# Each of these sections should be run separatedly# Setup: Create trace#

1. # Each of these sections should be run separatedly
2.  
3. # Setup: Create trace
4.  
5. # You can find keywords for a provider with: logman query providers "Provider Name"
6. # Providing an empty keyword list will return all events
7.  
8. $Providers = @{
9.     "Microsoft-Windows-Kernel-File" = "KERNEL_FILE_KEYWORD_FILENAME","KERNEL_FILE_KEYWORD_CREATE","KERNEL_FILE_KEYWORD_READ","KERNEL_FILE_KEYWORD_WRITE";
10.     "Microsoft-Windows-Kernel-Process" = "WINEVENT_KEYWORD_PROCESS","WINEVENT_KEYWORD_THREAD","WINEVENT_KEYWORD_IMAGE";
11.     "Microsoft-Windows-Kernel-Registry" = @();
12.     "Microsoft-Windows-Kernel-Network" = @();
13. }
14.  
15. logman create trace -n PseudoProcMon -o c:\temp\trace.etl
16.  
17. ForEach ($Provider In $Providers.Keys) {
18.     $KeywordString = ""
19.     If ($Providers[$Provider].Count -gt 0) {
20.         $KeywordString = "($($Providers[$Provider] -Join ","))"
21.     }
22.     logman update PseudoProcMon -p "$Provider" $KeywordString
23. }
24.  
25. # Start trace
26. logman start PseudoProcMon
27.  
28. # Stop trace
29. logman stop PseudoProcMon