Geoff Chappell, Software Analyst
The EVENT_TRACE_TIME_PROFILE_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) and ZwSetSystemInformation (or NtSetSystemInformation) functions expect in their information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is EventTraceTimeProfileInformation (0x03).
At least in user mode, the EVENT_TRACE_TIME_PROFILE_INFORMATION structure arguably exists only to support the documented ADVAPI32 or SECHOST functions TraceQueryInformation and TraceSetInformation for their information class TraceSampledProfileIntervalInfo (0x05). Well-behaved user-mode software executing above ADVAPI32 does not call NtQuerySystemInformation or NtSetSystemInformation but prefers TraceQueryInformation and TraceSetInformation and therefore has no need of this structure.
Or so might go the theory or principle. Against it is that although Microsoft’s documentation of TraceQueryInformation and TraceSetInformation, as perused online today (30th November 2016), describes the case plainly enough as “Queries the setting for the sampling profile interval for the supplied source”, it doesn’t say what form of information to expect or provide.
The EVENT_TRACE_TIME_PROFILE_INFORMATION structure is not documented. Its only known public disclosure by Microsoft is a C-language definition in a header file named NTETW.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.
The EVENT_TRACE_TIME_PROFILE_INFORMATION structure is 0x08 bytes in both 32-bit and 64-bit Windows.

Offset | Definition | Remarks
---|---|---
0x00 | EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; | input
0x04 | ULONG ProfileInterval; | output for query; input for set
The EVENT_TRACE_TIME_PROFILE_INFORMATION structure is meaningful only as input to and output from one case of the ZwQuerySystemInformation function, and so its behaviour is picked up here rather than in the function's own documentation. This review takes as understood all the general points and shorthands that are noted in the separate attempt at documenting the function, and takes as granted that the information class is SystemPerformanceTraceInformation and that the information buffer is exactly the size of an EVENT_TRACE_PERFORMANCE_INFORMATION in which the EventTraceInformationClass is EventTraceTimeProfileInformation.
The essential work when querying is simply to produce the kernel’s current setting for the profile interval as the ProfileInterval in the output.
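The query described above, written out as an added example that is neither the page's nor Microsoft's code: the caller lays out the structure exactly as tabulated (selector dword first, then ProfileInterval), passes it under SystemPerformanceTraceInformation, and reads ProfileInterval back. The kernel side is a constructed stand-in (fake_query) so the example runs anywhere; on Windows it would be replaced by NtQuerySystemInformation obtained from NTDLL, and the rejection codes it returns are assumptions, not behaviour the page documents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values from the page: the information class and the selector dword. */
#define SystemPerformanceTraceInformation 0x1F
#define EventTraceTimeProfileInformation  0x03

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint32_t EVENT_TRACE_INFORMATION_CLASS;   /* 4-byte enum, as laid out in the table */

/* Layout as tabulated above: 0x08 bytes on both 32-bit and 64-bit Windows. */
typedef struct _EVENT_TRACE_TIME_PROFILE_INFORMATION {
    EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;  /* 0x00: input */
    ULONG ProfileInterval;                                     /* 0x04: output for query; input for set */
} EVENT_TRACE_TIME_PROFILE_INFORMATION;

/* Prototype shared by NtQuerySystemInformation and NtSetSystemInformation. */
typedef NTSTATUS (*system_information_fn)(ULONG, void *, ULONG, ULONG *);

/* Constructed stand-in for the kernel. It enforces only what the page states: class 0x1F,
   a buffer of exactly one structure, and selector 0x03. The status codes are assumptions. */
#define CONSTRUCTED_INTERVAL 10000u   /* constructed sample value, not a real kernel setting */
static NTSTATUS fake_query(ULONG cls, void *buf, ULONG len, ULONG *ret) {
    if (cls != SystemPerformanceTraceInformation || len != sizeof(EVENT_TRACE_TIME_PROFILE_INFORMATION))
        return (NTSTATUS)0xC0000004;   /* assumed: STATUS_INFO_LENGTH_MISMATCH */
    EVENT_TRACE_TIME_PROFILE_INFORMATION *info = buf;
    if (info->EventTraceInformationClass != EventTraceTimeProfileInformation)
        return (NTSTATUS)0xC000000D;   /* assumed: STATUS_INVALID_PARAMETER */
    info->ProfileInterval = CONSTRUCTED_INTERVAL;   /* the kernel's current setting */
    if (ret) *ret = sizeof *info;
    return 0;
}

/* Caller side: set the selector, hand over exactly one structure, read ProfileInterval back.
   Returns 1 on success (NTSTATUS >= 0) and stores the interval; 0 otherwise. */
int query_profile_interval(system_information_fn query, ULONG *interval_out) {
    EVENT_TRACE_TIME_PROFILE_INFORMATION info = {0};
    info.EventTraceInformationClass = EventTraceTimeProfileInformation;
    ULONG returned = 0;
    NTSTATUS st = query(SystemPerformanceTraceInformation, &info, sizeof info, &returned);
    if (st < 0) return 0;
    *interval_out = info.ProfileInterval;
    return 1;
}

/* Convenience wrapper against the stand-in: the queried interval, or 0 on failure. */
ULONG demo_query(void) { ULONG v = 0; return query_profile_interval(fake_query, &v) ? v : 0; }

int main(void) { printf("ProfileInterval = %u\n", (unsigned)demo_query()); return 0; }
```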