adanto

Live ETW-TI event viewer for Windows kernel threat-intelligence telemetry. Research tool for exploring the same signals commercial EDRs rely on.

123 stars, 16, 69% credibility
Found Apr 14, 2026 at 90 stars.
AI Summary (language: C++)

EtwTiViewer is a research tool that visualizes live Windows threat intelligence telemetry events for studying low-level security operations like process injection and memory manipulation.

How It Works

1. 🔍 Discover the tool: You hear about a special viewer that lets researchers peek into Windows' hidden security alerts for studying sneaky attacks.
2. 🖥️ Set up a safe playground: You create an isolated virtual machine on your computer so you can test safely without risking your main setup.
3. 🔧 Prepare the pieces: Using simple build instructions, you assemble the watching helper and the viewer app on your test machine.
4. 🚀 Install the helper: You place the background helper into your test machine so it can watch system happenings.
5. 📱 Launch the viewer: You open the viewer window, and color-coded status lights show whether everything connects smoothly.
6. 🔓 Unlock the special view: With a quick tweak using a debugging helper while the viewer runs, you gain permission to see the secret security stream.
7. ▶️ Start watching: You pick which security alerts interest you, click start, and live events begin streaming into the table.
8. 👀 See attacks unfold: You watch real-time alerts about memory tricks and injections, logging them if needed, advancing your research safely.

AI-Generated Review

What is EtwTiViewer?

EtwTiViewer is a C++ research tool that delivers a live, real-time viewer for Windows kernel threat-intelligence telemetry from the ETW-TI provider—the same signals commercial EDRs rely on for detecting in-memory attacks, process injections, and memory manipulations. Launch the ImGui-based UI, select event keywords like ALLOCVM_REMOTE or PROTECTVM_REMOTE, and stream events with filtering, JSONL logging, and stats on throughput or drops. It bypasses ETW-TI's antimalware protections via a kernel debug patch, capturing cross-process memory ops, thread injections, and process freezes in isolated VMs.

Why is it gaining traction?

Unlike static ETW log parsers, EtwTiViewer offers a responsive live view of kernel events that EDRs use, letting you explore RWX markings or APC queues as they happen without spinning up full commercial tools. The UI's keyword panels, color-coded rows for remote ops, and pipe-forwarded process/image events make prototyping detections intuitive. With 87 stars, developers grab it to validate telemetry coverage hands-on.

Who should use this?

Windows security researchers reverse-engineering kernel injections, EDR devs testing signal fidelity against real attacks, or blue-teamers exploring ETW-TI for custom detection rules. Ideal for VM-based experiments where you need live kernel event streams to mimic commercial EDR pipelines.

Verdict

Grab EtwTiViewer if you're deep in Windows threat research—its live ETW-TI capture shines for education, but the 0.7% credibility score and 87 stars signal early-stage maturity with solid docs. Run it in VMs only; not production-ready without your own hardening.
