Currently, PowerShell uses the same ETW provider GUID as PowerShell on Windows. This presents a few subtle problems:
1: PowerShell 6 events cannot be easily distinguished from PowerShell/Windows.
2: PowerShell 6 is relying on a valid ETW manifest being registered to ensure events can be decoded. This assumption breaks on down-level systems that do not contain PowerShell/Windows 5.X and also ties PowerShell 6 to PowerShell/Windows events.
The solution is as follows:
1: Snapshot the PowerShell/Windows ETW manifest and update the provider GUID and Provider Name.
The Event Viewer location should be moved outside the Microsoft/Windows event tree since PowerShell 6 does not ship inbox.
2: Provide a script or MSI action to register the PowerShell 6 manifest either at install time or as a post-install user step to address xcopy deploy use cases.
3: Document the updated Provider GUID, name, and any registration steps (if appropriate) for consumers.
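
A sketch of the post-install registration step from item 2, as an added example that is not part of the issue or of the PowerShell project's code. It assumes the manifest, its resource binary and the provider name are supplied by the caller (the issue names none of them) and uses the built-in `wevtutil.exe` and `Get-WinEvent`.

```powershell
#Requires -RunAsAdministrator
# Added example: register an ETW/event-log manifest for an xcopy-deployed install.
# All three parameters are caller-supplied assumptions; none come from the issue.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ManifestPath,    # instrumentation manifest (.man)
    [Parameter(Mandatory)] [string] $ResourceBinary,  # binary holding the message/resource tables
    [Parameter(Mandatory)] [string] $ProviderName     # provider name declared in the manifest
)

$ErrorActionPreference = 'Stop'

# Resolve to absolute paths: the registration stores the resource path machine-wide.
$ManifestPath   = (Resolve-Path -LiteralPath $ManifestPath).Path
$ResourceBinary = (Resolve-Path -LiteralPath $ResourceBinary).Path

# If the provider is already registered, unregister it first so the
# registration reflects this manifest and this install location.
$existing = Get-WinEvent -ListProvider $ProviderName -ErrorAction SilentlyContinue
if ($existing -and $PSCmdlet.ShouldProcess($ProviderName, 'Unregister existing manifest')) {
    wevtutil.exe um $ManifestPath
    if ($LASTEXITCODE -ne 0) { throw "wevtutil um failed with exit code $LASTEXITCODE" }
}

if ($PSCmdlet.ShouldProcess($ProviderName, 'Register manifest')) {
    # /rf and /mf point the registration at the resource and message tables.
    wevtutil.exe im $ManifestPath "/rf:$ResourceBinary" "/mf:$ResourceBinary"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil im failed with exit code $LASTEXITCODE" }
}

# Verify that the provider now resolves and report what consumers will see.
$provider = Get-WinEvent -ListProvider $ProviderName
[pscustomobject]@{
    Name     = $provider.Name
    Id       = $provider.Id                 # provider GUID to document for consumers
    Channels = $provider.LogLinks.LogName   # event log channels the manifest declares
    Events   = $provider.Events.Count       # number of event definitions that decode
}
```

For an xcopy deployment, keep the resource binary in a directory that only administrators can write to, since the registration records its path for every event consumer on the machine.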