ElmPlugin.dll
What this program actually does
ElmPlugin.dll is the Event Log Monitor (ELM) plugin. It subscribes to Windows Event Log channels via EvtSubscribe, applies regex-based rule filters from seat config, monitors critical Windows services via a ServiceWatcher, and can trigger session termination or telemetry when security-relevant events match configured rules.
It also integrates with logman for ETW trace control and proxies feature enable/disable via GciPlugin's ElmFeatureControl API. MB endpoint: ElmPlugin. Build: version 2.0 2026-04-07-b253f97.
Architecture / control flow
NvContainerGcis.exe
└─ ElmPlugin.dll
   ├─ GcisPluginTaskQueue / GSConfigClient
   ├─ PluginStart:
   │  ├─ ServiceWatcher — SCM notifications for configured services
   │  │  └─ RegisterServiceStopNotify, QueryServiceStatus
   │  └─ EvtSubscribe — Windows Event Log subscription
   │     └─ EvtRender → rule filter (regex) → action
   ├─ Session termination hooks
   │  └─ Respects session tearing down / enforcement override
   ├─ logman integration (trace start/stop — inferred from gs2-agent pattern)
   └─ GsecTasTelemetryKey
RTTI/strings: ServiceWatcher, Poco XML types (rule config parsing), EvtSubscribe, EvtRender.
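To make the inferred EvtRender → regex filter → action pipeline and its startup checks concrete, here is an added reference model in Python. It is not the plugin's code: the status names are the plugin's own strings from the failure-modes section, while the config layout (windows_events / rule_filters / services keys), the action names and the sample event are constructed assumptions.

```python
import re
# Status names are the plugin's own strings (failure-modes table); the config
# layout (windows_events / rule_filters / services keys) is a constructed assumption.
EMPTY_CONFIG = "GSEC_ELM_Error_EmptyConfig"
NO_FILTERS = "GSEC_ELM_Error_RuleFiltersNotDefined"
NO_EVENTS = "GSEC_ELM_Error_WindowsEventsUndefined"
DUP_SERVICE = "GSEC_ELM_Error_DuplicateServiceRegistrationDetected"
REGEX_FAILED = "GSEC_ELM_Warning_RegexProcesssingFailed"
TEARDOWN_IGNORED = "GSEC_ELM_Warning_IgnoringSessionTerminationDueToSessionTearingDown"

def validate_config(cfg):
    """Startup checks implied by the error strings; returns the error name or None."""
    if not cfg:
        return EMPTY_CONFIG
    if not cfg.get("rule_filters"):
        return NO_FILTERS
    if not cfg.get("windows_events"):
        return NO_EVENTS
    services = cfg.get("services", [])
    if len(set(services)) != len(services):
        return DUP_SERVICE
    return None

def compile_rules(rule_filters):
    """Compile each rule's regex; a bad pattern is reported as a warning, not fatal."""
    rules, warnings = [], []
    for r in rule_filters:
        try:
            rules.append((re.compile(r["pattern"], re.S), r["action"]))
        except re.error:
            warnings.append((REGEX_FAILED, r["pattern"]))
    return rules, warnings

def process_event(rendered_xml, rules, session_tearing_down=False):
    """Run the regex filters over EvtRender output; returns (action, warning)."""
    for pattern, action in rules:
        if pattern.search(rendered_xml):
            # Termination is suppressed while the session is already tearing down.
            if action == "terminate_session" and session_tearing_down:
                return ("none", TEARDOWN_IGNORED)
            return (action, None)
    return ("none", None)

# Constructed sample: a System/7036 "service entered the stopped state" event.
SAMPLE_EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
                "<EventID>7036</EventID></System><EventData><Data Name='param1'>Windows Event Log"
                "</Data><Data Name='param2'>stopped</Data></EventData></Event>")
SAMPLE_CONFIG = {"windows_events": ["System"], "services": ["EventLog"], "rule_filters": [
    {"pattern": r"<EventID>7036</EventID>.*Windows Event Log.*stopped", "action": "terminate_session"},
    {"pattern": r"(unbalanced", "action": "telemetry"}]}
```

The second sample rule is deliberately malformed to show that a regex failure surfaces as the RegexProcesssingFailed warning rather than aborting the subscription.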
External interfaces
GCIS Service API
| Message | Purpose |
|---|---|
| GCISServiceAPI_GCISRequest_ElmFeatureControl | Enable/disable ELM rules at runtime (via GciPlugin) |
Windows Event Log (wevtapi)
| API | Purpose |
|---|---|
| EvtSubscribe | Subscribe to event channels (Security, System, custom) |
| EvtRender | Render event XML for rule matching |
| EvtRenderSuccededWithEmptyBuffer | Edge-case handling logged as error |
Service Control Manager
| Component | Purpose |
|---|---|
| ServiceWatcher | Monitor service stop/start for configured services |
| OpenSCManagerW, OpenServiceW, QueryServiceStatus | SCM access |
| RegisterServiceStopNotify | Async service stop notifications |
Message Bus
- Endpoint: ElmPlugin - receives session state changes to arm/disarm rules
Runtime timeline
| Time (UTC) | Event | Source |
|---|---|---|
| 19:04:52.294 | Module ElmPlugin v2.0, init OK | ElmPluginCurrent.log |
| 19:04:52.883 | Starting ElmPlugin; TAS session initiated | ElmPluginCurrent.log |
| 19:04:53.041 | GcisConfigData not found → Failed to start ElmPlugin | ElmPluginCurrent.log |
| 19:04:53.053 | Stop: Stopping service watcher (watcher started minimally) | ElmPluginCurrent.log |
| 19:04:53.044 | Mandatory plugin Starting failure | NvContainerGcis.log |
The ServiceWatcher stop path runs even though the EvtSubscribe subscription was most likely never armed, since no config was loaded.
Failure modes
| Error string | Meaning |
|---|---|
| GSEC_ELM_Error_EmptyConfig | No ELM rules in GcisConfigData |
| GSEC_ELM_Error_RuleFiltersNotDefined | Rule filter section missing |
| GSEC_ELM_Error_WindowsEventsUndefined | Event channel list missing |
| GSEC_ELM_Error_ElmSubscribeEventsFailed | EvtSubscribe setup failed |
| GSEC_ELM_Error_EvtRenderFailed | Event rendering error |
| GSEC_ELM_Error_FailedToProcessEvent | Rule action pipeline error |
| GSEC_ELM_Error_StartServiceWatcherFailed | SCM watcher init failed |
| GSEC_ELM_Error_DuplicateServiceRegistrationDetected | Config lists same service twice |
| GSEC_ELM_Warning_ServiceDisarmed / ServiceRearmed | Feature toggle |
| GSEC_ELM_Warning_IgnoringSessionTerminationDueToSessionTearingDown | Suppress terminate during teardown |
| GSEC_ELM_Warning_RegexProcesssingFailed | Rule regex compile/match error |
| Missing GcisConfigData | PluginStart abort (observed) |
Not verified
- Exact event channels monitored in Production (Security vs Sysmon vs custom).
- logman trace names and trigger conditions.
- Whether ELM can terminate sessions autonomously or only signals GciPlugin.
- Full rule filter XML/JSON schema.
Evidence
- strings / RTTI on services/GCIS/plugins/ElmPlugin.dll
- logs/GCIS/ElmPluginCurrent.log, ElmPluginOld.log
- logs/GCIS/NvContainerGcis.log
- logs/GSP/GSConfiguratorPluginCurrent.log