Original ProcMon used ETW, Event Tracing for Windows; the analogous technology (... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

bboreham on May 6, 2021 | parent | context | favorite | on: ProcMon for Linux (Preview)

Original ProcMon used ETW, Event Tracing for Windows; the analogous technology (although very different in style) on Linux is eBPF so that’s what this tool uses.

altano on May 6, 2021 [–]

I think you’re mistaken. ProcMon doesn’t use ETW on Windows and I don’t believe it ever did?

bboreham on May 7, 2021 | | [–]

Sorry about that; I guess I misremembered?

This file says it does, though only for network events: https://documentation.help/Process-Monitor/documentation.pdf

ale42 on May 6, 2021 | | [–]

Indeed I don't think so. ProcMon uses a kernel driver for the event tracing.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact