Geoff Chappell - Software Analyst
The ETW_PROVIDER_TRAITS structure is the container in which the kernel keeps traits that are set for the registrations of event providers.
Provider traits are set for a registration through the kernel-mode EtwSetInformation and user-mode EventSetInformation functions when given the information class EventProviderSetTraits (2). If a registration has provider traits, then the ETW_REG_ENTRY that represents the registration has a Traits member that points to the ETW_PROVIDER_TRAITS that contains the traits.
The ETW_PROVIDER_TRAITS structure is not documented.
The ETW_PROVIDER_TRAITS is 0x14 or 0x20 bytes in 32-bit and 64-bit Windows 10, respectively.
Offset (x86) | Offset (x64) | Definition
---|---|---
0x00 | 0x00 | RTL_BALANCED_NODE Node;
0x0C | 0x18 | ULONG ReferenceCount;
0x10 | 0x1C | UCHAR Traits [ANYSIZE_ARRAY];
The ETW_PROVIDER_TRAITS is a fixed-size header. The Traits that follow it are the variable-size traits information that kernel-mode or user-mode callers set for the registration. The same traits information can be set for many registrations. To avoid duplication, the kernel keeps a tree of reference-counted structures, each of which holds different traits information. Registrations that have identical traits information all have their Traits pointing to the same ETW_PROVIDER_TRAITS.
Traits information is itself a set of containers of essentially arbitrary data. Microsoft documents the format:
Each trait has a similar format:
Note that all items are byte-aligned. There is no alignment padding, e.g., of a 16-bit size to a 16-bit offset after a string of single-byte characters.
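As an added example (not code from this page or from Microsoft's headers), here is a C walker for the traits blob in the layout Microsoft documents: a 16-bit total size, a NUL-terminated UTF-8 provider name, then zero or more traits, each a 16-bit size, an 8-bit type and its data, all byte-aligned as the note above says. The trait type numbers are those evntprov.h assigns; the sample blob and its GUID bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETW_TRAIT_TYPE_GROUP       1   /* EtwProviderTraitTypeGroup in evntprov.h */
#define ETW_TRAIT_TYPE_DECODE_GUID 2   /* EtwProviderTraitDecodeGuid in evntprov.h */
/* Byte-wise little-endian 16-bit read: size fields may sit at odd offsets. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

typedef struct {
    char name[64];                 /* provider name (UTF-8, NUL-terminated) */
    int  trait_count, group_guids, decode_guids;   /* traits walked / well-formed GUID traits */
} trait_summary;

/* Walks a provider-traits blob; returns 0 on success, negative on malformed input.
   Every bound is checked against the declared total, so a truncated blob or a
   lying size field never drives a read past the end of the buffer. */
int parse_provider_traits(const uint8_t *blob, size_t blob_len, trait_summary *out)
{
    memset(out, 0, sizeof *out);
    if (blob_len < 2) return -1;
    uint16_t total = rd16(blob);                 /* includes these two size bytes */
    if (total < 3 || total > blob_len) return -2;
    size_t pos = 2;
    const uint8_t *nul = memchr(blob + pos, 0, total - pos);
    if (nul == NULL) return -3;                  /* name runs past the declared size */
    size_t name_len = (size_t)(nul - (blob + pos));
    if (name_len >= sizeof out->name) return -4;
    memcpy(out->name, blob + pos, name_len);
    pos += name_len + 1;                         /* first trait starts right after the NUL */
    while (pos < total) {                        /* each trait: UINT16 size, UINT8 type, data */
        if (total - pos < 3) return -5;
        uint16_t tsize = rd16(blob + pos);       /* covers size, type and data bytes */
        if (tsize < 3 || tsize > total - pos) return -6;
        uint8_t type = blob[pos + 2];
        size_t data_len = tsize - 3u;
        if (type == ETW_TRAIT_TYPE_GROUP && data_len == 16) out->group_guids++;
        else if (type == ETW_TRAIT_TYPE_DECODE_GUID && data_len == 16) out->decode_guids++;
        out->trait_count++;
        pos += tsize;
    }
    return 0;
}

/* Constructed sample: total 0x20 bytes; "MyProvider" plus NUL is 11 bytes, so the Group
   trait's size field lands at the odd offset 13 (no padding); GUID bytes are placeholders. */
const uint8_t SAMPLE_TRAITS[] = {
    0x20, 0x00, 'M','y','P','r','o','v','i','d','e','r', 0x00,
    0x13, 0x00, ETW_TRAIT_TYPE_GROUP,
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,0x10 };
const size_t SAMPLE_TRAITS_LEN = sizeof SAMPLE_TRAITS;
```

Passing a buffer one byte shorter than the declared total makes the walker reject the blob instead of reading past it, which is the check a consumer of caller-supplied traits needs.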