ETL Logs
Overview
Evidence: ETL
Description: Collect ETL Log
Category: Other Evidence
Platform: Windows
Short Name: etl
Is Parsed: No - Raw ETL files are collected
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Event Trace for Windows (ETW) is a high-performance event tracing mechanism built into Windows. ETL (Event Trace Log) files store trace data captured by ETW providers. These files contain detailed system and application event information that can be more granular than standard Windows Event Logs.
ETL files are used for diagnostics, performance analysis, and troubleshooting. They can contain valuable forensic information about system behavior, application activity, and performance metrics.
Data Collected
Field        Description                  Example
Name         Artifact name                ETL Log
Type         File or Folder               File
SourcePath   Original file path           C:\Windows\System32\WDI\LogFiles\trace.etl
Path         Relative path in evidence    Other/trace.etl
Collection Method
This collector collects ETL files from the following locations:
Windows\System32\WDI\LogFiles\*.etl
Windows\System32\LogFiles\WMI\*.etl
Windows\System32\WDI\*\*\*.etl
Programdata\Microsoft\Windows\Power Efficiency Diagnostics (directory)
Windows\Panther\*.etl
Users\*\AppData\Local\Microsoft\Windows\Explorer\*.etl
Usage
ETL logs provide detailed diagnostic and performance data that can reveal system behavior and application activity. Investigators use this data to analyze system performance issues, track application behavior, investigate diagnostic events, detect anomalous system activity, and reconstruct detailed system timelines.
Known Limitations
Requires specialized tools to parse ETL files
ETL file format is complex and binary
Not all ETL files may be present on all systems
Some ETL files may be in use and locked
Notes
ETL files can be analyzed with tools like Windows Performance Analyzer (WPA), Message Analyzer, or specialized ETW parsing utilities.
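The following PowerShell script is an added example, not part of the collector described on this page: it resolves the collection locations listed under Collection Method, flags files that are locked by an active trace session (the "in use and locked" limitation above), copies the readable ones, and reads each copy with the built-in Get-WinEvent cmdlet, which accepts .etl files when -Oldest is given. The output folder $DestRoot and the default %SystemRoot% / %ProgramData% layout are assumptions.

```powershell
# Added example: triage the ETL locations this collector gathers.
# $DestRoot is an assumed output folder, not a path used by the collector.
param(
    [string]$DestRoot = "C:\Evidence\Other"
)

$root = $env:SystemRoot
$patterns = @(
    "$root\System32\WDI\LogFiles\*.etl",
    "$root\System32\LogFiles\WMI\*.etl",
    "$root\System32\WDI\*\*\*.etl",
    # The collector takes this whole directory; here only .etl files are parsed.
    "$env:ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\*.etl",
    "$root\Panther\*.etl",
    "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Windows\Explorer\*.etl"
)

function Test-EtlLocked {
    # An ETL file still being written by an ETW session cannot be opened
    # with FileShare.None; treat that IOException as "in use and locked".
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

New-Item -ItemType Directory -Force -Path $DestRoot | Out-Null

$files = $patterns | ForEach-Object {
    Get-ChildItem -Path $_ -File -ErrorAction SilentlyContinue
}
foreach ($f in $files) {
    if (Test-EtlLocked $f.FullName) {
        Write-Warning "Locked (active trace session): $($f.FullName)"
        continue
    }
    $dest = Join-Path $DestRoot $f.Name
    Copy-Item -Path $f.FullName -Destination $dest -Force
    # Get-WinEvent reads .etl directly; -Oldest is mandatory for ETL input.
    try {
        $events = Get-WinEvent -Path $dest -Oldest -ErrorAction Stop
        $span = "$($events[0].TimeCreated) .. $($events[-1].TimeCreated)"
        "{0}: {1} events, {2}" -f $f.Name, $events.Count, $span
    } catch {
        Write-Warning "Could not parse $($f.Name): $($_.Exception.Message)"
    }
}
```

Run it from an elevated prompt, since several of these directories are readable only by administrators; a locked file reported here is normally the one an active diagnostic session is still writing.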