
Enabling additional ETW tracing for use in EDR in SESC


Article ID: 229645


Products

Endpoint Security Complete

Issue/Introduction

Symantec Endpoint Security Complete (SESC) ingests events from various Event Tracing for Windows (ETW) providers, and most of them work with the default configuration of Microsoft Windows.

Resolution

For the Microsoft-Windows-Win32k providers, you may need to confirm that the following registry keys and values exist on your devices and match the values listed below. After making these changes, reboot the device.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Win32kProvider]
"BufferSize"=dword:00000040
"ClockType"=dword:00000002
"EnableSecurityProvider"=dword:00000000
"FlushTimer"=dword:00000001
"Guid"="{8c416c79-d49b-4f01-a467-e56d3aa8234c}"
"LogFileMode"=dword:180001c0
"MaximumBuffers"=dword:00000010
"MinimumBuffers"=dword:00000000
"OwningChannel"="Security"
"Start"=dword:00000001
"Status"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Win32kProvider\{8c416c79-d49b-4f01-a467-e56d3aa8234c}]
"Enabled"=dword:00000001
"Status"=dword:00000000
"EnableLevel"=dword:00000000
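
The following PowerShell script is an added example (not part of the Broadcom article) that reads both Win32kProvider autologger keys and reports any value that is missing or differs from the settings above, so the check can be run across devices before rebooting. It assumes an elevated PowerShell prompt; the expected values are the ones listed in this article.

```powershell
# Added example: verify the Win32kProvider autologger settings listed in the
# article. Run from an elevated PowerShell prompt on the device being checked.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Win32kProvider'
$guid = '{8c416c79-d49b-4f01-a467-e56d3aa8234c}'

# Expected values, transcribed from the .reg listing above (dwords as integers).
$expected = @{
    $base = @{
        BufferSize             = 0x40
        ClockType              = 2
        EnableSecurityProvider = 0
        FlushTimer             = 1
        Guid                   = $guid
        LogFileMode            = 0x180001c0
        MaximumBuffers         = 0x10
        MinimumBuffers         = 0
        OwningChannel          = 'Security'
        Start                  = 1
        Status                 = 0
    }
    "$base\$guid" = @{
        Enabled     = 1
        Status      = 0
        EnableLevel = 0
    }
}

$mismatches = @()
foreach ($key in $expected.Keys) {
    if (-not (Test-Path -Path $key)) {
        $mismatches += "Missing key: $key"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $expected[$key].Keys) {
        $want = $expected[$key][$name]
        $have = $props.$name
        if ($null -eq $have) {
            $mismatches += "Missing value: $key\$name (expected $want)"
        } elseif ("$have" -ne "$want") {
            # Compare as strings so a REG_DWORD and a REG_SZ are both handled.
            $mismatches += "Mismatch: $key\$name is '$have', expected '$want'"
        }
    }
}

if ($mismatches.Count -eq 0) {
    'Win32kProvider autologger settings match the expected values.'
} else {
    $mismatches
    exit 1   # non-zero exit lets a deployment tool flag the device
}
```

A non-zero exit code indicates that at least one key or value still needs to be created or corrected before the reboot.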

Additional Information

This issue applies to Symantec Agent version 14.3 RU1 or later.