Professional Rootkits (Programmer to Programmer)

There are only a few Etw routines (33 in Windows 2003 Server). This group includes the following:

• EtwTraceEvent

• EtwEnableTrace

• EtwGetTraceEnableLevel

• EtwGetTraceEnableFlags

If you are hooking trace operations, you will need to look further into the Etw functional group.