PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY

EtwWdiSemUpdate

When given EtwWdiSemUpdate (0x14) as its FunctionCode argument, the NtTraceControl function restarts the Scenario Event Mapper (SEM). This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.

This function code takes no input and produces no output. If given any input or output buffer, the function returns STATUS_INVALID_PARAMETER..

Managing the SEM is not widely permitted. The caller must be executing as a member of the Administrators group or as the local system account or as the Diagnostic Policy Service (DPS). Failure for the access check is failure for the function. Except that one-time initialisation is not repeated, restarting the SEM means shutting it down (if it is enabled) and starting as if for the first time. Regrettably, though the SEM is surely a very important (yet almost entirely undocumented) add-on to ETW, it lies far outside the scope of this note.

TO BE DONE?

This page was created on 22nd April 2020 from material first published on 31st December 2018. It was last modified on 28th May 2020.

Copyright © 2018-2020. Geoff Chappell. All rights reserved. Conditions apply.