[Enhancement Request] Support for Windows

[nicpenning]

Would it be feasible to introduce the eBPF capability to Windows environments? Today this is done with certain versions of Linux and the capabilities are quite powerful.

I noticed that there is eBPF being developed for Windows but I was curious if there is any play for Elastic here to take advantage of this so that the same powerful features of eBPF for Linux can be implemented for windows.

eBPF for Windows project: https://github.com/microsoft/ebpf-for-windows

[nfritts]

Unfortunately its probably not something that will be prioritized soon. It is something that we've been monitoring, but when looking at the getting started: https://github.com/microsoft/ebpf-for-windows/blob/main/docs/GettingStarted.md#installing-ebpf-for-windows

Since the eBPF for Windows binaries are not yet signed by Microsoft, they will only work on a machine with a kernel debugger (KD) attached and running, or test signing is enabled. (It is expected that official releases of eBPF for Windows will eventually be production signed at some point in the future after security hardening is completed.)

My guess is that until Microsoft is ready to start production signing the eBPF driver, we probably won't be able to do much to support it.

I'll leave the issue open so other's can chime in though.

[nicpenning]

Thanks, Nick! I figured I would just drop a note here just in case others had the same thought so this is good information. I understand the priority given the situation of eBPF for Windows.

[nicpenning]

Any pushing from Elastic to Microsoft on this? I think there is the potential for great opportunities between both Microsoft and Elastic if eBPF can be used in a similar way as it's Linux counterpart.