# ETW (Event Tracing for Windows) Collector for Runtime Traces

## Module
Scanner

## Status
VERIFIED

## Description
ETW-based function tracing collector for Windows using CLR runtime provider and stack walking for call chains, with container-aware process isolation and DbgHelp symbol resolution.

## Implementation Details
- **ETW Capture Adapter**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/WindowsEtwCaptureAdapter.cs` - Windows ETW capture adapter implementing `IRuntimeCaptureAdapter`
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/IRuntimeCaptureAdapter.cs` - Platform-agnostic capture interface
- **Runtime Evidence**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidence.cs` - Runtime evidence model
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidenceAggregator.cs` - Aggregates ETW events into runtime evidence
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/StackTraceCapture.cs` - Stack trace capture from ETW stack walking
- **Capture Configuration**:
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeCaptureOptions.cs` - Configuration options
  - `src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/CaptureDurationTimer.cs` - Duration timer

## E2E Test Plan
- [ ] Configure ETW capture on a Windows host and verify `WindowsEtwCaptureAdapter` collects CLR runtime events
- [ ] Verify stack walking captures call chains with correct function names via DbgHelp symbol resolution
- [ ] Verify container-aware process isolation filters events to the target container only
- [ ] Verify runtime evidence aggregation produces structured evidence from ETW events
- [ ] Verify ETW-collected runtime evidence can be used to confirm static reachability claims

---

## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |