Add functionality: Provider specific information

[secDre4mer]

First of all, thank you for creating the library. I've recently started working with ETW and have found it to be very useful so far.
However, one thing I was missing was information about the registered providers (e.g: there is no way yet to look up a provider based on its name). I feel that some additional provider specific information about events could also be very helpful, e.g. a text version of a specific task code.

I've created a first implementation for these points in my fork (https://github.com/secDre4mer/etw). If you think this functionality might be helpful for others, I'd like to create a pull request.

[yalegko]

Hey, we're glad to hear that it's useful for somebody!

As for the original issue.

Yes, the ability to look for a provider by name seems quite a convenient feature. We discussed a solution like yours during lib development. Sadly, now we're unsure why we didn't implement it. Perhaps, it was due to a lack of a way to get the provider directly, without enumerating all available ones (which seems like unnecessary overhead).

As for other features like querying info about a provider, isn't it easier to use Windows tooling as logman (e.g. logman query providers 'Microsoft-Windows-DNS-Client') during the development process?

Do we miss some use cases when you need to query provider features in the runtime?

As for available contribution at all

We noticed that you've already fixed an issue, which we also faced in production recently. We'll be glad to see PR with secDre4mer@a6f6813.

We'll highly appreciate it if you respond as soon as you get a chance, as we need a fixed version for the nearest release.

[secDre4mer]

Hi,

Thanks for the feedback. The reason why I implemented a provider lookup by name is that the provider name will ultimately be received at runtime from configuration files, and therefore a lookup at development time is not feasible.
I've created #7 for the MapInfo fix.

[yalegko]

the provider name will ultimately be received at runtime from configuration file

Yea, and the ability to lookup provider by name is unarguably good. My question was about other provider information, like an ability to query provider Levels, Tasks, Keywords and so on. Windows native toolkit seems easier to use, that's why I asked about cases to use them in runtime in Go

So to clarify it once again:

• LookupProvider and ListProviders look good
• All other Provider methods seems questionable

p.s. Thx again for #7. All other bugfixes are always appreciated :)

[secDre4mer]

Hi,

I think you're right about ListKeywords / ListChannels / ..., that functionality is not useful at runtime and likely superfluous. QueryTask / QueryOpcode are potentially useful in my opinion, e.g. when writing ETW events as a human readable form. I'll move them to a separate PR from LookupProvider / ListProviders, however, and if necessary we can continue the discussion there.
#8 created for LookupProvider / ListProviders.