rabbitstack
diff --git a/‎cmd/fibratus/app/rules/validate.go‎
Lines changed: 2 additions & 1 deletion b/‎cmd/fibratus/app/rules/validate.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎configs/fibratus.yml‎
Lines changed: 4 additions & 0 deletions b/‎configs/fibratus.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 8 additions & 0 deletions b/‎go.mod‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 22 additions & 2 deletions b/‎go.sum‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎internal/bootstrap/bootstrap.go‎
Lines changed: 14 additions & 13 deletions b/‎internal/bootstrap/bootstrap.go‎
Lines changed: 14 additions & 13 deletions
diff --git a/‎internal/etw/processors/registry_windows.go‎
Lines changed: 1 addition & 3 deletions b/‎internal/etw/processors/registry_windows.go‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎internal/etw/source.go‎
Lines changed: 9 additions & 21 deletions b/‎internal/etw/source.go‎
Lines changed: 9 additions & 21 deletions
diff --git a/‎internal/etw/source_test.go‎
Lines changed: 8 additions & 16 deletions b/‎internal/etw/source_test.go‎
Lines changed: 8 additions & 16 deletions
@@ -24,6 +24,7 @@ import (
 	"github.com/rabbitstack/fibratus/internal/bootstrap"
 	"github.com/rabbitstack/fibratus/pkg/filter"
 	"github.com/rabbitstack/fibratus/pkg/filter/fields"
+	"github.com/rabbitstack/fibratus/pkg/rules"
 	"path/filepath"
 	"strings"
 )
@@ -91,7 +92,7 @@ func validateRules() error {
 		f := filter.New(rule.Condition, cfg)
 		err := f.Compile()
 		if err != nil {
-			return fmt.Errorf("%v %v", emoji.DisappointedFace, filter.ErrInvalidFilter(rule.Name, err))
+			return fmt.Errorf("%v %v", emoji.DisappointedFace, rules.ErrInvalidFilter(rule.Name, err))
 		}
 
 		w := warning{rule: rule.Name}
 
@@ -131,6 +131,10 @@ filament:
 # For local file system rule paths, it is possible to use the glob expression to load the
 # rules from different directory locations.
 filters:
+  # Indicates if the rule engine match all strategy is enabled. When the match all strategy
+  # is enabled, a single event can trigger multiple rules.
+  match-all: true
+
   rules:
     # Indicates if the rule engine is enabled and rules loaded
     enabled: true
 
@@ -28,6 +28,7 @@ require (
 	github.com/spf13/viper v1.6.2
 	github.com/streadway/amqp v1.0.0
 	github.com/stretchr/testify v1.8.1
+	github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6
 	github.com/valyala/bytebufferpool v1.0.0
 	github.com/valyala/gozstd v1.11.0
 	github.com/xeipuuv/gojsonschema v1.2.0
@@ -44,9 +45,16 @@ require (
 )
 
 require (
+	github.com/BurntSushi/toml v0.4.1 // indirect
 	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
+	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf // indirect
+	golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	honnef.co/go/tools v0.3.2 // indirect
 )
 
 require (
 
@@ -1,6 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
+github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
@@ -77,8 +78,9 @@ github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
@@ -230,6 +232,8 @@ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKs
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
+github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
@@ -254,6 +258,12 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go4.org/intern v0.0.0-20211027215823-ae77deb06f29 h1:UXLjNohABv4S58tHmeuIZDO6e3mHpW2Dx33gaNt03LE=
+go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA=
+go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf h1:IdwJUzqoIo5lkr2EOyKoe5qipUaEjbOKKY5+fzPBZ3A=
+go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf/go.mod h1:+QXzaoURFd0rGDIjDNpyIkv+F9R7EmeKorvlKRnhqgA=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 h1:FyBZqvoA/jbNzuAWLQE2kG820zMAkcilx6BMjGbL/E4=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 golang.org/x/arch v0.6.0 h1:S0JTfE48HbRj80+4tbvZDYsJ3tGv6BUU3XxyZ7CirAc=
 golang.org/x/arch v0.6.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -263,10 +273,14 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e h1:qyrTQ++p1afMkO4DPEeLGq/3oTsdlvdH4vqZUBWzUKM=
+golang.org/x/exp/typeparams v0.0.0-20220218215828-6cf2b201936e/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -289,6 +303,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -330,6 +346,8 @@ golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
@@ -363,5 +381,7 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.3.2 h1:ytYb4rOqyp1TSa2EPvNVwtPQJctSELKaMyLfqNP4+34=
+honnef.co/go/tools v0.3.2/go.mod h1:jzwdWgg7Jdq75wlfblQxO4neNaFFSvgc1tD5Wv8U0Yw=
 www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc h1:eeL+RUEGr6/lYL8hJEbvugrF88I6W4pBaVtFa1falj4=
 www.velocidex.com/golang/go-ntfs v0.2.1-0.20240818145200-04736de821dc/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=
@@ -30,6 +30,7 @@ import (
 	"github.com/rabbitstack/fibratus/pkg/handle"
 	"github.com/rabbitstack/fibratus/pkg/kcap"
 	"github.com/rabbitstack/fibratus/pkg/ps"
+	"github.com/rabbitstack/fibratus/pkg/rules"
 	"github.com/rabbitstack/fibratus/pkg/symbolize"
 	"github.com/rabbitstack/fibratus/pkg/sys"
 	"github.com/rabbitstack/fibratus/pkg/util/multierror"
@@ -52,7 +53,7 @@ type App struct {
 	config     *config.Config
 	evs        *EventSourceControl
 	symbolizer *symbolize.Symbolizer
-	rules      *filter.Rules
+	engine     *rules.Engine
 	hsnap      handle.Snapshotter
 	psnap      ps.Snapshotter
 	filament   filament.Filament
@@ -134,34 +135,34 @@ func NewApp(cfg *config.Config, options ...Option) (*App, error) {
 	hsnap := handle.NewSnapshotter(cfg, opts.handleSnapshotFn)
 	psnap := ps.NewSnapshotter(hsnap, cfg)
 
-	var (
-		rules *filter.Rules
-		res   *config.RulesCompileResult
-	)
+	var engine *rules.Engine
+	var rs *config.RulesCompileResult
+
 	if cfg.Filters.Rules.Enabled && !cfg.ForwardMode && !cfg.IsCaptureSet() {
-		rules = filter.NewRules(psnap, cfg)
+		engine = rules.NewEngine(psnap, cfg)
 		var err error
-		res, err = rules.Compile()
+		rs, err = engine.Compile()
 		if err != nil {
 			return nil, err
 		}
-		if res != nil {
-			log.Infof("rules compile summary: %s", res)
+		if rs != nil {
+			log.Infof("rules compile summary: %s", rs)
 		}
 	} else {
 		log.Info("rule engine is disabled")
 	}
 
-	evs := NewEventSourceControl(psnap, hsnap, cfg, res)
+	evs := NewEventSourceControl(psnap, hsnap, cfg, rs)
 
 	app := &App{
 		config:  cfg,
 		evs:     evs,
-		rules:   rules,
+		engine:  engine,
 		hsnap:   hsnap,
 		psnap:   psnap,
 		signals: sigs,
 	}
+
 	return app, nil
 }
 
@@ -234,8 +235,8 @@ func (f *App) Run(args []string) error {
 			f.evs.RegisterEventListener(f.symbolizer)
 		}
 		// register rule engine
-		if f.rules != nil {
-			f.evs.RegisterEventListener(f.rules)
+		if f.engine != nil {
+			f.evs.RegisterEventListener(f.engine)
 		}
 		// register YARA scanner
 		if cfg.Yara.Enabled {
 
@@ -87,9 +87,7 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 	switch e.Type {
 	case ktypes.RegKCBRundown, ktypes.RegCreateKCB:
 		khandle := e.Kparams.MustGetUint64(kparams.RegKeyHandle)
-		if _, ok := r.keys[khandle]; !ok {
-			r.keys[khandle], _ = e.Kparams.GetString(kparams.RegPath)
-		}
+		r.keys[khandle] = e.Kparams.MustGetString(kparams.RegPath)
 		kcbCount.Add(1)
 	case ktypes.RegDeleteKCB:
 		khandle := e.Kparams.MustGetUint64(kparams.RegKeyHandle)
 
@@ -71,16 +71,6 @@ var (
 	buffersRead = expvar.NewInt("kstream.kbuffers.read")
 )
 
-// SupportsSystemProviders determines if the support for granular
-// system providers in present.
-func SupportsSystemProviders() bool {
-	maj, _, patch := windows.RtlGetNtVersionNumbers()
-	if maj > 10 {
-		return true
-	}
-	return maj >= 10 && patch >= 20348
-}
-
 // EventSource is the core component responsible for
 // starting ETW tracing sessions and setting up event
 // consumers.
@@ -100,6 +90,8 @@ type EventSource struct {
 
 	filter    filter.Filter
 	listeners []kevent.Listener
+
+	isClosed bool
 }
 
 // NewEventSource creates the new ETW event source.
@@ -177,13 +169,6 @@ func (e *EventSource) Open(config *config.Config) error {
 
 	e.addTrace(etw.KernelLoggerSession, etw.KernelTraceControlGUID)
 
-	if SupportsSystemProviders() && !config.IsCaptureSet() {
-		log.Info("system providers support detected")
-		if config.Kstream.EnableRegistryKevents {
-			e.addTraceKeywords(etw.SystemRegistrySession, etw.SystemRegistryProviderID, etw.RegistryKeywordGeneral)
-		}
-	}
-
 	if config.Kstream.EnableDNSEvents {
 		e.addTrace(etw.DNSClientSession, etw.DNSClientGUID)
 	}
@@ -268,11 +253,16 @@ func (e *EventSource) Open(config *config.Config) error {
 // signal the event callback to stop consuming more events.
 // Finally, the trace is stopped along with all event consumers.
 func (e *EventSource) Close() error {
+	if e.isClosed {
+		return nil
+	}
+
 	for _, consumer := range e.consumers {
 		if err := consumer.Close(); err != nil {
 			log.Warnf("couldn't close consumer: %v", err)
 		}
 	}
+
 	for _, trace := range e.traces {
 		if !trace.IsStarted() {
 			continue
@@ -292,6 +282,8 @@ func (e *EventSource) Close() error {
 
 	close(e.stop)
 
+	e.isClosed = true
+
 	return e.sequencer.Shutdown()
 }
 
@@ -321,7 +313,3 @@ func (e *EventSource) RegisterEventListener(lis kevent.Listener) {
 func (e *EventSource) addTrace(name string, guid windows.GUID) {
 	e.traces = append(e.traces, NewTrace(name, guid, 0x0, e.config))
 }
-
-func (e *EventSource) addTraceKeywords(name string, guid windows.GUID, keywords uint64) {
-	e.traces = append(e.traces, NewTrace(name, guid, keywords, e.config))
-}
@@ -127,21 +127,17 @@ func TestEventSourceStartTraces(t *testing.T) {
 			evs := NewEventSource(psnap, hsnap, tt.cfg, nil)
 			require.NoError(t, evs.Open(tt.cfg))
 			defer evs.Close()
-			if !SupportsSystemProviders() {
-				assert.Equal(t, tt.wantSessions, len(evs.(*EventSource).traces))
-			}
+			assert.Equal(t, tt.wantSessions, len(evs.(*EventSource).traces))
 
 			for _, trace := range evs.(*EventSource).traces {
 				require.True(t, trace.Handle().IsValid())
 				require.NoError(t, etw.ControlTrace(0, trace.Name, trace.GUID, etw.Query))
-				if !SupportsSystemProviders() {
-					if tt.wantFlags != nil && trace.IsKernelTrace() {
-						flags, err := etw.GetTraceSystemFlags(trace.Handle())
-						require.NoError(t, err)
-						// check enabled system event flags
-						require.Equal(t, tt.wantFlags[0], flags[0])
-						require.Equal(t, tt.wantFlags[1], flags[4])
-					}
+				if tt.wantFlags != nil && trace.IsKernelTrace() {
+					flags, err := etw.GetTraceSystemFlags(trace.Handle())
+					require.NoError(t, err)
+					// check enabled system event flags
+					require.Equal(t, tt.wantFlags[0], flags[0])
+					require.Equal(t, tt.wantFlags[1], flags[4])
 				}
 			}
 		})
@@ -204,11 +200,7 @@ func TestEventSourceEnableFlagsDynamically(t *testing.T) {
 
 	flags := evs.(*EventSource).traces[0].enableFlagsDynamically(cfg.Kstream)
 
-	if SupportsSystemProviders() {
-		require.Len(t, evs.(*EventSource).traces, 3)
-	} else {
-		require.Len(t, evs.(*EventSource).traces, 2)
-	}
+	require.Len(t, evs.(*EventSource).traces, 2)
 
 	require.True(t, flags&etw.FileIO != 0)
 	require.True(t, flags&etw.Process != 0)