Geoff Chappell - Software Analyst
In versions 5.2 and higher, the WMI_BUFFER_HEADER has a USHORT member named BufferFlag at offset 0x34. Microsoft’s names for the possible values (which are defined by macros and thus do not pass into symbol files as type information) are known from the NTWMI.H that Microsoft pubilshed, possibly by accident, with the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10:
| Value | Name |
|---|---|
| 0x0000 | ETW_BUFFER_FLAG_NORMAL |
| 0x0001 | ETW_BUFFER_FLAG_FLUSH_MARKER |
| 0x0002 | ETW_BUFFER_FLAG_EVENTS_LOST |
| 0x0004 | ETW_BUFFER_FLAG_BUFFER_LOST |
| 0x0008 | ETW_BUFFER_FLAG_RTBACKUP_CORRUPT |
| 0x0010 | ETW_BUFFER_FLAG_RTBACKUP |
| 0x0020 | ETW_BUFFER_FLAG_PROC_INDEX |
| 0x0040 | ETW_BUFFER_FLAG_COMPRESSED |