Geoff Chappell, Software Analyst
PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY
When given EtwStopLoggerCode (2) as its FunctionCode argument, the NtTraceControl function stops a tracing session, known less formally as a logger. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.
A WMI_LOGGER_INFORMATION structure is expected to begin the input and is produced as the function’s successful output. If either the input or output buffer is too small for this structure, which includes the case of a user-mode request that gives NULL for either buffer’s address, the function returns STATUS_INVALID_BUFFER_SIZE. If a kernel-mode request provides no input, the returned error code is instead STATUS_INVALID_PARAMETER.
The WMI_LOGGER_INFORMATION members that matter for specifying which tracing session to operate on are the GUID, the logger name and the logger ID, which the function consults in that order of precedence.
The one GUID that matters is {9E814AAD-3204-11D2-9A82-006008A86939}, which Microsoft defines symbolically as SystemTraceControlGuid. If the Guid is exactly this, then the session is necessarily the NT Kernel Logger. The ID and name are irrelevant.
For any other GUID, the logger’s name has precedence over the logger ID. The name is given in the WMI_LOGGER_INFORMATION as a UNICODE_STRING. If its Length is non-zero, then the session can only be found by name. For a user-mode request, the Buffer must be 2-byte aligned and must lie wholly in user-mode address space. Failure to capture a copy into paged pool is fatal for the function, which returns STATUS_NO_MEMORY or the code of the exception that the probe or copy raised. To specify the logger by name is to ask the kernel to reference and release successive loggers by ID until it finds one whose name matches, the comparison being case-insensitive. If no logger matches, the function returns STATUS_WMI_INSTANCE_NOT_FOUND.
Specifying the logger ID directly is more efficient. It is the low 16 bits of the HistoricalContext. It can be 0xFFFF to stand for whatever logger ID is assigned to the NT Kernel Logger. In all versions up to and including the original release of Windows 10, the logger ID cannot exceed 64.
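As an added example (not Geoff Chappell’s code and not Microsoft’s), the following C models the selection rule described above: the buffer checks, then the precedence of GUID over name over ID, together with the three ways a user-mode caller fills in the structure. LOGGER_SELECTOR is a simplified stand-in for the relevant WMI_LOGGER_INFORMATION members, not the real layout; the logger table is constructed for the example; the NTSTATUS values are those from ntstatus.h; and the status returned for an unaligned name buffer and for an unused or out-of-range logger ID is assumed, since the text above does not give them.

```c
/* Model of how NtTraceControl with EtwStopLoggerCode chooses the session to stop.
 * Added example, not Windows code: the structures are simplified stand-ins for the
 * WMI_LOGGER_INFORMATION members the text discusses, and the logger table is constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_DATATYPE_MISALIGNMENT  ((NTSTATUS)0x80000002L)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000DL)
#define STATUS_INVALID_BUFFER_SIZE    ((NTSTATUS)0xC0000206L)
#define STATUS_WMI_INSTANCE_NOT_FOUND ((NTSTATUS)0xC0000296L)
#define EtwStopLoggerCode 2

typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
/* Length and MaximumLength count bytes; Buffer is UTF-16 (uint16_t stands in for WCHAR). */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } UNICODE_STRING;

/* Stand-in for the WMI_LOGGER_INFORMATION members that select the session. */
typedef struct {
    GUID           Guid;              /* SystemTraceControlGuid selects the NT Kernel Logger */
    uint64_t       HistoricalContext; /* logger ID in the low 16 bits */
    UNICODE_STRING LoggerName;        /* non-zero Length: select by name */
} LOGGER_SELECTOR;

static const GUID SystemTraceControlGuid =
    { 0x9E814AAD, 0x3204, 0x11D2, { 0x9A, 0x82, 0x00, 0x60, 0x08, 0xA8, 0x69, 0x39 } };

/* Constructed table of running loggers; the IDs and names are invented for the example. */
#define KERNEL_LOGGER_ID 1
#define MAX_LOGGER_ID    64
static const struct { uint16_t id; const char *name; } g_loggers[] = {
    { KERNEL_LOGGER_ID, "NT Kernel Logger" },
    { 3,                "Circular Kernel Context Logger" },
    { 7,                "Audit-Collector" },
};
#define NLOGGERS (sizeof g_loggers / sizeof g_loggers[0])

/* User-mode convenience: widen an ASCII name to UTF-16; returns the character count. */
size_t to_utf16(const char *ascii, uint16_t *out, size_t cap)
{
    size_t n = 0;
    while (ascii[n] != '\0' && n < cap) { out[n] = (uint8_t)ascii[n]; n++; }
    return n;
}

/* Case-insensitive comparison of a UTF-16 name against an ASCII table entry. */
static int name_matches(const UNICODE_STRING *s, const char *ascii)
{
    size_t n = s->Length / 2, i;
    if (strlen(ascii) != n) return 0;
    for (i = 0; i < n; i++)
        if (s->Buffer[i] > 0x7F || toupper(s->Buffer[i]) != toupper((unsigned char)ascii[i]))
            return 0;
    return 1;
}

/* Buffer checks the text describes, applied before any member is examined. */
NTSTATUS check_buffers(const void *in, size_t in_len, const void *out, size_t out_len, int user_mode)
{
    if (!user_mode && in == NULL) return STATUS_INVALID_PARAMETER;
    if (in == NULL || out == NULL ||
        in_len < sizeof(LOGGER_SELECTOR) || out_len < sizeof(LOGGER_SELECTOR))
        return STATUS_INVALID_BUFFER_SIZE;
    return STATUS_SUCCESS;
}

/* Selection in the order of precedence the text gives: GUID, then name, then ID. */
NTSTATUS resolve_logger(const LOGGER_SELECTOR *sel, uint16_t *logger_id)
{
    size_t i;
    uint16_t id;
    if (memcmp(&sel->Guid, &SystemTraceControlGuid, sizeof(GUID)) == 0) {
        *logger_id = KERNEL_LOGGER_ID;           /* name and ID are ignored */
        return STATUS_SUCCESS;
    }
    if (sel->LoggerName.Length != 0) {
        /* The kernel probes the user buffer; an unaligned Buffer raises an exception whose
         * code the function returns (that it is this particular code is an assumption). */
        if (((uintptr_t)sel->LoggerName.Buffer & 1) != 0) return STATUS_DATATYPE_MISALIGNMENT;
        for (i = 0; i < NLOGGERS; i++)
            if (name_matches(&sel->LoggerName, g_loggers[i].name)) {
                *logger_id = g_loggers[i].id;
                return STATUS_SUCCESS;
            }
        return STATUS_WMI_INSTANCE_NOT_FOUND;
    }
    id = (uint16_t)(sel->HistoricalContext & 0xFFFF);
    if (id == 0xFFFF) id = KERNEL_LOGGER_ID;     /* alias for whatever ID the kernel logger has */
    /* The text gives no status for an out-of-range or unused ID; "not found" is an assumption. */
    if (id > MAX_LOGGER_ID) return STATUS_WMI_INSTANCE_NOT_FOUND;
    for (i = 0; i < NLOGGERS; i++)
        if (g_loggers[i].id == id) { *logger_id = id; return STATUS_SUCCESS; }
    return STATUS_WMI_INSTANCE_NOT_FOUND;
}

/* User-mode side: the three ways of filling in the selector. */
void select_by_id(LOGGER_SELECTOR *sel, uint64_t historical_context)
{
    memset(sel, 0, sizeof *sel);
    sel->HistoricalContext = historical_context;  /* only the low 16 bits are the ID */
}
void select_by_name(LOGGER_SELECTOR *sel, const uint16_t *utf16, size_t nchars)
{
    memset(sel, 0, sizeof *sel);
    sel->LoggerName.Length = sel->LoggerName.MaximumLength = (uint16_t)(nchars * 2);
    sel->LoggerName.Buffer = utf16;
}
void select_kernel_logger(LOGGER_SELECTOR *sel)
{
    memset(sel, 0, sizeof *sel);
    sel->Guid = SystemTraceControlGuid;
}
```

The point to take from running it is the precedence: a request that carries SystemTraceControlGuid stops the NT Kernel Logger whatever name or ID it also carries, a non-empty name is matched case-insensitively and overrides the ID, and only when both are absent does the low 16 bits of HistoricalContext (with 0xFFFF standing for the kernel logger) decide.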
TO BE DONE?