ETW File IO Monitoring on XP/2003

Published 2019-07-31 13:19

Question:

I've been investigating ETW for process/file/registry/network monitoring. It looks like on Win7 it has everything I need. However, on XP it seems to be lacking the same level of detail. Specifically, with file IO only "FileCreate" events seem to be logged, and process creation events don't give a full path.

Is it possible to determine when a file is written to on XP with ETW? And how about the full path to a process start event?

Answer 1:

Starting with Vista MS added a lot of ETW providers to Windows. XP/Server only had a few of them. So you can't fix this for XP.
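For readers on Vista or later, the following PowerShell session is an added example (not part of the question or answer above) that shows what the questioner is missing on XP: the "NT Kernel Logger" session is started with the kernel trace flags that cover process start, image load, the XP-era file name events (EVENT_TRACE_FLAG_DISK_FILE_IO, which yields FileCreate/FileDelete/FileRundown) and the Vista-and-later per-operation file I/O events (EVENT_TRACE_FLAG_FILE_IO and EVENT_TRACE_FLAG_FILE_IO_INIT, which yield Create/Read/Write/Rename and so on). The flag values are the documented evntrace.h constants; the trace is then converted with tracerpt and filtered for FileIo Write events. The CSV column names used in the filter ("Event Name", "Type", "PID", "User Data") are an assumption about tracerpt's CSV layout on the box you run this on and should be checked against the first few rows. Run it from an elevated prompt; only one kernel logger session can exist at a time.

```powershell
# Added example: capture kernel file I/O with ETW on Vista/Win7+.
# Requires an elevated PowerShell; "NT Kernel Logger" is a single, system-wide session.

# EVENT_TRACE_FLAG_* constants from evntrace.h (documented values).
$FLAG_PROCESS      = 0x00000001   # process start/stop (Process_TypeGroup1)
$FLAG_THREAD       = 0x00000002
$FLAG_IMAGE_LOAD   = 0x00000004   # Image_Load events carry the full image path + PID
$FLAG_DISK_FILE_IO = 0x00000200   # FileIo_Name: FileCreate/FileDelete/FileRundown (this is all XP gives you)
$FLAG_FILE_IO      = 0x02000000   # FileIo_Create/ReadWrite/Info: Create, Read, Write, Rename, ...  (Vista+)
$FLAG_FILE_IO_INIT = 0x04000000   # FileIo init events, needed to correlate the above     (Vista+)

$flags = $FLAG_PROCESS -bor $FLAG_THREAD -bor $FLAG_IMAGE_LOAD -bor `
         $FLAG_DISK_FILE_IO -bor $FLAG_FILE_IO -bor $FLAG_FILE_IO_INIT
$flagsHex = '0x{0:X8}' -f $flags      # 0x06000207

$etl = Join-Path $env:TEMP 'kernel.etl'
$csv = Join-Path $env:TEMP 'kernel.csv'

# Check first what this OS's kernel provider actually supports; XP/2003 list far fewer
# keywords here (and do not recognise the FILE_IO flags at all).
logman query providers "Windows Kernel Trace"

# Start the kernel logger with the flag mask, do some file activity, then stop it.
logman start "NT Kernel Logger" -p "Windows Kernel Trace" $flagsHex -o $etl -ets
Set-Content -Path (Join-Path $env:TEMP 'etw-probe.txt') -Value 'hello'   # generates a FileIo Write
Start-Sleep -Seconds 2
logman stop "NT Kernel Logger" -ets

# Convert the binary trace to CSV for inspection.
tracerpt $etl -o $csv -of CSV -y

# Assumed tracerpt CSV column names: 'Event Name' (e.g. FileIo), 'Type' (e.g. Write),
# 'PID', 'User Data'. Verify with:  Import-Csv $csv | Select-Object -First 3 | Get-Member
$events = Import-Csv $csv

# File writes: on XP this filter returns nothing, because only FileIo_Name events exist there.
$writes = $events | Where-Object { $_.'Event Name' -eq 'FileIo' -and $_.Type -eq 'Write' }
$writes | Select-Object PID, 'Clock-Time', 'User Data' | Format-Table -AutoSize

# Full image path for a process: take it from the Image_Load event for the process's own
# executable (same PID), rather than from the Process Start event's ImageFileName field.
$loads = $events | Where-Object { $_.'Event Name' -eq 'Image' -and $_.Type -eq 'Load' }
$loads | Select-Object PID, 'User Data' | Select-Object -First 10 | Format-Table -AutoSize
```

If `logman start` rejects the flag mask, lower it to `0x00000207` (drop the two FILE_IO flags); that is the XP/2003-compatible subset and reproduces exactly the behaviour the question describes, which is the practical way to confirm that the missing events are a provider limitation rather than a configuration mistake.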