Geoff Chappell - Software Analyst
The only known use of the ETW_BUFFER_STATE enumeration (formally _ETW_BUFFER_STATE) is as the State at offset 0x2C in the WMI_BUFFER_HEADER structure. There it has fully replaced the Flags that the structure inherited from some loose compatibility with the WNODE_HEADER. In versions 5.1 to 5.2, if not in version 5.0 too, these Flags are in union with a WMI_BUFFER_STATE that is itself a structure of ULONG bit fields. When version 6.0 changed to keeping similar state as an enumeration, the WMI_BUFFER_STATE was replaced by the ETW_BUFFER_STATE, but the union with the Flags was not tidied away until version 6.1.
Values and names are known from public symbol files for the kernel, starting with Windows Vista.
| Value | Name | Versions |
|---|---|---|
| 0 | EtwBufferStateFree | 6.0 and higher |
| 1 | EtwBufferStateGeneralLogging | 6.0 and higher |
| 2 | EtwBufferStateCSwitch | 6.0 and higher |
| 3 | EtwBufferStateFlush | 6.0 and higher |
| 4 | EtwBufferStatePendingCompression | 1607 and higher |
| 5 | EtwBufferStateCompressed | 1607 and higher |
| 6 | EtwBufferStatePlaceholder | 1607 and higher |
| 4 (6.0 to 1511); 7 | EtwBufferStateMaximum | 6.0 and higher |