ETW_REALTIME_CONSUMER

The ETW_REALTIME_CONSUMER structure is the kernel’s representation of a real-time event consumer that is connected to a logger. It is a formal object, with handles and access control. The object type is named EtwConsumer. Note that the kernel has no exported variable for this object type, presumably because only the kernel is ever involved in interpreting a handle that refers to such an object.

Documentation Status

The ETW_REALTIME_CONSUMER structure is not documented.

Layout

For a non-trivial structure that is plainly very much internal to the kernel, the ETW_REALTIME_CONSUMER has been very stable, if only since version 6.1 settled on making the structure into an object type. The following changes of size are known.

Version | Size (x86) | Size (x64)
6.0 | 0x40 | 0x60
6.1 | 0x50 | 0x88
6.2 | 0x4C | 0x88
6.3 to 1511 | 0x54 | 0x98
1607 | 0x58 | 0xA0

These sizes, and the offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows 7. The implementation in version 6.0, predating the object type, is very different and type information seems not to have made it into the public symbol files for Windows Vista, but there is evident continuity.

Offset (x86) | Offset (x64) | Definition | Versions | Remarks
0x00 | 0x00 | LIST_ENTRY Links; | 6.0 and higher |
0x08 (6.0) | 0x10 (6.0) | unknown HANDLE to pipe | 6.0 only |
0x0C (6.0); 0x08 | 0x18 (6.0); 0x10 | HANDLE ProcessHandle; | 6.1 and higher |
0x10 (6.0) | 0x20 (6.0) | unknown 32-bit sequence number as consumer ID | 6.0 only |
0x14 (6.0) | 0x24 (6.0) | unknown 32-bit process ID | 6.0 only |
0x18 (6.0) | 0x28 (6.0) | ULONG BuffersLost; | 6.0 only | next at 0x28 and 0x50
0x1C (6.0) | 0x2C (6.0) | BOOLEAN NewBuffersLost; | 6.0 only | next at 0x35 and 0x5D
0x0C | 0x18 | EPROCESS *ProcessObject; | 6.1 and higher |
0x20 (6.0); 0x10 | 0x30 (6.0); 0x20 | PVOID NextNotDelivered; | 6.0 and higher |
0x24 (6.0); 0x14 | 0x38 (6.0); 0x28 | PVOID RealtimeConnectContext; | 6.0 and higher |
0x28 (6.0) | 0x40 (6.0) | unknown KEVENT | 6.0 only |
0x18 | 0x30 | KEVENT *DisconnectEvent; | 6.1 and higher |
0x1C | 0x38 | KEVENT *DataAvailableEvent; | 6.1 and higher |
0x20 | 0x40 | ULONG *UserBufferCount; | 6.1 and higher |
0x24 | 0x48 | SINGLE_LIST_ENTRY *UserBufferListHead; | 6.1 and higher |
0x28 | 0x50 | ULONG BuffersLost; | 6.1 and higher | previously at 0x18 and 0x28
0x38 (6.0); 0x2C | 0x58 (6.0); 0x54 | ULONG EmptyBuffersCount; | 6.0 and higher |
0x30 | 0x58 | ULONG LoggerId; | 6.1 only |
0x30 | 0x58 | USHORT LoggerId; | 6.2 and higher |
0x3C (6.0); 0x34 (6.1) | 0x5C | BOOLEAN ShutDownRequested; | 6.0 to 6.1 | next in Flags
0x35 (6.1) | 0x5D (6.1) | BOOLEAN NewBuffersLost; | 6.1 only | previously at 0x1C and 0x2C; next in Flags
0x36 (6.1) | 0x5E (6.1) | BOOLEAN Disconnected; | 6.1 only | next in Flags
0x32 | 0x5A | union { UCHAR Flags; struct { /* bit fields, see below */ }; }; | 6.2 and higher |
0x38 (6.1); 0x34 | 0x60 | RTL_BITMAP ReservedBufferSpaceBitMap; | 6.1 and higher |
0x40 (6.1); 0x3C | 0x70 | UCHAR *ReservedBufferSpace; | 6.1 and higher |
0x44 (6.1); 0x40 | 0x78 | ULONG ReservedBufferSpaceSize; | 6.1 and higher |
0x48 (6.1); 0x44 | 0x7C | ULONG UserPagesAllocated; | 6.1 and higher |
0x4C (6.1); 0x48 | 0x80 | ULONG UserPagesReused; | 6.1 and higher |
(none) | 0x84 | BOOLEAN Wow; | 6.1 only | next in Flags
0x4C | 0x88 | ULONG *EventsLostCount; | 6.3 and higher |
0x50 | 0x90 | ULONG *BuffersLostCount; | 6.3 and higher |
0x54 | 0x98 | ETW_SILODRIVERSTATE *SiloState; | 1607 and higher |

Flags

Version 6.2 consolidated some one-byte booleans into UCHAR bit fields as Flags, and added one:

Mask (x86) | Mask (x64) | Definition | Versions | Remarks
0x01 | 0x01 | UCHAR ShutDownRequest : 1; | 6.2 and higher | previously BOOLEAN at 0x34 and 0x5C
0x02 | 0x02 | UCHAR NewBuffersLost : 1; | 6.2 and higher | previously BOOLEAN at 0x35 and 0x5D
0x04 | 0x04 | UCHAR Disconnected : 1; | 6.2 and higher | previously BOOLEAN at 0x36 and 0x5E
0x08 | 0x08 | UCHAR Notified : 1; | 6.2 and higher |
(none) | 0x10 | UCHAR Wow : 1; | 6.2 and higher | previously BOOLEAN at 0x84
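The two tables above can be folded into one compilable declaration of the 1607-and-higher layout, which is what a memory-forensics parser or debugger extension would want. This is an added example, not a Microsoft header or code from this page: the typedef stand-ins for the Windows types are the example's own, the member order and bit-field names are taken from the tables, and the offsets assume the natural alignment of a 32-bit or 64-bit build, as checked by the function at the end.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal stand-ins for the Windows types the structure uses (part of this added example). */
typedef uint8_t UCHAR;  typedef uint16_t USHORT;  typedef uint32_t ULONG;
typedef void *PVOID, *HANDLE;
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _RTL_BITMAP { ULONG SizeOfBitMap; ULONG *Buffer; } RTL_BITMAP;
typedef struct _EPROCESS EPROCESS;  typedef struct _KEVENT KEVENT;                    /* opaque here */
typedef struct _SINGLE_LIST_ENTRY SINGLE_LIST_ENTRY;  typedef struct _ETW_SILODRIVERSTATE ETW_SILODRIVERSTATE;

/* Version 1607 and higher, member by member from the layout table; comments give x86 / x64 offsets. */
typedef struct _ETW_REALTIME_CONSUMER {
    LIST_ENTRY Links;                       /* 0x00 / 0x00 */
    HANDLE ProcessHandle;                   /* 0x08 / 0x10 */
    EPROCESS *ProcessObject;                /* 0x0C / 0x18 */
    PVOID NextNotDelivered;                 /* 0x10 / 0x20 */
    PVOID RealtimeConnectContext;           /* 0x14 / 0x28 */
    KEVENT *DisconnectEvent;                /* 0x18 / 0x30 */
    KEVENT *DataAvailableEvent;             /* 0x1C / 0x38 */
    ULONG *UserBufferCount;                 /* 0x20 / 0x40 */
    SINGLE_LIST_ENTRY *UserBufferListHead;  /* 0x24 / 0x48 */
    ULONG BuffersLost;                      /* 0x28 / 0x50 */
    ULONG EmptyBuffersCount;                /* 0x2C / 0x54 */
    USHORT LoggerId;                        /* 0x30 / 0x58 */
    union {                                 /* 0x32 / 0x5A; bit fields from the Flags table */
        UCHAR Flags;
        struct { UCHAR ShutDownRequest : 1, NewBuffersLost : 1, Disconnected : 1, Notified : 1, Wow : 1; };
    };                                      /* alignment padding brings the next member to 0x34 / 0x60 */
    RTL_BITMAP ReservedBufferSpaceBitMap;   /* 0x34 / 0x60 */
    UCHAR *ReservedBufferSpace;             /* 0x3C / 0x70 */
    ULONG ReservedBufferSpaceSize;          /* 0x40 / 0x78 */
    ULONG UserPagesAllocated;               /* 0x44 / 0x7C */
    ULONG UserPagesReused;                  /* 0x48 / 0x80 */
    ULONG *EventsLostCount;                 /* 0x4C / 0x88 */
    ULONG *BuffersLostCount;                /* 0x50 / 0x90 */
    ETW_SILODRIVERSTATE *SiloState;         /* 0x54 / 0x98 */
} ETW_REALTIME_CONSUMER;

/* Returns 1 if natural alignment at this pointer width reproduces the documented offsets and size, else 0. */
int etw_consumer_layout_matches(void)
{
    int x64 = sizeof(void *) == 8;
    return offsetof(ETW_REALTIME_CONSUMER, BuffersLost) == (x64 ? 0x50u : 0x28u)
        && offsetof(ETW_REALTIME_CONSUMER, LoggerId) == (x64 ? 0x58u : 0x30u)
        && offsetof(ETW_REALTIME_CONSUMER, Flags) == (x64 ? 0x5Au : 0x32u)
        && offsetof(ETW_REALTIME_CONSUMER, ReservedBufferSpaceBitMap) == (x64 ? 0x60u : 0x34u)
        && offsetof(ETW_REALTIME_CONSUMER, EventsLostCount) == (x64 ? 0x88u : 0x4Cu)
        && offsetof(ETW_REALTIME_CONSUMER, SiloState) == (x64 ? 0x98u : 0x54u)
        && sizeof(ETW_REALTIME_CONSUMER) == (x64 ? 0xA0u : 0x58u);
}
```

The check passing on both pointer widths shows that the sizes 0x58 and 0xA0 for version 1607 fall out of the members alone, with no hidden padding beyond the compiler's natural alignment.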