DioProcess

ETW-TI Bypass

Ring 0

Disable ETW Threat Intelligence sensor to evade Defender and EDR monitoring.

Detection Evasion

This bypasses Microsoft's primary telemetry sensor for threat detection. Use only for authorized security research.

Overview

ETW-TI (Event Tracing for Windows - Threat Intelligence) is Microsoft's kernel-level telemetry provider that feeds data to Windows Defender and third-party EDRs. Disabling it blinds these security products to many malicious activities.

What ETW-TI Monitors

  • Process creation and termination
  • Thread injection and remote thread creation
  • Memory allocation and protection changes
  • Image (DLL/EXE) loading
  • Handle operations (open, duplicate)
  • Registry modifications
  • Filesystem operations

Bypass Methods

Method 1: Provider Handle Nullification

Find and null the ETW-TI provider registration handle. Events are queued but never delivered.

Method 2: KeInsertQueueApc Patching

Patch the APC queueing function to skip ETW event APCs. More aggressive but more complete.

Method 3: Hypervisor EPT Hook

Hook ETW functions via EPT to filter events at Ring -1. PatchGuard-safe.

Implementation

Provider Handle Method

NTSTATUS DisableEtwTi() {
    // 1. Find EtwThreatIntProvRegHandle via signature scanning
    //    This is the handle for the Microsoft-Windows-Threat-Intelligence
    //    ETW provider (GUID: F4E1897C-BB5D-5668-F1D8-040F4D8DD344)
    
    PHANDLE EtwThreatIntProvRegHandle = FindEtwTiHandle();
    if (!EtwThreatIntProvRegHandle) {
        return STATUS_NOT_FOUND;
    }
    
    // 2. Read current handle value
    HANDLE OriginalHandle = *EtwThreatIntProvRegHandle;
    
    // 3. Null the handle - events won't be delivered
    *EtwThreatIntProvRegHandle = NULL;
    
    // Provider is now disabled. To re-enable:
    // *EtwThreatIntProvRegHandle = OriginalHandle;
    
    return STATUS_SUCCESS;
}

// Alternative: Patch EtwTiLogReadWriteVm directly
NTSTATUS PatchEtwTiLogReadWriteVm() {
    // Find function via signature
    PVOID EtwTiLogReadWriteVm = FindPattern(
        ntoskrnl,
        "48 8B C4 48 89 58 08 48 89 68 10..."  // Pattern varies by version
    );
    
    // Patch with RET to disable the function
    BYTE Patch[] = { 0xC3 };  // RET
    WriteKernelMemory(EtwTiLogReadWriteVm, Patch, sizeof(Patch));
    
    return STATUS_SUCCESS;
}

IOCTLs

IOCTL          | Code       | Description
DISABLE_ETW_TI | 0x00222064 | Disable ETW-TI provider
ENABLE_ETW_TI  | 0x00222068 | Re-enable ETW-TI provider
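Added example (not DioProcess code): splitting the two IOCTL values from the table into the fields the Windows CTL_CODE macro packs them from, which is what a detection engineer needs when characterising the driver's device interface. The field layout and the constant names (FILE_DEVICE_UNKNOWN, METHOD_BUFFERED, FILE_ANY_ACCESS) are the documented Windows definitions; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout produced by CTL_CODE(DeviceType, Function, Method, Access):
 *   bits 31..16 device type, 15..14 required access,
 *   bits 13..2  function number, 1..0 buffering method. */
typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split a raw IOCTL value into its four fields. */
ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFF;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2)  & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Rebuild the code from its fields; same arithmetic as CTL_CODE. */
uint32_t encode_ioctl(ioctl_fields f) {
    return (f.device_type << 16) | (f.access << 14) |
           (f.function << 2) | f.method;
}

/* The two codes listed in the table above. */
static const uint32_t DISABLE_ETW_TI = 0x00222064;
static const uint32_t ENABLE_ETW_TI  = 0x00222068;

static void describe(const char *name, uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    /* 0x22 is FILE_DEVICE_UNKNOWN, the usual choice for third-party
     * drivers; function numbers >= 0x800 are the vendor-defined range. */
    printf("%s %#010x: device=%#x access=%u function=%#x method=%u\n",
           name, code, f.device_type, f.access, f.function, f.method);
}

int main(void) {
    describe("DISABLE_ETW_TI", DISABLE_ETW_TI);
    describe("ENABLE_ETW_TI", ENABLE_ETW_TI);
    return 0;
}
```

Both codes decode to device type 0x22, FILE_ANY_ACCESS and METHOD_BUFFERED, with adjacent vendor function numbers 0x819 and 0x81A.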

What Gets Bypassed

  • ✓ Windows Defender ATP telemetry
  • ✓ EDR process injection detection
  • ✓ Memory tamper detection (VirtualProtect monitoring)
  • ✓ Thread creation monitoring
  • ✓ Credential access events
  • ✓ Most behavioral analysis

What Still Works

  • Static signature scanning (file-based)
  • AMSI (separate system, use AMSI bypass)
  • Minifilter filesystem monitoring
  • Kernel callbacks (separate system)
  • Network monitoring at driver level

UI Access

Kernel Utilities tab → ETW-TI section → Disable ETW-TI

Button shows current state (Enabled/Disabled) and allows toggling.

PatchGuard Considerations

  • Handle nullification — Data modification only, PatchGuard-safe
  • Function patching — Code modification, may trigger PatchGuard
  • EPT hooking — Ring -1 operation, PatchGuard cannot see

DioProcess uses handle nullification by default for PatchGuard safety.

Combined with Other Bypasses

For maximum evasion, combine ETW-TI bypass with:

Use Cases

  • Red team operations requiring stealth
  • Security product testing
  • Malware analysis without triggering alerts
  • Research on ETW-based detection