I am trying to log every user's keypress through Windows 11 ETW. All the keypresses get registered and I can watch the packets. The problem is that the data containing the keystroke information (like the key code) is missing. For reference I'm using this project: ETW POC. So my question is: have the details about the keystroke been removed in Windows 11, since it seems to work in the POC but not for me?
I've tried to inspect the packets through Windows Netmon and dumped the whole ETW log to examine the data manually. Nowhere can I find information about the key code.
Here is a dump of one of the packets when pressing the 'a' key.
<Event MSec= "1190,2617" PID="4272" PName= "" TID="28176" EventName="URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER/Start"
TimeStamp="06-17-24 23:01:34.279214" ID="26" Version="0" Keywords="0x80000000000001C0" TimeStampQPC="132 489 517 768"
Level="Informational" ProviderName="Microsoft-Windows-USB-UCX" ProviderGuid="36da592d-e43a-4e28-af6f-4bc57c5a11e8" ClassicProvider="False"
Opcode="1" Task="21" Channel="16" PointerSize="8"
CPU="0" EventIndex="1682" TemplateType="DynamicTraceEventData">
<Payload Length="168">
0: 8 65 f9 2d 75 43 0 0 | e8 f3 3d 2d 75 43 0 0 .e.-uC.. ..=-uC..
10: 0 b9 46 dd 8a bc ff ff | 50 f0 51 dd 8a bc ff ff ..F..... P.Q.....
20: a0 6e 87 f5 8a bc ff ff | 80 0 9 0 0 0 0 40 .n...... .......@
30: e8 f3 3d 2d 75 43 0 0 | 0 0 0 0 0 0 0 0 ..=-uC.. ........
40: 0 b9 46 dd 8a bc ff ff | 3 0 0 0 c 0 0 0 ..F..... ........
50: b0 fe f dd 8a bc ff ff | 0 0 0 0 0 0 0 0 ........ ........
60: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
70: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
80: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
90: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
a0: 0 0 0 0 0 0 0 0 | ........
</Payload>
</Event>
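The dump above is the kind of evidence an analyst wants to read programmatically when auditing what a trace provider actually exposes. The following is an added example (not code from the question or from the linked ETW POC project): it rebuilds the raw bytes from the PerfView-style hex dump in the post and classifies each 8-byte field with a simple heuristic, so you can see that the 168-byte URB payload consists of kernel pointers, user-mode pointers and a couple of length/flag words followed by a zero-filled tail, with no room for a HID report. The DUMP constant is copied from the post; the pointer-range thresholds are assumptions documented in the code.

```python
import re
from typing import Dict, List, Tuple

# Payload dump copied from the question's <Payload> element (input for this example).
DUMP = """\
0: 8 65 f9 2d 75 43 0 0 | e8 f3 3d 2d 75 43 0 0 .e.-uC.. ..=-uC..
10: 0 b9 46 dd 8a bc ff ff | 50 f0 51 dd 8a bc ff ff ..F..... P.Q.....
20: a0 6e 87 f5 8a bc ff ff | 80 0 9 0 0 0 0 40 .n...... .......@
30: e8 f3 3d 2d 75 43 0 0 | 0 0 0 0 0 0 0 0 ..=-uC.. ........
40: 0 b9 46 dd 8a bc ff ff | 3 0 0 0 c 0 0 0 ..F..... ........
50: b0 fe f dd 8a bc ff ff | 0 0 0 0 0 0 0 0 ........ ........
60: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
70: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
80: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
90: 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 ........ ........
a0: 0 0 0 0 0 0 0 0 | ........
"""
PAYLOAD_LENGTH = 168  # value of the Length attribute on the <Payload> element

HEX_TOKEN = re.compile(r"^[0-9a-fA-F]{1,2}$")


def parse_payload_dump(dump: str, length: int) -> bytes:
    """Rebuild the raw payload bytes from a dump of the form
    '<offset>: b b b b b b b b | b b b b b b b b <ascii rendering>'.
    The byte count expected on each line is derived from `length`, which is
    how the ASCII rendering at the end of the line is told apart from hex tokens."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        offset_str, _, rest = line.partition(":")
        offset = int(offset_str.strip(), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} does not follow {len(out):#x}")
        want = min(16, length - len(out))
        for tok in rest.replace("|", " ").split():
            if len(out) - offset == want:
                break  # remaining tokens are the ASCII rendering
            if not HEX_TOKEN.match(tok):
                raise ValueError(f"unexpected token {tok!r} at offset {len(out):#x}")
            out.append(int(tok, 16))
        if len(out) - offset != want:
            raise ValueError(f"short line at offset {offset:#x}")
    if len(out) != length:
        raise ValueError(f"parsed {len(out)} bytes, header says {length}")
    return bytes(out)


def classify_qword(val: int) -> str:
    """Heuristic label for a little-endian 64-bit field (assumptions, not a URB spec):
    0xFFFF in the top 16 bits is the canonical x64 kernel half; values between
    2**40 and 2**47 look like x64 user-mode heap/stack addresses; everything else
    is treated as a length, flag or status word."""
    if val == 0:
        return "zero"
    if val >> 48 == 0xFFFF:
        return "kernel-pointer"
    if (1 << 40) <= val < (1 << 47):
        return "user-pointer"
    return "non-pointer"


def classify_fields(data: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, kind, value) for every aligned 8-byte field in the payload."""
    fields = []
    for off in range(0, len(data) - len(data) % 8, 8):
        val = int.from_bytes(data[off:off + 8], "little")
        fields.append((off, classify_qword(val), val))
    return fields


def summarize(data: bytes) -> Dict[str, int]:
    """Count fields per kind; all four kinds are always present in the result."""
    counts = {"kernel-pointer": 0, "user-pointer": 0, "non-pointer": 0, "zero": 0}
    for _, kind, _ in classify_fields(data):
        counts[kind] += 1
    return counts


def payload_used_length(data: bytes) -> int:
    """Offset one past the last non-zero byte, i.e. where the zero-filled tail begins."""
    return len(data.rstrip(b"\x00"))


if __name__ == "__main__":
    payload = parse_payload_dump(DUMP, PAYLOAD_LENGTH)
    for off, kind, val in classify_fields(payload):
        print(f"{off:#04x}  {kind:<15} {val:#018x}")
    print("summary:", summarize(payload))
    print(f"non-zero data ends at {payload_used_length(payload):#x} of {len(payload):#x}")
```

Running it shows five kernel pointers, three user-mode pointers, two non-pointer words (at 0x28 and 0x48) and eleven zero fields, with nothing non-zero past offset 0x58. That matches the asker's observation: the Start event for the transfer describes the request structure, and the bytes of the transfer buffer itself are not in the payload, so there is no key code to find in it.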