Geoff Chappell - Software Analyst
PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY
The ETW_SILODRIVERSTATE structure is the state that Event Tracing for Windows (ETW) keeps separately for each silo.
The ETW_SILODRIVERSTATE structure is not documented.
Given that Microsoft discloses relatively little architectural detail about silos, it should not surprise that the ETW_SILODRIVERSTATE changes even between the half-yearly releases of Windows 10.
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 10.0 | 0x0190 | 0x01B0 |
| 1511 to 1607 | 0x0A80 | 0x13A8 |
| 1703 | 0x0AC0 | 0x13F8 |
| 1709 | 0x0A48 | 0x1190 |
| 1803 to 1809 | 0x0A70 | 0x11C0 |
| 1903 | 0x0A90 | 0x11F8 |
| 2004 | 0x0AA8 | 0x1220 |
The preceding sizes, and the offsets, types and names in the table below are from public symbol files for the kernel.
| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 (10.0) | 0x00 (10.0) |
ULONG EtwpSecurityProviderPID; |
10.0 only | next at 0x0A7C and 0x13A4 |
| 0x00 | 0x00 |
EJOB *Silo; |
1803 and higher | |
| 0x00 (1703 to 1709); 0x04 |
0x00 (1703 to 1709); 0x08 |
ESERVERSILO_GLOBALS *SiloGlobals; |
1703 and higher | |
| 0x04 (1709); 0x08 |
0x08 (1709); 0x10 |
ULONG MaxLoggers; |
1709 and higher | |
| 0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703 to 1709); 0x10 |
0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703); 0x10 (1709); 0x18 |
ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry; |
10.0 and higher | |
| 0x0168 (10.0) | 0x0188 (10.0) |
ULONG AuditLoggerId; |
10.0 only | |
| 0x0170 (10.0) | 0x0190 (10.0) |
REGHANDLE EtwPsProvRegHandle; |
10.0 only | |
| 0x0168 (1511 to 1607); 0x0170 (1703 to 1709); 0x0178 (1803 to 1903); 0x0188 |
0x0190 (1511 to 1607); 0x0198 (1703); 0x01A0 (1709); 0x01A8 (1803 to 1903); 0x01C0 |
EX_RUNDOWN_REF_CACHE_AWARE EtwpLoggerRundown [0x10]; |
1511 and higher | |
| 0x0268 (1511 to 1607); 0x0270 (1703); 0x0174 (1709); 0x017C (1803 to 1903); 0x018C |
0x0390 (1511 to 1607); 0x0398 (1703); 0x01A8 (1709); 0x01B0 (1803 to 1903); 0x01C8 |
WMI_LOGGER_CONTEXT *WmipLoggerContext [0x40]; |
1511 to 1703 | |
WMI_LOGGER_CONTEXT **EtwpLoggerContext; |
1709 and higher | |||
| 0x0368 (1511 to 1607); 0x0370 (1703); 0x0178 (1709); 0x0180 (1803 to 1903); 0x0190 |
0x0590 (1511 to 1607); 0x0598 (1703); 0x01B0 (1709); 0x01B8 (1803 to 1903); 0x01D0 |
ETW_HASH_BUCKET EtwpGuidHashTable [0x40]; |
1511 and higher | |
| 0x0178 (10.0); 0x0A68 (1511 to 1607); 0x0A70 (1703); 0x0878 (1709); 0x0880 (1803 to 1903); 0x0890 |
0x0198 (10.0); 0x1390 (1511 to 1607); 0x1398 (1703); 0x0FB0 (1709); 0x0FB8 (1803 to 1903); 0x0FD0 |
USHORT EtwpSecurityLoggers [8]; |
10.0 and higher | |
| 0x0188 (10.0); 0x0A78 (1511 to 1607); 0x0A80 (1703); 0x0888 (1709); 0x0890 (1803 to 1903); 0x08A0 |
0x01A8 (10.0); 0x13A0 (1511 to 1607); 0x13A8 (1703); 0x0FC0 (1709); 0x0FC8 (1803 to 1903); 0x0FE0 |
UCHAR EtwpSecurityProviderEnableMask; |
10.0 and higher | |
| 0x0189 (10.0); 0x0A79 (1511 to 1607); 0x0A84 (1703); 0x088C (1709); 0x0894 (1803 to 1903); 0x08A4 |
0x01A9 (10.0); 0x13A1 (1511 to 1607); 0x13AC (1703); 0x0FC4 (1709); 0x0FCC (1803 to 1903); 0x0FE4 |
BOOLEAN EtwpShutdownInProgress; |
10.0 to 1607 | |
LONG EtwpShutdownInProgress; |
1703 and higher | |||
| 0x0A7C (1511 to 1607); 0x0A88 (1703); 0x0890 (1709); 0x0898 (1803 to 1903); 0x08A8 |
0x13A4 (1511 to 1607); 0x13B0 (1703); 0x0FC8 (1709); 0x0FD0 (1803 to 1903); 0x0FE8 |
ULONG EtwpSecurityProviderPID; |
1511 and higher | previously at 0x00 |
| 0x0A8C (1703); 0x0894 (1709); 0x089C (1803 to 1903); 0x08AC |
0x13B8 (1703); 0x0FD0 (1709); 0x0FD8 (1803 to 1903); 0x0FF0 |
ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable; |
1703 and higher | |
| 0x0A9C (1703); 0x08A4 (1709); 0x08AC (1803 to 1903); 0x08BC |
0x13D8 (1703); 0x0FF0 (1709); 0x0FF8 (1803 to 1903); 0x1010 |
ETW_COUNTERS EtwpCounters; |
1703 and higher | |
| 0x0AB0 (1703); 0x08B8 (1709); 0x08C0 (1803 to 1903); 0x08D0 |
0x13E8 (1703); 0x1000 (1709); 0x1008 (1803 to 1903); 0x1020 |
LARGE_INTEGER LogfileBytesWritten; |
1703 and higher | |
| 0x0AB8 (1703); 0x08C0 (1709); 0x08C8 (1803 to 1903); 0x08D8 |
0x13F0 (1703); 0x1008 (1709); 0x1010 (1803 to 1903); 0x1028 |
ETW_SILO_TRACING_BLOCK *ProcessorBlocks; |
1703 and higher | |
| 0x08CC (1803 to 1903); 0x08DC |
0x1018 (1803 to 1903); 0x1030 |
EX_WNF_SUBSCRIPTION *ContainerRestoreWnfSubscription; |
1803 and higher | |
| 0x08C4 (1709); 0x08D0 (1803 to 1903); 0x08E0 |
0x1010 (1709); 0x1020 (1803 to 1903); 0x1038 |
GUID PartitionId; |
1709 and higher | |
| 0x08D4 (1709); 0x08E0 (1803 to 1903); 0x08F0 |
0x1020 (1709); 0x1030 (1803 to 1903); 0x1048 |
GUID ParentId; |
1709 and higher | |
| 0x08E8 (1709); 0x08F0 (1803 to 1903); 0x0900 |
0x1030 (1709); 0x1040 (1803 to 1903); 0x1058 |
LARGE_INTEGER QpcOffsetFromRoot; |
1709 and higher | |
| 0x0908 | 0x1060 |
PSTR PartitionName; |
2004 and higher | |
| 0x090C | 0x1068 |
USHORT PartitionNameSize; |
2004 and higher | |
| 0x090E | 0x106A |
USHORT UnusedPadding; |
2004 and higher | |
| 0x08F0 (1709); 0x08F8 (1803 to 1903); 0x0910 |
0x1038 (1709); 0x1048 (1803 to 1903); 0x106C |
ULONG PartitionType; |
1709 and higher | |
| 0x08F4 (1709); 0x08FC (1803 to 1903); 0x0914 |
0x103C (1709); 0x104C (1803 to 1903); 0x1070 |
ETW_SYSTEM_LOGGER_SETTINGS SystemLoggerSettings; |
1709 and higher | |
| 0x0A70 (1903); 0x0A88 |
0x11C0 (1903); 0x11E8 |
KMUTANT EtwpStartTraceMutex; |
1903 and higher |
TO BE DONE?