Geoff Chappell - Software Analyst
The WMI_CLIENT_CONTEXT structure (formally _WMI_CLIENT_CONTEXT) is the original form of what is nowadays named the ETW_BUFFER_CONTEXT. It dates from version 5.0 but is extinct in version 6.0 and higher.
In the original implementation of Event Tracing for Windows (ETW), a WMI_CLIENT_CONTEXT is kept as the ClientContext member of the WMI_BUFFER_HEADER at the start of every trace buffer and is duplicated from there into the ClientContext member of the EVENT_TRACE for each event that is consumed from the buffer. For this second purpose, however, it is an opaque ULONG. Indeed, Microsoft only ever documented it as Reserved.
The reworked interface for event consumers in Windows Vista opened the client context to inspection but rebadged it as a buffer context. The implementation still keeps it as ClientContext in each WMI_BUFFER_HEADER, but the type now is named ETW_BUFFER_CONTEXT and event consumption duplicates it into the BufferContext member of either an EVENT_TRACE or an EVENT_RECORD.
The WMI_CLIENT_CONTEXT was not documented. Neither is a C-language definition known to have ever been published. Its successor is documented and has its C-language definition in the widely distributed EVNTRACE.H.
The WMI_CLIENT_CONTEXT is four bytes in both 32-bit and 64-bit Windows. Offsets, names and types are known from public symbol files for the kernel from Windows XP SP3 and Windows Server 2003 SP2, and no earlier.
Offset | Definition | Versions |
---|---|---|
0x00 | UCHAR ProcessorNumber; | 5.0 to 5.2 |
0x01 | UCHAR Alignment; | 5.0 to 5.2 |
0x02 | USHORT LoggerId; | 5.0 to 5.2 |
All the structure’s few members survive in-place to the ETW_BUFFER_CONTEXT in versions 6.0 and higher. Version 6.2 widens the 8-bit ProcessorNumber to a 16-bit ProcessorIndex but keeps the ProcessorNumber and Alignment in a union.
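The layout in the table, written out in C with compile-time offset checks and a decoder for the opaque ULONG seen as EVENT_TRACE.ClientContext. This is an added example, not a definition published by Microsoft or taken from this page's sources. The stdint types standing in for UCHAR and USHORT, the helper function names and the sample value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout from the table (versions 5.0 to 5.2). uint8_t and uint16_t stand in
   for UCHAR and USHORT so the example builds without Windows headers. */
typedef struct _WMI_CLIENT_CONTEXT {
    uint8_t  ProcessorNumber;   /* offset 0x00 */
    uint8_t  Alignment;         /* offset 0x01 */
    uint16_t LoggerId;          /* offset 0x02 */
} WMI_CLIENT_CONTEXT;

/* Compile-time checks against the documented size and offsets. */
_Static_assert(sizeof(WMI_CLIENT_CONTEXT) == 4, "four bytes");
_Static_assert(offsetof(WMI_CLIENT_CONTEXT, ProcessorNumber) == 0x00, "0x00");
_Static_assert(offsetof(WMI_CLIENT_CONTEXT, Alignment) == 0x01, "0x01");
_Static_assert(offsetof(WMI_CLIENT_CONTEXT, LoggerId) == 0x02, "0x02");

/* Hypothetical helper: split the opaque ULONG that a consumer receives as
   EVENT_TRACE.ClientContext. Windows targets are little-endian, so offset
   0x00 is the low byte of the ULONG. Shifts keep this host-independent. */
WMI_CLIENT_CONTEXT decode_client_context(uint32_t client_context)
{
    WMI_CLIENT_CONTEXT ctx;
    ctx.ProcessorNumber = (uint8_t)(client_context & 0xFF);
    ctx.Alignment       = (uint8_t)((client_context >> 8) & 0xFF);
    ctx.LoggerId        = (uint16_t)(client_context >> 16);
    return ctx;
}

/* Hypothetical helper: the same two low bytes read as the 16-bit
   ProcessorIndex that version 6.2 overlays on ProcessorNumber and Alignment. */
uint16_t processor_index_v62(uint32_t buffer_context)
{
    return (uint16_t)(buffer_context & 0xFFFF);
}

int main(void)
{
    uint32_t sample = 0x00030002u;  /* constructed value, not from a real trace */
    WMI_CLIENT_CONTEXT ctx = decode_client_context(sample);
    printf("processor %u, alignment %u, logger %u\n",
           (unsigned)ctx.ProcessorNumber, (unsigned)ctx.Alignment, (unsigned)ctx.LoggerId);
    printf("as 6.2 ProcessorIndex: %u\n", (unsigned)processor_index_v62(sample));
    return 0;
}
```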