
v2.0.0 - Multi-session, Manifest Events, Rust Filtering


m96-chan released this 11 Dec 06:54 · 8 commits to main since this release

What's New in v2.0.0

This release introduces three major features for advanced ETW event processing.

🆕 Features

Multi-session Concurrent Subscription (#48)

  • MultiSession class for managing multiple ETW sessions simultaneously
  • Unified event delivery from Kernel + User + Custom providers
  • Thread-safe event queue with automatic collection

```python
from pyetwkit import MultiSession, KernelFlags

manager = MultiSession()
manager.add_kernel_session(flags=KernelFlags.PROCESS | KernelFlags.NETWORK)
manager.add_provider("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716")

with manager:
    for event in manager.events():
        print(f"[{event.provider_name}] {event.event_id}")
```

Manifest-based Typed Events (#55)

  • ManifestParser for parsing ETW provider manifests from registry and files
  • ProviderManifest, EventDefinition, FieldDefinition data classes
  • TypedEventFactory for creating typed events from manifests
  • ManifestCache for efficient manifest lookups

```python
from pyetwkit import ManifestParser, TypedEventFactory

parser = ManifestParser()
manifest = parser.parse_from_registry("22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716")
factory = TypedEventFactory(manifest)
# raw_event is assumed to be an event received from a subscription
# (for example one yielded by MultiSession.events()) for this provider.
typed_event = factory.create(raw_event)
```

Real-time Event Filtering Callbacks (#56)

  • RustEventFilter for high-performance Rust-side event filtering
  • Filter by event IDs, levels, keywords, PIDs, and properties
  • Support for regex matching and comparison operators
  • AND/OR/NOT logical operators for combining filters

```python
from pyetwkit import RustEventFilter

# Named event_filter rather than filter to avoid shadowing the built-in filter().
event_filter = (
    RustEventFilter()
    .event_ids([1, 2, 3])
    .level_max(4)
    .pid(1234)
    .property_contains("ImageFileName", "chrome")
)
```
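To make the filter semantics concrete, here is a small pure-Python model of the chained filter above and of the AND/OR/NOT combinators, run over constructed sample events. It is an added example, not pyetwkit's code: the method names mirror the snippet above, `property_regex`, `any_of`, `not_` and the event dict layout are my own assumptions, and the real `RustEventFilter` evaluates on the Rust side.

```python
import re
from typing import Any, Callable, Dict, Iterable, List

Event = Dict[str, Any]

class ChainFilter:
    """Each chained call adds one term; an event matches only if every term holds (AND)."""
    def __init__(self) -> None:
        self._terms: List[Callable[[Event], bool]] = []
    def _add(self, term: Callable[[Event], bool]) -> "ChainFilter":
        self._terms.append(term)
        return self
    def event_ids(self, ids: Iterable[int]) -> "ChainFilter":
        wanted = set(ids)
        return self._add(lambda e: e["event_id"] in wanted)
    def level_max(self, level: int) -> "ChainFilter":
        return self._add(lambda e: e["level"] <= level)
    def pid(self, pid: int) -> "ChainFilter":
        return self._add(lambda e: e["pid"] == pid)
    def property_contains(self, name: str, needle: str) -> "ChainFilter":
        return self._add(lambda e: needle in str(e["properties"].get(name, "")))
    def property_regex(self, name: str, pattern: str) -> "ChainFilter":  # hypothetical name
        rx = re.compile(pattern)
        return self._add(lambda e: rx.search(str(e["properties"].get(name, ""))) is not None)
    def matches(self, event: Event) -> bool:
        return all(term(event) for term in self._terms)

def any_of(*filters: ChainFilter) -> Callable[[Event], bool]:
    return lambda e: any(f.matches(e) for f in filters)  # OR across sub-filters

def not_(f: ChainFilter) -> Callable[[Event], bool]:
    return lambda e: not f.matches(e)  # NOT: pass only what the sub-filter rejects

# Constructed sample events (not captured from a real ETW session).
SAMPLE_EVENTS: List[Event] = [
    {"event_id": 1, "level": 4, "pid": 1234, "properties": {"ImageFileName": "chrome.exe"}},
    {"event_id": 1, "level": 4, "pid": 5678, "properties": {"ImageFileName": "notepad.exe"}},
    {"event_id": 2, "level": 5, "pid": 1234, "properties": {"ImageFileName": "chrome.exe"}},
    {"event_id": 3, "level": 4, "pid": 1234, "properties": {"ImageFileName": "chrome_proxy.exe"}},
]

def select(events: Iterable[Event], keep: Callable[[Event], bool]) -> List[int]:
    """Indices of the events that pass the predicate."""
    return [i for i, e in enumerate(events) if keep(e)]

# The same terms as the release-notes snippet: ids 1-3, level <= 4, pid 1234, image contains "chrome".
RELEASE_FILTER = ChainFilter().event_ids([1, 2, 3]).level_max(4).pid(1234).property_contains("ImageFileName", "chrome")
```

Note that the level-5 event is dropped by `level_max(4)` even though its other fields match, and that the substring match also admits `chrome_proxy.exe`; use the regex form when an exact image name is required.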

📦 Installation

```
pip install pyetwkit==2.0.0
```

Full Changelog

v1.1.0...v2.0.0