Geoff Chappell - Software Analyst
The ETW_NOTIFICATION_TYPE enumeration has the values that are meaningful for the NotificationType in an ETW_NOTIFICATION_HEADER or ETWP_NOTIFICATION_HEADER.
The ETW_NOTIFICATION_TYPE enumeration is not documented, but Microsoft has published a C-language definition in the NTETW.H header from the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10.
Were it not for this relatively recent and possibly unintended disclosure, the practical equivalent of a C-language definition has since Windows 8 been published as type information in the symbol files for the kernel. For earlier versions, type information is known from a statically linked library, named CLFSMGMT.LIB, which Microsoft distributes with the Software Development Kit (SDK) starting with Windows Vista.
Possible values and Microsoft’s names for them are known from type information and the one C-language definition, as described above.
Value | Name | Versions |
---|---|---|
0x01 | EtwNotificationTypeNoReply | 6.0 and higher |
0x02 | EtwNotificationTypeLegacyEnable | 6.0 and higher |
0x03 | EtwNotificationTypeEnable | 6.0 and higher |
0x04 | EtwNotificationTypePrivateLogger | 6.0 and higher |
0x05 | EtwNotificationTypePerfLib | 6.0 and higher |
0x06 | EtwNotificationTypeAudio | 6.0 and higher |
0x07 | EtwNotificationTypeSession | 6.0 and higher |
0x08 | EtwNotificationTypeReserved | 6.0 and higher |
0x09 | EtwNotificationTypeCredentialUI | 6.0 and higher |
0x0A | EtwNotificationTypeInProcSession | 6.3 and higher |
0x0B | EtwNotificationTypeFilteredPrivateLogger | 1703 and higher |
0x0A (6.0 to 6.2); 0x0B (6.3 to 1607); 0x0C (1703 and higher) | EtwNotificationTypeMax | 6.0 and higher |
Definition of EtwNotificationTypeReserved is known only from type information in symbol files. No use or implementation is yet known in any version.
Some notification types cannot be produced from user mode just by calling documented API functions. They instead require such NTDLL functions as EtwSendNotification and look to have very particular reasons for existence. For instance, EtwNotificationTypeCredentialUI is known only in notifications from CONSENT.EXE as it enters and leaves the secure desktop.