1.8 KiB
1.8 KiB
ETW (Event Tracing for Windows) Collector for Runtime Traces
Module
Scanner
Status
IMPLEMENTED
Description
ETW-based function tracing collector for Windows using CLR runtime provider and stack walking for call chains, with container-aware process isolation and DbgHelp symbol resolution.
Implementation Details
- ETW Capture Adapter:
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/WindowsEtwCaptureAdapter.cs- Windows ETW capture adapter implementingIRuntimeCaptureAdaptersrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/IRuntimeCaptureAdapter.cs- Platform-agnostic capture interface
- Runtime Evidence:
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidence.cs- Runtime evidence modelsrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeEvidenceAggregator.cs- Aggregates ETW events into runtime evidencesrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/StackTraceCapture.cs- Stack trace capture from ETW stack walking
- Capture Configuration:
src/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/RuntimeCaptureOptions.cs- Configuration optionssrc/Scanner/StellaOps.Scanner.Analyzers.Native/RuntimeCapture/CaptureDurationTimer.cs- Duration timer
E2E Test Plan
- Configure ETW capture on a Windows host and verify
WindowsEtwCaptureAdaptercollects CLR runtime events - Verify stack walking captures call chains with correct function names via DbgHelp symbol resolution
- Verify container-aware process isolation filters events to the target container only
- Verify runtime evidence aggregation produces structured evidence from ETW events
- Verify ETW-collected runtime evidence can be used to confirm static reachability claims