Geoff Chappell - Software Analyst
Events that are delivered to the NT Kernel Logger get logged to trace buffers, as do any other. While there, they begin with either a PERFINFO_TRACE_HEADER or a SYSTEM_TRACE_HEADER in either its full or compact form. If the event tracing session is configured to flush to an Event Trace Log (ETL) file, the events can be seen raw, with these headers, because the events are not yet translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer.
As events for the NT Kernel Logger go into the trace buffers, the analogue of an event ID as a unique numerical value for each type of event is the 16-bit HookId, at offset 0x06 in the trace header. This HookId is itself formed in two parts, specifically a Group and Type as the high and low bytes, respectively, such that similar types of events are conveniently managed in groups.
By the way, this convenience is not immediate for interpreting an ETL file from an NT Kernel Logger session using the ordinary Microsoft tools for perusing logged events. Though the Event Viewer will load an ETL file from an NT Kernel Logger session and the WEVTUTIL command-line tool will process one, the presentation is arguably anything but helpful. The HookId uniquely identifies each type of event, but it does not show as the Event ID. Instead, when an event that has a HookId is translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer, the high byte, i.e., the Group, is translated to a GUID to show as the ProviderId and the low byte, i.e., the Type, becomes the Opcode in the EventDescriptor. It’s obvious once you think about it!
The intended bare-bones way to interpret ETL files from an NT Kernel Logger session is with the Tracefmt and TraceView tools from the Windows Driver Kit (WDK). These tools’ interpretation of the event-specific data is aided by a text file named SYSTEM.TMF that tells how to format the data for some (very few) of the (very many) possible types of event. Not quite so bare-boned are higher-level tools—which can at least in principle be written by anyone—that learn the formatting from Managed Object Format (MOF) data that is compiled into the WMI repository. From SYSTEM.TMF and Microsoft’s documentation of event data “simplified from MOF code” for the MSNT_SystemTrace class, one might easily think that the types of events that can be sent to the NT Kernel Logger number in the dozens, but they are in fact numerous, nowadays running to more than five hundred. For the overwhelming majority that are hidden, develoment into third-party tools seems highly unlikely.
Microsoft’s higher-level tools than Tracefmt and TraceView have been available for years now. The Windows Performance Analyzer delivers some pleasingly elaborate analysis and graphical presentation, and attracts approving reviews of the power and sophistication that Microsoft has brought to performance analysis not just of Windows programs and drivers but of Windows itself. But given how much of this power comes from keeping large tracts of relevant material undocumented, is it too cynical to suggest that of all the work that Microsoft has been putting into improved performance monitoring of Windows, a good proportion has been directed at ensuring that no market develops for tools other than Microsoft’s?
In the following table, the HookId values that start each group are named from the NTWMI.H that Microsoft published in early editions of the Enterprise WDK for Windows 10 (for the original release and for Version 1511), and the corresponding GUID and its symbolic name are from symbol files for the SECHOST.DLL from the original release of Windows 10. The relevance of this DLL is that it implements the ProcessTrace function which translates the events into the standard presentation for event consumers. Some of the GUIDs, though not their correspondence to the high byte of a HookID, are anyway defined in readily available headers, notably EVNTRACE.H and WMIGUID.H. Some, whether defined in a header or not, are even documented (as NT Kernel Logger Constants).
| Value | Name | GUID Value | GUID Name | Versions |
|---|---|---|---|---|
| 0x0000 | EVENT_TRACE_GROUP_HEADER | {68FDD900-4A3E-11D1-84F4-0000F80464E3} | EventTraceGuid | 5.0 and higher |
| 0x0100 | EVENT_TRACE_GROUP_IO | {3D6FA8D4-FE05-11D0-9DDA-00C04FD7BA7C} | DiskIoGuid | 5.0 and higher |
| 0x0200 | EVENT_TRACE_GROUP_MEMORY | {3D6FA8D3-FE05-11D0-9DDA-00C04FD7BA7C} | PageFaultGuid | 5.0 and higher |
| 0x0300 | EVENT_TRACE_GROUP_PROCESS | {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C} | ProcessGuid | 5.0 and higher |
| 0x0400 | EVENT_TRACE_GROUP_FILE | {90CBDC39-4A3E-11D1-84F4-0000F80464E3} | FileIoGuid | 5.0 and higher |
| 0x0500 | EVENT_TRACE_GROUP_THREAD | {3D6FA8D1-FE05-11D0-9DDA-00C04FD7BA7C} | ThreadGuid | 5.0 and higher |
| 0x0600 | EVENT_TRACE_GROUP_TCPIP | {9A280AC0-C8E0-11D1-84E2-00C04FB998A2} | TcpIpGuid | 5.0 and higher |
| 0x0700 | EVENT_TRACE_GROUP_JOB | {3282FC76-FEED-498E-8AA7-E70F459D430E } | JobGuid | 5.0 and higher |
| 0x0800 | EVENT_TRACE_GROUP_UDPIP | {BF3A50C5-A9C9-4988-A005-2DF0B7C80F80} | UdpIpGuid | 5.0 and higher |
| 0x0900 | EVENT_TRACE_GROUP_REGISTRY | {AE53722E-C863-11D2-8659-00C04FA321A1} | RegistryGuid | 5.0 and higher |
| 0x0A00 | EVENT_TRACE_GROUP_DBGPRINT | {13976D09-A327-438C-950B-7F03192815C7} | DbgPrintGuid | |
| 0x0B00 | EVENT_TRACE_GROUP_CONFIG | {01853A65-418F-4F36-AEFC-DC0F1D2FD235} | EventTraceConfigGuid | |
| 0x0C00 | EVENT_TRACE_GROUP_SPARE1 | {99134383-5248-43FC-834B-529454E75DF3} | EventTraceSpare1 | |
| 0x0D00 | EVENT_TRACE_GROUP_WNF | {42695762-EA50-497A-9068-5CBBB35E0B95} | WnfGuid | |
| 0x0E00 | EVENT_TRACE_GROUP_POOL | {0268A8B6-74FD-4302-9DD0-6E8F1795C0CF} | PoolGuid | |
| 0x0F00 | EVENT_TRACE_GROUP_PERFINFO | {CE1DBFB4-137E-4DA6-87B0-3F59AA102CBC} | PerfInfoGuid | |
| 0x1000 | EVENT_TRACE_GROUP_HEAP | {222962AB-6180-4B88-A825-346B75F2A24A} | HeapGuid | |
| 0x1100 | EVENT_TRACE_GROUP_OBJECT | {89497F50-EFFE-4440-8CF2-CE6B1CDCACA7} | ObjectGuid | |
| 0x1200 | EVENT_TRACE_GROUP_POWER | {E43445E0-0903-48C3-B878-FF0FCCEBDD04} | PowerGuid | |
| 0x1300 | EVENT_TRACE_GROUP_MODBOUND | {A9152F00-3F58-4BEE-92A1-70C7D079D5DD} | ModBoundGuid | |
| 0x1400 | EVENT_TRACE_GROUP_IMAGE | {2CB15D1D-5FC1-11D2-ABE1-00A0C911F518} | ImageLoadGuid | |
| 0x1500 | EVENT_TRACE_GROUP_DPC | {B2D14872-7C5B-463D-8419-EE9BF7D23E04} | DpcGuid | |
| 0x1600 | EVENT_TRACE_GROUP_CC | {7687A439-F752-45B8-B741-321AEC0F8DF9} | CcGuid | |
| 0x1700 | EVENT_TRACE_GROUP_CRITSEC | {3AC66736-CC59-4CFF-8115-8DF50E39816B} | CritSecGuid | |
| 0x1800 | EVENT_TRACE_GROUP_STACKWALK | {DEF2FE46-7BD6-4B80-BD94-F57FE20D0CE3} | StackWalkGuid | |
| 0x1900 | EVENT_TRACE_GROUP_UMS | {9AEC974B-5B8E-4118-9B92-3186D8002CE5} | UmsEventGuid | |
| 0x1A00 | EVENT_TRACE_GROUP_ALPC | {45D8CCCD-539F-4B72-A8B7-5C683142609A} | ALPCGuid | |
| 0x1B00 | EVENT_TRACE_GROUP_SPLITIO | {D837CA92-12B9-44A5-AD6A-3A65B3578AA8} | SplitIoGuid | |
| 0x1C00 | EVENT_TRACE_GROUP_THREAD_POOL | {C861D0E2-A2C1-4D36-9F9C-970BAB943A12} | ThreadPoolGuid | |
| 0x1D00 | EVENT_TRACE_GROUP_HYPERVISOR | {7F2A405C-69B5-4BF9-A1F5-30E8F1AFAB5E} | HypervisorTraceGuid | |
| 0x1E00 | EVENT_TRACE_GROUP_HYPERVISORX | {2CE9A149-EFFE-42F0-A635-A1D39E26C8F2} | HypervisorXTraceGuid |
There looks to be some loose association of these groups with the PERFINFO_GROUPMASK that is the modern extension of the EnableFlags of the EVENT_TRACE_PROPERTIES structure as passed through such API function as StartTrace and ControlTrace. It is mostly true that an event with a given HookId can get logged only if a particular bit or combination of bits is set in the group mask, but no formal correspondence between the Group and the bit is yet known. Unless one is discovered, inferring an informal one might usefully be on someone’s to-do list.
Though Microsoft leaves formal definition of the groups to a semi-secret header, some values of the Type, i.e., the low byte of each hook ID, are defined in the readily available EVNTRACE.H. The first ten types appear to have been intended from the start as generic:
| Value | Name | Versions |
|---|---|---|
| 0x00 | EVENT_TRACE_TYPE_INFO | 5.0 and higher |
| 0x01 | EVENT_TRACE_TYPE_START | 5.0 and higher |
| 0x02 | EVENT_TRACE_TYPE_END | 5.0 and higher |
| EVENT_TRACE_TYPE_STOP | 6.0 and higher | |
| 0x03 | EVENT_TRACE_TYPE_DC_START | 5.0 and higher |
| 0x04 | EVENT_TRACE_TYPE_DC_END | 5.0 and higher |
| 0x05 | EVENT_TRACE_TYPE_EXTENSION | 5.0 and higher |
| 0x06 | EVENT_TRACE_TYPE_REPLY | 5.0 and higher |
| 0x07 | EVENT_TRACE_TYPE_DEQUEUE | 5.0 and higher |
| EVENT_TRACE_TYPE_RESUME | 6.0 and higher | |
| 0x08 | EVENT_TRACE_TYPE_CHECKPOINT | 5.0 and higher |
| EVENT_TRACE_TYPE_SUSPEND | 6.0 and higher | |
| 0x09 | EVENT_TRACE_TYPE_RESERVED9 | 5.0 to 5.2 |
| EVENT_TRACE_TYPE_WINEVT_SEND | 6.0 and higher | |
| 0xF0 | EVENT_TRACE_TYPE_WINEVT_RECEIVE | 6.0 and higher |
See that two of these got aliases for Windows Vista, which also added a generic type at the high end. Types from 0x0A and up, but not even nearly as far as 0xF0, are assigned differently in different groups. EVNTRACE.H has always given Microsoft’s names for a handful. (These are indicated in the tables below as “type alone”.)
As for the hundreds of possible types of event, whether as values of HookId or of combinations of Group and Type (or ProviderId and Opcode), a complete list would require an exhaustive search through the code of all modules that might log to an NT Kernel Logger session—which means not just the kernel, and not just modules in kernel mode, but at least NTDLL, ADVAPI32 and SECHOST in user mode too. Without such a search, the best that’s known to be available are macro definitions in Microsoft’s semi-secret NTWMI.H.
Of course, that a header from Microsoft defines a macro for an event, and even a structure for the event data, doesn’t mean that the event actually can ever be written. Not only may the definition remain from an old version or anticipate a future version, but the nature of some of these events is that they may be generated in such high volume that it would not surprise to find they are intended only for debug releases or only for internal testing. However they’re known, they’re collected below for easy reckoning in order of increasing HookId. Eventually, each event might be shown with such detail as where the event can originate, which group mask is required, which header is used, what data follows the header, and even which versions the event can occur in. (But, really, how is this not documented by Microsoft? And, given that it’s not documented, how is it that the rest of the industry hasn’t found a way to make it someone’s paid work? Then, other people’s paid work could be directed at developing superior tools for performance analysis and everyone would benefit from knowing more about what these tools actually measure.)
Please note a general caution about versions that are indicated for any of these events. This study is preliminary and episodic at best. That a version is indicated does mean that use is known in those versions. It does not mean that earlier versions have no support, just that I don’t know of it or that I haven’t yet recorded it here. It’s a rough indication only.
The first group is of events that have to do with the general business of logging events. Indeed, the event numbered 0x0000 is not even specific to the NT Kernel Logger but is the first in every ETL file, whatever the trace session.
| Value | Name | Event Data | Versions |
|---|---|---|---|
| 0x0000 | WMI_LOG_TYPE_HEADER |
TRACE_LOGFILE_HEADER
and two null-terminated Unicode strings |
5.0 and higher |
| 0x0005 | WMI_LOG_TYPE_HEADER_EXTENSION | ETW_KERNEL_HEADER_EXTENSION | 5.2 and higher |
| 0x0008 | WMI_LOG_TYPE_RUNDOWN_COMPLETE | ||
| 0x000A | type alone as EVENT_TRACE_TYPE_GUIDMAP | type defined for 5.0 and higher | |
| 0x000B | type alone as EVENT_TRACE_TYPE_CONFIG | type defined for 5.0 and higher | |
| 0x000C | type alone as EVENT_TRACE_TYPE_SIDINFO | type defined for 5.0 and higher | |
| 0x000D | type alone as EVENT_TRACE_TYPE_SECURITY | type defined for 5.0 and higher | |
| 0x0020 | WMI_LOG_TYPE_GROUP_MASKS_END | ETW_KERNEL_HEADER_EXTENSION | 6.0 and higher |
| 0x0030 | WMI_LOG_TYPE_RUNDOWN_BEGIN | ||
| 0x0031 | WMI_LOG_TYPE_RUNDOWN_END | ||
| 0x0040 | WMI_LOG_TYPE_DBGID_RSDS; type alone as EVENT_TRACE_TYPE_DBGID_RSDS |
6.2 and higher | |
| 0x0041 | WMI_LOG_TYPE_DBGID_NB10 | ||
| 0x0042 | WMI_LOG_TYPE_BUILD_LAB | 6.2 and higher | |
| 0x0043 | WMI_LOG_TYPE_BINARY_PATH | 6.2 and higher |
| Value | Name | Event Data | Versions |
|---|---|---|---|
| 0x010A | WMI_LOG_TYPE_IO_READ; type alone as EVENT_TRACE_TYPE_IO_READ |
ETW_DISKIO_READWRITE | 5.0 only |
| ETW_DISKIO_READWRITE_V2 | 5.1 to 6.1 | ||
| ETW_DISKIO_READWRITE_V3 | 6.2 and higher | ||
| 0x010B | WMI_LOG_TYPE_IO_WRITE; type alone as EVENT_TRACE_TYPE_IO_WRITE |
ETW_DISKIO_READWRITE | 5.0 only |
| ETW_DISKIO_READWRITE_V2 | 5.1 to 6.1 | ||
| ETW_DISKIO_READWRITE_V3 | 6.2 and higher | ||
| 0x010C | WMI_LOG_TYPE_IO_READ_INIT; type alone as EVENT_TRACE_TYPE_IO_READ_INIT |
type defined for 6.0 and higher | |
| 0x010D | WMI_LOG_TYPE_IO_WRITE_INIT; type alone as EVENT_TRACE_TYPE_IO_WRITE_INIT |
type defined for 6.0 and higher | |
| 0x010E | WMI_LOG_TYPE_IO_FLUSH; type alone as EVENT_TRACE_TYPE_IO_FLUSH |
type defined for 6.0 and higher | |
| 0x010F | WMI_LOG_TYPE_IO_FLUSH_INIT; type alone as EVENT_TRACE_TYPE_IO_FLUSH_INIT |
type defined for 6.0 and higher | |
| 0x0110 | WMI_LOG_TYPE_IO_REDIRECTED_INIT; type alone as EVENT_TRACE_TYPE_IO_REDIRECTED_INIT |
type defined for 6.3 and higher | |
| 0x0120 | PERFINFO_LOG_TYPE_DRIVER_INIT | ||
| 0x0121 | PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE | ||
| 0x0122 | PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL | 5.1 and higher | |
| 0x0123 | PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN | 5.1 and higher | |
| 0x0124 | PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL | ||
| 0x0125 | PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN | 6.0 and higher | |
| 0x0126 | PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL | ||
| 0x0127 | PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN | ||
| 0x0128 | PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL | ||
| 0x0129 | PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN | ||
| 0x0130 | PERFINFO_LOG_TYPE_PREFETCH_ACTION | ||
| 0x0131 | PERFINFO_LOG_TYPE_PREFETCH_REQUEST | ||
| 0x0132 | PERFINFO_LOG_TYPE_PREFETCH_READLIST | ||
| 0x0133 | PERFINFO_LOG_TYPE_PREFETCH_READ | ||
| 0x0134 | PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST | 5.1 and higher | |
| 0x0135 | PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN | 5.1 and higher | |
| 0x0136 | PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION | 5.1 and higher | |
| 0x0137 | PERFINFO_LOG_TYPE_OPTICAL_IO_READ; type alone as EVENT_TRACE_TYPE_OPTICAL_IO_READ |
6.2 and higher | |
| 0x0138 | PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_WRITE |
6.2 and higher | |
| 0x0139 | PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH |
6.2 and higher | |
| 0x013A | PERFINFO_LOG_TYPE_OPTICAL_IO_READ_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_READ_INIT |
6.2 and higher | |
| 0x013B | PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_WRITE_INIT |
6.2 and higher | |
| 0x013C | PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH_INIT |
6.2 and higher |
| Value | Name | Event Data | Versions |
|---|---|---|---|
| 0x020A | WMI_LOG_TYPE_PAGE_FAULT_TRANSITION;
type alone as EVENT_TRACE_TYPE_MM_TF |
WMI_PAGE_FAULT | 5.0 and higher |
| 0x020B | WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO;
type alone as EVENT_TRACE_TYPE_MM_DZF |
WMI_PAGE_FAULT | 5.0 and higher |
| 0x020C | WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE;
type alone as EVENT_TRACE_TYPE_MM_COW |
WMI_PAGE_FAULT | 5.0 and higher |
| 0x020D | WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE;
type alone as EVENT_TRACE_TYPE_MM_GPF |
WMI_PAGE_FAULT | 5.0 and higher |
| 0x020E | WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT;
type alone as EVENT_TRACE_TYPE_MM_HPF |
WMI_PAGE_FAULT | 5.0 and higher |
| 0x020F | WMI_LOG_TYPE_PAGE_FAULT_ACCESS_VIOLATION;
type alone as EVENT_TRACE_TYPE_MM_AV |
6.0 and higher | |
| 0x0220 | PERFINFO_LOG_TYPE_HARDFAULT | 5.1 and higher | |
| 0x0221 | PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR | 5.1 and higher | |
| 0x0222 | PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST | 5.1 and higher | |
| 0x0223 | PERFINFO_LOG_TYPE_PAGEINMEMORY | 5.1 and higher | |
| 0x0224 | PERFINFO_LOG_TYPE_INSERTINFREELIST | 5.1 and higher | |
| 0x0225 | PERFINFO_LOG_TYPE_INSERTINMODIFIEDLIST | ||
| 0x0226 | PERFINFO_LOG_TYPE_INSERTINLIST | ||
| 0x0228 | PERFINFO_LOG_TYPE_INSERTATFRONT | ||
| 0x0229 | PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY | ||
| 0x022A | PERFINFO_LOG_TYPE_UNLINKFFREEORZERO | ||
| 0x022B | PERFINFO_LOG_TYPE_WORKINGSETMANAGER | ||
| 0x022C | PERFINFO_LOG_TYPE_TRIMPROCESS | ||
| 0x022E | PERFINFO_LOG_TYPE_ZEROSHARECOUNT | 5.1 and higher | |
| 0x023C | PERFINFO_LOG_TYPE_WSINFOPROCESS | ||
| 0x0245 | PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP | ||
| 0x0246 | PERFINFO_LOG_TYPE_TRIMSESSION | ||
| 0x0247 | PERFINFO_LOG_TYPE_MEMORYSNAPLITE | 5.1 and higher | |
| 0x0248 | PERFINFO_LOG_TYPE_PFMAPPED_SECTION_RUNDOWN | ||
| 0x0249 | PERFINFO_LOG_TYPE_PFMAPPED_SECTION_CREATE | PERFINFO_PFMAPPED_SECTION_INFORMATION | 6.0 and higher |
| 0x024A | PERFINFO_LOG_TYPE_WSINFOSESSION | ||
| 0x024B | PERFINFO_LOG_TYPE_CREATE_SESSION | 6.0 and higher | |
| 0x024C | PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_END | 6.0 and higher | |
| 0x024D | PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_START | 6.2 and higher | |
| 0x024E | PERFINFO_LOG_TYPE_SESSION_DELETE | 6.2 and higher | |
| 0x024F | PERFINFO_LOG_TYPE_PFMAPPED_SECTION_DELETE | PERFINFO_PFMAPPED_SECTION_INFORMATION | 6.2 and higher |
| 0x0262 | PERFINFO_LOG_TYPE_VIRTUAL_ALLOC | 6.0 and higher | |
| 0x0263 | PERFINFO_LOG_TYPE_VIRTUAL_FREE | 6.0 and higher | |
| 0x0264 | PERFINFO_LOG_TYPE_HEAP_RANGE_RUNDOWN | ||
| 0x0265 | PERFINFO_LOG_TYPE_HEAP_RANGE_CREATE | 6.2 and higher | |
| 0x0266 | PERFINFO_LOG_TYPE_HEAP_RANGE_RESERVE | 6.2 and higher | |
| 0x0267 | PERFINFO_LOG_TYPE_HEAP_RANGE_RELEASE | 6.2 and higher | |
| 0x0268 | PERFINFO_LOG_TYPE_HEAP_RANGE_DESTROY | 6.2 and higher | |
| 0x0269 | PERFINFO_LOG_TYPE_PAGEFILE_BACK | 6.0 and higher | |
| 0x0270 | PERFINFO_LOG_TYPE_MEMINFO | 6.0 and higher | |
| 0x0271 | PERFINFO_LOG_TYPE_CONTMEM_GENERATE | 6.0 and higher | |
| 0x0272 | PERFINFO_LOG_TYPE_FILE_STORE_FAULT | ||
| 0x0273 | PERFINFO_LOG_TYPE_INMEMORY_STORE_FAULT | ||
| 0x0274 | PERFINFO_LOG_TYPE_COMPRESSED_PAGE | 6.1 and higher | |
| 0x0275 | PERFINFO_LOG_TYPE_PAGEINMEMORY_ACTIVE | 6.2 and higher | |
| 0x0276 | PERFINFO_LOG_TYPE_PAGE_ACCESS | 6.2 and higher | |
| 0x0277 | PERFINFO_LOG_TYPE_PAGE_RELEASE | 6.2 and higher | |
| 0x0278 | PERFINFO_LOG_TYPE_PAGE_RANGE_ACCESS | 6.2 and higher | |
| 0x0279 | PERFINFO_LOG_TYPE_PAGE_RANGE_RELEASE | 6.2 and higher | |
| 0x027A | PERFINFO_LOG_TYPE_PAGE_COMBINE | 6.2 and higher | |
| 0x027B | PERFINFO_LOG_TYPE_KERNEL_MEMUSAGE | ||
| 0x027C | PERFINFO_LOG_TYPE_MM_STATS | 6.2 and higher | |
| 0x027D | PERFINFO_LOG_TYPE_MEMINFOEX_WS | 6.2 and higher | |
| 0x027E | PERFINFO_LOG_TYPE_MEMINFOEX_SESSIONWS | 6.2 and higher | |
| 0x027F | PERFINFO_LOG_TYPE_VIRTUAL_ROTATE | 6.2 and higher | |
| 0x0280 | PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_START | ||
| 0x0281 | PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_END | ||
| 0x0282 | PERFINFO_LOG_TYPE_PAGE_ACCESS_EX | 6.2 and higher | |
| 0x0283 | PERFINFO_LOG_TYPE_REMOVEFROMWS | 6.2 and higher | |
| 0x0284 | PERFINFO_LOG_TYPE_WSSHAREABLE_RUNDOWN | ||
| 0x0285 | PERFINFO_LOG_TYPE_INMEMORYACTIVE_RUNDOWN | 6.2 and higher | |
| 0x0286 | PERFINFO_LOG_TYPE_MEM_RESET_INFO | ||
| 0x0287 | PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_CREATE | PERFINFO_PFMAPPED_SECTION_OBJECT_INFORMATION | |
| 0x0288 | PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_DELETE | PERFINFO_PFMAPPED_SECTION_OBJECT_INFORMATION |
| Value | Name | Versions |
|---|---|---|
| 0x0301 | WMI_LOG_TYPE_PROCESS_CREATE | 5.0 and higher |
| 0x0302 | WMI_LOG_TYPE_PROCESS_DELETE | 5.0 and higher |
| 0x0303 | WMI_LOG_TYPE_PROCESS_DC_START | 5.1 and higher |
| 0x0304 | WMI_LOG_TYPE_PROCESS_DC_END | 6.0 and higher |
| 0x030A | WMI_LOG_TYPE_PROCESS_LOAD_IMAGE; type alone as EVENT_TRACE_TYPE_LOAD |
5.0 and higher |
| 0x030B | WMI_LOG_TYPE_PROCESS_TERMINATE ; type alone as EVENT_TRACE_TYPE_TERMINATE |
type defined for 6.3 and higher |
| 0x0320 | PERFINFO_LOG_TYPE_PROCESS_PERFCTR_END | 6.0 and higher |
| 0x0321 | PERFINFO_LOG_TYPE_PROCESS_PERFCTR_RD | 6.0 and higher |
| 0x0323 | PERFINFO_LOG_TYPE_INSWAPPROCESS | 5.1 and higher |
| 0x0324 | PERFINFO_LOG_TYPE_PROCESS_FREEZE | 6.2 and higher |
| 0x0325 | PERFINFO_LOG_TYPE_PROCESS_THAW | 6.2 and higher |
| 0x0326 | PERFINFO_LOG_TYPE_BOOT_PHASE_START | 5.1 and higher |
| 0x0327 | PERFINFO_LOG_TYPE_ZOMBIE_PROCESS | 6.0 and higher |
| 0x0328 | PERFINFO_LOG_TYPE_PROCESS_SET_AFFINITY | |
| 0x0330 | PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_USER | 6.2 and higher |
| 0x0331 | PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_EXECUTION | 6.2 and higher |
| 0x0332 | PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_KERNEL | 6.2 and higher |
| 0x0333 | PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_INSTRUMENTATION | 6.2 and higher |
| 0x0334 | PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_PRESERVE_PROCESS | |
| 0x0340 | PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_USER | 6.2 and higher |
| 0x0341 | PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_EXECUTION | 6.2 and higher |
| 0x0342 | PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_KERNEL | 6.2 and higher |
| 0x0343 | PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_INSTRUMENTATION | 6.2 and higher |
| 0x0344 | PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_PRESERVE_PROCESS | |
| 0x0350 | PERFINFO_LOG_TYPE_WAKE_DROP_USER | 6.2 and higher |
| 0x0351 | PERFINFO_LOG_TYPE_WAKE_DROP_EXECUTION | 6.2 and higher |
| 0x0352 | PERFINFO_LOG_TYPE_WAKE_DROP_KERNEL | 6.2 and higher |
| 0x0353 | PERFINFO_LOG_TYPE_WAKE_DROP_INSTRUMENTATION | 6.2 and higher |
| 0x0354 | PERFINFO_LOG_TYPE_WAKE_DROP_PRESERVE_PROCESS | |
| 0x0360 | PERFINFO_LOG_TYPE_WAKE_EVENT_USER | 6.2 and higher |
| 0x0361 | PERFINFO_LOG_TYPE_WAKE_EVENT_EXECUTION | 6.2 and higher |
| 0x0362 | PERFINFO_LOG_TYPE_WAKE_EVENT_KERNEL | 6.2 and higher |
| 0x0363 | PERFINFO_LOG_TYPE_WAKE_EVENT_INSTRUMENTATION | 6.2 and higher |
| 0x0364 | PERFINFO_LOG_TYPE_WAKE_EVENT_PRESERVE_PROCESS | |
| 0x0370 | PERFINFO_LOG_TYPE_DEBUG_EVENT |
The WMI_LOG_TYPE_PROCESS_LOAD_IMAGE event gets special attention when SECHOST translates it for presentation to event consumers. Specifically, it gets reassigned to the group represented by ImageLoadGuid.
| Value | Name | Versions |
|---|---|---|
| 0x0400 | PERFINFO_LOG_TYPE_FILENAME | 5.0 and higher |
| 0x0420 | PERFINFO_LOG_TYPE_FILENAME_CREATE | 5.1 and higher |
| 0x0421 | PERFINFO_LOG_TYPE_FILENAME_SAME | |
| 0x0422 | PERFINFO_LOG_TYPE_FILENAME_NULL | |
| 0x0423 | PERFINFO_LOG_TYPE_FILENAME_DELETE | |
| 0x0424 | PERFINFO_LOG_TYPE_FILENAME_RUNDOWN | |
| 0x0425 | PERFINFO_LOG_TYPE_MAPFILE | 6.2 and higher |
| 0x0426 | PERFINFO_LOG_TYPE_UNMAPFILE | 6.2 and higher |
| 0x0427 | PERFINFO_LOG_TYPE_MAPFILE_DC_START | |
| 0x0428 | PERFINFO_LOG_TYPE_MAPFILE_DC_END | |
| 0x0440 | PERFINFO_LOG_TYPE_FILE_IO_CREATE | |
| 0x0441 | PERFINFO_LOG_TYPE_FILE_IO_CLEANUP | |
| 0x0442 | PERFINFO_LOG_TYPE_FILE_IO_CLOSE | |
| 0x0443 | PERFINFO_LOG_TYPE_FILE_IO_READ | |
| 0x0444 | PERFINFO_LOG_TYPE_FILE_IO_WRITE | |
| 0x0445 | PERFINFO_LOG_TYPE_FILE_IO_SET_INFORMATION | |
| 0x0446 | PERFINFO_LOG_TYPE_FILE_IO_DELETE | |
| 0x0447 | PERFINFO_LOG_TYPE_FILE_IO_RENAME | |
| 0x0448 | PERFINFO_LOG_TYPE_FILE_IO_DIRENUM | |
| 0x0449 | PERFINFO_LOG_TYPE_FILE_IO_FLUSH | |
| 0x044A | PERFINFO_LOG_TYPE_FILE_IO_QUERY_INFORMATION | |
| 0x044B | PERFINFO_LOG_TYPE_FILE_IO_FS_CONTROL | |
| 0x044C | PERFINFO_LOG_TYPE_FILE_IO_OPERATION_END | |
| 0x044D | PERFINFO_LOG_TYPE_FILE_IO_DIRNOTIFY | |
| 0x044E | PERFINFO_LOG_TYPE_FILE_IO_CREATE_NEW | |
| 0x044F | PERFINFO_LOG_TYPE_FILE_IO_DELETE_PATH | |
| 0x0450 | PERFINFO_LOG_TYPE_FILE_IO_RENAME_PATH | |
| 0x0451 | PERFINFO_LOG_TYPE_FILE_IO_SETLINK_PATH | |
| 0x0452 | PERFINFO_LOG_TYPE_FILE_IO_SETLINK | |
| 0x0460 | PERFINFO_LOG_TYPE_FLT_PREOP_INIT; type alone as EVENT_TRACE_TYPE_FLT_PREOP_INIT |
type defined for 6.2 and higher |
| 0x0461 | PERFINFO_LOG_TYPE_FLT_POSTOP_INIT; type alone as EVENT_TRACE_TYPE_FLT_POSTOP_INIT |
type defined for 6.2 and higher |
| 0x0462 | PERFINFO_LOG_TYPE_FLT_PREOP_COMPLETION;
type alone as EVENT_TRACE_TYPE_FLT_PREOP_COMPLETION |
type defined for 6.2 and higher |
| 0x0463 | PERFINFO_LOG_TYPE_FLT_POSTOP_COMPLETION;
type alone as EVENT_TRACE_TYPE_FLT_POSTOP_COMPLETION |
type defined for 6.2 and higher |
| 0x0464 | PERFINFO_LOG_TYPE_FLT_PREOP_FAILURE;
type alone as EVENT_TRACE_TYPE_FLT_PREOP_FAILURE |
type defined for 6.2 and higher |
| 0x0465 | PERFINFO_LOG_TYPE_FLT_POSTOP_FAILURE;
type alone as EVENT_TRACE_TYPE_FLT_POSTOP_FAILURE |
type defined for 6.2 and higher |
| Value | Name | Event Data (After Trace Header) | Versions |
|---|---|---|---|
| 0x0501 | WMI_LOG_TYPE_THREAD_CREATE | WMI_EXTENDED_THREAD_INFORMATION | 5.0 and higher |
| 0x0502 | WMI_LOG_TYPE_THREAD_DELETE | WMI_EXTENDED_THREAD_INFORMATION | 5.0 and higher |
| 0x0503 | WMI_LOG_TYPE_THREAD_DC_START | WMI_EXTENDED_THREAD_INFORMATION | 5.1 and higher |
| 0x0504 | WMI_LOG_TYPE_THREAD_DC_END | WMI_EXTENDED_THREAD_INFORMATION | 6.0 and higher |
| 0x0523 | convert to GUI thread | 5.1 and higher | |
| 0x0524 | PERFINFO_LOG_TYPE_CONTEXTSWAP | WMI_CONTEXTSWAP | 5.1 and higher |
| 0x0525 | PERFINFO_LOG_TYPE_CONTEXTSWAP_BATCH |
PERFINFO_CCSWAP_BUFFER
and sequence of related structures |
6.0 and higher |
| 0x0529 | PERFINFO_LOG_TYPE_SPINLOCK | WMI_SPINLOCK | 6.1 and higher (x64); 6.2 and higher (x86) |
| 0x052A | PERFINFO_LOG_TYPE_QUEUE | ||
| 0x052B | PERFINFO_LOG_TYPE_RESOURCE | WMI_RESOURCE | 6.1 and higher |
| 0x052C | PERFINFO_LOG_TYPE_PUSHLOCK | ||
| 0x052D | PERFINFO_LOG_TYPE_WAIT_SINGLE | ||
| 0x052E | PERFINFO_LOG_TYPE_WAIT_MULTIPLE | ||
| 0x052F | PERFINFO_LOG_TYPE_DELAY_EXECUTION | ||
| 0x0530 | PERFINFO_LOG_TYPE_THREAD_SET_PRIORITY | ETW_PRIORITY_EVENT | 6.0 and higher |
| 0x0531 | PERFINFO_LOT_TYPE_THREAD_SET_BASE_PRIORITY | ETW_PRIORITY_EVENT | 6.0 and higher |
| 0x0532 | PERFINFO_LOG_TYPE_READY_THREAD | ETW_READY_THREAD_EVENT | 6.0 and higher |
| 0x0533 | PERFINFO_LOG_TYPE_THREAD_SET_PAGE_PRIORITY | ETW_PRIORITY_EVENT | 6.1 and higher |
| 0x0534 | PERFINFO_LOG_TYPE_THREAD_SET_IO_PRIORITY | ETW_PRIORITY_EVENT | 6.1 and higher |
| 0x0535 | PERFINFO_LOG_TYPE_THREAD_SET_AFFINITY | ETW_THREAD_AFFINITY_EVENT | 6.1 and higher |
| 0x0539 | PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM | ||
| 0x053A | PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL | ETW_DFSS_START_NEW_INTERVAL | 6.1 and higher |
| 0x053B | PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE | ETW_DFSS_RELEASE_THREAD_ON_IDLE | 6.1 and higher |
| 0x053C | PERFINFO_LOG_TYPE_ANTI_STARVATION_BOOST | ETW_ANTI_STARVATION_BOOST_EVENT | 6.2 and higher |
| 0x053D | PERFINFO_LOG_TYPE_THREAD_MIGRATION | 6.2 and higher | |
| 0x053E | PERFINFO_LOG_TYPE_KQUEUE_ENQUEUE | ETW_KQUEUE_ENQUEUE_EVENT | 6.2 and higher |
| 0x053F | PERFINFO_LOG_TYPE_KQUEUE_DEQUEUE | ETW_KQUEUE_DEQUEUE_EVENT with sequence of pointers as Entries array |
6.2 and higher |
| 0x0540 | PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_START | one pointer; if structure then name unknown |
|
| 0x0541 | PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END | one pointer; if structure, then name unknown |
|
| 0x0542 | PERFINFO_LOG_TYPE_AUTO_BOOST_SET_FLOOR | ETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT | |
| 0x0543 | PERFINFO_LOG_TYPE_AUTO_BOOST_CLEAR_FLOOR | ETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT | |
| 0x0544 | PERFINFO_LOG_TYPE_AUTO_BOOST_NO_ENTRIES | ETW_AUTOBOOST_NO_ENTRIES_EVENT | |
| 0x0545 | PERFINFO_LOG_TYPE_THREAD_SUBPROCESSTAG_CHANGED |
Though the NTWMI.H from the WDK for Windows 10 has it that PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL (0x053A) and PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE (0x053B) are still defined, the kernel has no code for them except in version 6.1.
| Value | Name | Versions |
|---|---|---|
| 0x060A | WMI_LOG_TYPE_TCPIP_SEND; type alone as EVENT_TRACE_TYPE_SEND |
type defined for 5.0 and higher |
| 0x060B | WMI_LOG_TYPE_TCPIP_RECEIVE; type alone as EVENT_TRACE_TYPE_RECEIVE |
type defined for 5.0 and higher |
| 0x060C | WMI_LOG_TYPE_TCPIP_CONNECT; type alone as EVENT_TRACE_TYPE_CONNECT |
type defined for 5.0 and higher |
| 0x060D | WMI_LOG_TYPE_TCPIP_DISCONNECT; type alone as EVENT_TRACE_TYPE_DISCONNECT |
type defined for 5.0 and higher |
| 0x060E | WMI_LOG_TYPE_TCPIP_RETRANSMIT ; type alone as EVENT_TRACE_TYPE_RETRANSMIT |
type defined for 5.1 and higher |
| 0x060F | WMI_LOG_TYPE_TCPIP_ACCEPT; type alone as EVENT_TRACE_TYPE_ACCEPT |
type defined for 5.1 and higher |
| 0x0610 | WMI_LOG_TYPE_TCPIP_RECONNECT; type alone as EVENT_TRACE_TYPE_RECONNECT |
type defined for 5.1 and higher |
| 0x0611 | WMI_LOG_TYPE_TCPIP_FAIL; type alone as EVENT_TRACE_TYPE_CONNFAIL |
type defined for 5.2 and higher |
| 0x0612 | WMI_LOG_TYPE_TCPIP_TCPCOPY; type alone as EVENT_TRACE_TYPE_COPY_TCP |
type defined for 5.2 and higher |
| 0x0613 | WMI_LOG_TYPE_TCPIP_ARPCOPY; type alone as EVENT_TRACE_TYPE_COPY_ARP |
type defined for 5.2 and higher |
| 0x0614 | WMI_LOG_TYPE_TCPIP_FULLACK; type alone as EVENT_TRACE_TYPE_ACKFULL |
type defined for 5.2 and higher |
| 0x0615 | WMI_LOG_TYPE_TCPIP_PARTACK; type alone as EVENT_TRACE_TYPE_ACKPART |
type defined for 5.2 and higher |
| 0x0616 | WMI_LOG_TYPE_TCPIP_DUPACK; type alone as EVENT_TRACE_TYPE_ACKDUP |
type defined for 5.2 and higher |
| 0x061A | WMI_LOG_TYPE_TCPIP_SEND_IPV6 | |
| 0x061B | WMI_LOG_TYPE_TCPIP_RECEIVE_IPV6 | |
| 0x061C | WMI_LOG_TYPE_TCPIP_CONNECT_IPV6 | |
| 0x061D | WMI_LOG_TYPE_TCPIP_DISCONNECT_IPV6 | |
| 0x061E | WMI_LOG_TYPE_TCPIP_RETRANSMIT_IPV6 | |
| 0x061F | WMI_LOG_TYPE_TCPIP_ACCEPT_IPV6 | |
| 0x0620 | WMI_LOG_TYPE_TCPIP_RECONNECT_IPV6 | |
| 0x0621 | WMI_LOG_TYPE_TCPIP_FAIL_IPV6 | |
| 0x0622 | WMI_LOG_TYPE_TCPIP_TCPCOPY_IPV6 | |
| 0x0623 | WMI_LOG_TYPE_TCPIP_ARPCOPY_IPV6 | |
| 0x0624 | WMI_LOG_TYPE_TCPIP_FULLACK_IPV6 | |
| 0x0625 | WMI_LOG_TYPE_TCPIP_PARTACK_IPV6 | |
| 0x0626 | WMI_LOG_TYPE_TCPIP_DUPACK_IPV6 |
| Value | Name |
|---|---|
| 0x0720 | WMI_LOG_TYPE_JOB_CREATE |
| 0x0721 | WMI_LOG_TYPE_JOB_TERMINATE |
| 0x0722 | WMI_LOG_TYPE_JOB_OPEN |
| 0x0723 | WMI_LOG_TYPE_JOB_ASSIGN_PROCESS |
| 0x0724 | WMI_LOG_TYPE_JOB_REMOVE_PROCESS |
| 0x0725 | WMI_LOG_TYPE_JOB_SET |
| 0x0726 | WMI_LOG_TYPE_JOB_QUERY |
| 0x0727 | WMI_LOG_TYPE_JOB_SET_FAILED |
| 0x0728 | WMI_LOG_TYPE_JOB_QUERY_FAILED |
| 0x0729 | WMI_LOG_TYPE_JOB_SET_NOTIFICATION |
| 0x072A | WMI_LOG_TYPE_JOB_SEND_NOTIFICATION |
| 0x072B | WMI_LOG_TYPE_JOB_QUERY_VIOLATION |
| 0x072C | WMI_LOG_TYPE_JOB_SET_CPU_RATE |
| 0x072D | WMI_LOG_TYPE_JOB_SET_NET_RATE |
| Value | Name |
|---|---|
| 0x080A | WMI_LOG_TYPE_UDP_SEND |
| 0x080B | WMI_LOG_TYPE_UDP_RECEIVE |
| 0x0811 | WMI_LOG_TYPE_UDP_FAIL |
| 0x081A | WMI_LOG_TYPE_UDP_SEND_IPV6 |
| 0x081B | WMI_LOG_TYPE_UDP_RECEIVE_IPV6 |
| Value | Name | Versions |
|---|---|---|
| 0x090A | type alone as EVENT_TRACE_TYPE_REGCREATE | 5.0 and higher |
| 0x090B | type alone as EVENT_TRACE_TYPE_REGOPEN | 5.0 and higher |
| 0x090C | type alone as EVENT_TRACE_TYPE_REGDELETE | 5.0 and higher |
| 0x090D | type alone as EVENT_TRACE_TYPE_REGQUERY | 5.0 and higher |
| 0x090E | type alone as EVENT_TRACE_TYPE_REGSETVALUE | 5.0 and higher |
| 0x090F | type alone as EVENT_TRACE_TYPE_REGDELETEVALUE | 5.0 and higher |
| 0x0910 | type alone as EVENT_TRACE_TYPE_REGQUERYVALUE | 5.0 and higher |
| 0x0911 | type alone as EVENT_TRACE_TYPE_REGENUMERATEKEY | 5.0 and higher |
| 0x0912 | type alone as EVENT_TRACE_TYPE_REGENUMERATEVALUEKEY | 5.0 and higher |
| 0x0913 | type alone as EVENT_TRACE_TYPE_REGQUERYMULTIPLEVALUE | 5.0 and higher |
| 0x0914 | type alone as EVENT_TRACE_TYPE_REGSETINFORMATION | 5.0 and higher |
| 0x0915 | type alone as EVENT_TRACE_TYPE_REGFLUSH | 5.0 and higher |
| 0x0916 | type alone as EVENT_TRACE_TYPE_REGKCBDMP | 5.1 to 5.2 |
| type alone as EVENT_TRACE_TYPE_REGKCBCREATE | 6.0 and higher | |
| 0x0917 | type alone as EVENT_TRACE_TYPE_REGKCBDELETE | 6.0 and higher |
| 0x0918 | WMI_LOG_TYPE_REG_RUNDOWNBEGIN; type alone as EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN |
type defined for 6.0 and higher |
| 0x0919 | WMI_LOG_TYPE_REG_RUNDOWNEND; type alone as EVENT_TRACE_TYPE_REGKCBRUNDOWNEND |
6.0 and higher |
| 0x091A | type alone as EVENT_TRACE_TYPE_REGVIRTUALIZE | 6.0 and higher |
| 0x091B | type alone as EVENT_TRACE_TYPE_REGCLOSE | type defined for 6.0 and higher |
| 0x091C | type alone as EVENT_TRACE_TYPE_REGSETSECURITY | 6.1 and higher |
| 0x091D | type alone as EVENT_TRACE_TYPE_REGQUERYSECURITY | 6.1 and higher |
| 0x091E | type alone as EVENT_TRACE_TYPE_REGCOMMIT | 6.1 and higher |
| 0x091F | type alone as EVENT_TRACE_TYPE_REGPREPARE | 6.1 and higher |
| 0x0920 | type alone as EVENT_TRACE_TYPE_REGROLLBACK | 6.1 |
| PERFINFO_LOG_TYPE_CMCELLREFERRED | ||
| 0x0921 | type alone as EVENT_TRACE_TYPE_REGMOUNTHIVE | 6.1 |
| PERFINFO_LOG_TYPE_REG_SET_VALUE | ||
| 0x0922 | PERFINFO_LOG_TYPE_REG_COUNTERS | 6.0 and higher |
| 0x0923 | PERFINFO_LOG_TYPE_REG_CONFIG | 6.1 and higher |
| 0x0924 | PERFINFO_LOG_TYPE_REG_HIVE_INITIALIZE | 6.2 and higher |
| 0x0925 | PERFINFO_LOG_TYPE_REG_HIVE_DESTROY | 6.2 and higher |
| 0x0926 | PERFINFO_LOG_TYPE_REG_HIVE_LINK | 6.2 and higher |
| 0x0927 | PERFINFO_LOG_TYPE_REG_HIVE_RUNDOWN_DC_END | 6.2 and higher |
| 0x0928 | PERFINFO_LOG_TYPE_REG_HIVE_DIRTY | 6.2 and higher |
| 0x0930 | PERFINFO_LOG_TYPE_REG_NOTIF_REGISTER | 6.2 and higher |
| 0x0931 | PERFINFO_LOG_TYPE_REG_NOTIF_DELIVER |
| Value | Name | Versions |
|---|---|---|
| 0x0A20 | PERFINFO_LOG_TYPE_DEBUG_PRINT | 6.2 and higher |
| Value | Name | Versions |
|---|---|---|
| 0x0B0A | WMI_LOG_TYPE_CONFIG_CPU; type alone as EVENT_TRACE_TYPE_CONFIG_CPU |
type defined for 5.1 and higher |
| 0x0B0B | WMI_LOG_TYPE_CONFIG_PHYSICALDISK; type alone as EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK |
type defined for 5.1 and higher |
| 0x0B0C | WMI_LOG_TYPE_CONFIG_LOGICALDISK; type alone as EVENT_TRACE_TYPE_CONFIG_LOGICALDISK |
type defined for 5.1 and higher |
| 0x0B0D | WMI_LOG_TYPE_CONFIG_NIC; type alone as EVENT_TRACE_TYPE_CONFIG_NIC |
type defined for 5.1 and higher |
| 0x0B0E | WMI_LOG_TYPE_CONFIG_VIDEO; type alone as EVENT_TRACE_TYPE_CONFIG_VIDEO |
type defined for 5.1 and higher |
| 0x0B0F | WMI_LOG_TYPE_CONFIG_SERVICES; type alone as EVENT_TRACE_TYPE_CONFIG_SERVICES |
type defined for 5.1 and higher |
| 0x0B10 | WMI_LOG_TYPE_CONFIG_POWER; type alone as EVENT_TRACE_TYPE_CONFIG_POWER |
type defined for 5.1 and higher |
| 0x0B11 | type alone as EVENT_TRACE_TYPE_CONFIG_NETINFO | type defined for 5.2 and higher |
| 0x0B12 | WMI_LOG_TYPE_CONFIG_OPTICALMEDIA; type alone as EVENT_TRACE_TYPE_CONFIG_OPTICALMEDIA |
type defined for 6.2 and higher |
| 0x0B15 | WMI_LOG_TYPE_CONFIG_IRQ; type alone as EVENT_TRACE_TYPE_CONFIG_IRQ |
type defined for 6.0 and higher |
| 0x0B16 | WMI_LOG_TYPE_CONFIG_PNP; type alone as EVENT_TRACE_TYPE_CONFIG_PNP |
type defined for 6.0 and higher |
| 0x0B17 | WMI_LOG_TYPE_CONFIG_IDECHANNEL; type alone as EVENT_TRACE_TYPE_CONFIG_IDECHANNEL |
type defined for 6.0 and higher |
| 0x0B18 | WMI_LOG_TYPE_CONFIG_NUMANODE; type alone as EVENT_TRACE_TYPE_CONFIG_NUMANODE |
type defined for 6.2 and higher |
| 0x0B19 | WMI_LOG_TYPE_CONFIG_PLATFORM; type alone as EVENT_TRACE_TYPE_CONFIG_PLATFORM |
type defined for 6.1 and higher |
| 0x0B1A | WMI_LOG_TYPE_CONFIG_PROCESSORGROUP;
type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSORGROUP |
type defined for 6.2 and higher |
| 0x0B1B | WMI_LOG_TYPE_CONFIG_PROCESSORNUMBER;
type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSORNUMBER |
type defined for 6.2 and higher |
| 0x0B1C | WMI_LOG_TYPE_CONFIG_DPI; type alone as EVENT_TRACE_TYPE_CONFIG_DPI |
type defined for 6.2 and higher |
| 0x0B1D | WMI_LOG_TYPE_CONFIG_CODEINTEGRITY; type alone as EVENT_TRACE_TYPE_CONFIG_CI_INFO |
type defined for 6.3 and higher |
| 0x0B1E | WMI_LOG_TYPE_CONFIG_MACHINEID; type alone as EVENT_TRACE_TYPE_CONFIG_MACHINEID |
type defined for 10.0 and higher |
| 0x0B1F | WMI_LOG_TYPE_CONFIG_DEFRAG; type alone as EVENT_TRACE_TYPE_CONFIG_DEFRAG |
type defined for 1511 and higher |
| 0x0B20 | type alone as EVENT_TRACE_TYPE_CONFIG_MOBILEPLATFORM | type defined for 1607 and higher |
| 0x0B21 | type alone as EVENT_TRACE_TYPE_CONFIG_DEVICEFAMILY | type defined for 1607 and higher |
| 0x0B22 | type alone as EVENT_TRACE_TYPE_CONFIG_FLIGHTID | type defined for 1607 and higher |
| 0x0B23 | type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSOR | type defined for 1709 and higher |
| WMI_LOG_TYPE_CONFIG_OSVERSION | ||
| WMI_LOG_TYPE_CONFIG_VISUALTHEME | ||
| WMI_LOG_TYPE_CONFIG_SYSTEMRANGE | ||
| WMI_LOG_TYPE_CONFIG_SYSDLLINFO |
The last four are defined in NTWMI.H but evaluation depends on macros that are not defined in any other known header.
| Value | Name |
|---|---|
| 0x0D20 | PERFINFO_LOG_TYPE_WNF_SUBSCRIBE |
| 0x0D21 | PERFINFO_LOG_TYPE_WNF_UNSUBSCRIBE |
| 0x0D22 | PERFINFO_LOG_TYPE_WNF_CALLBACK |
| 0x0D23 | PERFINFO_LOG_TYPE_WNF_PUBLISH |
| 0x0D24 | PERFINFO_LOG_TYPE_WNF_NAME_SUB_RUNDOWN |
| Value | Name | Versions |
|---|---|---|
| 0x0E20 | PERFINFO_LOG_TYPE_ALLOCATEPOOL | 6.1 and higher |
| 0x0E21 | PERFINFO_LOG_TYPE_ALLOCATEPOOL_SESSION | 6.1 and higher |
| 0x0E22 | PERFINFO_LOG_TYPE_FREEPOOL | 6.1 and higher |
| 0x0E23 | PERFINFO_LOG_TYPE_FREEPOOL_SESSION | 6.1 and higher |
| 0x0E24 | PERFINFO_LOG_TYPE_ADDPOOLPAGE | |
| 0x0E25 | PERFINFO_LOG_TYPE_ADDPOOLPAGE_SESSION | |
| 0x0E26 | PERFINFO_LOG_TYPE_BIGPOOLPAGE | |
| 0x0E27 | PERFINFO_LOG_TYPE_BIGPOOLPAGE_SESSION | |
| 0x0E28 | PERFINFO_LOG_TYPE_POOLSNAP_DC_START | |
| 0x0E29 | PERFINFO_LOG_TYPE_POOLSNAP_DC_END | |
| 0x0E2A | PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_START | |
| 0x0E2B | PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_END | |
| 0x0E2C | PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_START | |
| 0x0E2D | PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_END | |
| 0x0E2E | PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_START | |
| 0x0E2F | PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_END |
| Value | Name | Event Data (After Trace Header) | Versions |
|---|---|---|---|
| 0x0F20 | PERFINFO_LOG_TYPE_RUNDOWN_CHECKPOINT | ||
| 0x0F22 | PERFINFO_LOG_TYPE_MARK | 5.1 and higher | |
| 0x0F24 | PERFINFO_LOG_TYPE_ASYNCMARK | ||
| 0x0F26 | PERFINFO_LOG_TYPE_IMAGENAME | ||
| 0x0F27 | PERFINFO_LOG_TYPE_DELAYS_CC_CAN_I_WRITE | ||
| 0x0F2E | PERFINFO_LOG_TYPE_SAMPLED_PROFILE | PERFINFO_SAMPLED_PROFILE_INFORMATION | 5.1 and higher |
| 0x0F2F | PERFINFO_LOG_TYPE_PMC_INTERRUPT | PERFINFO_PMC_SAMPLE_INFORMATION | 6.2 and higher |
| 0x0F30 | PERFINFO_LOG_TYPE_PMC_CONFIG | ||
| 0x0F32 | PERFINFO_LOG_TYPE_MSI_INTERRUPT | 6.1 and higher | |
| 0x0F33 | PERFINFO_LOG_TYPE_SYSCALL_ENTER | PERFINFO_SYSCALL_ENTER_DATA | 6.0 and higher |
| 0x0F34 | PERFINFO_LOG_TYPE_SYSCALL_EXIT | PERFINFO_SYSCALL_EXIT_DATA | 6.0 and higher |
| 0x0F35 | PERFINFO_LOG_TYPE_BACKTRACE | ||
| 0x0F36 | PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK | ||
| 0x0F37 | PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE | 5.1 and higher | |
| 0x0F38 | PERFINFO_LOG_TYPE_EXCEPTION_STACK | ||
| 0x0F39 | PERFINFO_LOG_TYPE_BRANCH_TRACE | ||
| 0x0F3A | PERFINFO_LOG_TYPE_DEBUGGER_ENABLED | 6.0 and higher | |
| 0x0F3B | PERFINFO_LOG_TYPE_DEBUGGER_EXIT | ||
| 0x0F40 | PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG | ||
| 0x0F41 | PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG | ||
| 0x0F42 | PERFINFO_LOG_TYPE_THREADED_DPC | 6.0 and higher | |
| 0x0F43 | PERFINFO_LOG_TYPE_INTERRUPT | 5.1 and higher | |
| 0x0F44 | PERFINFO_LOG_TYPE_DPC | 5.1 and higher | |
| 0x0F45 | PERFINFO_LOG_TYPE_TIMERDPC | 5.1 and higher | |
| 0x0F46 | PERFINFO_LOG_TYPE_IOTIMER_EXPIRATION | ||
| 0x0F47 | PERFINFO_LOG_TYPE_SAMPLED_PROFILE_NMI | ||
| 0x0F48 | PERFINFO_LOG_TYPE_SAMPLED_PROFILE_SET_INTERVAL | PERFINFO_SAMPLED_PROFILE_CONFIG | 6.0 and higher |
| 0x0F49 | PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_START | 6.0 and higher | |
| 0x0F4A | PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_END | 6.0 and higher | |
| 0x0F4B | PERFINFO_LOG_TYPE_SPINLOCK_DC_START | ||
| 0x0F4C | PERFINFO_LOG_TYPE_SPINLOCK_DC_END | ||
| 0x0F4D | PERFINFO_LOG_TYPE_ERESOURCE_DC_START | ||
| 0x0F4E | PERFINFO_LOG_TYPE_ERESOURCE_DC_END | ||
| 0x0F4F | PERFINFO_LOG_TYPE_CLOCK_INTERRUPT | 6.2 and higher | |
| 0x0F50 | PERFINFO_LOG_TYPE_TIMER_EXPIRATION_START | 6.2 and higher | |
| 0x0F51 | PERFINFO_LOG_TYPE_TIMER_EXPIRATION | 6.2 and higher | |
| 0x0F52 | PERFINFO_LOG_TYPE_TIMER_SET_PERIODIC | 6.2 and higher | |
| 0x0F53 | PERFINFO_LOG_TYPE_TIMER_SET_ONE_SHOT | 6.2 and higher | |
| 0x0F54 | PERFINFO_LOG_TYPE_TIMER_SET_THREAD | 6.2 and higher | |
| 0x0F55 | PERFINFO_LOG_TYPE_TIMER_CANCEL | 6.2 and higher | |
| 0x0F56 | PERFINFO_LOG_TYPE_TIME_ADJUSTMENT | 6.2 and higher | |
| 0x0F57 | PERFINFO_LOG_TYPE_CLOCK_MODE_SWITCH | 6.2 and higher | |
| 0x0F58 | PERFINFO_LOG_TYPE_CLOCK_TIME_UPDATE | 6.2 and higher | |
| 0x0F59 | PERFINFO_LOG_TYPE_CLOCK_DYNAMIC_TICK_VETO | 6.2 and higher | |
| 0x0F5A | PERFINFO_LOG_TYPE_CLOCK_CONFIGURATION | ||
| 0x0F5B | PERFINFO_LOG_TYPE_IPI | ||
| 0x0F5C | PERFINFO_LOG_TYPE_UNEXPECTED_INTERRUPT | 6.2 and higher | |
| 0x0F5D | PERFINFO_LOG_TYPE_IOTIMER_START | 6.2 and higher | |
| 0x0F5E | PERFINFO_LOG_TYPE_IOTIMER_STOP | 6.2 and higher | |
| 0x0F5F | PERFINFO_LOG_TYPE_PASSIVE_INTERRUPT | ||
| 0x0F60 | PERFINFO_LOG_TYPE_WDF_INTERRUPT | ||
| 0x0F61 | PERFINFO_LOG_TYPE_WDF_PASSIVE_INTERRUPT | ||
| 0x0F62 | PERFINFO_LOG_TYPE_WDF_DPC | ||
| 0x0F63 | PERFINFO_LOG_TYPE_CPU_CACHE_FLUSH | ||
| 0x0F64 | PERFINFO_LOG_TYPE_DPC_ENQUEUE | 6.2 and higher | |
| 0x0F65 | PERFINFO_LOG_TYPE_DPC_EXECUTION | 6.2 and higher | |
| 0x0F66 | PERFINFO_LOG_TYPE_INTERRUPT_STEERING | ||
| 0x0F67 | PERFINFO_LOG_TYPE_WDF_WORK_ITEM | ||
| 0x0F68 | PERFINFO_LOG_TYPE_KTIMER2_SET | ETW_SET_KTIMER2_EVENT | 10.0 and higher |
| 0x0F69 | PERFINFO_LOG_TYPE_KTIMER2_EXPIRATION | ||
| 0x0F6A | PERFINFO_LOG_TYPE_KTIMER2_CANCEL | ||
| 0x0F6B | PERFINFO_LOG_TYPE_KTIMER2_DISABLE | ||
| 0x0F6C | PERFINFO_LOG_TYPE_KTIMER2_FINALIZATION | ||
| 0x0F6D | PERFINFO_LOG_TYPE_SHOULD_YIELD_PROCESSOR | ||
| 0x0F80 | PERFINFO_LOG_TYPE_FUNCTION_CALL | ||
| 0x0F81 | PERFINFO_LOG_TYPE_FUNCTION_RETURN | ||
| 0x0F82 | PERFINFO_LOG_TYPE_FUNCTION_ENTER | ||
| 0x0F83 | PERFINFO_LOG_TYPE_FUNCTION_EXIT | ||
| 0x0F84 | PERFINFO_LOG_TYPE_TAILCALL | ||
| 0x0F85 | PERFINFO_LOG_TYPE_TRAP | ||
| 0x0F86 | PERFINFO_LOG_TYPE_SPINLOCK_ACQUIRE | ||
| 0x0F87 | PERFINFO_LOG_TYPE_SPINLOCK_RELEASE | ||
| 0x0F88 | PERFINFO_LOG_TYPE_CAP_COMMENT | ||
| 0x0F89 | PERFINFO_LOG_TYPE_CAP_RUNDOWN |
| Value | Name | Versions |
|---|---|---|
| 0x1020 | PERFINFO_LOG_TYPE_HEAP_CREATE | 6.2 and higher |
| 0x1021 | PERFINFO_LOG_TYPE_HEAP_ALLOC | 6.2 and higher |
| 0x1022 | PERFINFO_LOG_TYPE_HEAP_REALLOC | |
| 0x1023 | PERFINFO_LOG_TYPE_HEAP_DESTROY | 6.2 and higher |
| 0x1024 | PERFINFO_LOG_TYPE_HEAP_FREE | 6.2 and higher |
| 0x1025 | PERFINFO_LOG_TYPE_HEAP_EXTEND | 6.2 and higher |
| 0x1026 | PERFINFO_LOG_TYPE_HEAP_SNAPSHOT | |
| 0x1027 | PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT | |
| 0x1028 | PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT | |
| 0x1029 | PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT | |
| 0x102A | PERFINFO_LOG_TYPE_HEAP_CONTRACT | 6.2 and higher |
| 0x102B | PERFINFO_LOG_TYPE_HEAP_LOCK | |
| 0x102C | PERFINFO_LOG_TYPE_HEAP_UNLOCK | |
| 0x102D | PERFINFO_LOG_TYPE_HEAP_VALIDATE | |
| 0x102E | PERFINFO_LOG_TYPE_HEAP_WALK | |
| 0x102F | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC | |
| 0x1030 | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE | |
| 0x1031 | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC_CACHE | |
| 0x1032 | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE_CACHE | |
| 0x1033 | PERFINFO_LOG_TYPE_HEAP_COMMIT | 6.2 and higher |
| 0x1034 | PERFINFO_LOG_TYPE_HEAP_DECOMMIT | 6.2 and higher |
| 0x1035 | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_INIT | |
| 0x1036 | PERFINFO_LOG_TYPE_HEAP_AFFINITY_ENABLE | |
| 0x1038 | PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ACTIVATED | |
| 0x1039 | PERFINFO_LOG_TYPE_HEAP_AFFINITY_ASSIGN | |
| 0x103A | PERFINFO_LOG_TYPE_HEAP_REUSE_THRESHOLD_ACTIVATED |
| Value | Name | Versions |
|---|---|---|
| 0x1120 | PERFINFO_LOG_TYPE_CREATE_HANDLE | 6.2 and higher |
| 0x1121 | PERFINFO_LOG_TYPE_CLOSE_HANDLE | 6.2 and higher |
| 0x1122 | PERFINFO_LOG_TYPE_DUPLICATE_HANDLE | 6.2 and higher |
| 0x1124 | PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_START | |
| 0x1125 | PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_END | |
| 0x1126 | PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_START | |
| 0x1127 | PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_END | |
| 0x1130 | PERFINFO_LOG_TYPE_CREATE_OBJECT | 6.2 and higher |
| 0x1131 | PERFINFO_LOG_TYPE_DELETE_OBJECT | 6.2 and higher |
| 0x1132 | PERFINFO_LOG_TYPE_REFERENCE_OBJECT | 6.2 and higher |
| 0x1133 | PERFINFO_LOG_TYPE_DEREFERENCE_OBJECT | 6.2 and higher |
| Value | Name | Versions |
|---|---|---|
| 0x1220 | PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO | |
| 0x1221 | PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE | |
| 0x1222 | PERFINFO_LOG_TYPE_SET_POWER_ACTION | 5.1 and higher |
| 0x1223 | PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET | 5.1 and higher |
| 0x1224 | PERFINFO_LOG_TYPE_SET_DEVICES_STATE | 5.1 and higher |
| 0x1225 | PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET | 5.1 and higher |
| 0x1226 | PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE | 5.1 and higher |
| 0x1227 | PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE | 5.1 and higher |
| 0x1228 | PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT | 5.1 and higher |
| 0x1229 | PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET | 5.1 and higher |
| 0x1230 | PERFINFO_LOG_TYPE_PO_PRESLEEP | 5.1 and higher |
| 0x1231 | PERFINFO_LOG_TYPE_PO_POSTSLEEP | 5.1 and higher |
| 0x1232 | PERFINFO_LOG_TYPE_PO_CALIBRATED_PERFCOUNTER | 6.0 and higher |
| 0x1233 | PERFINFO_LOG_TYPE_PPM_PERF_STATE_CHANGE | 6.0 and higher |
| 0x1234 | PERFINFO_LOG_TYPE_PPM_THROTTLE_STATE_CHANGE | |
| 0x1235 | PERFINFO_LOG_TYPE_PPM_IDLE_STATE_CHANGE | 6.0 and higher |
| 0x1236 | PERFINFO_LOG_TYPE_PPM_THERMAL_CONSTRAINT | 6.0 and higher |
| 0x1237 | PERFINFO_LOG_TYPE_PO_SIGNAL_RESUME_UI | 6.0 and higher |
| 0x1238 | PERFINFO_LOG_TYPE_PO_SIGNAL_VIDEO_ON | 6.0 and higher |
| 0x1239 | PERFINFO_LOG_TYPE_PPM_IDLE_STATE_ENTER | 6.1 and higher |
| 0x123A | PERFINFO_LOG_TYPE_PPM_IDLE_STATE_EXIT | 6.1 and higher |
| 0x123B | PERFINFO_LOG_TYPE_PPM_PLATFORM_IDLE_STATE_ENTER | 6.2 and higher |
| 0x123C | PERFINFO_LOG_TYPE_PPM_IDLE_EXIT_LATENCY | 6.2 and higher |
| 0x123D | PERFINFO_LOG_TYPE_PPM_IDLE_PROCESSOR_SELECTION | |
| 0x123E | PERFINFO_LOG_TYPE_PPM_IDLE_PLATFORM_SELECTION | |
| 0x123F | PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_ENTER | |
| 0x1240 | PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_EXIT |
| Value | Name |
|---|---|
| 0x1318 | PERFINFO_LOG_TYPE_COWHEADER |
| 0x1319 | PERFINFO_LOG_TYPE_COWBLOB |
| 0x131A | PERFINFO_LOG_TYPE_COWBLOB_CLOSED |
| 0x1320 | PERFINFO_LOG_TYPE_MODULEBOUND_ENT |
| 0x1321 | PERFINFO_LOG_TYPE_MODULEBOUND_JUMP |
| 0x1322 | PERFINFO_LOG_TYPE_MODULEBOUND_RET |
| 0x1323 | PERFINFO_LOG_TYPE_MODULEBOUND_CALL |
| 0x1324 | PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET |
| 0x1325 | PERFINFO_LOG_TYPE_MODULEBOUND_INT2E |
| 0x1326 | PERFINFO_LOG_TYPE_MODULEBOUND_INT2B |
| 0x1327 | PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE |
| Value | Name | Versions |
|---|---|---|
| 0x1401 | WMI_LOG_TYPE_IMAGE_LOAD | |
| 0x1402 | WMI_LOG_TYPE_IMAGE_UNLOAD | 6.0 and higher |
| 0x1403 | WMI_LOG_TYPE_IMAGE_DC_START | 6.0 and higher |
| 0x1404 | WMI_LOG_TYPE_IMAGE_DC_END | 6.0 and higher |
| 0x1420 | WMI_LOG_TYPE_IMAGE_RELOCATION | |
| 0x1421 | WMI_LOG_TYPE_IMAGE_KERNEL_BASE | 6.1 and higher |
| 0x1422 | WMI_LOG_TYPE_IMAGE_HYPERCALL_PAGE | |
| 0x1480 | PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_ATTEMPT | |
| 0x1481 | PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_SUCCESS | |
| 0x1482 | PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_FAIL | |
| 0x1483 | PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_WAIT | |
| 0x1484 | PERFINFO_LOG_TYPE_LDR_PROC_INIT_DONE | |
| 0x1485 | PERFINFO_LOG_TYPE_LDR_CREATE_SECTION | |
| 0x1486 | PERFINFO_LOG_TYPE_LDR_SECTION_CREATED | |
| 0x1487 | PERFINFO_LOG_TYPE_LDR_MAP_VIEW | |
| 0x1490 | PERFINFO_LOG_TYPE_LDR_RELOCATE_IMAGE | |
| 0x1491 | PERFINFO_LOG_TYPE_LDR_IMAGE_RELOCATED | |
| 0x1492 | PERFINFO_LOG_TYPE_LDR_HANDLE_OLD_DESCRIPTORS | |
| 0x1493 | PERFINFO_LOG_TYPE_LDR_OLD_DESCRIPTORS_HANDLED | |
| 0x1494 | PERFINFO_LOG_TYPE_LDR_HANDLE_NEW_DESCRIPTORS | |
| 0x1495 | PERFINFO_LOG_TYPE_LDR_NEW_DESCRIPTORS_HANDLED | |
| 0x1496 | PERFINFO_LOG_TYPE_LDR_DLLMAIN_EXIT | |
| 0x14A0 | PERFINFO_LOG_TYPE_LDR_FIND_DLL | |
| 0x14A1 | PERFINFO_LOG_TYPE_LDR_VIEW_MAPPED | |
| 0x14A2 | PERFINFO_LOG_TYPE_LDR_LOCK_RELEASE | |
| 0x14A3 | PERFINFO_LOG_TYPE_LDR_DLLMAIN_ENTER | |
| 0x14A4 | PERFINFO_LOG_TYPE_LDR_ERROR | |
| 0x14A5 | PERFINFO_LOG_TYPE_LDR_VIEW_MAPPING | |
| 0x14A6 | PERFINFO_LOG_TYPE_LDR_SNAPPING | |
| 0x14A7 | PERFINFO_LOG_TYPE_LDR_SNAPPED | |
| 0x14A8 | PERFINFO_LOG_TYPE_LDR_LOADING | |
| 0x14A9 | PERFINFO_LOG_TYPE_LDR_LOADED | |
| 0x14AA | PERFINFO_LOG_TYPE_LDR_FOUND_KNOWN_DLL | |
| 0x14AB | PERFINFO_LOG_TYPE_LDR_ABNORMAL | |
| 0x14AC | PERFINFO_LOG_TYPE_LDR_PLACEHOLDER | |
| 0x14AD | PERFINFO_LOG_TYPE_LDR_RDY_TO_INIT | |
| 0x14AE | PERFINFO_LOG_TYPE_LDR_RDY_TO_RUN | |
| 0x14B0 | PERFINFO_LOG_TYPE_LDR_NEW_DLL_LOAD | |
| 0x14B1 | PERFINFO_LOG_TYPE_LDR_NEW_DLL_AS_DATA | |
| 0x14C0 | PERFINFO_LOG_TYPE_LDR_EXTERNAL_PATH | |
| 0x14C1 | PERFINFO_LOG_TYPE_LDR_GENERATED_PATH | |
| 0x14D0 | PERFINFO_LOG_TYPE_LDR_APISET_RESOLVING | |
| 0x14D1 | PERFINFO_LOG_TYPE_LDR_APISET_HOSTED | |
| 0x14D2 | PERFINFO_LOG_TYPE_LDR_APISET_UNHOSTED | |
| 0x14D3 | PERFINFO_LOG_TYPE_LDR_APISET_UNRESOLVED | |
| 0x14D4 | PERFINFO_LOG_TYPE_LDR_SEARCH_SECURITY | |
| 0x14D5 | PERFINFO_LOG_TYPE_LDR_SEARCH_PATH_SECURITY |
| Value | Name | Versions |
|---|---|---|
| 0x1600 | PERFINFO_LOG_TYPE_CC_WORKITEM_ENQUEUE | 6.2 and higher |
| 0x1601 | PERFINFO_LOG_TYPE_CC_WORKITEM_DEQUEUE | 6.2 and higher |
| 0x1602 | PERFINFO_LOG_TYPE_CC_WORKITEM_COMPLETE | 6.2 and higher |
| 0x1603 | PERFINFO_LOG_TYPE_CC_READ_AHEAD | 6.2 and higher |
| 0x1604 | PERFINFO_LOG_TYPE_CC_WRITE_BEHIND | |
| 0x1605 | PERFINFO_LOG_TYPE_CC_LAZY_WRITE_SCAN | 6.2 and higher |
| 0x1606 | PERFINFO_LOG_TYPE_CC_CAN_I_WRITE_FAIL | 6.2 and higher |
| 0x1609 | PERFINFO_LOG_TYPE_CC_FLUSH_CACHE | 6.2 and higher |
| 0x160A | PERFINFO_LOG_TYPE_CC_FLUSH_SECTION | 6.2 and higher |
| 0x160B | PERFINFO_LOG_TYPE_CC_READ_AHEAD_PREFETCH | 6.2 and higher |
| 0x160C | PERFINFO_LOG_TYPE_CC_SCHEDULE_READ_AHEAD | 6.2 and higher |
| 0x160D | PERFINFO_LOG_TYPE_CC_LOGGED_STREAM_INFO | 6.2 and higher |
| 0x160E | PERFINFO_LOG_TYPE_CC_EXTRA_WRITEBEHIND_THREAD | 6.2 and higher |
| Value | Name |
|---|---|
| 0x1720 | PERFINFO_LOG_TYPE_CRITSEC_ENTER |
| 0x1721 | PERFINFO_LOG_TYPE_CRITSEC_LEAVE |
| 0x1722 | PERFINFO_LOG_TYPE_CRITSEC_COLLISION |
| 0x1723 | PERFINFO_LOG_TYPE_CRITSEC_INITIALIZE |
| Value | Name | Versions |
|---|---|---|
| 0x1820 | PERFINFO_LOG_TYPE_STACKWALK | 6.1 and higher |
| 0x1822 | PERFINFO_LOG_TYPE_STACKTRACE_CREATE | |
| 0x1823 | PERFINFO_LOG_TYPE_STACKTRACE_DELETE | |
| 0x1824 | PERFINFO_LOG_TYPE_STACKTRACE_RUNDOWN | |
| 0x1825 | PERFINFO_LOG_TYPE_STACKTRACE_KEY_KERNEL | |
| 0x1826 | PERFINFO_LOG_TYPE_STACKTRACE_KEY_USER |
| Value | Name |
|---|---|
| 0x1920 | PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_START |
| 0x1921 | PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_END |
| 0x1922 | PERFINFO_LOG_TYPE_UMS_PARK |
| 0x1923 | PERFINFO_LOG_TYPE_UMS_DISASSOCIATE |
| 0x1924 | PERFINFO_LOG_TYPE_UMS_CONTEXT_SWITCH |
| Value | Name | Versions |
|---|---|---|
| 0x1A21 | WMI_LOG_TYPE_ALPC_SEND_MESSAGE | 6.0 and higher |
| 0x1A22 | WMI_LOG_TYPE_ALPC_RECEIVE_MESSAGE | 6.0 and higher |
| 0x1A23 | WMI_LOG_TYPE_ALPC_WAIT_FOR_REPLY | 6.0 and higher |
| 0x1A24 | WMI_LOG_TYPE_ALPC_WAIT_FOR_NEW_MESSAGE | 6.0 and higher |
| 0x1A25 | WMI_LOG_TYPE_ALPC_UNWAIT | 6.0 and higher |
| 0x1A26 | WMI_LOG_TYPE_ALPC_CONNECT_REQUEST | 6.2 and higher |
| 0x1A27 | WMI_LOG_TYPE_ALPC_CONNECT_SUCCESS | 6.2 and higher |
| 0x1A28 | WMI_LOG_TYPE_ALPC_CONNECT_FAIL | 6.2 and higher |
| 0x1A29 | WMI_LOG_TYPE_ALPC_CLOSE_PORT | 6.2 and higher |
| Value | Name | Versions |
|---|---|---|
| 0x1B20 | PERFINFO_LOG_TYPE_SPLITIO_VOLMGR | late 5.2 |
| Value | Name |
|---|---|
| 0x1C20 | PERFINFO_LOG_TYPE_TP_CALLBACK_ENQUEUE |
| 0x1C21 | PERFINFO_LOG_TYPE_TP_CALLBACK_DEQUEUE |
| 0x1C22 | PERFINFO_LOG_TYPE_TP_CALLBACK_START |
| 0x1C23 | PERFINFO_LOG_TYPE_TP_CALLBACK_STOP |
| 0x1C24 | PERFINFO_LOG_TYPE_TP_CALLBACK_CANCEL |
| 0x1C25 | PERFINFO_LOG_TYPE_TP_POOL_CREATE |
| 0x1C26 | PERFINFO_LOG_TYPE_TP_POOL_CLOSE |
| 0x1C27 | PERFINFO_LOG_TYPE_TP_POOL_TH_MIN_SET |
| 0x1C28 | PERFINFO_LOG_TYPE_TP_POOL_TH_MAX_SET |
| 0x1C29 | PERFINFO_LOG_TYPE_TP_WORKER_NUMANODE_SWITCH |
| 0x1C2A | PERFINFO_LOG_TYPE_TP_TIMER_SET |
| 0x1C2B | PERFINFO_LOG_TYPE_TP_TIMER_CANCELLED |
| 0x1C2C | PERFINFO_LOG_TYPE_TP_TIMER_SET_NTTIMER |
| 0x1C2D | PERFINFO_LOG_TYPE_TP_TIMER_CANCEL_NTTIMER |
| 0x1C2E | PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_BEGIN |
| 0x1C2F | PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_END |
| 0x1C30 | PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION |