ETWP_NOTIFICATION_HEADER

The ETWP_NOTIFICATION_HEADER structure appears to be the kernel’s private variant of the ETW_NOTIFICATION_HEADER. The latter is shared with callers of the NtTraceControl function. They send and receive more or less arbitrary data in packets that begin with the notification header. While the kernel holds a packet in an ETW_QUEUE_ENTRY, it uses some members of the notification header differently—enough differently, it seems, to have prompted a slight renaming. Some of these differences are also known to NTDLL but apparently no higher.

Documentation Status

The ETWP_NOTIFICATION_HEADER structure is not documented.

Layout

The ETWP_NOTIFICATION_HEADER is 0x48 bytes in both 32-bit and 64-bit Windows in versions 6.0 and higher. Whether it or something enough like it exists in versions before 6.0, i.e., before NtTraceControl, is left for another time. Offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows 8. No difference is yet known for earlier versions.

Offset  Definition                                Remarks
0x00    ETW_NOTIFICATION_TYPE NotificationType;
0x04    ULONG NotificationSize;
0x08    LONG RefCount;                            Offset in ETW_NOTIFICATION_HEADER
0x0C    BOOLEAN ReplyRequested;
0x10    union {                                   only Timeout in ETW_NOTIFICATION_HEADER
            ULONG ReplyIndex;
            ULONG Timeout;
        };
0x14    union {
            ULONG ReplyCount;
            ULONG NotifyeeCount;
        };
0x18    union {                                   Reserved2 in ETW_NOTIFICATION_HEADER
            ULONGLONG ReplyHandle;
            PVOID ReplyObject;
            ULONG RegIndex;
        };
0x20    ULONG TargetPID;
0x24    ULONG SourcePID;
0x28    GUID DestinationGuid;
0x38    GUID SourceGuid;
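To make the table concrete, here is an added example (not from this page and not Microsoft's header) that transcribes the layout into a C struct, checks every member offset and the 0x48-byte total against the table with offsetof and _Static_assert, and then parses a constructed packet with the bounds check on NotificationSize that any reader of captured or dumped packets needs before trusting that field. The fixed-width typedefs, the GUID definition, the single placeholder ETW_NOTIFICATION_TYPE enumerator (the real enumerators are not on this page) and the sample values are assumptions made so the file builds outside the Windows SDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows-style aliases, assumed here so the file builds without the SDK. */
typedef uint32_t ULONG;
typedef int32_t  LONG;
typedef uint64_t ULONGLONG;
typedef uint8_t  BOOLEAN;
typedef void    *PVOID;

/* 16-byte GUID with 4-byte alignment, as in the SDK. */
typedef struct _GUID {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} GUID;

/* Placeholder enumerator only: it keeps the type 4 bytes wide without
   inventing the real ETW_NOTIFICATION_TYPE values. */
typedef enum _ETW_NOTIFICATION_TYPE {
    EtwNotificationTypePlaceholder = 0
} ETW_NOTIFICATION_TYPE;

/* Layout transcribed from the table (Windows 8+ symbol files). The unions are
   anonymous as in the symbols, which needs C11. */
typedef struct _ETWP_NOTIFICATION_HEADER {
    ETW_NOTIFICATION_TYPE NotificationType;   /* 0x00 */
    ULONG NotificationSize;                   /* 0x04 */
    LONG RefCount;                            /* 0x08 */
    BOOLEAN ReplyRequested;                   /* 0x0C, 3 bytes of padding follow */
    union { ULONG ReplyIndex; ULONG Timeout; };                           /* 0x10 */
    union { ULONG ReplyCount; ULONG NotifyeeCount; };                     /* 0x14 */
    union { ULONGLONG ReplyHandle; PVOID ReplyObject; ULONG RegIndex; };  /* 0x18 */
    ULONG TargetPID;                          /* 0x20 */
    ULONG SourcePID;                          /* 0x24 */
    GUID DestinationGuid;                     /* 0x28 */
    GUID SourceGuid;                          /* 0x38 */
} ETWP_NOTIFICATION_HEADER;

#define ETWP_EXPECTED_SIZE 0x48

/* Compile-time check of the documented total size on this target. */
_Static_assert(sizeof(ETWP_NOTIFICATION_HEADER) == ETWP_EXPECTED_SIZE,
               "ETWP_NOTIFICATION_HEADER must be 0x48 bytes");

/* Compares each member offset with the table; returns the number of
   mismatches, so 0 means the compiled layout matches the documented one. */
size_t etwp_layout_mismatches(void)
{
    static const struct { const char *name; size_t actual; size_t expected; } checks[] = {
        { "NotificationType", offsetof(ETWP_NOTIFICATION_HEADER, NotificationType), 0x00 },
        { "NotificationSize", offsetof(ETWP_NOTIFICATION_HEADER, NotificationSize), 0x04 },
        { "RefCount",         offsetof(ETWP_NOTIFICATION_HEADER, RefCount),         0x08 },
        { "ReplyRequested",   offsetof(ETWP_NOTIFICATION_HEADER, ReplyRequested),   0x0C },
        { "ReplyIndex",       offsetof(ETWP_NOTIFICATION_HEADER, ReplyIndex),       0x10 },
        { "ReplyCount",       offsetof(ETWP_NOTIFICATION_HEADER, ReplyCount),       0x14 },
        { "ReplyHandle",      offsetof(ETWP_NOTIFICATION_HEADER, ReplyHandle),      0x18 },
        { "TargetPID",        offsetof(ETWP_NOTIFICATION_HEADER, TargetPID),        0x20 },
        { "SourcePID",        offsetof(ETWP_NOTIFICATION_HEADER, SourcePID),        0x24 },
        { "DestinationGuid",  offsetof(ETWP_NOTIFICATION_HEADER, DestinationGuid),  0x28 },
        { "SourceGuid",       offsetof(ETWP_NOTIFICATION_HEADER, SourceGuid),       0x38 },
    };
    size_t bad = 0;
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        if (checks[i].actual != checks[i].expected) {
            fprintf(stderr, "%s at 0x%zx, table says 0x%zx\n",
                    checks[i].name, checks[i].actual, checks[i].expected);
            bad++;
        }
    }
    return bad;
}

/* Copies a raw packet into the header (host assumed little-endian, as on
   x86/x64). Returns 0 on success, -1 if the buffer is shorter than the header
   or NotificationSize is smaller than the header or larger than the buffer:
   the packet's own size field is never trusted before this check. */
int etwp_parse_header(const uint8_t *buf, size_t len, ETWP_NOTIFICATION_HEADER *out)
{
    if (buf == NULL || out == NULL || len < sizeof(*out)) return -1;
    memcpy(out, buf, sizeof(*out));
    if (out->NotificationSize < sizeof(*out) || out->NotificationSize > len) return -1;
    return 0;
}

static void put_u32(uint8_t *buf, size_t off, uint32_t v)
{
    for (int i = 0; i < 4; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
}

/* Builds a constructed (not captured) 0x48-byte packet with the size field and
   the two PIDs filled in, parses it back and returns TargetPID; 0 on failure. */
uint32_t etwp_sample_target_pid(void)
{
    uint8_t raw[ETWP_EXPECTED_SIZE];
    ETWP_NOTIFICATION_HEADER hdr;
    memset(raw, 0, sizeof raw);
    put_u32(raw, 0x04, ETWP_EXPECTED_SIZE);  /* NotificationSize = 0x48 */
    put_u32(raw, 0x20, 0x1234);              /* TargetPID, sample value */
    put_u32(raw, 0x24, 0x0004);              /* SourcePID, sample value */
    if (etwp_parse_header(raw, sizeof raw, &hdr) != 0) return 0;
    return hdr.TargetPID;
}

int main(void)
{
    printf("sizeof = 0x%zx, offset mismatches = %zu, sample TargetPID = 0x%x\n",
           sizeof(ETWP_NOTIFICATION_HEADER), etwp_layout_mismatches(),
           etwp_sample_target_pid());
    return 0;
}
```

Running this on a 32-bit or a 64-bit target should report 0x48 and no mismatches, which is the point of the exercise: if a later kernel version moves a member, a parser built this way fails its offset check instead of silently reading the wrong field, and the NotificationSize bounds check keeps a truncated or malformed packet from being read past its end.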