PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY

Real-Time Disconnect

When given 0x0E as its FunctionCode argument, the NtTraceControl function disconnects a real-time consumer. Microsoft’s name for this function code is not known. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.

If the input buffer does not provide exactly 8 bytes or if any output buffer is given, the function returns STATUS_INVALID_PARAMETER. In version 6.0, all eight bytes of input are meaningful: two dwords identify respectively the logger and the consumer. Version 6.1 introduced the EtwConsumer as an object type such that a handle to this object represents the consumer and its connection to a logger, and is all that’s needed for disconnection. The input buffer provides this handle as its first 32 bits even on 64-bit Windows.

TO BE DONE?

This page was created on 22nd April 2020 from material first published on 31st December 2018. It was last modified on 28th May 2020.

Copyright © 2018-2020. Geoff Chappell. All rights reserved. Conditions apply.