From ae3e164b777ba2450148bce1d95686b7accfbd9e Mon Sep 17 00:00:00 2001
From: Logan Freijo <5163050+lfreijo@users.noreply.github.com>
Date: Mon, 2 Mar 2026 20:00:51 -0500
Subject: [PATCH 1/2] Update etwmon to support Windows 11
Windows 11 is missing EtwAdminlessProvRegHandle and IoMgrTraceHandle. This allows them to just be skipped but still process
---
 src/plugins/etwmon/etwmon.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/plugins/etwmon/etwmon.cpp b/src/plugins/etwmon/etwmon.cpp
index 4e737ef04..524bcf116 100644
--- a/src/plugins/etwmon/etwmon.cpp
+++ b/src/plugins/etwmon/etwmon.cpp
@@ -534,8 +534,8 @@ etwmon::etwmon(drakvuf_t drakvuf, output_format_t output)
 addr_t entry{};
 if (!drakvuf_get_kernel_symbol_va(drakvuf, name, &entry))
 {
- PRINT_DEBUG("[ETWMON] Failed to resolve %s\n", name);
- throw -1;
+ PRINT_DEBUG("[ETWMON] Failed to resolve %s, skipping\n", name);
+ continue;
 }
 this->global_handles_va.push_back(entry);
 }
@@ -548,8 +548,8 @@ etwmon::etwmon(drakvuf_t drakvuf, output_format_t output)
 addr_t entry{};
 if (!drakvuf_get_kernel_symbol_va(drakvuf, name, &entry))
 {
- PRINT_DEBUG("[ETWMON] Failed to resolve %s\n", name);
- throw -1;
+ PRINT_DEBUG("[ETWMON] Failed to resolve %s, skipping\n", name);
+ continue;
 }
 for (size_t i = 0; i < size; i++)
 {
From ce4440e9f75b38177829ce535113406e057b4a89 Mon Sep 17 00:00:00 2001
From: Logan Freijo
Date: Wed, 4 Mar 2026 16:21:38 +0000
Subject: [PATCH 2/2] etwmon: Add Windows 11 global handle list
Windows 11 (build >= 22000) removed EtwAdminlessProvRegHandle and IoMgrTraceHandle, and added 8 new handles: EtwpDiskProvRegHandle, EtwCpuPartitionProvRegHandle, EtwCpuStarvationProvRegHandle, IopDumpEtwRegHandle, PnpEtwHandle, PnpRundownEtwHandle, WheapEtwHandle, and SshpTraceHandle. Add a dedicated win11_global_handles list and select it when the build number indicates Windows 11. Restore throw on unresolved symbols since each list now contains only handles known to exist on its target OS version.
Co-Authored-By: Claude Opus 4.6
---
 src/plugins/etwmon/etwmon.cpp | 55 +++++++++++++++++++++++++++++++----
 1 file changed, 50 insertions(+), 5 deletions(-)
diff --git a/src/plugins/etwmon/etwmon.cpp b/src/plugins/etwmon/etwmon.cpp
index 524bcf116..b48b6bf65 100644
--- a/src/plugins/etwmon/etwmon.cpp
+++ b/src/plugins/etwmon/etwmon.cpp
@@ -147,6 +147,44 @@ static const std::vector win10_global_handles =
 "PerfDiagGlobals",
 };
 
+static const std::vector win11_global_handles =
+{
+ "EtwpEventTracingProvRegHandle",
+ "EtwKernelProvRegHandle",
+ "EtwpPsProvRegHandle",
+ "EtwpNetProvRegHandle",
+ "EtwpFileProvRegHandle",
+ "EtwpRegTraceHandle",
+ "EtwpMemoryProvRegHandle",
+ "EtwpDiskProvRegHandle",
+ "EtwAppCompatProvRegHandle",
+ "EtwApiCallsProvRegHandle",
+ "EtwCVEAuditProvRegHandle",
+ "EtwThreatIntProvRegHandle",
+ "EtwLpacProvRegHandle",
+ "EtwCpuPartitionProvRegHandle",
+ "EtwCpuStarvationProvRegHandle",
+ "EtwSecurityMitigationsRegHandle",
+ "KiIntSteerEtwHandle",
+ "HvlGlobalSystemEventsHandle",
+ "PopDiagSleepStudyHandle",
+ "WdipSemRegHandle",
+ "IoTraceHandle",
+ "IopDumpEtwRegHandle",
+ "KitEtwHandle",
+ "IopLiveDumpEtwRegHandle",
+ "KseEtwHandle",
+ "PnpEtwHandle",
+ "PnpRundownEtwHandle",
+ "PopDiagHandle",
+ "PopTriggerDiagHandle",
+ "PpmEtwHandle",
+ "PopBatteryEtwHandle",
+ "WheapEtwHandle",
+ "SshpTraceHandle",
+ "PerfDiagGlobals",
+};
+
 static const std::vector win7_global_handles =
 {
 "EtwKernelProvRegHandle",
@@ -520,7 +558,14 @@ etwmon::etwmon(drakvuf_t drakvuf, output_format_t output)
 callbacks_names = &win7_global_callbacks;
 break;
 case VMI_OS_WINDOWS_10:
- handles_names = &win10_global_handles;
+ if (this->winver.buildnumber >= 22000)
+ {
+ handles_names = &win11_global_handles;
+ }
+ else
+ {
+ handles_names = &win10_global_handles;
+ }
 callbacks_names = &win10_global_callbacks;
 break;
 default:
@@ -534,8 +579,8 @@ etwmon::etwmon(drakvuf_t drakvuf, output_format_t output)
 addr_t entry{};
 if (!drakvuf_get_kernel_symbol_va(drakvuf, name, &entry))
 {
- PRINT_DEBUG("[ETWMON] Failed to resolve %s, skipping\n", name);
- continue;
+ PRINT_DEBUG("[ETWMON] Failed to resolve %s\n", name);
+ throw -1;
 }
 this->global_handles_va.push_back(entry);
 }
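Review bot: The new win11_global_handles list carries no comment recording which Windows 11 build(s) its symbol set was checked against, and since the constructor later in this patch throws on the first unresolved name, etwmon will refuse to load on any Win11 build that drops or renames one of these handles. A header comment such as `// Global ETW registration handles present on Windows 11 (build >= 22000); verified against build <BUILD_PLACEHOLDER>. Any name missing on the target kernel aborts etwmon init.` makes that failure diagnosable when a future build shifts the set. The same note is worth mirroring on win10_global_handles, whose list begins before this hunk.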
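Review bot: The threshold in `if (this->winver.buildnumber >= 22000)` is a bare magic number inside the OS switch; it belongs next to the handle lists it selects, e.g. `static constexpr auto kWin11MinBuild = 22000;  // first Windows 11 RTM build` (matched to the type of winver.buildnumber), after which the eight-line if/else collapses to `handles_names = this->winver.buildnumber >= kWin11MinBuild ? &win11_global_handles : &win10_global_handles;`. The Win11 branch still selects win10_global_callbacks; if that was verified rather than left over, a one-line comment saying so would stop a later reader from taking it for an oversight. The switch statement starts before this hunk.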
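Review bot: Restoring `throw -1` on the first unresolved handle means a Windows 11 build whose symbol set differs from the one the list was built on reports only one missing name per run, so bringing the list up to date costs one failed start per symbol. Recording the failure, finishing the loop, and throwing afterwards keeps the fail-closed behaviour the commit wants while printing every missing symbol in one run; the callbacks loop in the following hunk (`@@ -548,8 +593,8 @@`) has the same shape and can share the flag. The enclosing loop header is outside the hunk, and since PRINT_DEBUG presumably only shows in verbose runs, the aggregate failure may also deserve a non-debug message if the project has one.
```cpp
// bool unresolved{false}; declared before the loop
// … unchanged: loop header over *handles_names (starts before the hunk) …
        addr_t entry{};
        if (!drakvuf_get_kernel_symbol_va(drakvuf, name, &entry))
        {
            PRINT_DEBUG("[ETWMON] Failed to resolve %s\n", name);
            unresolved = true;
            continue;
        }
        this->global_handles_va.push_back(entry);
// … unchanged: loop end, callbacks loop using the same flag …
    if (unresolved)
        throw -1;
```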
@@ -548,8 +593,8 @@ etwmon::etwmon(drakvuf_t drakvuf, output_format_t output)
 addr_t entry{};
 if (!drakvuf_get_kernel_symbol_va(drakvuf, name, &entry))
 {
- PRINT_DEBUG("[ETWMON] Failed to resolve %s, skipping\n", name);
- continue;
+ PRINT_DEBUG("[ETWMON] Failed to resolve %s\n", name);
+ throw -1;
 }
 for (size_t i = 0; i < size; i++)
 {