Geoff Chappell - Software Analyst
The ETW_PMC_SUPPORT structure is created for an event logger when processor performance monitoring is enabled for it. Such requests reach the kernel only through ZwSetSystemInformation or NtSetSystemInformation when given the information class SystemPerformanceTraceInformation (0x1F) with an information buffer whose first dword is EventTraceProfileEventListInformation (0x0E) or EventTraceProfileCounterListInformation (0x0F).
The ETW_PMC_SUPPORT structure is not documented.
The ETW_PMC_SUPPORT structure looked stable for several versions, but variability has since set in. The following changes of size are known:
Version | Size (x86) | Size (x64) |
---|---|---|
6.2 to 1607 | 0x24 | 0x28 |
1703 to 1809 | 0x34 | 0x38 |
1903 to 2004 | 0x18 | 0x20 |
Offsets, types and names in the table below are from symbol files for the kernel in Windows 8 and higher.
Offset (x86) | Offset (x64) | Definition | Versions |
---|---|---|---|
0x00 | 0x00 | KPROFILE_SOURCE Source [4]; | 6.2 to 1607 |
0x00 | 0x00 | KPROFILE_SOURCE Source [8]; | 1703 to 1809 |
0x00 | 0x00 | KPROFILE_SOURCE *Source; | 1903 and higher |
0x10 (6.2 to 1607); 0x20 (1703 to 1809); 0x04 (1903 and higher) | 0x10 (6.2 to 1607); 0x20 (1703 to 1809); 0x08 (1903 and higher) | ULONG volatile HookIdCount; | 6.2 and higher |
0x14 (6.2 to 1607); 0x24 (1703 to 1809); 0x08 (1903 and higher) | 0x14 (6.2 to 1607); 0x24 (1703 to 1809); 0x0C (1903 and higher) | USHORT HookId [4]; | 6.2 and higher |
0x1C (6.2 to 1607); 0x2C (1703 to 1809); 0x10 (1903 and higher) | 0x1C (6.2 to 1607); 0x2C (1703 to 1809); 0x14 (1903 and higher) | ULONG volatile CountersCount; | 6.2 and higher |
0x20 (6.2 to 1607); 0x30 (1703 to 1809); 0x14 (1903 and higher) | 0x20 (6.2 to 1607); 0x30 (1703 to 1809); 0x18 (1903 and higher) | HAL_PMC_COUNTERS *ProcessorCtrs [ANYSIZE_ARRAY]; | 6.2 and higher |
The structure is always allocated from non-paged no-execute pool. Its address is kept as the PmcData member of the WMI_LOGGER_CONTEXT that represents the event logger.
Each logger can nominate up to four counters (but more in later versions). These are selected from the KPROFILE_SOURCE enumeration that is defined in WDM.H and lists the types of information that the HAL may keep about processor performance. The profile sources are provided as the ProfileSources member of the EVENT_TRACE_PROFILE_COUNTER_INFORMATION that is the required input for the relevant case of ZwSetSystemInformation.
The ProcessorCtrs array has as many elements as there can ever be processors. Each is a pointer to a HAL_PMC_COUNTERS structure for which Microsoft’s symbol files do not provide type information. From the NTOSP.H header in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10, it is known that Microsoft defines the type PMC_HANDLE for this pointer.
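The three layouts above, written out as C structures so that offsetof and sizeof reproduce the offsets and sizes in the tables. This is an added example, not Microsoft's header or code from this page; it assumes KPROFILE_SOURCE is a 4-byte enumeration (as it is for the Microsoft compiler), treats HAL_PMC_COUNTERS as an opaque type, and takes ULONG as 32 bits regardless of the host.

```c
#include <stddef.h>
#include <stdint.h>

/* KPROFILE_SOURCE is an enumeration in WDM.H; a 4-byte integer stands in for it here. */
typedef int32_t KPROFILE_SOURCE;
/* No public type information exists for HAL_PMC_COUNTERS; only pointers to it are used. */
typedef struct _HAL_PMC_COUNTERS HAL_PMC_COUNTERS, *PMC_HANDLE;
#define ANYSIZE_ARRAY 1

/* Windows 8 (6.2) to 1607: four profile sources held inline. */
typedef struct {
    KPROFILE_SOURCE Source[4];
    uint32_t volatile HookIdCount;
    uint16_t HookId[4];
    uint32_t volatile CountersCount;
    PMC_HANDLE ProcessorCtrs[ANYSIZE_ARRAY];
} ETW_PMC_SUPPORT_62;

/* 1703 to 1809: eight profile sources held inline. */
typedef struct {
    KPROFILE_SOURCE Source[8];
    uint32_t volatile HookIdCount;
    uint16_t HookId[4];
    uint32_t volatile CountersCount;
    PMC_HANDLE ProcessorCtrs[ANYSIZE_ARRAY];
} ETW_PMC_SUPPORT_1703;

/* 1903 and higher: the profile sources are kept elsewhere and only pointed to. */
typedef struct {
    KPROFILE_SOURCE *Source;
    uint32_t volatile HookIdCount;
    uint16_t HookId[4];
    uint32_t volatile CountersCount;
    PMC_HANDLE ProcessorCtrs[ANYSIZE_ARRAY];
} ETW_PMC_SUPPORT_1903;

/* Member offsets plus total size of one variant, for comparison with the layout tables.
   Pointer size decides x86 versus x64 figures, exactly as in the tables. */
typedef struct {
    size_t Source, HookIdCount, HookId, CountersCount, ProcessorCtrs, Size;
} PMC_LAYOUT;

#define PMC_LAYOUT_OF(T) ((PMC_LAYOUT){ offsetof(T, Source), offsetof(T, HookIdCount), \
    offsetof(T, HookId), offsetof(T, CountersCount), offsetof(T, ProcessorCtrs), sizeof(T) })

PMC_LAYOUT pmc_layout_62(void)   { return PMC_LAYOUT_OF(ETW_PMC_SUPPORT_62); }
PMC_LAYOUT pmc_layout_1703(void) { return PMC_LAYOUT_OF(ETW_PMC_SUPPORT_1703); }
PMC_LAYOUT pmc_layout_1903(void) { return PMC_LAYOUT_OF(ETW_PMC_SUPPORT_1903); }
```

Compiled for a 64-bit target the functions return the x64 column of the tables; for a 32-bit target they return the x86 column.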