Geoff Chappell, Software Analyst
The WMI_LOGGER_CONTEXT structure is the kernel’s representation of an event logger, known more formally as an event tracing session. It is one of the most important of all internal details for any inspection of Event Tracing for Windows (ETW).
A WMI_LOGGER_CONTEXT is created when a logger is started and is retained until the logger is stopped. Except for auto-loggers, which the kernel itself starts, all ways to start a logger go through NtTraceControl with the function code EtwStartLoggerCode (0x01). For well-behaved user-mode programs, this means going through the documented StartTrace function.
The kernel keeps the addresses of the created WMI_LOGGER_CONTEXT instances in an array of pointers in the kernel’s own data section. This array’s capacity of 32 in version 5.0 and 64 since is therefore the maximum number of event tracing sessions that can be active at any given time. This limit has long been documented, though curiously not until recently in the documentation of StartTrace (where it would seem to matter most as something to know). That it is documented there now looks to be because the limit can be varied in later releases of Windows 10 than are yet studied for this article.
The WMI_LOGGER_CONTEXT structure is not documented.
Though Microsoft is not known to have published a C-language definition in any header file from a development kit, the limit of 64 to the number of WMI_LOGGER_CONTEXT structures that the kernel can track at any one time is formalised by the definition of a macro MAXLOGGERS in the NTWMI.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.
Since the WMI_LOGGER_CONTEXT is very much for the kernel’s own use, it should not surprise that the layout changes significantly between versions and even between builds. As so often with structures that are private to the kernel, the rate of change between builds has picked up markedly in Windows 10. The following changes of size are known:
Version | Size (x86) | Size (x64) |
---|---|---|
5.0 | 0x0140 | |
5.1 | 0x01C8 | |
5.2 | 0x01D8 | 0x0280 |
early 6.0 (before Windows Vista SP1) | 0x0270 | 0x0350 |
late 6.0 (Windows Vista SP1 and higher) | 0x0280 | 0x0370 |
6.1 | 0x0238 | 0x0330 |
6.2 | 0x0270 | 0x0378 |
6.3 | 0x0278 | 0x0378 |
10.0 | 0x0288 | 0x0398 |
1511 | 0x0288 | 0x0390 |
1607 | 0x02F0 | 0x0440 |
1703 | 0x0310 | 0x0468 |
1709 | 0x05A0 | 0x0990 |
1803 | 0x0370 | 0x0510 |
The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s public symbol files for the kernel, starting with Windows XP SP3 and Windows Server 2003 SP2. Since symbol files for earlier versions do not contain type information for the WMI_LOGGER_CONTEXT structure, what’s known for them is instead inferred from what use these versions of the kernel are seen to make of the structure in comparison with those for which Microsoft’s names and types are known. Where the correspondence is close, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code. The structure’s development is hard enough to track even for the relatively recent versions, as members have occasionally been moved from one end to the other.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x00 | 0x00 |
ULONG LoggerId; |
6.1 and higher | previously at 0x14 and 0x1C |
0x04 | 0x04 |
ULONG BufferSize; |
6.1 and higher | previously at 0xA4 and 0xEC |
0x08 | 0x08 |
ULONG MaximumEventSize; |
6.1 and higher | previously at 0xA8 and 0xF0 |
0x0C (6.1) | 0x0C (6.1) |
LONG CollectionOn; |
6.1 only | previously at 0x58 and 0x9C; next at 0xF0 and 0x0150 |
0x10 (6.1); 0x0C |
0x10 (6.1); 0x0C |
ULONG LoggerMode; |
6.1 and higher | previously at 0x60 and 0xA4 |
0x14 (6.1); 0x10 |
0x14 (6.1); 0x10 |
LONG AcceptNewEvents; |
6.1 and higher | previously at 0x0250 and 0x0338 |
0x14 | 0x14 |
ULONG EventMarker [1]; |
6.2 and higher (x86) | |
ULONG EventMarker [2]; |
6.2 and higher (x64) | |||
0x18 | 0x1C |
ULONG ErrorMarker; |
6.2 and higher | |
0x1C | 0x20 |
ULONG SizeMask; |
6.2 and higher | |
0x18 (6.1); 0x20 |
0x18 (6.1); 0x28 |
LONGLONG (*GetCpuClock) (VOID); |
6.1 and higher | previously at 0xC4 and 0x0118 |
0x00 (5.0 to 5.2) | 0x00 (5.2) |
KSPIN_LOCK BufferSpinLock; |
5.0 to 5.2 | |
0x08 (5.0 to 5.2); 0x00 (6.0); 0x20 (6.1) |
0x08 (5.2); 0x00 (6.0); 0x20 (6.1) |
LARGE_INTEGER StartTime; |
5.0 to 6.1 | next at 0x0230 and 0x0320 |
0x10 (5.0 to 5.2); 0x08 (6.0); 0x28 (6.1) |
0x10 (5.2); 0x08 (6.0); 0x28 (6.1) |
HANDLE LogFileHandle; |
5.0 to 6.1 | next at 0x0238 and 0x0328 |
0x14 (5.0 to 5.2) | 0x18 (5.2) |
KSEMAPHORE LoggerSemaphore; |
5.0 to 5.2 | |
0x28 (5.0 to 5.2); 0x0C (6.0); 0x2C (6.1); 0x24 |
unknown 32-bit thread ID | 5.0 only | ||
0x38 (5.2); 0x10 (6.0); 0x30 |
ETHREAD *LoggerThread; |
5.1 and higher | ||
0x2C (5.0 to 5.2) | 0x40 (5.2) |
KEVENT LoggerEvent; |
5.0 to 5.2 | next at 0x014C |
0x3C (5.1 to 5.2) | 0x58 (5.2) |
KEVENT FlushEvent; |
5.1 to 5.2 | next at 0x015C |
0x3C (5.0); 0x4C (5.1 to 5.2); 0x10 (6.0); 0x30 (6.1); 0x28 |
0x70 (5.2); 0x18 (6.0); 0x38 |
NTSTATUS LoggerStatus; |
5.0 and higher | |
0x40 (5.0); 0x50 (5.1 to 5.2); 0x14 (6.0) |
0x74 (5.2); 0x1C (6.0) |
ULONG LoggerId; |
5.0 to 6.0 | next at 0x00 |
0x44 (5.0); 0x54 (5.1 to 5.2) |
0x78 (5.2) |
LONG BuffersAvailable; |
5.0 to 5.2 | next as LONG volatile at 0x7C |
0x58 (5.1 to 5.2) | 0x7C (5.2) |
ULONG UsePerfClock; |
5.1 to 5.2 | previously at 0xE4 |
0x5C (5.1 to 5.2) | 0x80 (5.2) |
ULONG WriteFailureLimit; |
5.1 to 5.2 | |
0x60 (5.1 to 5.2) | 0x84 (5.2) |
ULONG BuffersDirty; |
5.1 only | |
LONG BuffersDirty; |
5.2 only | |||
0x64 (5.1 to 5.2) | 0x88 (5.2) |
ULONG BuffersInUse; |
5.1 only | |
LONG BuffersInUse; |
5.2 only | |||
0x68 (5.1 to 5.2) | 0x8C (5.2) |
ULONG SwitchingInProgress; |
5.1 to 5.2 | |
0x2C | 0x3C |
ULONG FailureReason; |
6.2 and higher | |
0x18 (6.0); 0x34 (6.1); 0x30 |
0x20 (6.0); 0x40 |
PVOID NBQHead; |
6.0 to 6.1 | |
ETW_BUFFER_QUEUE BufferQueue; |
6.2 and higher | |||
0x1C (6.0); 0x38 (6.1); 0x3C (6.2 to 1511); 0x38 |
0x28 (6.0); 0x48 (6.1); 0x58 (6.2 to 1511); 0x50 |
PVOID OverflowNBQHead; |
6.0 to 6.1 | |
ETW_BUFFER_QUEUE OverflowQueue; |
6.2 and higher | |||
0x48 (5.0); 0x70 (5.1 to 5.2); 0x20 (6.0); 0x40 (6.1) |
LIST_ENTRY FreeList; |
5.0 only | ||
0x90 (5.2); 0x30 (6.0); 0x50 (6.1) |
SLIST_HEADER FreeList; |
5.1 to 5.2 | ||
SLIST_HEADER QueueBlockFreeList; |
6.0 to 6.1 | |||
0x78 (5.1 to 5.2) | 0xA0 (5.2) |
SLIST_HEADER FlushList; |
5.1 to 5.2 | |
0x80 (5.2) | 0xB0 (5.2) |
SLIST_HEADER WaitList; |
5.2 only | |
0x50 (5.0); 0x80 (5.1); 0x88 (5.2); 0x28 (6.0); 0x48 (6.1 to 1511); 0x40 |
LIST_ENTRY GlobalList; |
5.0 only | ||
0xC0 (5.2); 0x40 (6.0); 0x60 (6.1); 0x70 (6.2 to 1511); 0x60 |
SLIST_HEADER GlobalList; |
5.1 to 6.0 | ||
LIST_ENTRY GlobalList; |
6.1 and higher | |||
0x58 (5.0) | unaccounted four bytes | 5.0 only | ||
0x5C (5.0); 0x88 (5.1); 0x90 (5.2) |
WMI_BUFFER_HEADER **ProcessorBuffers; |
5.0 only | ||
0xD0 (5.2) |
SLIST_HEADER *ProcessorBuffers; |
5.1 to 5.2 | ||
0x50 (6.2 to 1511); 0x48 (1607 to 1703) |
0x80 (6.2 to 1511); 0x70 (1607 to 1703) |
LIST_ENTRY ProviderBinaryList; |
6.2 to 1703 | |
0x48 | 0x70 |
LIST_ENTRY DebugIdTrackingList; |
1709 and higher | |
0x50 | 0x80 |
ETW_DECODE_CONTROL_ENTRY *DecodeControlList; |
1709 and higher | |
0x54 | 0x88 |
ULONG DecodeControlCount; |
1709 and higher | |
0x30 (late 6.0); 0x50 (6.1); 0x58 (6.2 to 1511); 0x50 (1607 to 1703); 0x58 |
0x50 (late 6.0); 0x70 (6.1); 0x90 (6.2 to 1511); 0x80 (1607 to 1703); 0x90 |
WMI_BUFFER_HEADER *BatchedBufferList; |
late 6.0 | |
union { WMI_BUFFER_HEADER *BatchedBufferList; EX_FAST_REF CurrentBuffer; }; |
6.1 and higher | |||
0x60 (5.0); 0x8C (5.1); 0x94 (5.2); 0x30 (early 6.0); 0x34 (late 6.0); 0x54 (6.1); 0x5C (6.2 to 1511); 0x54 (1607 to 1703); 0x5C |
0xD8 (5.2); 0x50 (early 6.0); 0x58 (late 6.0); 0x78 (6.1); 0x98 (6.2 to 1511); 0x88 (1607 to 1703); 0x98 |
UNICODE_STRING LoggerName; |
5.0 and higher | |
0x68 (5.0); 0x94 (5.1); 0x9C (5.2); 0x38 (early 6.0); 0x3C (late 6.0); 0x5C (6.1); 0x64 (6.2 to 1511); 0x5C (1607 to 1703); 0x64 |
0xE8 (5.2); 0x60 (early 6.0); 0x68 (late 6.0); 0x88 (6.1); 0xA8 (6.2 to 1511); 0x98 (1607 to 1703); 0xA8 |
UNICODE_STRING LogFileName; |
5.0 and higher | |
0x9C (5.1); 0xA4 (5.2); 0x40 (early 6.0); 0x44 (late 6.0); 0x64 (6.1); 0x6C (6.2 to 1511); 0x64 (1607 to 1703); 0x6C |
0xF8 (5.2); 0x70 (early 6.0); 0x78 (late 6.0); 0x98 (6.1); 0xB8 (6.2 to 1511); 0xA8 (1607 to 1703); 0xB8 |
UNICODE_STRING LogFilePattern; |
5.1 and higher | |
0xA4 (5.1); 0xAC (5.2); 0x48 (early 6.0); 0x4C (late 6.0); 0x6C (6.1); 0x74 (6.2 to 1511); 0x6C (1607 to 1703); 0x74 |
0x0108 (5.2); 0x80 (early 6.0); 0x88 (late 6.0); 0xA8 (6.1); 0xC8 (6.2 to 1511); 0xB8 (1607 to 1703); 0xC8 |
UNICODE_STRING NewLogFileName; |
5.1 and higher | |
0x70 (5.0); 0xAC (5.1); 0xB4 (5.2) |
0x0118 (5.2) |
UCHAR *EndPageMarker; |
5.0 to 5.2 | |
0x50 (early 6.0); 0x54 (late 6.0); 0x74 (6.1); 0x7C (6.2 to 1511); 0x74 (1607 to 1703); 0x7C |
0x90 (early 6.0); 0x98 (late 6.0); 0xB8 (6.1); 0xD8 (6.2 to 1511); 0xC8 (1607 to 1703); 0xD8 |
ULONG ClockType; |
6.0 and higher | |
0x74 (5.0); 0xB0 (5.1); 0xB8 (5.2); 0x54 (early 6.0); 0x58 (late 6.0) |
0x0120 (5.2); 0x94 (early 6.0); 0x9C (late 6.0) |
LONG CollectionOn; |
5.0 to 6.0 | next at 0x0C |
0x78 (5.0); 0xB4 (5.1); 0xBC (5.2) |
0x0124 (5.2) |
ULONG KernelTraceOn; |
5.0 to 5.2 | next as KernelTrace in Flags |
0xB8 (5.1); 0xC0 (5.2) |
0x0128 (5.2) |
LONG PerfLogInTransition; |
5.1 to 5.2 | |
0x7C (5.0); 0xBC (5.1); 0xC4 (5.2) |
unknown four bytes | 5.0 only | ||
0x012C (5.2) |
ULONG RequestFlag; |
5.1 to 5.2 | next at 0x0248 | |
0x80 (5.0); 0xC0 (5.1); 0xC8 (5.2) |
0x0130 (5.2) |
ULONG EnableFlags; |
5.0 to 5.2 | |
0x84 (5.0); 0xC4 (5.1); 0xCC (5.2); 0x58 (early 6.0); 0x5C (late 6.0); 0x78 (6.1) |
0x0134 (5.2); 0x98 (early 6.0); 0xA0 (late 6.0); 0xBC (6.1) |
ULONG MaximumFileSize; |
5.0 to 6.1 | next at 0xD4 and 0x0134 |
0x88 (5.0); 0xC8 (5.1); 0xD0 (5.2); 0x5C (early 6.0); 0x60 (late 6.0) |
0x0138 (5.2); 0x9C (early 6.0); 0xA4 (late 6.0) |
union { ULONG LoggerMode; WMI_LOGGER_MODE LoggerModeFlags; }; |
5.0 to 5.2 | |
ULONG LoggerMode; |
6.0 | next at 0x10 | ||
0xD4 (5.2) | 0x013C (5.2) |
ULONG Wow; |
5.2 only | next in Flags |
0x8C (5.0); 0xCC (5.1); 0xD8 (5.2); 0x60 (early 6.0); 0x64 (late 6.0); 0x7C (6.1); 0x80 (6.2 to 1511); 0x78 (1607 to 1703); 0x80 |
0x0140 (5.2); 0xA0 (early 6.0); 0xA8 (late 6.0); 0xC0 (6.1); 0xDC (6.2 to 1511); 0xCC (1607 to 1703); 0xDC |
ULONG LastFlushedBuffer; |
5.0 and higher | |
0xD0 (5.1); 0xDC (5.2) |
0x0144 (5.2) |
ULONG RefCount; |
5.1 to 5.2 | |
0x90 (5.0); 0xD4 (5.1); 0xE0 (5.2); 0x64 (early 6.0); 0x68 (late 6.0); 0x80 (6.1); 0x84 (6.2 to 1511); 0x7C (1607 to 1703); 0x84 |
0x0148 (5.2); 0xA4 (early 6.0); 0xAC (late 6.0); 0xC4 (6.1); 0xE0 (6.2 to 1511); 0xD0 (1607 to 1703); 0xE0 |
LARGE_INTEGER FlushTimer; |
5.0 only | |
ULONG FlushTimer; |
5.1 and higher | |||
0x6C (late 6.0); 0x84 (6.1); 0x88 (6.2 to 1511); 0x80 (1607 to 1703); 0x88 |
0xB0 (late 6.0); 0xC8 (6.1); 0xE4 (6.2 to 1511); 0xD4 (1607 to 1703); 0xE4 |
ULONG FlushThreshold; |
late 6.0 and higher | |
0x98 (5.0); 0xD8 (5.1); 0xE8 (5.2) |
0x0150 (5.2) |
LARGE_INTEGER FirstBufferOffset; |
5.0 to 5.2 | |
0xA0 (5.0); 0xE0 (5.1); 0xF0 (5.2); 0x68 (early 6.0); 0x70 (late 6.0); 0x88 (6.1); 0x90 (6.2 to 1511); 0x88 (1607 to 1703); 0x90 |
0x0158 (5.2); 0xA8 (early 6.0); 0xB8 (late 6.0); 0xD0 (6.1); 0xE8 (6.2 to 1511); 0xD8 (1607 to 1703); 0xE8 |
LARGE_INTEGER ByteOffset; |
5.0 and higher | |
0xA8 (5.0); 0xE8 (5.1); 0xF8 (5.2) |
0x0160 (5.2) |
LARGE_INTEGER BufferAgeLimit; |
5.0 to 5.2 | |
0x70 (early 6.0); 0x78 (late 6.0) |
0xB0 (early 6.0); 0xC0 (late 6.0) |
LARGE_INTEGER FlushTimeStamp; |
6.0 | |
0xB0 (5.0) |
ULONG BufferSize; |
5.0 only | next at 0x0108 | |
0xB4 (5.0) |
LONG NumberOfBuffers; |
5.0 only | next at 0x010C | |
0xB8 (5.0); 0xF0 (5.1); 0x0100 (5.2) |
0x0168 (5.2) |
ULONG MaximumBuffers; |
5.0 to 5.2 | next at 0x84 |
0xBC (5.0); 0xF4 (5.1); 0x0104 (5.2); 0x78 (early 6.0); 0x80 (late 6.0); 0x90 (6.1); 0x98 (6.2 to 1511); 0x90 (1607 to 1703); 0x98 |
0x016C (5.2); 0xB8 (early 6.0); 0xC8 (late 6.0)0xD8 (6.1); 0xF0 (6.2 to 1511); 0xE0 (1607 to 1703); 0xF0 |
ULONG MinimumBuffers; |
5.0 and higher | |
0x7C (early 6.0); 0x84 (late 6.0); 0x94 (6.1); 0x9C (6.2 to 1511); 0x94 (1607 to 1703); 0x9C |
0xBC (early 6.0); 0xCC (late 6.0); 0xDC (6.1); 0xF4 (6.2 to 1511); 0xE4 (1607 to 1703); 0xF4 |
LONG volatile BuffersAvailable; |
6.0 and higher | previously LONG at 0x54 and 0x78 |
0x80 (early 6.0); 0x88 (late 6.0); 0x98 (6.1); 0xA0 (6.2 to 1511); 0x98 (1607 to 1703); 0xA0 |
0xC0 (early 6.0); 0xD0 (late 6.0); 0xE0 (6.1); 0xF8 (6.2 to 1511); 0xE8 (1607 to 1703); 0xF8 |
LONG volatile NumberOfBuffers; |
6.0 and higher | previously LONG at 0x011C and 0x0184 |
0x84 (early 6.0); 0x8C (late 6.0); 0x9C (6.1); 0xA4 (6.2 to 1511); 0x9C (1607 to 1703); 0xA4 |
0xC4 (early 6.0); 0xD4 (late 6.0); 0xE4 (6.1); 0xFC (6.2 to 1511); 0xEC (1607 to 1703); 0xFC |
ULONG MaximumBuffers; |
6.0 and higher | previously at 0x0100 and 0x0168 |
0xC0 (5.0); 0xF8 (5.1); 0x0108 (5.2); 0x88 (early 6.0); 0x90 (late 6.0); 0xA0 (6.1); 0xA8 (6.2 to 1511); 0xA0 (1607 to 1703); 0xA8 |
0x0170 (5.2); 0xC8 (early 6.0); 0xD8 (late 6.0); 0xE8 (6.1); 0x0100 (6.2 to 1511); 0xF0 (1607 to 1703); 0x0100 |
ULONG EventsLost; |
5.0 to 5.2 | |
ULONG volatile EventsLost; |
6.0 and higher | |||
0xAC (6.3 to 1511); 0xA4 (1607 to 1703); 0xAC |
0x0104 (6.3 to 1511); 0xF4 (1607 to 1703); 0x0104 |
LONG volatile PeakBuffersCount; |
6.3 and higher | |
0xC4 (5.0); 0xFC (5.1); 0x010C (5.2); 0x8C (early 6.0); 0x94 (late 6.0); 0xA4 (6.1); 0xAC (6.2); 0xB0 (6.3 to 1511); 0xA8 (1607 to 1703); 0xB0 |
0x0174 (5.2); 0xCC (early 6.0); 0xDC (late 6.0); 0xEC (6.1); 0x0104 (6.2); 0x0108 (6.2 to 1511); 0xF8 (1607 to 1703); 0x0108 |
ULONG BuffersWritten; |
5.0 and higher | |
0xC8 (5.0); 0x0100 (5.1); 0x0110 (5.2); 0x90 (early 6.0); 0x98 (late 6.0); 0xA8 (6.1); 0xB0 (6.2); 0xB4 (6.3 to 1511); 0xAC (1607 to 1703); 0xB4 |
0x0178 (5.2); 0xD0 (early 6.0); 0xE0 (late 6.0); 0xF0 (6.1); 0x0108 (6.2); 0x010C (6.2 to 1511); 0xFC (1607 to 1703); 0x010C |
ULONG LogBuffersLost; |
5.0 and higher | |
0x94 (early 6.0); 0x9C (late 6.0); 0xAC (6.1); 0xB4 (6.2); 0xB8 (6.3 to 1511); 0xB0 (1607 to 1703); 0xB8 |
0xD4 (early 6.0); 0xE4 (late 6.0); 0xF4 (6.1); 0x010C (6.2); 0x0110 (6.2 to 1511); 0x0100 (1607 to 1703); 0x0110 |
ULONG RealTimeBuffersDelivered; |
6.0 and higher | |
0xCC (5.0); 0x0104 (5.1); 0x0114 (5.2); 0x98 (early 6.0); 0xA0 (late 6.0); 0xB0 (6.1); 0xB8 (6.2); 0xBC (6.3 to 1511); 0xB4 (1607 to 1703); 0xBC |
0x017C (5.2); 0xD8 (early 6.0); 0xE8 (late 6.0); 0xF8 (6.1); 0x0110 (6.2); 0x0114 (6.2 to 1511); 0x0104 (1607 to 1703); 0x0114 |
ULONG RealTimeBuffersLost; |
5.0 and higher | |
0x0108 (5.1); 0x0118 (5.2); 0x9C (early 6.0); 0xA4 (late 6.0) |
0x0180 (5.2); 0xDC (early 6.0); 0xEC (late 6.0) |
ULONG BufferSize; |
5.1 to 6.0 | previously at 0xB0; next at 0x04 |
0x010C (5.1); 0x011C (5.2) |
0x0184 (5.2) |
LONG NumberOfBuffers; |
5.1 to 5.2 | previously at 0xB4; next as LONG volatile at 0x80 |
0xA0 (early 6.0); 0xA8 (late 6.0) |
0xE0 (early 6.0); 0xF0 (late 6.0) |
ULONG MaximumEventSize; |
6.0 | next at 0x08 |
0x0110 (5.1); 0x0120 (5.2); 0xA4 (early 6.0); 0xAC (late 6.0); 0xB4 (6.1); 0xBC (6.2); 0xC0 (6.3 to 1511); 0xB8 (1607 to 1703); 0xC0 |
0x0188 (5.2); 0xE8 (early 6.0); 0xF8 (late 6.0); 0x0100 (6.1); 0x0118 (6.2 to 1511); 0x0108 (1607 to 1703); 0x0118 |
LONG *SequencePtr; |
5.1 and higher | |
0xA8 (early 6.0); 0xB0 (late 6.0); 0xB8 (6.1); 0xC0 (6.2); 0xC4 (6.3 to 1511); 0xBC (1607 to 1703); 0xC4 |
0xF0 (early 6.0); 0x0100 (late 6.0); 0x0108 (6.1); 0x0120 (6.2 to 1511); 0x0110 (1607 to 1703); 0x0120 |
ULONG LocalSequence; |
6.0 and higher | previously at 0x0184 and 0x0208 |
0xD0 (5.0) | unknown 4-byte counter | 5.0 only | ||
0xD4 (5.0); 0x0114 (5.1); 0x0124 (5.2); 0xAC (early 6.0); 0xB4 (late 6.0); 0xBC (6.1); 0xC4 (6.2); 0xC8 (6.3 to 1511); 0xC0 (1607 to 1703); 0xC8 |
0x0190 (5.2); 0xF4 (early 6.0); 0x0104 (late 6.0); 0x010C (6.1); 0x0124 (6.2 to 1511); 0x0114 (1607 to 1703); 0x0124 |
GUID InstanceGuid; |
5.0 and higher | |
0xE4 (5.0) |
ULONG UsePerfClock; |
5.0 only | next at 0x58 | |
0xE8 (5.0); 0x0124 (5.1); 0x0134 (5.2) |
0x01A0 (5.2) |
PVOID LoggerHeader; |
5.0 to 5.2 | |
0x0128 (5.1); 0x0138 (5.2); 0xBC (early 6.0); 0xC4 (late 6.0) |
0x01A8 (5.2); 0x0108 (early 6.0); 0x0118 (late 6.0) |
LONGLONG (*GetCpuClock) (VOID); |
5.1 to 6.0 | next at 0x18 |
0xEC (5.0) | unknown SECURITY_QUALITY_OF_SERVICE | 5.0 only | ||
0xF8 (5.0); 0x012C (5.1); 0x013C (5.2) |
0x01B0 (5.2) |
SECURITY_CLIENT_CONTEXT ClientSecurityContext; |
5.0 to 5.2 | next at 0x01AC |
0x0134 (5.0) | unknown pointer to a WMI_LOGGER_CONTEXT pointer | 5.0 only | ||
0x0138 (5.0) | unknown pointer to array of eight pointers | 5.0 only | last member in 5.0 |
Microsoft’s names for the last few members of the WMI_LOGGER_CONTEXT in version 5.0 are not knowable from symbol files, there being no continuity even to the orginal version 5.1, let alone to the first service pack for which the public symbol files have type information for this structure. The pointer at offset 0x0134 is into the device extension of the WMI service device object, and specifically to this logger’s slot in the extension’s array of pointers to logger contexts. The pointer at offset 0x0138 is meaningful only for kernel-tracing sessions. It addresses an array of eight pseudo-handles for locked-down sections within the kernel. Four bytes at offset 0x013C have no known use and are here though to be undefined padding for the structure’s 8-byte alignment.
Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
---|---|---|---|---|
0x0168 (5.1); 0x0178 (5.2) |
0x01F8 (5.2) |
PVOID LoggerExtension; |
5.1 to 5.2 | |
0x016C (5.1); 0x017C (5.2) |
0x0200 (5.2) |
LONG ReleaseQueue; |
5.1 to 5.2 | |
0x0170 (5.1); 0x0180 (5.2) |
0x0204 (5.2) |
TRACE_ENABLE_FLAG_EXTENSION EnableFlagExtension; |
5.1 to 5.2 | |
0x0174 (5.1); 0x0184 (5.2) |
0x0208 (5.2) |
ULONG LocalSequence; |
5.1 to 5.2 | next at 0xA8 |
0x0178 (5.1); 0x0188 (5.2) |
0x020C (5.2) |
ULONG MaximumIrql; |
5.1 to 5.2 | |
0x017C (5.1); 0x018C (5.2) |
0x0210 (5.2) |
ULONG *EnableFlagArray; |
5.1 to 5.2 | |
0x0180 (5.1); 0x0190 (5.2) |
0x0218 (5.2) |
KMUTANT LoggerMutex; |
5.1 to 5.2 | next at 0x018C |
0x01A0 (5.1); 0x01B0 (5.2) |
0x0250 (5.2) |
LONG MutexCount; |
5.1 to 5.2 | |
0xD4 (6.2); 0xD8 (6.3 to 1511); 0xD0 (1607 to 1703); 0xD8 |
0x0134 (6.2 to 1511); 0x0124 (1607 to 1703); 0x0134 |
ULONG MaximumFileSize; |
6.2 and higher | previously at 0x78 and 0xBC |
0x01A4 (5.1); 0x01B4 (5.2); 0xC0 (early 6.0); 0xC8 (late 6.0); 0xCC (6.1); 0xD8 (6.2); 0xDC (6.3 to 1511); 0xD4 (1607 to 1703); 0xDC |
0x0254 (5.2); 0x0110 (early 6.0); 0x0120 (late 6.0); 0x011C (6.1); 0x0138 (6.2 to 1511); 0x0128 (1607 to 1703); 0x0138 |
ULONG FileCounter; |
5.1 to 5.2 | |
LONG FileCounter; |
6.0 and higher | |||
0x01A8 (5.1); 0x01B8 (5.2); 0xC4 (early 6.0); 0xCC (late 6.0); 0xD0 (6.1) |
0x0258 (5.2); 0x0118 (early 6.0); 0x0128 (late 6.0); 0x0120 (6.1) |
VOID (*BufferCallback) ( WMI_BUFFER_HEADER *, PVOID); |
5.1 to 5.2 | |
VOID (* volatile BufferCallback) ( WMI_BUFFER_HEADER *, PVOID); |
6.0 to 6.1 | |||
0x01AC (5.1); 0x01BC (5.2) |
0x0260 (5.2) |
PVOID CallbackContext; |
5.1 to 5.2 | |
0x01B0 (5.1); 0x01C0 (5.2); 0xC8 (early 6.0); 0xD0 (late 6.0); 0xD4 (6.1); 0xDC (6.2); 0xE0 (6.3 to 1511); 0xD8 (1607 to 1703); 0xE0 |
0x0268 (5.2); 0x0120 (early 6.0); 0x0130 (late 6.0); 0x0128 (6.1); 0x013C (6.2 to 1511); 0x012C (1607 to 1703); 0x013C |
POOL_TYPE PoolType; |
5.1 and higher | |
0x01B8 (5.1); 0x01C8 (5.2) |
0x0270 (5.2) |
LARGE_INTEGER ReferenceSystemTime; |
5.1 to 5.2 | |
0x01C0 (5.1); 0x01D0 (5.2) |
0x0278 (5.2) |
LARGE_INTEGER ReferenceTimeStamp; |
5.1 to 5.2 | last member in 5.1 and 5.2 |
0xD0 (early 6.0); 0xD8 (late 6.0); 0xD8 (6.1); 0xE0 (6.2); 0xE8 (6.3 to 1511); 0xE0 (1607 to 1703); 0xE8 |
0x0128 (early 6.0); 0x0138 (late 6.0); 0x0130 (6.1); 0x0140 (6.2 to 1511); 0x0130 (1607 to 1703); 0x0140 |
ETW_REF_CLOCK ReferenceTime; |
6.0 and higher | |
0xE0 (early 6.0); 0xE8 (late 6.0) |
0x0138 (early 6.0); 0x0148 (late 6.0) |
BOOLEAN RealtimeLoggerContextFreed; |
6.0 only | next in Flags |
0xF0 (6.2); 0xF8 (6.3 to 1511); 0xF0 (1607 to 1703); 0xF8 |
0x0150 (6.2 to 1511); 0x0140 (1607 to 1703); 0x0150 |
LONG CollectionOn; |
6.2 and higher | previously at 0x0C |
0xF4 (6.2); 0xFC (6.3 to 1511); 0xF4 (1607 to 1703); 0xFC |
0x0154 (6.2 to 1511); 0x0144 (1607 to 1703); 0x0154 |
ULONG ProviderInfoSize; |
6.2 and higher | |
0xE4 (early 6.0); 0xEC (late 6.0); 0xE8 (6.1); 0xF8 (6.2); 0x0100 (6.3 to 1511); 0xF8 (1607 to 1703); 0x0100 |
0x0140 (early 6.0); 0x0150 (late 6.0); 0x0140 (6.1); 0x0158 (6.2 to 1511); 0x0148 (1607 to 1703); 0x0158 |
LIST_ENTRY Consumers; |
6.0 and higher | |
0xEC (early 6.0); 0xF4 (late 6.0); 0xF0 (6.1); 0x0100 (6.2); 0x0108 (6.3 to 1511); 0x0100 (1607 to 1703); 0x0108 |
0x0150 (early 6.0); 0x0160 (late 6.0); 0x0150 (6.1); 0x0168 (6.2 to 1511); 0x0158 (1607 to 1703); 0x0168 |
ULONG NumConsumers; |
6.0 and higher | |
0xF4 (6.1); 0x0104 (6.2); 0x010C (6.3 to 1511); 0x0104 (1607 to 1703); 0x010C |
0x0158 (6.1); 0x0170 (6.2 to 1511); 0x0160 (1607 to 1703); 0x0170 |
ETW_REALTIME_CONSUMER *TransitionConsumer; |
6.1 and higher | |
0xF0 (early 6.0); 0xF8 (late 6.0) |
0x0158 (early 6.0); 0x0168 (late 6.0) |
LIST_ENTRY Connecting; |
6.0 only | |
0xF8 (early 6.0); 0x0100 (late 6.0) |
0x0168 (early 6.0); 0x0178 (late 6.0) |
BOOLEAN NewConsumer; |
6.0 only | |
0xFC (early 6.0); 0x0104 (late 6.0); 0xF8 (6.1); 0x0108 (6.2); 0x0110 (6.3 to 1511); 0x0108 (1607 to 1703); 0x0110 |
0x0170 (early 6.0); 0x0180 (late 6.0); 0x0160 (6.1); 0x0178 (6.2 to 1511); 0x0168 (1607 to 1703); 0x0178 |
PVOID RealtimeLogfileHandle; |
6.0 and higher | |
0x0100 (early 6.0); 0x0108 (late 6.0); 0xFC (6.1); 0x010C (6.2); 0x0114 (6.3 to 1511); 0x010C (1607 to 1703); 0x0114 |
0x0178 (early 6.0); 0x0188 (late 6.0); 0x0168 (6.1); 0x0180 (6.2 to 1511); 0x0170 (1607 to 1703); 0x0188 |
UNICODE_STRING RealtimeLogfileName; |
6.0 and higher | |
0x0108 (early 6.0); 0x0110 (late 6.0); 0x0108 (6.1); 0x0118 (6.2); 0x0120 (6.3 to 1511); 0x0118 (1607 to 1703); 0x0120 |
0x0188 (early 6.0); 0x0198 (late 6.0); 0x0178 (6.1); 0x0190 (6.2 to 1511); 0x0180 (1607 to 1703); 0x0190 |
LARGE_INTEGER RealtimeWriteOffset; |
6.0 and higher | |
0x0110 (early 6.0); 0x0118 (late 6.0); 0x0110 (6.1); 0x0120 (6.2); 0x0128 (6.3 to 1511); 0x0120 (1607 to 1703); 0x0128 |
0x0190 (early 6.0); 0x01A0 (late 6.0); 0x0180 (6.1); 0x0198 (6.2 to 1511); 0x0188 (1607 to 1703); 0x0198 |
LARGE_INTEGER RealtimeReadOffset; |
6.0 and higher | |
0x0118 (early 6.0); 0x0120 (late 6.0); 0x0118 (6.1); 0x0128 (6.2); 0x0130 (6.3 to 1511); 0x0128 (1607 to 1703); 0x0130 |
0x0198 (early 6.0); 0x01A8 (late 6.0); 0x0188 (6.1); 0x01A0 (6.2 to 1511); 0x0190 (1607 to 1703); 0x01A0 |
LARGE_INTEGER RealtimeLogfileSize; |
6.0 and higher | |
0x0120 (early 6.0); 0x0128 (late 6.0); 0x0120 (6.1); 0x0130 (6.2); 0x0138 (6.3 to 1511); 0x0130 (1607 to 1703); 0x0138 |
0x01A0 (early 6.0); 0x01B0 (late 6.0); 0x0190 (6.1); 0x01A8 (6.2 to 1511); 0x0198 (1607 to 1703); 0x01A8 |
ULONGLONG RealtimeLogfileUsage; |
6.0 and higher | |
0x0130 (late 6.0); 0x0128 (6.1); 0x0138 (6.2); 0x0140 (6.3 to 1511); 0x0138 (1607 to 1703); 0x0140 |
0x01B8 (late 6.0); 0x0198 (6.1); 0x01B0 (6.2 to 1511); 0x01A0 (1607 to 1703); 0x01B0 |
ULONGLONG RealtimeMaximumFileSize; |
late 6.0 and higher | |
0x0128 (early 6.0); 0x0138 (late 6.0); 0x0130 (6.1); 0x0140 (6.2); 0x0148 (6.3 to 1511); 0x0140 (1607 to 1703); 0x0148 |
0x01A8 (early 6.0); 0x01C0 (late 6.0); 0x01A0 (6.1); 0x01B8 (6.2 to 1511); 0x01A8 (1607 to 1703); 0x01B8 |
ULONG RealtimeBuffersSaved; |
6.0 and higher | |
0x0130 (early 6.0); 0x0140 (late 6.0); 0x0138 (6.1); 0x0148 (6.2); 0x0150 (6.3 to 1511); 0x0148 (1607 to 1703); 0x0150 |
0x01B0 (early 6.0); 0x01C8 (late 6.0); 0x01A8 (6.1); 0x01C0 (6.2 to 1511); 0x01B0 (1607 to 1703); 0x01C0 |
ETW_REF_CLOCK RealtimeReferenceTime; |
6.0 and higher | |
0x0140 (early 6.0); 0x0150 (late 6.0) |
0x01C0 (early 6.0); 0x01D8 (late 6.0) |
ULONG RealtimeDisconnectProcessId; |
6.0 only | |
0x0144 (early 6.0); 0x0154 (late 6.0) |
0x01C4 (early 6.0); 0x01DC (late 6.0) |
ULONG RealtimeDisconnectConsumerId; |
6.0 only | |
0x0148 (early 6.0); 0x0158 (late 6.0); 0x0148 (6.1); 0x0158 (6.2); 0x0160 (6.3 to 1511); 0x0158 (1607 to 1703); 0x0160 |
0x01C8 (early 6.0); 0x01E0 (late 6.0); 0x01B8 (6.1); 0x01D0 (6.2 to 1511); 0x01C0 (1607 to 1703); 0x01D0 |
ETW_RT_EVENT_LOSS NewRTEventsLost; |
6.0 and higher | |
0x014C (early 6.0); 0x015C (late 6.0); 0x014C (6.1); 0x015C (6.2); 0x0164 (6.3 to 1511); 0x015C (1607 to 1703); 0x0164 |
0x01D0 (early 6.0); 0x01E8 (late 6.0); 0x01C0 (6.1); 0x01D8 (6.2 to 1511); 0x01C8 (1607 to 1703); 0x01D8 |
KEVENT LoggerEvent; |
6.0 and higher | previously at 0x2C and 0x40 |
0x015C (early 6.0); 0x016C (late 6.0); 0x015C (6.1); 0x016C (6.2); 0x0174 (6.3 to 1511); 0x016C (1607 to 1703); 0x0174 |
0x01E8 (early 6.0); 0x0200 (late 6.0); 0x01D8 (6.1); 0x01F0 (6.2 to 1511); 0x01E0 (1607 to 1703); 0x01F0 |
KEVENT FlushEvent; |
6.0 and higher | previously at 0x3C and 0x58 |
0x0170 (6.1); 0x0180 (6.2); 0x0188 (6.3 to 1511); 0x017C (1607 to 1703); 0x0188 |
0x01F0 (6.1); 0x0208 (6.2 to 1511); 0x01F8 (1607 to 1703); 0x0208 |
KTIMER FlushTimeOutTimer; |
6.1 and higher | |
0x016C (early 6.0); 0x017C (late 6.0); 0x0198 (6.1); 0x01A8 (6.2); 0x01B0 (6.3 to 1511); 0x01A8 (1607 to 1703); 0x01B0 |
0x0200 (early 6.0); 0x0218 (late 6.0); 0x0230 (6.1); 0x0248 (6.2 to 1511); 0x0238 (1607 to 1703); 0x0248 |
KDPC FlushDpc; |
6.0 to 6.1 | |
KDPC LoggerDpc; |
6.2 and higher | |||
0x018C (early 6.0); 0x019C (late 6.0); 0x01B8 (6.1); 0x01C8 (6.2); 0x01D0 (6.3 to 1511); 0x01C8 (1607 to 1703); 0x01D0 |
0x0240 (early 6.0); 0x0258 (late 6.0); 0x0270 (6.1); 0x0288 (6.2 to 1511); 0x0278 (1607 to 1703); 0x0288 |
KMUTANT LoggerMutex; |
6.0 and higher | previously at 0x0190 and 0x0218 |
0x01BC (late 6.0); 0x01D8 (6.1); 0x01E8 (6.2); 0x01F0 (6.3 to 1511); 0x01E8 (1607 to 1703); 0x01F0 |
0x0290 (late 6.0); 0x02A8 (6.1); 0x02C0 (6.2 to 1511); 0x02B0 (1607 to 1703); 0x02C0 |
EX_PUSH_LOCK LoggerLock; |
late 6.0 and higher | |
0x01DC (6.1); 0x01EC (6.2); 0x01F4 (6.3 to 1511); 0x01EC (1607 to 1703); 0x01F4 |
0x02B0 (6.1); 0x02C8 (6.2 to 1511); 0x02B8 (1607 to 1703); 0x02C8 |
union { KSPIN_LOCK BufferListSpinLock; EX_PUSH_LOCK BufferListPushLock; }; |
6.1 and higher | |
0x01AC (early 6.0); 0x01C0 (late 6.0); 0x01E0 (6.1); 0x01F0 (6.2); 0x01F8 (6.3 to 1511); 0x01F0 (1607 to 1703); 0x01F8 |
0x0278 (early 6.0); 0x0298 (late 6.0); 0x02B8 (6.1); 0x02D0 (6.2 to 1511); 0x02C0 (1607 to 1703); 0x02D0 |
SECURITY_CLIENT_CONTEXT ClientSecurityContext; |
6.0 and higher | previously at 0x013C and 0x01B0 |
0x0234 (10.0 to 1511); 0x022C (1607 to 1703); 0x0234 |
0x0318 (10.0 to 1511); 0x0308 (1607 to 1703); 0x0318 |
TOKEN_ACCESS_INFORMATION *TokenAccessInformation; |
10.0 and higher | |
0x01E8 (early 6.0); 0x01FC (late 6.0); 0x021C (6.1); 0x022C (6.2); 0x0234 (6.3); 0x0238 (10.0 to 1511); 0x0230 (1607 to 1703); 0x0238 |
0x02C0 (early 6.0); 0x02E0 (late 6.0); 0x0300 (6.1); 0x0318 (6.2 to 6.3); 0x0320 (10.0 to 1511); 0x0310 (1607 to 1703); 0x0320 |
EX_FAST_REF SecurityDescriptor; |
6.0 and higher | |
0x01F0 (early 6.0); 0x0200 (late 6.0) |
0x02C8 (early 6.0); 0x02E8 (late 6.0) |
WMI_BUFFER_HEADER DummyBufferForMarker; |
6.0 only | |
0x0230 (6.2); 0x0238 (6.3); 0x0240 (10.0 to 1511); 0x0238 (1607 to 1703); 0x0240 |
0x0320 (6.2 to 6.3); 0x0328 (10.0 to 1511); 0x0318 (1607 to 1703); 0x0328 |
LARGE_INTEGER StartTime; |
6.2 and higher | previously at 0x20 |
0x0238 (6.2); 0x0240 (6.3); 0x0248 (10.0 to 1511); 0x0240 (1607 to 1703); 0x0248 |
0x0328 (6.2 to 6.3); 0x0330 (10.0 to 1511); 0x0320 (1607 to 1703); 0x0330 |
HANDLE LogFileHandle; |
6.2 and higher | previously at 0x28 |
0x0238 (early 6.0); 0x0248 (late 6.0); 0x0220 (6.1); 0x0240 (6.2); 0x0248 (6.3); 0x0250 (10.0 to 1511); 0x0248 (1607 to 1703); 0x0250 |
0x0310 (early 6.0); 0x0330 (late 6.0); 0x0308 (6.1); 0x0330 (6.2 to 6.3); 0x0338 (10.0 to 1511); 0x0328 (1607 to 1703); 0x0338 |
LONGLONG BufferSequenceNumber; |
6.0 and higher | |
0x0240 (early 6.0); 0x0250 (late 6.0) |
0x0318 (early 6.0); 0x0338 (late 6.0) |
LONG AcceptNewEvents; |
6.0 only | next at 0x14 |
0x0244 (early 6.0); 0x0254 (late 6.0); 0x0228 (6.1); 0x0248 (6.2); 0x0250 (6.3); 0x0258 (10.0 to 1511); 0x0250 (1607 to 1703); 0x0258 |
0x031C (early 6.0); 0x033C (late 6.0); 0x0310 (6.1); 0x0338 (6.2 to 6.3); 0x0340 (10.0 to 1511); 0x0330 (1607 to 1703); 0x0340 |
union { ULONG Flags; struct { /* bit fields, follow link */ }; }; |
6.0 and higher | |
0x0248 (early 6.0); 0x0258 (late 6.0); 0x022C (6.1); 0x024C (6.2); 0x0254 (6.3); 0x025C (10.0 to 1511); 0x0254 (1607 to 1703); 0x025C |
0x0320 (early 6.0); 0x0340 (late 6.0); 0x0314 (6.1); 0x033C (6.2 to 6.3); 0x0344 (10.0 to 1511); 0x0334 (1607 to 1703); 0x0344 |
union { ULONG RequestFlag; struct { /* bit fields, follow link */ }; }; |
6.0 to 6.1 | previously at 0xC4 and 0x012C |
union { ULONG volatile RequestFlag; struct { /* bit fields, follow link */ }; }; |
6.2 and higher | |||
0x024C (early 6.0); 0x025C (late 6.0) |
0x0324 (early 6.0); 0x0344 (late 6.0) |
USHORT StackTraceFilterHookCount; |
6.0 only | |
0x024E (early 6.0); 0x025E (late 6.0) |
0x0326 (early 6.0); 0x0346 (late 6.0) |
USHORT StackTraceFilter [0x10]; |
6.0 only | last member in 6.0 |
0x0260 | 0x0350 |
ETW_STACK_TRACE_BLOCK StackTraceBlock; |
1709 and higher | |
0x0230 (6.1); 0x0250 (6.2); 0x0258 (6.3); 0x0260 (10.0 to 1511); 0x0258 (1607 to 1703); 0x04E8 (1709); 0x02B0 |
0x0318 (6.1); 0x0340 (6.2 to 6.3); 0x0348 (10.0 to 1511); 0x0338 (1607 to 1703); 0x0850 (1709); 0x03D0 |
RTL_BITMAP HookIdMap; |
6.1 and higher | last member in 6.1 |
0x0258 (6.2); 0x0260 (6.3); 0x0268 (10.0 to 1511); 0x0260 (1607 to 1703); 0x04F0 (1709); 0x02B8 |
0x0350 (6.2 to 6.3); 0x0358 (10.0 to 1511); 0x0348 (1607 to 1703); 0x0860 (1709); 0x03E0 |
ETW_STACK_CACHE *StackCache; |
6.2 and higher | |
0x025C (6.2); 0x0264 (6.3); 0x026C (10.0 to 1511); 0x0264 (1607 to 1703); 0x04F4 (1709); 0x02BC |
0x0358 (6.2 to 6.3); 0x0360 (10.0 to 1511); 0x0350 (1607 to 1703); 0x0868 (1709); 0x03E8 |
ETW_PMC_SUPPORT *PmcData; |
6.2 and higher | |
0x04F8 (1709); 0x02C0 |
0x0870 (1709); 0x03F0 |
ETW_LBR_SUPPORT *LbrData; |
1709 and higher | |
0x02C4 | 0x03F8 |
ETW_IPT_SUPPORT *IptData; |
1803 and higher | |
0x0260 (6.2); 0x0268 (6.3); 0x0270 (10.0 to 1511); 0x0268 (1607 to 1703) |
0x0360 (6.2 to 6.3); 0x0368 (10.0 to 1511); 0x0358 (1607 to 1703) |
LIST_ENTRY WinRtProviderBinaryList; |
6.2 to 1703 | |
0x04FC (1709); 0x02C8 |
0x0878 (1709); 0x0400 |
LIST_ENTRY BinaryTrackingList; |
1709 and higher | |
0x0268 (6.2); 0x0270 (6.3); 0x0278 (10.0 to 1511); 0x0270 (1607 to 1703); 0x0504 (1709); 0x02D0 |
0x0370 (6.2 to 6.3); 0x0378 (10.0 to 1511); 0x0368 (1607 to 1703); 0x0888 (1709); 0x0410 |
WMI_BUFFER_HEADER **ScratchArray; |
6.2 and higher | last member in 6.2 and 6.3 |
0x027C (10.0 to 1511); 0x0274 (1607 to 1703); 0x0508 (1709); 0x02D4 |
0x0380 (10.0 to 1511); 0x0370 (1607 to 1703); 0x0890 (1709); 0x0418 |
DISALLOWED_GUIDS DisallowedGuids; |
10.0 and higher | last member in 1511 |
0x0284 (10.0) | 0x0390 (10.0) |
ESILO *ServerSilo; |
10.0 only | last member in 10.0 |
0x0280 (1703); 0x0510 (1709); 0x02E0 |
0x0380 (1703); 0x08A0 (1709); 0x0428 |
LONGLONG RelativeTimeDueTime; |
1703 and higher | |
0x0288 (1703); 0x0518 (1709); 0x02E8 |
0x0388 1703); 0x08A8 (1709); 0x0430 |
PERIODIC_CAPTURE_STATE_GUIDS PeriodicCaptureStateGuids; |
1703 and higher | |
0x0290 (1703); 0x0520 (1709); 0x02F0 |
0x0398 1703); 0x08B8 (1709); 0x0440 |
EX_TIMER *PeriodicCaptureStateTimer; |
1703 and higher | |
0x0294 (1703); 0x0524 (1709); 0x02F4 |
0x03A0 1703); 0x08C0 (1709); 0x0448 |
ETW_PERIODIC_TIMER_STATE PeriodicCaptureStateTimerState; |
1703 and higher | |
0x027C (1607); 0x0298 (1703); 0x0528 (1709); 0x02F8 |
0x0380 (1607); 0x03A8 1703); 0x08C8 (1709); 0x0450 |
ETW_SOFT_RESTART_CONTEXT *SoftRestartContext; |
1607 and higher | |
0x0280 (1607); 0x029C (1703); 0x052C (1709); 0x02FC |
0x0388 (1607); 0x03B0 1703); 0x08D0 (1709); 0x0458 |
ETW_SILODRIVERSTATE *SiloState; |
1607 and higher | |
0x0284 (1607); 0x02A0 (1703); 0x0530 (1709); 0x0300 |
0x0390 (1607); 0x03B8 1703); 0x08D8 (1709); 0x0460 |
WORK_QUEUE_ITEM CompressionWorkItem; |
1607 and higher | |
0x0294 (1607); 0x02B0 (1703); 0x0540 (1709); 0x0310 |
0x03B0 (1607); 0x03D8 1703); 0x08F8 (1709); 0x0480 |
LONG CompressionWorkItemState; |
1607 and higher | |
0x0298 (1607); 0x02B4 (1703); 0x0544 (1709); 0x0314 |
0x03B8 (1607); 0x03E0 1703); 0x0900 (1709); 0x0488 |
EX_PUSH_LOCK CompressionLock; |
1607 and higher | |
0x029C (1607); 0x02B8 (1703); 0x0548 (1709); 0x0318 |
0x03C0 (1607); 0x03E8 1703); 0x0908 (1709); 0x0490 |
WMI_BUFFER_HEADER *CompressionTarget; |
1607 and higher | |
0x02A0 (1607); 0x02BC (1703); 0x054C (1709); 0x031C |
0x03C8 (1607); 0x03F0 1703); 0x0910 (1709); 0x0498 |
PVOID CompressionWorkspace; |
1607 and higher | |
0x02A4 (1607); 0x02C0 (1703); 0x0550 (1709); 0x0320 |
0x03D0 (1607); 0x03F8 1703); 0x0918 (1709); 0x04A0 |
LONG CompressionOn; |
1607 and higher | |
0x02A8 (1607); 0x02C4 (1703); 0x0554 (1709); 0x0324 |
0x03D4 (1607); 0x03FC 1703); 0x091C (1709); 0x04A4 |
ULONG CompressionRatioGuess; |
1607 and higher | |
0x02AC (1607); 0x02C8 (1703); 0x0558 (1709); 0x0328 |
0x03D8 (1607); 0x0400 1703); 0x0920 (1709); 0x04A8 |
ULONG PartialBufferCompressionLevel; |
1607 and higher | |
0x02B0 (1607); 0x02CC (1703); 0x055C (1709); 0x032C |
0x03DC (1607); 0x0404 1703); 0x0924 (1709); 0x04AC |
ETW_COMPRESSION_RESUMPTION_MODE CompressionResumptionMode; |
1607 and higher | |
0x02B4 (1607); 0x02D0 (1703); 0x0560 (1709); 0x0330 |
0x03E0 (1607); 0x0408 1703); 0x0928 (1709); 0x04B0 |
SINGLE_LIST_ENTRY PlaceholderList; |
1607 and higher | |
0x02B8 (1607); 0x02D4 (1703); 0x0564 (1709); 0x0334 |
0x03E8 (1607); 0x0410 1703); 0x0930 (1709); 0x04B8 |
KDPC CompressionDpc; |
1607 and higher | |
0x02D8 (1607); 0x02F8 (1703); 0x0588 (1709); 0x0358 |
0x0428 (1607); 0x0450 1703); 0x0970 (1709); 0x04F8 |
LARGE_INTEGER LastBufferSwitchTime; |
1607 and higher | |
0x02E0 (1607); 0x0300 (1703); 0x0590 (1709); 0x0360 |
0x0430 (1607); 0x0458 1703); 0x0978 (1709); 0x0500 |
LARGE_INTEGER BufferWriteDuration; |
1607 and higher | |
0x02E8 (1607); 0x0308 (1703); 0x0598 (1709); 0x0368 |
0x0438 (1607); 0x0460 1703); 0x0980 (1709); 0x0508 |
LARGE_INTEGER BufferCompressDuration; |
1607 and higher | last member in 1607 and higher |
Note that in x64 builds for version 1709 and higher, the StackTraceBlock and thence the whole of the WMI_LOGGER_CONTEXT has 16-byte alignment.
The defined values for the ClockType each correspond to a different GetCpuClock routine for getting timestamps. Microsoft’s names are known from the NTWMI.H header:
Value | Name | Time |
---|---|---|
0 | EVENT_TRACE_CLOCK_RAW | |
1 | EVENT_TRACE_CLOCK_PERFCOUNTER | tick count from the KeQueryPerformanceCounter function |
2 | EVENT_TRACE_CLOCK_SYSTEMTIME | 100ns units since 1601, as from the KeQuerySystemTimePrecise function |
3 | EVENT_TRACE_CLOCK_CPUCYCLE | processor cycle count from the rdtsc instruction |
4 | EVENT_TRACE_CLOCK_MAX |