Simple Windows console application that listen for DNS resolutions events using the ETW Win32 API.
The application opens a real time event session and register to the Microsoft-Windows-DNS-Client providers to wait for DNS related events.
It generates two log files app.log
with application specific logs and audit.log
where it write every query performed in the OS.
It also store some statistics and print them out to stdout every 5 seconds and when finishing the application, with a summary of the total queries intercepted, the top 10 most resolved domains and the top 10 most active process resolving DNS queries.
[INFO][2020-04-24.13:54:53] - Starting Agentx Application
[INFO][2020-04-24.13:54:53] - Starting Microsoft-Windows-DNS-Client sensor
[INFO][2020-04-24.13:54:53] - Event trace session succesfully started
[INFO][2020-04-24.13:54:53] - Event provider succesfully enabled in event trace session.
[INFO][2020-04-24.13:54:53] - Sensor Microsoft-Windows-DNS-Client started.
[DEBUG][2020-04-24.13:54:55] - Event ID: 3006
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548885500
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[DEBUG][2020-04-24.13:54:55] - Event ID: 3006
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548924100
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[DEBUG][2020-04-24.13:54:55] - Event ID: 3008
[DEBUG][2020-04-24.13:54:55] - Event Time: 04/24/2020 13:54:53.548930700
[DEBUG][2020-04-24.13:54:55] - Received DNS Event generated by ProcessId: 16388
[DEBUG][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
[AUDIT][2020-04-24.13:54:55] - QueryName: checkappexec.microsoft.com performed by [16388] smartscreen.exe
DNS Sensor Info
{
Total Queries Received: 103
Total Process Generating Queries: 6
TOP Most Queried Domains:
26% - vortex.data.microsoft.com : 27
19% - checkappexec.microsoft.com : 20
13% - presence.teams.microsoft.com : 14
13% - play.google.com : 14
13% - drive.google.com : 14
8% - wpad : 9
4% - clients4.google.com : 5
TOP Most Active Process:
76% - [PID: 3068] : 79
7% - [PID: 8128] : 8
5% - chrome.exe : 6
3% - smartscreen.exe : 4
3% - [PID: 16060] : 4
1% - Teams.exe : 2
}
To start the application just run the compiled process as an Administrator, to stop collecting logs just use CTRL+C
A Visual Studio 2019 solution and project is available within the source code, just use it to compile the project.
The DNS Provider UUID is hardcoded and should be the same across all Windows versions, but in case it registered internally with a different UUID this wont work out of the box as this value needs to be updated. The application opens a real time mode trace session, so keep in mind this note taken from MS docs:
Only users with administrative privileges, users in the Performance Log Users group, and applications running as LocalSystem, > LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group