLogChannelsView didn't even list the names of some of the Providers, which probably means they are not active at all (like the ones I mentioned). There are also channels which don't have any Provider.
I was curious how Event Viewer becomes aware of new events, because it instantly shows the message 'New events available'. Well, I found out that Event Viewer uses the EvtSubscribe API to receive events on channels instead of from providers.
I don't know why software like 'Message Analyzer' and 'TraceView', both created by Microsoft, is so unaware of the state of Providers.
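The channel-subscription path that UPDATE 2 identifies (Event Viewer calling EvtSubscribe on a channel rather than attaching to the provider) can be reproduced from PowerShell through the .NET class System.Diagnostics.Eventing.Reader.EventLogWatcher, which wraps EvtSubscribe. The following is an added example and not code from the original question or from either Microsoft tool; the function name, the XPath filter and the duration are assumptions chosen for illustration. It subscribes to the Security channel in real time and prints each matching audit record as it is written, which is the same delivery mechanism Event Viewer relies on, not an ETW real-time trace session. It must be run from an elevated PowerShell session, since reading the Security log requires administrator rights.

```powershell
# Added example (not part of the original post): real-time subscription to the
# Security channel via EventLogWatcher, the .NET wrapper around EvtSubscribe.
# Run elevated; the Security log is not readable by standard users.
using namespace System.Diagnostics.Eventing.Reader

function Watch-SecurityChannel {
    param(
        # XPath filter (an assumed example): successful (4624) and failed (4625) logons
        [string]$XPath = '*[System[(EventID=4624 or EventID=4625)]]',
        # How long to keep the subscription open before cleaning up
        [int]$DurationSeconds = 60
    )

    # A channel (log name) query, the same kind of query Event Viewer subscribes with
    $query   = [EventLogQuery]::new('Security', [PathType]::LogName, $XPath)
    $watcher = [EventLogWatcher]::new($query)
    $sourceId = 'SecurityChannelWatcher'   # assumed identifier for the PowerShell event queue

    # Route EventRecordWritten notifications into the PowerShell event queue
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier $sourceId | Out-Null

    try {
        # Enabling the watcher is the point at which EvtSubscribe is actually called
        $watcher.Enabled = $true
        $deadline = (Get-Date).AddSeconds($DurationSeconds)

        while ((Get-Date) -lt $deadline) {
            $psEvent = Wait-Event -SourceIdentifier $sourceId -Timeout 5
            if ($null -eq $psEvent) { continue }            # nothing arrived in this interval
            Remove-Event -EventIdentifier $psEvent.EventIdentifier

            $written = $psEvent.SourceEventArgs             # EventRecordWrittenEventArgs
            if ($null -ne $written.EventException) {
                # The subscription itself failed (for example, access denied)
                Write-Warning "Subscription error: $($written.EventException.Message)"
                continue
            }

            $record = $written.EventRecord
            # FormatDescription() can return $null when message resources are missing
            $description = $record.FormatDescription()
            $firstLine = if ($description) { ($description -split "`r?`n")[0] } else { '' }

            [pscustomobject]@{
                TimeCreated = $record.TimeCreated
                Provider    = $record.ProviderName          # Microsoft-Windows-Security-Auditing
                EventId     = $record.Id
                Message     = $firstLine
            }
            $record.Dispose()
        }
    }
    finally {
        # Always tear the subscription down, even on Ctrl+C
        $watcher.Enabled = $false
        Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
        $watcher.Dispose()
    }
}

# Usage: watch for two minutes, then exit cleanly
Watch-SecurityChannel -DurationSeconds 120
```

The watcher delivers only records written after Enabled is set, so logging on or failing a logon while it runs is the quickest way to see output. Because the subscription targets the channel, it does not depend on whether an ETW consumer can attach to the Security-Auditing provider, which matches the observation in UPDATE 2 that Event Viewer works through channels rather than providers.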