ETW/ETL Trace Files (DiagTrack/AutoLogger)
Windows | Execution Evidence | Disk Image
Location
C:\Windows\System32\WDI\LogFiles\ and C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\
Description
Event Tracing for Windows (ETW) binary trace files (.etl) generated by AutoLogger sessions and diagnostic providers. Includes AutoLogger-DiagTrack-Listener.etl and various WDI trace files containing detailed system telemetry.
Forensic Value
ETL trace files contain process execution evidence, network connection data, and system diagnostic information that is rarely cleaned by attackers because these files are not well-known forensic artifacts. AutoLogger-DiagTrack-Listener.etl may contain evidence of executed processes including their paths and command lines. These traces persist across reboots and can fill gaps when standard event logs have been cleared.
Tools Required
KAPE
tracerpt
xperf (Windows Performance Toolkit)
ETLParser
SilkETW
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target ETW
tracerpt
tracerpt "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-DiagTrack-Listener.etl" -o C:\output\etl_report.xml -of XML
PowerShell
New-Item -ItemType Directory -Force -Path C:\output\ETL | Out-Null
Copy-Item "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*.etl" -Destination C:\output\ETL\
Copy-Item "C:\Windows\System32\WDI\LogFiles\*.etl" -Destination C:\output\ETL\
xperf
xperf -i "C:\output\AutoLogger-DiagTrack-Listener.etl" -o C:\output\etl_parsed.txt
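Once tracerpt has converted the ETL to XML (the tracerpt command above), the analyst still has to locate execution evidence among the payload fields. The Python script below is an added example, not part of this page or of any listed tool: it streams the tracerpt XML, records each event's provider, ID, timestamp and PID, and keeps every payload field that holds a Windows image path. The embedded sample XML, its provider names and its field names (ImagePath, CommandLine, ModulePath) are constructed for illustration; real DiagTrack field names vary by provider.

```python
import io
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Image paths in any payload field: drive-letter, \\?\ and NT \Device\ forms.
EXE_PATH_RE = re.compile(
    r'(?i)(?:[a-z]:\\|\\\\\?\\|\\device\\)[^"<>|\r\n]*?\.(?:exe|dll|ps1|bat|cmd|vbs|js)\b')
ExecHit = namedtuple('ExecHit', 'time provider event_id pid field value')

def _local(tag):
    return tag.rsplit('}', 1)[-1]  # strip the {namespace} prefix tracerpt puts on Event elements

def iter_events(source):
    """Stream <Event> elements from a path or file object; converted ETL files can be huge."""
    for _, elem in ET.iterparse(source, events=('end',)):
        if _local(elem.tag) == 'Event':
            yield elem
            elem.clear()

def extract_exec_hits(source):
    """Return one ExecHit per EventData field that holds an image path, oldest first."""
    hits = []
    for ev in iter_events(source):
        meta, payload = {'time': '', 'provider': '', 'event_id': '', 'pid': ''}, []
        for node in ev.iter():
            name = _local(node.tag)
            if name == 'Provider' and node.get('Name'):       # System/Provider, not RenderingInfo
                meta['provider'] = node.get('Name')
            elif name == 'EventID':
                meta['event_id'] = (node.text or '').strip()
            elif name == 'TimeCreated':                        # SystemTime is UTC
                meta['time'] = node.get('SystemTime', '')
            elif name == 'Execution':
                meta['pid'] = node.get('ProcessID', '')
            elif name == 'Data' and node.text and EXE_PATH_RE.search(node.text):
                payload.append((node.get('Name', ''), node.text.strip()))
        hits.extend(ExecHit(field=f, value=v, **meta) for f, v in payload)
    return sorted(hits, key=lambda h: h.time)  # one timeline across all providers

def hits_from_text(xml_text):
    return extract_exec_hits(io.BytesIO(xml_text.encode('utf-8')))

# Constructed sample in the shape tracerpt -of XML writes; providers, fields and values are illustrative.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Example-Provider-A"/><EventID>1</EventID><TimeCreated SystemTime="2024-03-01T10:15:02.000000000Z"/><Execution ProcessID="4321"/></System><EventData><Data Name="Status">0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Example-Provider-B"/><EventID>7</EventID><TimeCreated SystemTime="2024-03-01T10:15:01.500000000Z"/><Execution ProcessID="1234"/></System><EventData><Data Name="ModulePath">\Device\HarddiskVolume3\Users\bob\AppData\Local\Temp\helper.dll</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Example-Provider-C"/><EventID>3</EventID><TimeCreated SystemTime="2024-03-01T10:15:00.250000000Z"/><Execution ProcessID="1234"/></System><EventData><Data Name="ImagePath">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">"C:\Windows\System32\cmd.exe" /c "C:\Users\Public\update.bat"</Data></EventData></Event>
</Events>"""
```

On a real case, call extract_exec_hits("C:\output\etl_report.xml") and review the hits against the cleared event-log window; the path regex is deliberately broad, so expect benign system binaries alongside anything of interest.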
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- The active AutoLogger-DiagTrack-Listener.etl is written by a running trace session and may be locked; if a plain file copy fails with a sharing violation, collect it with a raw-disk collector such as KAPE, from a volume shadow copy, or from the disk image.
MITRE ATT&CK Techniques
T1562.006 (Impair Defenses: Indicator Blocking)
T1059 (Command and Scripting Interpreter)