WMI_TRACE_PACKET

The WMI_TRACE_PACKET is a small structure for the second four bytes of the header that is shared by the SYSTEM_TRACE_HEADER and the PERFINFO_TRACE_HEADER. These are, respectively, the old and the less old headers for system events.

Layout

The WMI_TRACE_PACKET is four bytes in 32-bit and 64-bit Windows:

Offset  Definition
0x00    USHORT Size;
0x02    union {
            USHORT HookId;
            struct {
                UCHAR Type;
                UCHAR Group;
            };
        };

The Size member gives the total size of the event, i.e., the fixed-size header plus the variable-size event data that follows it. The HookId tells what type of event is logged and so determines the meaning of whatever event data follows the header. Events that have a SYSTEM_TRACE_HEADER carry no EVENT_DESCRIPTOR, and for them the HookId is effectively the event identifier, even though by the time the event is translated for consumers its Group and Type show as a ProviderId and an Opcode.
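As an added example (not code from this page or from Windows), the following C decodes the packet from raw little-endian bytes, recovers Type and Group from HookId, and walks a buffer of back-to-back events using Size as the stride. It assumes, per the description above, that the packet is the second dword of the event header (so the header's own first dword is at offset 0 and the packet at offset 4), and it uses a C11 anonymous struct to mirror the layout in the table. The sample bytes are constructed for the demonstration and do not represent any real hook; the walker also shows the check a parser of trace buffers wants, since a Size smaller than the header, or larger than the bytes remaining, would otherwise loop forever or read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The packet as laid out in the table above. The anonymous struct inside the
   union is C11; on the little-endian hosts that Windows runs on, Type is the
   low byte of HookId and Group is the high byte. */
typedef struct {
    uint16_t Size;
    union {
        uint16_t HookId;
        struct {
            uint8_t Type;
            uint8_t Group;
        };
    };
} WMI_TRACE_PACKET;

/* Assumption for this example: the packet is the second dword of the event
   header, the first dword being the header's own marker. */
#define WMI_PACKET_OFFSET 4u
#define WMI_MIN_EVENT_SIZE (WMI_PACKET_OFFSET + sizeof(WMI_TRACE_PACKET))

/* Decode the packet from raw little-endian bytes without relying on host byte
   order. Returns 0 on success, -1 if fewer than four bytes are available. */
int wmi_packet_decode(const uint8_t *buf, size_t len, WMI_TRACE_PACKET *out)
{
    if (buf == NULL || out == NULL || len < sizeof(WMI_TRACE_PACKET))
        return -1;
    out->Size   = (uint16_t)(buf[0] | ((uint16_t)buf[1] << 8));
    out->HookId = (uint16_t)(buf[2] | ((uint16_t)buf[3] << 8));
    return 0;
}

/* Type and Group recovered arithmetically from HookId, matching the union. */
uint8_t wmi_hook_type(uint16_t hook_id)  { return (uint8_t)(hook_id & 0xFF); }
uint8_t wmi_hook_group(uint16_t hook_id) { return (uint8_t)(hook_id >> 8); }

/* Walk a buffer of consecutive events using Size as the stride. Returns the
   number of events, or -1 on a truncated header, a Size too small to cover the
   header (a naive walker would never advance) or a Size that overruns the buffer. */
int wmi_walk_events(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;
    WMI_TRACE_PACKET pkt;

    while (pos < len) {
        if (len - pos < WMI_MIN_EVENT_SIZE)
            return -1;                                   /* truncated header */
        if (wmi_packet_decode(buf + pos + WMI_PACKET_OFFSET,
                              len - pos - WMI_PACKET_OFFSET, &pkt) != 0)
            return -1;
        if (pkt.Size < WMI_MIN_EVENT_SIZE || pkt.Size > len - pos)
            return -1;                                   /* untrustworthy Size */
        printf("event %d: HookId=0x%04X Group=0x%02X Type=0x%02X Size=%u\n",
               count, pkt.HookId, wmi_hook_group(pkt.HookId),
               wmi_hook_type(pkt.HookId), pkt.Size);
        pos += pkt.Size;
        count++;
    }
    return count;
}

/* Constructed sample, not a real trace: two events, each starting with a
   four-byte marker dword (zeros here), then the packet, then event data. */
const uint8_t wmi_sample[] = {
    0,0,0,0,  12,0,  0x02,0x01,  0xAA,0xBB,0xCC,0xDD,    /* Size 12, Type 2, Group 1 */
    0,0,0,0,  10,0,  0x03,0x01,  0xEE,0xFF,              /* Size 10, Type 3, Group 1 */
};
const size_t wmi_sample_len = sizeof(wmi_sample);

/* Constructed corruption: a Size of zero in the first event. */
const uint8_t wmi_bad_sample[] = { 0,0,0,0, 0,0, 0x02,0x01, 0xAA,0xBB,0xCC,0xDD };
const size_t wmi_bad_sample_len = sizeof(wmi_bad_sample);

int main(void)
{
    printf("good buffer: %d events\n", wmi_walk_events(wmi_sample, wmi_sample_len));
    printf("bad buffer: %d\n", wmi_walk_events(wmi_bad_sample, wmi_bad_sample_len));
    return 0;
}
```

The decoder deliberately builds Size and HookId from individual bytes rather than casting the buffer to the structure, so it behaves the same on a big-endian analysis host as on the little-endian machine that wrote the trace; the union's Type and Group overlay is only meaningful on the latter, which is why the accessors split HookId arithmetically.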