drop system evtx csv or autologger registry export · detect ETW provider disablement · autologger session tampering · telemetry coverage · csv export · runs locally
AutoLogger Enabled=0 · kernel EventTracing ID 1 · PowerShell 4104 Stop-Trace / logman / wevtutil · SysmonDrv registry