pip install pywintrace
pip install psutil

import time
import etw
import psutil

def on_trace_event(event):
    event_descriptor_id, info = event
    if event_descriptor_id == 1:
        # parent_process_id = int(info["ParentProcessID"])
        process_id = int(info["ProcessID"])
        # image_name = info["ImageName"]
        # timestamp = int(info["TimeDateStamp"][2:], 16)
        try:
            p = psutil.Process(process_id)
            if p.name() == "WeChat.exe":
                print(" [process] 微信启动: {}".format(process_id))
        except:
            pass
    elif event_descriptor_id == 2:
        process_id = int(info["ProcessID"])
        image_name = info["ImageName"]
        try:
            if image_name == "WeChat.exe":
                print(" [process] 微信退出: {}".format(process_id))
        except:
            pass


class MyETW(etw.ETW):

    def __init__(self, event_callback):
        # define capture provider info, use `logman query providers`
        providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-Process', etw.GUID("{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}"))]
        super().__init__(providers=providers, event_callback=event_callback)

    def start(self):
        # do pre-capture setup
        self.do_capture_setup()
        super().start()

    def stop(self):
        super().stop()
        # do post-capture teardown
        self.do_capture_teardown()

    def do_capture_setup(self):
        # do whatever setup for capture here
        pass

    def do_capture_teardown(self):
        # do whatever for capture teardown here
        pass


def my_capture():
    # instantiate class
    capture = MyETW(on_trace_event)
    # start capture
    capture.start()
    # wait some time to capture data
    while True:
        try:
            time.sleep(0.5)
        except KeyboardInterrupt:
            break
    # stop capture
    capture.stop()


if __name__ == '__main__':
    my_capture()