Releases: m96-chan/PyETWkit

v3.0.2 - Python 3.10-3.14 Support

12 Dec 00:31

Changes

Python Version Support

  • Dropped: Python 3.9 (EOL October 2025)
  • Added: Python 3.14 support
  • Supported versions: 3.10, 3.11, 3.12, 3.13, 3.14

Internal Changes

  • Upgraded PyO3 from 0.22 to 0.25 for Python 3.14 compatibility
  • Migrated to new PyO3 API (IntoPyObject trait, removed *_bound methods)

Project Metadata

  • Updated repository description and topics
  • Added Changelog URL to PyPI project URLs

Full Changelog: v3.0.1...v3.0.2

v3.0.1 - Performance and Code Quality Improvements

11 Dec 09:10

Performance Improvements

CorrelationEngine (correlation.py)

  • O(1) event removal: Changed from list to dict-based indexing for event storage
  • Events now tracked by internal ID for constant-time removal from indexes
  • Extracted common _sort_by_timestamp() helper method

Player.seek() (recording.py)

  • Binary search: Uses bisect.bisect_left for O(log n) timestamp seeking (was O(n) linear search)
  • Pre-builds timestamp index during file load
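
The seek strategy described above, as an added illustration (not PyETWkit's own Player code): a timestamp index is built once when the recording is loaded, and seek() uses bisect.bisect_left so that duplicate timestamps and seeks past the end of the recording behave predictably. RecordedEvent, SAMPLE_RECORDING and the seek_linear comparison method are constructed for this example.

```python
import bisect
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Optional


@dataclass(order=True)
class RecordedEvent:
    """One event from a recording (constructed sample type, not PyETWkit's own)."""
    timestamp: int              # monotonic ticks; the sort/seek key
    event_id: int
    provider: str = field(compare=False)


class Player:
    """Seeks by timestamp in O(log n) using an index built once at load time."""

    def __init__(self, events: Iterable[RecordedEvent]) -> None:
        # A recording is written in capture order; sorting defensively guarantees
        # the monotonic index that bisect requires.
        self._events: List[RecordedEvent] = sorted(events)
        # Pre-built index, parallel to self._events, so seek() never rescans events.
        self._timestamps: List[int] = [e.timestamp for e in self._events]
        self._pos = 0

    def seek(self, timestamp: int) -> int:
        """Move the cursor to the first event with timestamp >= `timestamp`.

        bisect_left returns the leftmost insertion point, so all events sharing
        the target timestamp are replayed; seeking past the last event positions
        the cursor at len(events) and replay() then yields nothing.
        """
        self._pos = bisect.bisect_left(self._timestamps, timestamp)
        return self._pos

    def seek_linear(self, timestamp: int) -> int:
        """The O(n) scan the binary search replaced; kept only for comparison."""
        for i, ts in enumerate(self._timestamps):
            if ts >= timestamp:
                self._pos = i
                return i
        self._pos = len(self._timestamps)
        return self._pos

    def replay(self, until: Optional[int] = None) -> Iterator[RecordedEvent]:
        """Yield events from the cursor onward, stopping before `until` if given."""
        for event in self._events[self._pos:]:
            if until is not None and event.timestamp >= until:
                break
            yield event


# Constructed sample recording with duplicate timestamps and out-of-order capture.
SAMPLE_RECORDING = [
    RecordedEvent(30, 2, "Microsoft-Windows-Kernel-Process"),
    RecordedEvent(10, 1, "Microsoft-Windows-Kernel-Process"),
    RecordedEvent(20, 5, "Microsoft-Windows-Kernel-File"),
    RecordedEvent(20, 3, "Microsoft-Windows-Kernel-File"),
    RecordedEvent(50, 4, "Microsoft-Windows-Kernel-Network"),
]


if __name__ == "__main__":
    player = Player(SAMPLE_RECORDING)
    player.seek(20)
    for ev in player.replay(until=50):
        print(ev.timestamp, ev.event_id, ev.provider)
```

The index is a plain list of integers parallel to the event list; keeping it separate from the event objects is what lets bisect run without touching the events themselves.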

EventBuffer.get_events() (dashboard.py)

  • Uses itertools.islice to avoid full list conversion for efficient event retrieval
  • Optimized EventSerializer with attribute mapping dictionary

EtwStreamer (streamer.py)

  • Cached event loop: Added _get_loop() helper to reduce asyncio.get_event_loop() overhead

Error Handling Improvements

OtlpFileExporter (exporters/otlp.py)

  • Atomic file writes: Uses temp file + rename pattern for crash safety
  • Added proper exception handling with logging for OSError, TypeError, ValueError
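
The temp-file-plus-rename pattern and the exception handling listed above, as an added example that is not the project's OtlpFileExporter: the JSON payload is written to a temp file in the target directory, fsynced, then published with os.replace, so a crash or a serialisation error mid-write never leaves readers with a truncated file. write_json_atomically, read_json and demo are names chosen for this example.

```python
import json
import logging
import os
import tempfile
from pathlib import Path
from typing import Any, Dict

log = logging.getLogger(__name__)


def write_json_atomically(path: str, payload: Any) -> bool:
    """Write `payload` as JSON to `path` using the temp-file-plus-rename pattern.

    Returns True on success. On failure the previous file at `path` is left
    untouched (readers never see a half-written file) and the temp file is removed.
    """
    target = Path(path)
    # The temp file lives in the same directory so the final rename stays on one
    # filesystem and is atomic.
    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=target.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(payload, fh)
            fh.flush()
            os.fsync(fh.fileno())      # data on disk before the rename publishes it
        os.replace(tmp_name, target)   # atomic replace, also on Windows
        return True
    except (OSError, TypeError, ValueError) as exc:
        # TypeError: unserialisable object; ValueError: circular reference, or NaN
        # with allow_nan=False; OSError: disk full, permissions. Log, never swallow.
        log.error("export to %s failed: %s", target, exc)
        try:
            os.unlink(tmp_name)
        except OSError:
            pass
        return False


def read_json(path: str) -> Any:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> Dict[str, Any]:
    """Exercise the success path and a mid-write TypeError in a scratch directory."""
    scratch = tempfile.mkdtemp()
    target = os.path.join(scratch, "events.json")
    first_ok = write_json_atomically(target, {"events": [{"id": 1}, {"id": 2}]})
    # A set is not JSON-serialisable: json.dump raises TypeError after part of the
    # temp file has already been written, which is exactly the case the pattern covers.
    second_ok = write_json_atomically(target, {"events": [{"id": 3, "tags": {"a"}}]})
    return {
        "first_ok": first_ok,
        "second_ok": second_ok,
        "content": read_json(target),
        "leftover_temp_files": [n for n in os.listdir(scratch) if n.endswith(".tmp")],
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The second write fails, yet the file still holds the first payload and no .tmp file is left behind; that is the property a crash-safe exporter needs.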

Player (recording.py)

  • Added specific exception handling for JSONDecodeError, KeyError, OSError
  • Uses logging for error diagnostics instead of silent failures

Code Quality

  • Added logging throughout for better diagnostics
  • Consistent use of type hints
  • Improved code organization with helper methods

Full Changelog: v3.0.0...v3.0.1

v3.0.0 - Advanced Analysis Features

11 Dec 08:33

PyETWkit v3.0.0 - Advanced Analysis Features

New Features

Live Dashboard

  • Gradio-based real-time UI for ETW event visualization
  • CLI command: pyetwkit dashboard PROVIDER or pyetwkit dashboard --profile PROFILE
  • Auto-refreshing event table and statistics
  • Support for public share links with --share option

Event Correlation Engine

  • Auto-correlate events by PID, TID, or Handle
  • Generate unified activity timelines
  • Export to JSON for further analysis
  • "Wireshark for ETW" level insight
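
The correlation engine described here, and the dict-based O(1) removal noted in the v3.0.1 CorrelationEngine entry above, as one added example (constructed for this page, not PyETWkit's correlation.py): every event receives an internal id, each of the PID, TID and handle indexes maps a key to a dict used as an insertion-ordered set of ids, and a timeline is the sorted view of one index. Event, CorrelationEngine and export_json are names chosen for this example.

```python
import itertools
import json
from collections import defaultdict
from dataclasses import asdict, dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    """Constructed sample event (not PyETWkit's own event type)."""
    timestamp: int
    pid: int
    tid: int
    handle: Optional[int]
    name: str


class CorrelationEngine:
    """Indexes events by PID, TID and handle with O(1) insert and removal.

    Every event gets an internal integer id; each index maps a key (pid, tid or
    handle) to a dict used as an insertion-ordered set of those ids, so removing
    an event is one dict pop per index rather than a list scan.
    """

    def __init__(self) -> None:
        self._ids = itertools.count()
        self._events: Dict[int, Event] = {}
        self._by_pid: Dict[int, Dict[int, None]] = defaultdict(dict)
        self._by_tid: Dict[int, Dict[int, None]] = defaultdict(dict)
        self._by_handle: Dict[int, Dict[int, None]] = defaultdict(dict)

    def add(self, event: Event) -> int:
        eid = next(self._ids)
        self._events[eid] = event
        self._by_pid[event.pid][eid] = None
        self._by_tid[event.tid][eid] = None
        if event.handle is not None:
            self._by_handle[event.handle][eid] = None
        return eid

    def remove(self, eid: int) -> bool:
        """Drop an event from storage and every index in constant time."""
        event = self._events.pop(eid, None)
        if event is None:
            return False
        self._by_pid[event.pid].pop(eid, None)
        self._by_tid[event.tid].pop(eid, None)
        if event.handle is not None:
            self._by_handle[event.handle].pop(eid, None)
        return True

    def _sort_by_timestamp(self, ids: Iterable[int]) -> List[Event]:
        return sorted((self._events[i] for i in ids), key=lambda e: e.timestamp)

    def timeline(self, *, pid: Optional[int] = None, tid: Optional[int] = None,
                 handle: Optional[int] = None) -> List[Event]:
        """Unified, time-ordered activity for one correlation key (or everything)."""
        # .get() rather than [] so that a lookup never grows a defaultdict index.
        if pid is not None:
            ids = self._by_pid.get(pid, {})
        elif tid is not None:
            ids = self._by_tid.get(tid, {})
        elif handle is not None:
            ids = self._by_handle.get(handle, {})
        else:
            ids = self._events.keys()
        return self._sort_by_timestamp(ids)

    def export_json(self, **key: Optional[int]) -> str:
        """Serialise one timeline for downstream analysis."""
        return json.dumps([asdict(e) for e in self.timeline(**key)])


if __name__ == "__main__":
    eng = CorrelationEngine()
    eng.add(Event(5, 100, 1, None, "ProcessStart"))
    eng.add(Event(7, 100, 2, 0x40, "FileCreate"))
    eng.add(Event(6, 200, 3, 0x40, "FileRead"))
    print(eng.export_json(handle=0x40))
```

A dict whose values are all None is the usual Python idiom for an ordered set with O(1) membership and deletion; a plain set would work for removal too but loses insertion order, which is useful when two events share a timestamp.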

Recording & Replay

  • Capture ETW sessions to .etwpack format
  • Compression support: ZSTD, LZ4, GZIP
  • Fast replay with filtering and seeking
  • Convert ETL files to etwpack format

OpenTelemetry Exporter

  • Export ETW events to OTLP endpoints
  • Integration with Jaeger, Grafana, Datadog
  • Custom span mapping with SpanMapper
  • Batch export with configurable intervals

Installation

pip install pyetwkit

# With dashboard support
pip install pyetwkit[dashboard]

Quick Start

# Launch live dashboard
pyetwkit dashboard Microsoft-Windows-Kernel-Process

# Use a profile
pyetwkit dashboard --profile network --port 8080

Full Changelog

See CHANGELOG for details.

v2.0.0 - Multi-session, Manifest Events, Rust Filtering

11 Dec 06:54

What's New in v2.0.0

This release introduces three major features for advanced ETW event processing.

🆕 Features

Multi-session Concurrent Subscription (#48)

  • MultiSession class for managing multiple ETW sessions simultaneously
  • Unified event delivery from Kernel + User + Custom providers
  • Thread-safe event queue with automatic collection

from pyetwkit import MultiSession, KernelFlags

manager = MultiSession()
manager.add_kernel_session(flags=KernelFlags.PROCESS | KernelFlags.NETWORK)
manager.add_provider("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716")

with manager:
    for event in manager.events():
        print(f"[{event.provider_name}] {event.event_id}")

Manifest-based Typed Events (#55)

  • ManifestParser for parsing ETW provider manifests from registry and files
  • ProviderManifest, EventDefinition, FieldDefinition data classes
  • TypedEventFactory for creating typed events from manifests
  • ManifestCache for efficient manifest lookups

from pyetwkit import ManifestParser, TypedEventFactory

parser = ManifestParser()
manifest = parser.parse_from_registry("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716")
factory = TypedEventFactory(manifest)
# raw_event: an event previously received from a session for this provider
typed_event = factory.create(raw_event)

Real-time Event Filtering Callbacks (#56)

  • RustEventFilter for high-performance Rust-side event filtering
  • Filter by event IDs, levels, keywords, PIDs, and properties
  • Support for regex matching and comparison operators
  • AND/OR/NOT logical operators for combining filters

from pyetwkit import RustEventFilter

# Named event_filter so the builtin filter() is not shadowed
event_filter = (
    RustEventFilter()
    .event_ids([1, 2, 3])
    .level_max(4)
    .pid(1234)
    .property_contains("ImageFileName", "chrome")
)

📦 Installation

pip install pyetwkit==2.0.0

Full Changelog

v1.1.0...v2.0.0

v1.1.0 - Enhanced Core APIs

11 Dec 04:54

What's New in v1.1.0

New Features

Typed Events API (typed_events.py)

  • TypedEvent dataclass for type-safe event handling
  • Event type detection: ProcessEvent, FileEvent, NetworkEvent, RegistryEvent, DnsEvent
  • Automatic event classification with to_typed_event() function
  • Easy access to event properties via typed attributes

Async API (async_api.py)

  • AsyncEtwSession - Async wrapper for ETW sessions with proper provider ordering
  • EventBatcher - Batch events for efficient processing
  • gather_events() - Collect events over a time period
  • stream_to_queue() - Stream events to an async queue

Filtering API (filtering.py)

  • EventFilterBuilder - Fluent interface for building complex filters
  • Support for event ID, provider, process, keyword, and level filtering
  • Logical operators: AND, OR, NOT
  • Predicate-based custom filters
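
How a fluent filter builder with AND/OR/NOT composition and predicate escape hatches fits together, as an added example written for this page (it is not PyETWkit's filtering.py and its method names are chosen for illustration): each chained clause is ANDed into a single predicate, any_of/not_ combine built predicates, and where() accepts an arbitrary callable. Event and SAMPLE_EVENTS are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Event:
    """Constructed sample event type, not PyETWkit's TypedEvent."""
    event_id: int
    provider: str
    pid: int
    level: int
    keyword: int


Predicate = Callable[[Event], bool]


class EventFilterBuilder:
    """Fluent builder: every chained clause is ANDed into one predicate."""

    def __init__(self) -> None:
        self._clauses: List[Predicate] = []

    def event_ids(self, *ids: int) -> "EventFilterBuilder":
        wanted = frozenset(ids)
        self._clauses.append(lambda e: e.event_id in wanted)
        return self

    def provider(self, name: str) -> "EventFilterBuilder":
        self._clauses.append(lambda e: e.provider == name)
        return self

    def pid(self, pid: int) -> "EventFilterBuilder":
        self._clauses.append(lambda e: e.pid == pid)
        return self

    def level_max(self, level: int) -> "EventFilterBuilder":
        # ETW levels: lower numbers are more severe, so "at most level" keeps the severe ones.
        self._clauses.append(lambda e: e.level <= level)
        return self

    def keyword_any(self, mask: int) -> "EventFilterBuilder":
        self._clauses.append(lambda e: (e.keyword & mask) != 0)
        return self

    def where(self, predicate: Predicate) -> "EventFilterBuilder":
        """Escape hatch for a custom predicate."""
        self._clauses.append(predicate)
        return self

    def build(self) -> Predicate:
        clauses = tuple(self._clauses)   # snapshot so later chaining cannot mutate a built filter
        return lambda e: all(c(e) for c in clauses)


def all_of(*preds: Predicate) -> Predicate:
    return lambda e: all(p(e) for p in preds)


def any_of(*preds: Predicate) -> Predicate:
    return lambda e: any(p(e) for p in preds)


def not_(pred: Predicate) -> Predicate:
    return lambda e: not pred(e)


def apply_filter(pred: Predicate, events: Iterable[Event]) -> List[Event]:
    return [e for e in events if pred(e)]


# Constructed sample events; keyword values are arbitrary bit masks.
SAMPLE_EVENTS = [
    Event(1, "Microsoft-Windows-Kernel-Process", 100, 4, 0x10),
    Event(2, "Microsoft-Windows-Kernel-Process", 100, 5, 0x10),
    Event(3, "Microsoft-Windows-Kernel-File", 200, 2, 0x20),
    Event(1, "Microsoft-Windows-Kernel-File", 300, 4, 0x40),
]


if __name__ == "__main__":
    severe_file_events = all_of(
        EventFilterBuilder().level_max(4).build(),
        not_(EventFilterBuilder().provider("Microsoft-Windows-Kernel-Process").build()),
    )
    for ev in apply_filter(severe_file_events, SAMPLE_EVENTS):
        print(ev)
```

An empty builder yields a predicate that accepts everything (all() of no clauses is True), which is the natural identity for a chain of AND clauses.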

Examples

  • demo_async_api.py - Demonstrates async event collection
  • demo_typed_events.py - Shows typed event handling
  • demo_filtering.py - Examples of event filtering

Bug Fixes

  • Fixed AsyncEtwSession provider ordering to respect user-specified order
  • Fixed Python 3.9 compatibility for type annotations
  • Fixed CI test isolation to prevent src directory import conflicts

Developer Experience

  • Added pre-commit hooks for code quality (black, ruff, cargo fmt, clippy)
  • Improved CI workflow with better test isolation
  • Enhanced example scripts with better error handling

Installation

pip install pyetwkit

Upgrade from v1.0.0

This is a backwards-compatible release. No code changes are required.


🤖 Generated with Claude Code

v1.0.0 - Initial Release

11 Dec 01:14
0a6a922

PyETWkit v1.0.0

Features

  • Real-time ETW streaming (sync & async APIs)
  • Kernel providers: Process, Thread, Registry, File, Disk, Network
  • User providers: NDIS, Media Foundation, WASAPI, DXGI, Audio
  • Filtering: Provider / Event ID / PID / Opcode
  • Rust backend (pyo3) for high throughput
  • Provider discovery: list_providers(), search_providers(), get_provider_info()
  • Schema support: EventSchema, SchemaCache
  • Data export: Pandas, Arrow, Parquet, CSV, JSON
  • CLI tool: pyetwkit command with live viewer
  • Provider profiles: Pre-configured profiles for common use cases
  • ETL file reading: EtlReader for offline analysis

Installation

pip install pyetwkit

Quick Start

from pyetwkit import EtwListener

# The provider name is passed as a string
for event in EtwListener("Microsoft-Windows-Kernel-Process").events():
    print(event)

Requirements

  • Windows 10/11/Server
  • Python 3.9+
  • Administrator privileges for ETW tracing

🤖 Generated with Claude Code