PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY

Update Disallow List

When given 0x1C as its FunctionCode argument, the NtTraceControl function sets the disallow list for a provider group. Microsoft’s name for this function code is not known. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.

If the input buffer does not provide at least 8 bytes, the function returns STATUS_INVALID_PARAMETER. The second dword of input is to be a number of 0x10-byte entries that follow. If the total size does not equal InBufferLen, the function returns STATUS_INVALID_PARAMETER.

TO BE DONE?

This page was created on 22nd April 2020 from material first published on 31st December 2018. It was last modified on 28th May 2020.

Copyright © 2018-2020. Geoff Chappell. All rights reserved. Conditions apply.