ETW_PROVIDER_TRAITS

The ETW_PROVIDER_TRAITS structure is the container in which the kernel keeps traits that are set for the registrations of event providers.

Provider traits are set for a registration through the kernel-mode EtwSetInformation and user-mode EventSetInformation functions when given the information class EventProviderSetTraits (2). If a registration has provider traits, then the ETW_REG_ENTRY that represents the registration has a Traits member that points to the ETW_PROVIDER_TRAITS that contains the traits.

Documentation Status

The ETW_PROVIDER_TRAITS structure is not documented.

Layout

The ETW_PROVIDER_TRAITS is 0x14 or 0x20 bytes in 32-bit and 64-bit Windows 10, respectively.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          RTL_BALANCED_NODE Node;
0x0C          0x18          ULONG ReferenceCount;
0x10          0x1C          UCHAR Traits [ANYSIZE_ARRAY];

The ETW_PROVIDER_TRAITS is a fixed-size header. The Traits are the variable-size traits information that kernel-mode or user-mode callers set for the registration. The same traits information can be set for many registrations. To avoid duplication, the kernel keeps a tree of reference-counted structures which each have different trait information. Registrations that have identical trait information all have their Traits pointing to the same ETW_PROVIDER_TRAITS.

Trait information is itself a set of containers of essentially arbitrary data. Microsoft documents the format:

Each trait has a similar format:

Note that all items are byte-aligned. There is no alignment padding, e.g., of a 16-bit size to a 16-bit offset after the string.
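Because nothing is aligned, code that inspects a traits blob must read the 16-bit sizes bytewise and bounds-check every step. The following walker is an added example, not code from this page or from Microsoft. It assumes the layout given in Microsoft's provider traits documentation (a 16-bit total size that includes itself, a null-terminated UTF-8 provider name, then traits that each begin with a 16-bit size and an 8-bit type); `rd16`, `walk_traits` and the sample bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian 16-bit value at any byte offset; no alignment assumed. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk a traits blob laid out as assumed in the lead-in:
 *   UINT16 total size | NUL-terminated name | { UINT16 size; UINT8 type; data }...
 * Returns the number of traits, or -1 if any size runs out of bounds.
 * On success, *name (if not NULL) points at the provider name inside buf. */
int walk_traits(const uint8_t *buf, size_t len, const char **name)
{
    if (len < 3) return -1;                    /* size field plus at least a NUL */
    size_t total = rd16(buf);
    if (total < 3 || total > len) return -1;   /* declared size must fit the buffer */
    const uint8_t *nul = memchr(buf + 2, 0, total - 2);
    if (nul == NULL) return -1;                /* name is not terminated */
    size_t off = (size_t)(nul - buf) + 1;      /* first trait follows the NUL directly */
    int count = 0;
    while (off < total) {
        if (total - off < 3) return -1;        /* no room for a trait header */
        size_t tsize = rd16(buf + off);        /* may sit at an odd offset */
        if (tsize < 3 || tsize > total - off) return -1;
        off += tsize;
        count++;
    }
    if (name != NULL) *name = (const char *)(buf + 2);
    return count;
}

/* Constructed sample: the 7-byte name puts the first trait at odd offset 9. */
static const uint8_t sample_traits[] = {
    0x15, 0x00,                                /* total size: 21 bytes */
    'M', 'y', 'P', 'r', 'o', 'v', 0x00,        /* provider name */
    0x07, 0x00, 0x01, 0xAA, 0xBB, 0xCC, 0xDD,  /* trait: size 7, type 1, 4 data bytes */
    0x05, 0x00, 0x02, 0x11, 0x22               /* trait: size 5, type 2, 2 data bytes */
};

int main(void)
{
    const char *name = NULL;
    int n = walk_traits(sample_traits, sizeof sample_traits, &name);
    printf("%d traits for provider %s\n", n, n >= 0 ? name : "(malformed)");
    return n < 0;
}
```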