Geoff Chappell - Software Analyst
Each ETW_QUEUE_ENTRY structure supports the delivery of a notification to one user-mode registration of an event provider.
The ETW_QUEUE_ENTRY structure is not documented.
Though the ETW_QUEUE_ENTRY is very much an implementation detail of the kernel’s own bookkeeping, it has not changed much. The following changes of size are known:
| Versions | Size (x86) | Size (x64) |
|---|---|---|
| 6.0 to 6.1 | 0x18 | 0x28 |
| 6.2 to 10.0 | 0x20 | 0x38 |
The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s public symbol files for the kernel, starting with Windows 8. Since symbol files for earlier versions do not contain type information for the ETW_QUEUE_ENTRY, what’s shown for them is instead inferred from what use these versions of the kernel are seen to make of the structure in comparison with those for which Microsoft’s names and types are known. Where the correspondence is close, it seems reasonable to infer continuity.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 |
LIST_ENTRY ListEntry; |
6.0 and higher |
| 0x08 | 0x10 |
ETWP_NOTIFICATION_HEADER *DataBlock; |
6.0 and higher |
| 0x0C | 0x18 |
ETW_REG_ENTRY *RegEntry; |
6.0 and higher |
| 0x10 | 0x20 |
ETW_REG_ENTRY *ReplyObject; |
6.2 and higher |
| 0x14 | 0x28 |
PVOID WakeReference; |
6.2 and higher |
| 0x10 (6.0 to 6.1); 0x18 |
0x20 (6.0 to 6.1); 0x30 |
ULONG RegIndex; |
6.0 to 6.1 |
USHORT RegIndex; |
6.2 and higher | ||
| 0x14 (6.0 to 6.1); 0x1A |
0x24 (6.0 to 6.1); 0x32 |
ULONG ReplyIndex; |
6.0 to 6.1 |
USHORT ReplyIndex; |
6.2 and higher | ||
| 0x1C | 0x34 |
ULONG Flags; |
6.2 and higher |
The one notification may be sent to multiple registrations. All receive the same (referenced-counted) copy of the sending process’s data block but each transmission has its own ETW_QUEUE_ENTRY. The one process may have multiple notifications in progress. All the queue entries are kept in a double-linked list linked through the ListEntry. The queue itself is a LIST_ENTRY in an ETW_DATA_SOURCE structure whose address is kept as the EtwDataSource in the process’s EPROCESS.
The RegIndex is the system-wide 0-based Index of the notifyee ETW_REG_ENTRY, apparently included just for convenience. What the ReplyIndex indexes is the ReplySlot array in the notifyee ETW_REG_ENTRY. Before version 6.2, the indexed ReplySlot points to the reply object. The ReplyIndex is thus the queue entry’s access to the reply object. This access is reversed in later versions: the queue entry holds the reply object’s address and the indexed ReplySlot points to the queue entry.