ETW is a tracing facility that allows a user to log events to a file or buffer. An overview of ETW can be found here. The basic architecture includes a Provider, a Controller, and a Consumer. The Controller defines and controls a capture session: it decides which providers are in the session and starts and stops it. The Provider, identified by a GUID (Globally Unique Identifier), logs events to a series of buffers. The Consumer receives events either from a buffer or from a file and processes them in chronological order. This module is an entirely Python-based ctypes wrapper around the Win32 APIs necessary for controlling ETW sessions and processing event data. The module is very flexible and can apply pre- or post-capture filters.
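To make the Controller role concrete, here is an added example (not the module's own code) of the kind of ctypes plumbing such a wrapper needs: the `EVENT_TRACE_PROPERTIES` structure laid out with Win32 field widths, a helper that fills it for a real-time session, and the `StartTraceW` call that opens the session. The struct layout and constants are the documented Win32 ones; the function names `build_session_properties`, `properties_view` and `start_session` are this example's own, and only the final call requires Windows.

```python
import ctypes
import sys

# Win32 fixed-width aliases (ctypes.c_ulong is 8 bytes on 64-bit Linux, so do not use it)
ULONG, ULONG64, LONG, HANDLE = ctypes.c_uint32, ctypes.c_uint64, ctypes.c_int32, ctypes.c_void_p
WNODE_FLAG_TRACED_GUID = 0x00020000      # Wnode.Flags: this block describes a trace session
EVENT_TRACE_REAL_TIME_MODE = 0x00000100  # deliver events to a consumer instead of a log file
ERROR_ALREADY_EXISTS = 183               # a session with this name is already running

class GUID(ctypes.Structure):            # provider and session identifiers
    _fields_ = [("Data1", ctypes.c_uint32), ("Data2", ctypes.c_uint16),
                ("Data3", ctypes.c_uint16), ("Data4", ctypes.c_uint8 * 8)]

class WNODE_HEADER(ctypes.Structure):    # the two unions are flattened to their widest member
    _fields_ = [("BufferSize", ULONG), ("ProviderId", ULONG), ("HistoricalContext", ULONG64),
                ("TimeStamp", ULONG64), ("Guid", GUID), ("ClientContext", ULONG), ("Flags", ULONG)]

class EVENT_TRACE_PROPERTIES(ctypes.Structure):
    _fields_ = ([("Wnode", WNODE_HEADER)]
                + [(n, ULONG) for n in ("BufferSize", "MinimumBuffers", "MaximumBuffers",
                                        "MaximumFileSize", "LogFileMode", "FlushTimer", "EnableFlags")]
                + [("AgeLimit", LONG)]   # union with FlushThreshold
                + [(n, ULONG) for n in ("NumberOfBuffers", "FreeBuffers", "EventsLost",
                                        "BuffersWritten", "LogBuffersLost", "RealTimeBuffersLost")]
                + [("LoggerThreadId", HANDLE), ("LogFileNameOffset", ULONG), ("LoggerNameOffset", ULONG)])

WNODE_SIZE, PROPERTIES_SIZE = ctypes.sizeof(WNODE_HEADER), ctypes.sizeof(EVENT_TRACE_PROPERTIES)

def properties_view(buf):
    """Interpret the start of a raw buffer as EVENT_TRACE_PROPERTIES (buf must outlive the view)."""
    return ctypes.cast(buf, ctypes.POINTER(EVENT_TRACE_PROPERTIES)).contents

def build_session_properties(session_name):
    """Allocate the properties block plus room for the UTF-16 session name after it.
    StartTraceW copies the name to LoggerNameOffset itself; we only reserve the space."""
    size = PROPERTIES_SIZE + (len(session_name) + 1) * 2
    buf = ctypes.create_string_buffer(size)        # zero-filled, so unset fields are 0
    props = properties_view(buf)
    props.Wnode.BufferSize = size
    props.Wnode.Flags = WNODE_FLAG_TRACED_GUID
    props.Wnode.ClientContext = 1                  # 1 = QueryPerformanceCounter timestamps
    props.LogFileMode = EVENT_TRACE_REAL_TIME_MODE
    props.LoggerNameOffset = PROPERTIES_SIZE       # name goes right after the fixed fields
    return buf

def start_session(session_name):
    """Controller role: open a real-time session and return its TRACEHANDLE (Windows only)."""
    if sys.platform != "win32":
        raise OSError("StartTraceW is only available on Windows")
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    advapi32.StartTraceW.argtypes = [ctypes.POINTER(ULONG64), ctypes.c_wchar_p,
                                     ctypes.POINTER(EVENT_TRACE_PROPERTIES)]
    advapi32.StartTraceW.restype = ULONG
    buf, handle = build_session_properties(session_name), ULONG64(0)
    status = advapi32.StartTraceW(ctypes.byref(handle), session_name,
                                  ctypes.cast(buf, ctypes.POINTER(EVENT_TRACE_PROPERTIES)))
    if status == ERROR_ALREADY_EXISTS:
        raise RuntimeError(f"session {session_name!r} already exists; stop it before restarting")
    if status != 0:
        raise ctypes.WinError(status)
    return handle.value
```

Enabling a provider (by its GUID) on the returned handle and attaching a Consumer are separate calls that follow the same pattern of hand-laid-out structures.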