This function registers the current process as the provider of security events.


ULONG EtwRegisterSecurityProvider (VOID);

Return Value

The function returns zero for success, else an error code.


This function is essentially a call to the kernel, specifically through NtTraceControl case 0x18 with no input or output. It claims the right for the current process to write user-mode security events. It is an error (ERROR_ACCESS_DENIED) if the kernel has assigned this right already, even to the same process. Otherwise, the function succeeds and only the process that called this function is subsequently able to write user-mode security events.

The security provider is very special. It has a hard-coded registration in the kernel, to be enabled for one and only one logger. It is protected from functional interfaces both for registering event providers and enumerating them.

Provider GUID: {54849625-5478-4994-A5BA-3E3B0328C30D}
Provider Name: Microsoft-Windows-Security-Auditing
Logger GUID: {0E66E20B-B802-BA6A-9272-31199D0ED295}
Logger Name: Eventlog-Security

The logger is not protected in this sense, only the provider. The standard Windows configuration does specify security for the logger, and quite tightly, with access allowed only to the SYSTEM account and to the Eventlog service (which is not permitted the TRACELOG_LOG_EVENT permission). However, this protection is just the usual machinery. User-mode code, and even kernel-mode code outside the kernel, cannot get a registration handle for the provider. Its only way to write an event from this provider is through EtwWriteUMSecurityEvent (or its equivalent in terms of NtTraceEvent), and the kernel permits this to succeed only if made by the same process that first called this EtwRegisterSecurityProvider function (or its equivalent in terms of NtTraceControl).


The EtwRegisterSecurityProvider function is exported by name from NTDLL.DLL in version 6.0 and higher.

Perhaps unsurprisingly, this function is not documented. Its only known user is LSASRV.DLL.