Question
> wevtutil.exe gp <provider-name> /ge /gm /f:xml
prints the manifest given a provider, except for its data templates. Is there a tool I am missing that would display the templates defined in an installed provider's manifest? They must be out there in the binary WEVT_TEMPLATE resource, since the Tdh* functions seem to know about them.
Answer 1:
PerfView can do this with this command:
PerfView userCommand DumpRegisteredManifest <provider-name>
This dumps the complete manifest into an XML.
Answer 2:
Resource Hacker allows the display of WEVT_TEMPLATE structure.
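
A third way to read the templates, as an added example that is not part of the question or either answer: the provider metadata returned by Get-WinEvent -ListProvider carries each event's template XML, so the fields can be listed per event ID. The function name Get-EventTemplateField and the provider name in the sample call are assumptions made for illustration.

```powershell
# Added example (not from the thread): list the data fields of every event
# template a registered provider declares, using Get-WinEvent provider metadata.
function Get-EventTemplateField {
    param(
        [Parameter(Mandatory)]
        [string]$ProviderName   # e.g. a name printed by: wevtutil.exe ep
    )

    # ProviderMetadata.Events holds one EventMetadata object per declared event.
    $provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

    foreach ($evt in $provider.Events) {
        # Events without a data template expose an empty Template string.
        if ([string]::IsNullOrWhiteSpace($evt.Template)) { continue }

        try {
            $template = [xml]$evt.Template
        } catch {
            Write-Warning "Event $($evt.Id) v$($evt.Version): template is not well-formed XML"
            continue
        }

        # Each <data> element is one field; inType/outType give its encoding.
        foreach ($field in $template.template.data) {
            [pscustomobject]@{
                EventId = $evt.Id
                Version = $evt.Version
                Field   = $field.name
                InType  = $field.inType
                OutType = $field.outType
            }
        }
    }
}

# Sample call; the provider name here is an assumption chosen for illustration.
Get-EventTemplateField -ProviderName 'Microsoft-Windows-Security-Auditing' |
    Format-Table -AutoSize
```

Only top-level `<data>` elements are listed; fields nested inside `<struct>` elements of a template are not expanded.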
Source: https://stackoverflow.com/questions/39089525/is-there-a-tool-to-dump-show-event-data-templates-defined-in-a-providers-manife