PROCESSOR_PROFILE_CONTROL_AREA

The processors that Windows runs on have an increasing wealth of debugging support. This includes a style of tracing or profiling in which the processor neither interrupts its execution, as it does for debug exceptions, nor quickly saves details into a handful of available Model Specific Registers, but instead records events in a possibly large area of memory. This processor feature looks to have started with the development of Last Branch Recording (LBR) into the Branch Trace Store (BTS). It also supports Processor Event Based Sampling (PEBS). Separate memory for branch records and PEBS records is found from pointers and other control data in a Debug Store (DS) Save Area. It is DS that has the corresponding cpuid feature flag to tell of its overall availability, and then bits in the IA32_MISC_ENABLE MSR tell whether the particular sub-features BTS and PEBS are unavailable. The PROCESSOR_PROFILE_CONTROL_AREA is Microsoft’s generalisation of a control area for this sort of processor profiling, however it might be developed beyond DS by Intel or come to be supported for processors from other vendors.

Availability

The PROCESSOR_PROFILE_CONTROL_AREA dates from version 6.2.

The intended way that a PROCESSOR_PROFILE_CONTROL_AREA is created for a processor is through the ZwSetSystemInformation function’s information class SystemProcessorProfileControlArea (0x81). The caller provides a SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA as the information buffer. Setting the Allocate member to TRUE for input has the kernel create a PROCESSOR_PROFILE_CONTROL_AREA for the current processor and return the address as output in the ProcessorProfileControlArea member. Calling with Allocate as FALSE destroys the current processor’s PROCESSOR_PROFILE_CONTROL_AREA.

Documentation Status

The PROCESSOR_PROFILE_CONTROL_AREA is not documented. What’s known of its layout, below, is from public symbol files for the kernel, starting with version 6.2.

Layout

The PROCESSOR_PROFILE_CONTROL_AREA is 0x60 bytes in both 32-bit and 64-bit Windows in version 6.2 and higher.

| Offset | Definition | Version |
|---|---|---|
| 0x00 | PEBS_DS_SAVE_AREA PebsDsSaveArea; | 6.2 and higher |

The only profiling that is yet accommodated in the PROCESSOR_PROFILE_CONTROL_AREA is Intel’s Debug Store. The PEBS_DS_SAVE_AREA is Microsoft’s representation of what the Intel processor manuals present as the 64-Bit DS Save Area. While it is not known to have any separate use in Windows, it is as well given here.

| Offset | Definition | Version |
|---|---|---|
| 0x00 | ULONGLONG BtsBufferBase; | 6.2 and higher |
| 0x08 | ULONGLONG BtsIndex; | 6.2 and higher |
| 0x10 | ULONGLONG BtsAbsoluteMaximum; | 6.2 and higher |
| 0x18 | ULONGLONG BtsInterruptThreshold; | 6.2 and higher |
| 0x20 | ULONGLONG PebsBufferBase; | 6.2 and higher |
| 0x28 | ULONGLONG PebsIndex; | 6.2 and higher |
| 0x30 | ULONGLONG PebsAbsoluteMaximum; | 6.2 and higher |
| 0x38 | ULONGLONG PebsInterruptThreshold; | 6.2 and higher |
| 0x40 | ULONGLONG PebsCounterReset0; | 6.2 and higher |
| 0x48 | ULONGLONG PebsCounterReset1; | 6.2 and higher |
| 0x50 | ULONGLONG PebsCounterReset2; | 6.2 and higher |
| 0x58 | ULONGLONG PebsCounterReset3; | 6.2 and higher |

The kernel retains access to the PebsIndex member. This allows the kernel to stamp the current PEBS index into the kernel’s own events as extended event data. This is a potentially important provision for reconciling the processor’s PEBS records with the bigger picture of what the kernel was doing at the time. Notably, the kernel can be configured to add PEBS indexes to its traces of when the processor switched from one thread to another.
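The following is an added example, not code from the original page or from Microsoft. It mirrors the tabulated layout in C, checks the offsets at compile time, and shows how a PebsIndex stamped into a trace event can be reconciled with a record position in the PEBS buffer, relying on Intel's definition of the index as the address of the next record to be written. The helper names, the sample values and the 0xC0-byte record size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout as tabulated on this page; ULONGLONG is written as uint64_t. */
typedef struct {
    uint64_t BtsBufferBase, BtsIndex, BtsAbsoluteMaximum, BtsInterruptThreshold;
    uint64_t PebsBufferBase, PebsIndex, PebsAbsoluteMaximum, PebsInterruptThreshold;
    uint64_t PebsCounterReset0, PebsCounterReset1, PebsCounterReset2, PebsCounterReset3;
} PEBS_DS_SAVE_AREA;
_Static_assert(sizeof(PEBS_DS_SAVE_AREA) == 0x60, "size must be 0x60");
_Static_assert(offsetof(PEBS_DS_SAVE_AREA, PebsIndex) == 0x28, "PebsIndex at 0x28");
_Static_assert(offsetof(PEBS_DS_SAVE_AREA, PebsCounterReset3) == 0x58, "last member at 0x58");

/* Hypothetical helper: decode a little-endian 0x60-byte image, e.g. from a memory dump. */
int ds_load(const uint8_t *raw, size_t len, PEBS_DS_SAVE_AREA *out)
{
    uint64_t v[12];
    if (raw == NULL || out == NULL || len < sizeof v) return -1;
    for (size_t i = 0; i < 12; i++) {
        v[i] = 0;
        for (int b = 7; b >= 0; b--) v[i] = (v[i] << 8) | raw[i * 8 + b];
    }
    memcpy(out, v, sizeof v);
    return 0;
}

/* Hypothetical helper: how many records precede the one a stamped index points at?
   Returns -1 when the index is outside [base, max] or not on a record boundary. */
int64_t ds_index_to_ordinal(uint64_t base, uint64_t max, uint64_t index, uint64_t rec_size)
{
    if (rec_size == 0 || base == 0 || max < base) return -1;
    if (index < base || index > max || (index - base) % rec_size != 0) return -1;
    return (int64_t)((index - base) / rec_size);
}

/* Constructed sample: base 0x1000, index 0x1240, maximum 0x2000, assumed 0xC0-byte records. */
int64_t demo_ordinal(void)
{
    uint8_t raw[0x60] = {0};
    PEBS_DS_SAVE_AREA a;
    raw[0x21] = 0x10;                    /* PebsBufferBase      = 0x1000 */
    raw[0x28] = 0x40; raw[0x29] = 0x12;  /* PebsIndex           = 0x1240 */
    raw[0x31] = 0x20;                    /* PebsAbsoluteMaximum = 0x2000 */
    if (ds_load(raw, sizeof raw, &a) != 0) return -1;
    return ds_index_to_ordinal(a.PebsBufferBase, a.PebsAbsoluteMaximum, a.PebsIndex, 0xC0);
}
int main(void) { printf("ordinal %lld\n", (long long)demo_ordinal()); return 0; }
```

The PEBS record size differs between processor generations, so a real analysis must take it from the processor's documentation rather than from the value assumed here.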