Documentation - ET Ducky

Getting Started

System Requirements

Windows 10 version 1809 or later (Windows 11 recommended)
.NET 9 Runtime (installer will prompt if needed)
Administrator privileges (required for ETW monitoring)
4GB RAM minimum (8GB recommended)
500MB disk space

Installation

Download the installer from the homepage
Run ETDucky-Setup.msi
Accept the User Account Control (UAC) prompt
Follow the installation wizard
Launch ET Ducky from the Start Menu

Note: ET Ducky requires administrator privileges to access Event Tracing for Windows (ETW). You'll see a UAC prompt each time you launch the application.

Using ET Ducky

Starting Monitoring

Launch ET Ducky
Select the ETW providers you want to monitor
Click "Start Monitoring"
Events will appear in real-time

AI-Powered Analysis

ET Ducky can analyze events using AI to provide insights:

Automatic Analysis: Select events and click "Analyze with AI"
Provider Options: Choose from Claude (Anthropic), ChatGPT (OpenAI), or Copilot
Custom Queries: Ask specific questions about event patterns

Subscription Plans

Choose the plan that fits your needs:

Professional ($39/month): Individual use, unlimited monitoring, 1000 AI queries/month
Business ($99/month): Team use, priority support, 5000 AI queries/month
Enterprise ($249/month): Unlimited users, dedicated support, unlimited AI queries

BYOK (Bring Your Own Key): All plans support using your own API keys for AI providers, giving you full control over costs and usage.

Configuration

AI Provider Setup

To use your own API keys:

Go to Settings → AI Providers
Select your preferred provider (Claude, ChatGPT, or Copilot)
Enter your API key
Click "Save Configuration"

ETW Provider Configuration

Configure which Windows ETW providers to monitor:

Windows Kernel Trace: Low-level system events
Application Events: Application-specific traces
Security Events: Security and audit logs
Custom Providers: Add any ETW provider GUID

Database Location

Event data is stored locally in:

%PROGRAMFILES%\ET Ducky\etwmonitor.db

Troubleshooting

Common Issues

UAC Prompt Every Launch

This is normal. ET Ducky requires administrator privileges to access ETW. You can create a scheduled task to run it elevated without prompts.

No Events Showing

Verify you're running as administrator
Check that the ETW provider is enabled
Try restarting the monitoring session

AI Analysis Not Working

Verify your subscription is active
Check your API key is valid (if using BYOK)
Ensure you have an internet connection

Application Crashes

Check the logs at:

%PROGRAMFILES%\ET Ducky\logs\

Still having issues? Contact support at [email protected] with your log files.

API Reference

Supported AI Models

Anthropic Claude

Recommended: claude-sonnet-4-5-20250929 (Claude Sonnet 4.5)
Fast & Economical: claude-haiku-4-5-20251001 (Claude Haiku 4.5)
Most Powerful: claude-opus-4-20250514 (Claude Opus 4)

OpenAI ChatGPT

Recommended: gpt-4o (GPT-4 Omni)
Economical: gpt-4o-mini
Legacy: gpt-3.5-turbo

ETW Provider GUIDs

Common Windows ETW providers you can monitor:

                
Microsoft-Windows-Kernel-Process: {22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}

Microsoft-Windows-TCPIP: {2f07e2ee-15db-40f1-90ef-9d7ba282188a}

Microsoft-Windows-DNS-Client: {1c95126e-7eea-49a9-a3fe-a378b03ddb4d}

Support

Need help? We're here for you:

Email: [email protected]
Documentation: This page
EULA: End User License Agreement
Privacy:

ET Ducky Documentation