How does the ETW-based USB keylogger POC work and what are its limitations?
The POC uses Event Tracing for Windows (ETW) to capture keystrokes from USB keyboards by consuming events from kernel-mode ETW providers. It requires administrator privileges and works on Windows 7 and later with USB 2.0 or 3.0 keyboards (PS/2 keyboards are not supported). Its major limitations are recording latency, instability, and error messages such as 'ignoring non-usb keyboard device'. The full technique is described in Study Notes Weekly No.3. ETW keylogging is a novel approach compared to other application whitelisting bypass methods, such as using BGInfo.