WMI_LOGGER_CONTEXT

The WMI_LOGGER_CONTEXT structure (formally _WMI_LOGGER_CONTEXT) is the kernel’s representation of an event logger, known more formally as an event tracing session. It is one of the most important of all internal details for any inspection of Event Tracing for Windows (ETW).

A WMI_LOGGER_CONTEXT is created when a logger is started and is retained until the logger is stopped. Except for auto-loggers, which the kernel itself starts, all ways to start a logger go through NtTraceControl with the function code EtwStartLoggerCode (0x01). For well-behaved user-mode programs, this means going through the documented StartTrace function.

The kernel keeps the addresses of the created WMI_LOGGER_CONTEXT instances in an array of pointers in the kernel’s own data section. This array’s capacity, 32 in version 5.0 and 64 since, is therefore the maximum number of event tracing sessions that can be active at any given time. This limit has long been documented, though curiously not until recently in the documentation of StartTrace (where it would seem to matter most as something to know). That it is documented there now appears to be because the limit can be varied in releases of Windows 10 later than those that had been studied for this article when it was first written. As usual, more research is required.

Documentation Status

The WMI_LOGGER_CONTEXT structure is not documented.

Though Microsoft is not known to have published a C-language definition in any header file from a development kit, the limit of 64 to the number of WMI_LOGGER_CONTEXT structures that the kernel can track at any one time is formalised by the definition of a macro MAXLOGGERS in the NTWMI.H from the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10.

Layout

Since the WMI_LOGGER_CONTEXT is very much for the kernel’s own use, it should not surprise that the layout changes significantly between versions and even between builds. As so often with structures that are private to the kernel, the rate of change between builds has picked up markedly in Windows 10. The following changes of size are known:

Version Size (x86) Size (x64)
5.0 0x0140  
5.1 0x01C8  
5.2 0x01D8 0x0280
early 6.0 (before SP1) 0x0270 0x0350
late 6.0 0x0280 0x0370
6.1 0x0238 0x0330
6.2 0x0270 0x0378
6.3 0x0278 0x0378
10.0 0x0288 0x0398
1511 0x0288 0x0390
1607 0x02F0 0x0440
1703 0x0310 0x0468
1709 0x05A0 0x0990
1803 0x0370 0x0510
1809 0x0380 0x0520
1903 0x0390 0x0540
2004 0x0398 0x0550

The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s public symbol files for the kernel, starting with Windows XP SP3 and Windows Server 2003 SP2. Since symbol files for earlier versions do not contain type information for the WMI_LOGGER_CONTEXT structure, what’s known for them is instead inferred from what use these versions of the kernel are seen to make of the structure in comparison with those for which Microsoft’s names and types are known. Where the correspondence is close, it seems reasonable to suppose continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it down exhaustively would be difficult, if not impossible, even with source code. The structure’s development is hard enough to track even for the relatively recent versions, as members have occasionally been moved from one end to the other.

Offset (x86) Offset (x64) Definition Versions Remarks
0x00 0x00
ULONG LoggerId;
6.1 and higher previously at 0x14 and 0x1C
0x04 0x04
ULONG BufferSize;
6.1 and higher previously at 0xA4 and 0xEC
0x08 0x08
ULONG MaximumEventSize;
6.1 and higher previously at 0xA8 and 0xF0
0x0C (6.1) 0x0C (6.1)
LONG CollectionOn;
6.1 only previously at 0x58 and 0x9C;
next at 0xF0 and 0x0150
0x10 (6.1);
0x0C
0x10 (6.1);
0x0C
ULONG LoggerMode;
6.1 and higher previously at 0x60 and 0xA4
0x14 (6.1);
0x10
0x14 (6.1);
0x10
LONG AcceptNewEvents;
6.1 and higher previously at 0x0250 and 0x0338
0x14 0x14
ULONG EventMarker [1];
6.2 and higher (x86)  
ULONG EventMarker [2];
6.2 and higher (x64)  
0x18 0x1C
ULONG ErrorMarker;
6.2 and higher  
0x1C 0x20
ULONG SizeMask;
6.2 and higher  
0x18 (6.1);
0x20
0x18 (6.1);
0x28
LONGLONG (*GetCpuClock) (VOID);
6.1 and higher previously at 0xC4 and 0x0118
0x00 (5.0 to 5.2) 0x00 (5.2)
KSPIN_LOCK BufferSpinLock;
5.0 to 5.2  
0x08 (5.0 to 5.2);
0x00 (6.0);
0x20 (6.1)
0x08 (5.2);
0x00 (6.0);
0x20 (6.1)
LARGE_INTEGER StartTime;
5.0 to 6.1 next at 0x0230 and 0x0320
0x10 (5.0 to 5.2);
0x08 (6.0);
0x28 (6.1)
0x10 (5.2);
0x08 (6.0);
0x28 (6.1)
HANDLE LogFileHandle;
5.0 to 6.1 next at 0x0238 and 0x0328
0x14 (5.0 to 5.2) 0x18 (5.2)
KSEMAPHORE LoggerSemaphore;
5.0 to 5.2  
0x28 (5.0 to 5.2);
0x0C (6.0);
0x2C (6.1);
0x24
  unknown 32-bit thread ID 5.0 only  
0x38 (5.2);
0x10 (6.0);
0x30
ETHREAD *LoggerThread;
5.1 and higher  
0x2C (5.0 to 5.2) 0x40 (5.2)
KEVENT LoggerEvent;
5.0 to 5.2 next at 0x014C
0x3C (5.1 to 5.2) 0x58 (5.2)
KEVENT FlushEvent;
5.1 to 5.2 next at 0x015C
0x3C (5.0);
0x4C (5.1 to 5.2);
0x10 (6.0);
0x30 (6.1);
0x28
0x70 (5.2);
0x18 (6.0);
0x38
NTSTATUS LoggerStatus;
5.0 and higher  
0x40 (5.0);
0x50 (5.1 to 5.2);
0x14 (6.0)
0x74 (5.2);
0x1C (6.0)
ULONG LoggerId;
5.0 to 6.0 next at 0x00
0x44 (5.0);
0x54 (5.1 to 5.2)
0x78 (5.2)
LONG BuffersAvailable;
5.0 to 5.2 next as LONG volatile at 0x7C
0x58 (5.1 to 5.2) 0x7C (5.2)
ULONG UsePerfClock;
5.1 to 5.2 previously at 0xE4
0x5C (5.1 to 5.2) 0x80 (5.2)
ULONG WriteFailureLimit;
5.1 to 5.2  
0x60 (5.1 to 5.2) 0x84 (5.2)
ULONG BuffersDirty;
5.1 only  
LONG BuffersDirty;
5.2 only  
0x64 (5.1 to 5.2) 0x88 (5.2)
ULONG BuffersInUse;
5.1 only  
LONG BuffersInUse;
5.2 only  
0x68 (5.1 to 5.2) 0x8C (5.2)
ULONG SwitchingInProgress;
5.1 to 5.2  
0x2C 0x3C
ULONG FailureReason;
6.2 and higher  
0x18 (6.0);
0x34 (6.1);
0x30
0x20 (6.0);
0x40
PVOID NBQHead;
6.0 to 6.1  
ETW_BUFFER_QUEUE BufferQueue;
6.2 and higher  
0x1C (6.0);
0x38 (6.1);
0x3C (6.2 to 1511);
0x38
0x28 (6.0);
0x48 (6.1);
0x58 (6.2 to 1511);
0x50
PVOID OverflowNBQHead;
6.0 to 6.1  
ETW_BUFFER_QUEUE OverflowQueue;
6.2 and higher  
0x48 (5.0);
0x70 (5.1 to 5.2);
0x20 (6.0);
0x40 (6.1)
 
LIST_ENTRY FreeList;
5.0 only  
0x90 (5.2);
0x30 (6.0);
0x50 (6.1)
SLIST_HEADER FreeList;
5.1 to 5.2  
SLIST_HEADER QueueBlockFreeList;
6.0 to 6.1  
0x78 (5.1 to 5.2) 0xA0 (5.2)
SLIST_HEADER FlushList;
5.1 to 5.2  
0x80 (5.2) 0xB0 (5.2)
SLIST_HEADER WaitList;
5.2 only  
0x50 (5.0);
0x80 (5.1);
0x88 (5.2);
0x28 (6.0);
0x48 (6.1 to 1511);
0x40
 
LIST_ENTRY GlobalList;
5.0 only  
0xC0 (5.2);
0x40 (6.0);
0x60 (6.1);
0x70 (6.2 to 1511);
0x60
SLIST_HEADER GlobalList;
5.1 to 6.0  
LIST_ENTRY GlobalList;
6.1 and higher  
0x58 (5.0)   unaccounted four bytes 5.0 only  
0x5C (5.0);
0x88 (5.1);
0x90 (5.2)
 
WMI_BUFFER_HEADER **ProcessorBuffers;
5.0 only  
SLIST_HEADER *ProcessorBuffers;
5.1 only  
0xD0 (5.2)
WMI_BUFFER_HEADER **ProcessorBuffers;
5.2 only  
0x50 (6.2 to 1511);
0x48 (1607 to 1703)
0x80 (6.2 to 1511);
0x70 (1607 to 1703)
LIST_ENTRY ProviderBinaryList;
6.2 to 1703  
0x48 0x70
LIST_ENTRY DebugIdTrackingList;
1709 and higher  
0x50 0x80
ETW_DECODE_CONTROL_ENTRY *DecodeControlList;
1709 and higher  
0x54 0x88
ULONG DecodeControlCount;
1709 and higher  
0x30 (late 6.0);
0x50 (6.1);
0x58 (6.2 to 1511);
0x50 (1607 to 1703);
0x58
0x50 (late 6.0);
0x70 (6.1);
0x90 (6.2 to 1511);
0x80 (1607 to 1703);
0x90
WMI_BUFFER_HEADER *BatchedBufferList;
late 6.0  
union {
    WMI_BUFFER_HEADER *BatchedBufferList;
    EX_FAST_REF CurrentBuffer;
};
6.1 and higher  
0x60 (5.0);
0x8C (5.1);
0x94 (5.2);
0x30 (early 6.0);
0x34 (late 6.0);
0x54 (6.1);
0x5C (6.2 to 1511);
0x54 (1607 to 1703);
0x5C
0xD8 (5.2);
0x50 (early 6.0);
0x58 (late 6.0);
0x78 (6.1);
0x98 (6.2 to 1511);
0x88 (1607 to 1703);
0x98
UNICODE_STRING LoggerName;
5.0 and higher  
0x68 (5.0);
0x94 (5.1);
0x9C (5.2);
0x38 (early 6.0);
0x3C (late 6.0);
0x5C (6.1);
0x64 (6.2 to 1511);
0x5C (1607 to 1703);
0x64
0xE8 (5.2);
0x60 (early 6.0);
0x68 (late 6.0);
0x88 (6.1);
0xA8 (6.2 to 1511);
0x98 (1607 to 1703);
0xA8
UNICODE_STRING LogFileName;
5.0 and higher  
0x9C (5.1);
0xA4 (5.2);
0x40 (early 6.0);
0x44 (late 6.0);
0x64 (6.1);
0x6C (6.2 to 1511);
0x64 (1607 to 1703);
0x6C
0xF8 (5.2);
0x70 (early 6.0);
0x78 (late 6.0);
0x98 (6.1);
0xB8 (6.2 to 1511);
0xA8 (1607 to 1703);
0xB8
UNICODE_STRING LogFilePattern;
5.1 and higher  
0xA4 (5.1);
0xAC (5.2);
0x48 (early 6.0);
0x4C (late 6.0);
0x6C (6.1);
0x74 (6.2 to 1511);
0x6C (1607 to 1703);
0x74
0x0108 (5.2);
0x80 (early 6.0);
0x88 (late 6.0);
0xA8 (6.1);
0xC8 (6.2 to 1511);
0xB8 (1607 to 1703);
0xC8
UNICODE_STRING NewLogFileName;
5.1 and higher  
0x70 (5.0);
0xAC (5.1);
0xB4 (5.2)
0x0118 (5.2)
UCHAR *EndPageMarker;
5.0 to 5.2  
0x50 (early 6.0);
0x54 (late 6.0);
0x74 (6.1);
0x7C (6.2 to 1511);
0x74 (1607 to 1703);
0x7C
0x90 (early 6.0);
0x98 (late 6.0);
0xB8 (6.1);
0xD8 (6.2 to 1511);
0xC8 (1607 to 1703);
0xD8
ULONG ClockType;
6.0 and higher  
0x74 (5.0);
0xB0 (5.1);
0xB8 (5.2);
0x54 (early 6.0);
0x58 (late 6.0)
0x0120 (5.2);
0x94 (early 6.0);
0x9C (late 6.0)
LONG CollectionOn;
5.0 to 6.0 next at 0x0C
0x78 (5.0);
0xB4 (5.1);
0xBC (5.2)
0x0124 (5.2)
ULONG KernelTraceOn;
5.0 to 5.2 next as KernelTrace in Flags
0xB8 (5.1);
0xC0 (5.2)
0x0128 (5.2)
LONG PerfLogInTransition;
5.1 to 5.2  
0x7C (5.0);
0xBC (5.1);
0xC4 (5.2)
  unknown four bytes 5.0 only  
0x012C (5.2)
ULONG RequestFlag;
5.1 to 5.2 next at 0x0248
0x80 (5.0);
0xC0 (5.1);
0xC8 (5.2)
0x0130 (5.2)
ULONG EnableFlags;
5.0 to 5.2  
0x84 (5.0);
0xC4 (5.1);
0xCC (5.2);
0x58 (early 6.0);
0x5C (late 6.0);
0x78 (6.1)
0x0134 (5.2);
0x98 (early 6.0);
0xA0 (late 6.0);
0xBC (6.1)
ULONG MaximumFileSize;
5.0 to 6.1 next at 0xD4 and 0x0134
0x88 (5.0);
0xC8 (5.1);
0xD0 (5.2);
0x5C (early 6.0);
0x60 (late 6.0)
0x0138 (5.2);
0x9C (early 6.0);
0xA4 (late 6.0)
union {
    ULONG LoggerMode;
    WMI_LOGGER_MODE LoggerModeFlags;
};
5.0 to 5.2  
ULONG LoggerMode;
6.0 next at 0x10
0xD4 (5.2) 0x013C (5.2)
ULONG Wow;
5.2 only next in Flags
0x8C (5.0);
0xCC (5.1);
0xD8 (5.2);
0x60 (early 6.0);
0x64 (late 6.0);
0x7C (6.1);
0x80 (6.2 to 1511);
0x78 (1607 to 1703);
0x80
0x0140 (5.2);
0xA0 (early 6.0);
0xA8 (late 6.0);
0xC0 (6.1);
0xDC (6.2 to 1511);
0xCC (1607 to 1703);
0xDC
ULONG LastFlushedBuffer;
5.0 and higher  
0xD0 (5.1);
0xDC (5.2)
0x0144 (5.2)
ULONG RefCount;
5.1 to 5.2  
0x90 (5.0);
0xD4 (5.1);
0xE0 (5.2);
0x64 (early 6.0);
0x68 (late 6.0);
0x80 (6.1);
0x84 (6.2 to 1511);
0x7C (1607 to 1703);
0x84
0x0148 (5.2);
0xA4 (early 6.0);
0xAC (late 6.0);
0xC4 (6.1);
0xE0 (6.2 to 1511);
0xD0 (1607 to 1703);
0xE0
LARGE_INTEGER FlushTimer;
5.0 only  
ULONG FlushTimer;
5.1 and higher  
0x6C (late 6.0);
0x84 (6.1);
0x88 (6.2 to 1511);
0x80 (1607 to 1703);
0x88
0xB0 (late 6.0);
0xC8 (6.1);
0xE4 (6.2 to 1511);
0xD4 (1607 to 1703);
0xE4
ULONG FlushThreshold;
late 6.0 and higher  
0x98 (5.0);
0xD8 (5.1);
0xE8 (5.2)
0x0150 (5.2)
LARGE_INTEGER FirstBufferOffset;
5.0 to 5.2  
0xA0 (5.0);
0xE0 (5.1);
0xF0 (5.2);
0x68 (early 6.0);
0x70 (late 6.0);
0x88 (6.1);
0x90 (6.2 to 1511);
0x88 (1607 to 1703);
0x90
0x0158 (5.2);
0xA8 (early 6.0);
0xB8 (late 6.0);
0xD0 (6.1);
0xE8 (6.2 to 1511);
0xD8 (1607 to 1703);
0xE8
LARGE_INTEGER ByteOffset;
5.0 and higher  
0xA8 (5.0);
0xE8 (5.1);
0xF8 (5.2)
0x0160 (5.2)
LARGE_INTEGER BufferAgeLimit;
5.0 to 5.2  
0x70 (early 6.0);
0x78 (late 6.0)
0xB0 (early 6.0);
0xC0 (late 6.0)
LARGE_INTEGER FlushTimeStamp;
6.0  
0xB0 (5.0)  
ULONG BufferSize;
5.0 only next at 0x0108
0xB4 (5.0)  
LONG NumberOfBuffers;
5.0 only next at 0x010C
0xB8 (5.0);
0xF0 (5.1);
0x0100 (5.2)
0x0168 (5.2)
ULONG MaximumBuffers;
5.0 to 5.2 next at 0x84
0xBC (5.0);
0xF4 (5.1);
0x0104 (5.2);
0x78 (early 6.0);
0x80 (late 6.0);
0x90 (6.1);
0x98 (6.2 to 1511);
0x90 (1607 to 1703);
0x98
0x016C (5.2);
0xB8 (early 6.0);
0xC8 (late 6.0);
0xD8 (6.1);
0xF0 (6.2 to 1511);
0xE0 (1607 to 1703);
0xF0
ULONG MinimumBuffers;
5.0 and higher  
0x7C (early 6.0);
0x84 (late 6.0);
0x94 (6.1);
0x9C (6.2 to 1511);
0x94 (1607 to 1703);
0x9C
0xBC (early 6.0);
0xCC (late 6.0);
0xDC (6.1);
0xF4 (6.2 to 1511);
0xE4 (1607 to 1703);
0xF4
LONG volatile BuffersAvailable;
6.0 and higher previously LONG at 0x54 and 0x78
0x80 (early 6.0);
0x88 (late 6.0);
0x98 (6.1);
0xA0 (6.2 to 1511);
0x98 (1607 to 1703);
0xA0
0xC0 (early 6.0);
0xD0 (late 6.0);
0xE0 (6.1);
0xF8 (6.2 to 1511);
0xE8 (1607 to 1703);
0xF8
LONG volatile NumberOfBuffers;
6.0 and higher previously LONG at 0x011C and 0x0184
0x84 (early 6.0);
0x8C (late 6.0);
0x9C (6.1);
0xA4 (6.2 to 1511);
0x9C (1607 to 1703);
0xA4
0xC4 (early 6.0);
0xD4 (late 6.0);
0xE4 (6.1);
0xFC (6.2 to 1511);
0xEC (1607 to 1703);
0xFC
ULONG MaximumBuffers;
6.0 and higher previously at 0x0100 and 0x0168
0xC0 (5.0);
0xF8 (5.1);
0x0108 (5.2);
0x88 (early 6.0);
0x90 (late 6.0);
0xA0 (6.1);
0xA8 (6.2 to 1511);
0xA0 (1607 to 1703);
0xA8
0x0170 (5.2);
0xC8 (early 6.0);
0xD8 (late 6.0);
0xE8 (6.1);
0x0100 (6.2 to 1511);
0xF0 (1607 to 1703);
0x0100
ULONG EventsLost;
5.0 to 5.2  
ULONG volatile EventsLost;
6.0 and higher  
0xAC (6.3 to 1511);
0xA4 (1607 to 1703);
0xAC
0x0104 (6.3 to 1511);
0xF4 (1607 to 1703);
0x0104
LONG volatile PeakBuffersCount;
6.3 and higher  
0xC4 (5.0);
0xFC (5.1);
0x010C (5.2);
0x8C (early 6.0);
0x94 (late 6.0);
0xA4 (6.1);
0xAC (6.2);
0xB0 (6.3 to 1511);
0xA8 (1607 to 1703);
0xB0
0x0174 (5.2);
0xCC (early 6.0);
0xDC (late 6.0);
0xEC (6.1);
0x0104 (6.2);
0x0108 (6.2 to 1511);
0xF8 (1607 to 1703);
0x0108
ULONG BuffersWritten;
5.0 and higher  
0xC8 (5.0);
0x0100 (5.1);
0x0110 (5.2);
0x90 (early 6.0);
0x98 (late 6.0);
0xA8 (6.1);
0xB0 (6.2);
0xB4 (6.3 to 1511);
0xAC (1607 to 1703);
0xB4
0x0178 (5.2);
0xD0 (early 6.0);
0xE0 (late 6.0);
0xF0 (6.1);
0x0108 (6.2);
0x010C (6.2 to 1511);
0xFC (1607 to 1703);
0x010C
ULONG LogBuffersLost;
5.0 and higher  
0x94 (early 6.0);
0x9C (late 6.0);
0xAC (6.1);
0xB4 (6.2);
0xB8 (6.3 to 1511);
0xB0 (1607 to 1703);
0xB8
0xD4 (early 6.0);
0xE4 (late 6.0);
0xF4 (6.1);
0x010C (6.2);
0x0110 (6.2 to 1511);
0x0100 (1607 to 1703);
0x0110
ULONG RealTimeBuffersDelivered;
6.0 and higher  
0xCC (5.0);
0x0104 (5.1);
0x0114 (5.2);
0x98 (early 6.0);
0xA0 (late 6.0);
0xB0 (6.1);
0xB8 (6.2);
0xBC (6.3 to 1511);
0xB4 (1607 to 1703);
0xBC
0x017C (5.2);
0xD8 (early 6.0);
0xE8 (late 6.0);
0xF8 (6.1);
0x0110 (6.2);
0x0114 (6.2 to 1511);
0x0104 (1607 to 1703);
0x0114
ULONG RealTimeBuffersLost;
5.0 and higher  
0x0108 (5.1);
0x0118 (5.2);
0x9C (early 6.0);
0xA4 (late 6.0)
0x0180 (5.2);
0xDC (early 6.0);
0xEC (late 6.0)
ULONG BufferSize;
5.1 to 6.0 previously at 0xB0;
next at 0x04
0x010C (5.1);
0x011C (5.2)
0x0184 (5.2)
LONG NumberOfBuffers;
5.1 to 5.2 previously at 0xB4;
next as LONG volatile at 0x80
0xA0 (early 6.0);
0xA8 (late 6.0)
0xE0 (early 6.0);
0xF0 (late 6.0)
ULONG MaximumEventSize;
6.0 next at 0x08
0x0110 (5.1);
0x0120 (5.2);
0xA4 (early 6.0);
0xAC (late 6.0);
0xB4 (6.1);
0xBC (6.2);
0xC0 (6.3 to 1511);
0xB8 (1607 to 1703);
0xC0
0x0188 (5.2);
0xE8 (early 6.0);
0xF8 (late 6.0);
0x0100 (6.1);
0x0118 (6.2 to 1511);
0x0108 (1607 to 1703);
0x0118
LONG *SequencePtr;
5.1 and higher  
0xA8 (early 6.0);
0xB0 (late 6.0);
0xB8 (6.1);
0xC0 (6.2);
0xC4 (6.3 to 1511);
0xBC (1607 to 1703);
0xC4
0xF0 (early 6.0);
0x0100 (late 6.0);
0x0108 (6.1);
0x0120 (6.2 to 1511);
0x0110 (1607 to 1703);
0x0120
ULONG LocalSequence;
6.0 and higher previously at 0x0184 and 0x0208
0xD0 (5.0)   unknown 4-byte counter 5.0 only  
0xD4 (5.0);
0x0114 (5.1);
0x0124 (5.2);
0xAC (early 6.0);
0xB4 (late 6.0);
0xBC (6.1);
0xC4 (6.2);
0xC8 (6.3 to 1511);
0xC0 (1607 to 1703);
0xC8
0x0190 (5.2);
0xF4 (early 6.0);
0x0104 (late 6.0);
0x010C (6.1);
0x0124 (6.2 to 1511);
0x0114 (1607 to 1703);
0x0124
GUID InstanceGuid;
5.0 and higher  
0xE4 (5.0)  
ULONG UsePerfClock;
5.0 only next at 0x58
0xE8 (5.0);
0x0124 (5.1);
0x0134 (5.2)
0x01A0 (5.2)
PVOID LoggerHeader;
5.0 to 5.2  
0x0128 (5.1);
0x0138 (5.2);
0xBC (early 6.0);
0xC4 (late 6.0)
0x01A8 (5.2);
0x0108 (early 6.0);
0x0118 (late 6.0)
LONGLONG (*GetCpuClock) (VOID);
5.1 to 6.0 next at 0x18
0xEC (5.0)   unknown SECURITY_QUALITY_OF_SERVICE 5.0 only  
0xF8 (5.0);
0x012C (5.1);
0x013C (5.2)
0x01B0 (5.2)
SECURITY_CLIENT_CONTEXT ClientSecurityContext;
5.0 to 5.2 next at 0x01AC
0x0134 (5.0)   unknown pointer to a WMI_LOGGER_CONTEXT pointer 5.0 only  
0x0138 (5.0)   unknown pointer to array of eight pointers 5.0 only last member in 5.0

Microsoft’s names for the last few members of the WMI_LOGGER_CONTEXT in version 5.0 are not knowable from symbol files, there being no continuity even to the original version 5.1, let alone to the first service pack for which the public symbol files have type information for this structure. The pointer at offset 0x0134 is into the device extension of the WMI service device object, and specifically to this logger’s slot in the extension’s array of pointers to logger contexts. The pointer at offset 0x0138 is meaningful only for kernel-tracing sessions. It addresses an array of eight pseudo-handles for locked-down sections within the kernel. Four bytes at offset 0x013C have no known use and are here thought to be undefined padding for the structure’s 8-byte alignment.

Offset (x86) Offset (x64) Definition Versions Remarks
0x0168 (5.1);
0x0178 (5.2)
0x01F8 (5.2)
PVOID LoggerExtension;
5.1 to 5.2  
0x016C (5.1);
0x017C (5.2)
0x0200 (5.2)
LONG ReleaseQueue;
5.1 to 5.2  
0x0170 (5.1);
0x0180 (5.2)
0x0204 (5.2)
TRACE_ENABLE_FLAG_EXTENSION EnableFlagExtension;
5.1 to 5.2  
0x0174 (5.1);
0x0184 (5.2)
0x0208 (5.2)
ULONG LocalSequence;
5.1 to 5.2 next at 0xA8
0x0178 (5.1);
0x0188 (5.2)
0x020C (5.2)
ULONG MaximumIrql;
5.1 to 5.2  
0x017C (5.1);
0x018C (5.2)
0x0210 (5.2)
ULONG *EnableFlagArray;
5.1 to 5.2  
0x0180 (5.1);
0x0190 (5.2)
0x0218 (5.2)
KMUTANT LoggerMutex;
5.1 to 5.2 next at 0x018C
0x01A0 (5.1);
0x01B0 (5.2)
0x0250 (5.2)
LONG MutexCount;
5.1 to 5.2  
0xD4 (6.2);
0xD8 (6.3 to 1511);
0xD0 (1607 to 1703);
0xD8
0x0134 (6.2 to 1511);
0x0124 (1607 to 1703);
0x0134
ULONG MaximumFileSize;
6.2 and higher previously at 0x78 and 0xBC
0x01A4 (5.1);
0x01B4 (5.2);
0xC0 (early 6.0);
0xC8 (late 6.0);
0xCC (6.1);
0xD8 (6.2);
0xDC (6.3 to 1511);
0xD4 (1607 to 1703);
0xDC
0x0254 (5.2);
0x0110 (early 6.0);
0x0120 (late 6.0);
0x011C (6.1);
0x0138 (6.2 to 1511);
0x0128 (1607 to 1703);
0x0138
ULONG FileCounter;
5.1 to 5.2  
LONG FileCounter;
6.0 and higher  
0x01A8 (5.1);
0x01B8 (5.2);
0xC4 (early 6.0);
0xCC (late 6.0);
0xD0 (6.1)
0x0258 (5.2);
0x0118 (early 6.0);
0x0128 (late 6.0);
0x0120 (6.1)
VOID 
(*BufferCallback) (
    WMI_BUFFER_HEADER *, 
    PVOID);
5.1 to 5.2  
VOID 
(* volatile BufferCallback) (
    WMI_BUFFER_HEADER *, 
    PVOID);
6.0 to 6.1  
0x01AC (5.1);
0x01BC (5.2)
0x0260 (5.2)
PVOID CallbackContext;
5.1 to 5.2  
0x01B0 (5.1);
0x01C0 (5.2);
0xC8 (early 6.0);
0xD0 (late 6.0);
0xD4 (6.1);
0xDC (6.2);
0xE0 (6.3 to 1511);
0xD8 (1607 to 1703);
0xE0
0x0268 (5.2);
0x0120 (early 6.0);
0x0130 (late 6.0);
0x0128 (6.1);
0x013C (6.2 to 1511);
0x012C (1607 to 1703);
0x013C
POOL_TYPE PoolType;
5.1 and higher  
0x01B8 (5.1);
0x01C8 (5.2)
0x0270 (5.2)
LARGE_INTEGER ReferenceSystemTime;
5.1 to 5.2  
0x01C0 (5.1);
0x01D0 (5.2)
0x0278 (5.2)
LARGE_INTEGER ReferenceTimeStamp;
5.1 to 5.2 last member in 5.1 and 5.2
0xD0 (early 6.0);
0xD8 (late 6.0);
0xD8 (6.1);
0xE0 (6.2);
0xE8 (6.3 to 1511);
0xE0 (1607 to 1703);
0xE8
0x0128 (early 6.0);
0x0138 (late 6.0);
0x0130 (6.1);
0x0140 (6.2 to 1511);
0x0130 (1607 to 1703);
0x0140
ETW_REF_CLOCK ReferenceTime;
6.0 and higher  
0xE0 (early 6.0);
0xE8 (late 6.0)
0x0138 (early 6.0);
0x0148 (late 6.0)
BOOLEAN RealtimeLoggerContextFreed;
6.0 only next in Flags
0xF0 (6.2);
0xF8 (6.3 to 1511);
0xF0 (1607 to 1703);
0xF8
0x0150 (6.2 to 1511);
0x0140 (1607 to 1703);
0x0150
LONG CollectionOn;
6.2 and higher previously at 0x0C
0xF4 (6.2);
0xFC (6.3 to 1511);
0xF4 (1607 to 1703);
0xFC
0x0154 (6.2 to 1511);
0x0144 (1607 to 1703);
0x0154
ULONG ProviderInfoSize;
6.2 and higher  
0xE4 (early 6.0);
0xEC (late 6.0);
0xE8 (6.1);
0xF8 (6.2);
0x0100 (6.3 to 1511);
0xF8 (1607 to 1703);
0x0100
0x0140 (early 6.0);
0x0150 (late 6.0);
0x0140 (6.1);
0x0158 (6.2 to 1511);
0x0148 (1607 to 1703);
0x0158
LIST_ENTRY Consumers;
6.0 and higher  
0xEC (early 6.0);
0xF4 (late 6.0);
0xF0 (6.1);
0x0100 (6.2);
0x0108 (6.3 to 1511);
0x0100 (1607 to 1703);
0x0108
0x0150 (early 6.0);
0x0160 (late 6.0);
0x0150 (6.1);
0x0168 (6.2 to 1511);
0x0158 (1607 to 1703);
0x0168
ULONG NumConsumers;
6.0 and higher  
0xF4 (6.1);
0x0104 (6.2);
0x010C (6.3 to 1511);
0x0104 (1607 to 1703);
0x010C
0x0158 (6.1);
0x0170 (6.2 to 1511);
0x0160 (1607 to 1703);
0x0170
ETW_REALTIME_CONSUMER *TransitionConsumer;
6.1 and higher  
0xF0 (early 6.0);
0xF8 (late 6.0)
0x0158 (early 6.0);
0x0168 (late 6.0)
LIST_ENTRY Connecting;
6.0 only  
0xF8 (early 6.0);
0x0100 (late 6.0)
0x0168 (early 6.0);
0x0178 (late 6.0)
BOOLEAN NewConsumer;
6.0 only  
0xFC (early 6.0);
0x0104 (late 6.0);
0xF8 (6.1);
0x0108 (6.2);
0x0110 (6.3 to 1511);
0x0108 (1607 to 1703);
0x0110
0x0170 (early 6.0);
0x0180 (late 6.0);
0x0160 (6.1);
0x0178 (6.2 to 1511);
0x0168 (1607 to 1703);
0x0178
PVOID RealtimeLogfileHandle;
6.0 and higher  
0x0100 (early 6.0);
0x0108 (late 6.0);
0xFC (6.1);
0x010C (6.2);
0x0114 (6.3 to 1511);
0x010C (1607 to 1703);
0x0114
0x0178 (early 6.0);
0x0188 (late 6.0);
0x0168 (6.1);
0x0180 (6.2 to 1511);
0x0170 (1607 to 1703);
0x0188
UNICODE_STRING RealtimeLogfileName;
6.0 and higher  
0x0108 (early 6.0);
0x0110 (late 6.0);
0x0108 (6.1);
0x0118 (6.2);
0x0120 (6.3 to 1511);
0x0118 (1607 to 1703);
0x0120
0x0188 (early 6.0);
0x0198 (late 6.0);
0x0178 (6.1);
0x0190 (6.2 to 1511);
0x0180 (1607 to 1703);
0x0190
LARGE_INTEGER RealtimeWriteOffset;
6.0 and higher  
0x0110 (early 6.0);
0x0118 (late 6.0);
0x0110 (6.1);
0x0120 (6.2);
0x0128 (6.3 to 1511);
0x0120 (1607 to 1703);
0x0128
0x0190 (early 6.0);
0x01A0 (late 6.0);
0x0180 (6.1);
0x0198 (6.2 to 1511);
0x0188 (1607 to 1703);
0x0198
LARGE_INTEGER RealtimeReadOffset;
6.0 and higher  
0x0118 (early 6.0);
0x0120 (late 6.0);
0x0118 (6.1);
0x0128 (6.2);
0x0130 (6.3 to 1511);
0x0128 (1607 to 1703);
0x0130
0x0198 (early 6.0);
0x01A8 (late 6.0);
0x0188 (6.1);
0x01A0 (6.2 to 1511);
0x0190 (1607 to 1703);
0x01A0
LARGE_INTEGER RealtimeLogfileSize;
6.0 and higher  
0x0120 (early 6.0);
0x0128 (late 6.0);
0x0120 (6.1);
0x0130 (6.2);
0x0138 (6.3 to 1511);
0x0130 (1607 to 1703);
0x0138
0x01A0 (early 6.0);
0x01B0 (late 6.0);
0x0190 (6.1);
0x01A8 (6.2 to 1511);
0x0198 (1607 to 1703);
0x01A8
ULONGLONG RealtimeLogfileUsage;
6.0 and higher  
0x0130 (late 6.0);
0x0128 (6.1);
0x0138 (6.2);
0x0140 (6.3 to 1511);
0x0138 (1607 to 1703);
0x0140
0x01B8 (late 6.0);
0x0198 (6.1);
0x01B0 (6.2 to 1511);
0x01A0 (1607 to 1703);
0x01B0
ULONGLONG RealtimeMaximumFileSize;
late 6.0 and higher  
0x0128 (early 6.0);
0x0138 (late 6.0);
0x0130 (6.1);
0x0140 (6.2);
0x0148 (6.3 to 1511);
0x0140 (1607 to 1703);
0x0148
0x01A8 (early 6.0);
0x01C0 (late 6.0);
0x01A0 (6.1);
0x01B8 (6.2 to 1511);
0x01A8 (1607 to 1703);
0x01B8
ULONG RealtimeBuffersSaved;
6.0 and higher  
0x0130 (early 6.0);
0x0140 (late 6.0);
0x0138 (6.1);
0x0148 (6.2);
0x0150 (6.3 to 1511);
0x0148 (1607 to 1703);
0x0150
0x01B0 (early 6.0);
0x01C8 (late 6.0);
0x01A8 (6.1);
0x01C0 (6.2 to 1511);
0x01B0 (1607 to 1703);
0x01C0
ETW_REF_CLOCK RealtimeReferenceTime;
6.0 and higher  
0x0140 (early 6.0);
0x0150 (late 6.0)
0x01C0 (early 6.0);
0x01D8 (late 6.0)
ULONG RealtimeDisconnectProcessId;
6.0 only  
0x0144 (early 6.0);
0x0154 (late 6.0)
0x01C4 (early 6.0);
0x01DC (late 6.0)
ULONG RealtimeDisconnectConsumerId;
6.0 only  
0x0148 (early 6.0);
0x0158 (late 6.0);
0x0148 (6.1);
0x0158 (6.2);
0x0160 (6.3 to 1511);
0x0158 (1607 to 1703);
0x0160
0x01C8 (early 6.0);
0x01E0 (late 6.0);
0x01B8 (6.1);
0x01D0 (6.2 to 1511);
0x01C0 (1607 to 1703);
0x01D0
ETW_RT_EVENT_LOSS NewRTEventsLost;
6.0 and higher  
0x014C (early 6.0);
0x015C (late 6.0);
0x014C (6.1);
0x015C (6.2);
0x0164 (6.3 to 1511);
0x015C (1607 to 1703);
0x0164
0x01D0 (early 6.0);
0x01E8 (late 6.0);
0x01C0 (6.1);
0x01D8 (6.2 to 1511);
0x01C8 (1607 to 1703);
0x01D8
KEVENT LoggerEvent;
6.0 and higher previously at 0x2C and 0x40
0x015C (early 6.0);
0x016C (late 6.0);
0x015C (6.1);
0x016C (6.2);
0x0174 (6.3 to 1511);
0x016C (1607 to 1703);
0x0174
0x01E8 (early 6.0);
0x0200 (late 6.0);
0x01D8 (6.1);
0x01F0 (6.2 to 1511);
0x01E0 (1607 to 1703);
0x01F0
KEVENT FlushEvent;
6.0 and higher previously at 0x3C and 0x58
0x0170 (6.1);
0x0180 (6.2);
0x0188 (6.3 to 1511);
0x017C (1607 to 1703);
0x0188
0x01F0 (6.1);
0x0208 (6.2 to 1511);
0x01F8 (1607 to 1703);
0x0208
KTIMER FlushTimeOutTimer;
6.1 and higher  
0x016C (early 6.0);
0x017C (late 6.0);
0x0198 (6.1);
0x01A8 (6.2);
0x01B0 (6.3 to 1511);
0x01A8 (1607 to 1703);
0x01B0
0x0200 (early 6.0);
0x0218 (late 6.0);
0x0230 (6.1);
0x0248 (6.2 to 1511);
0x0238 (1607 to 1703);
0x0248
KDPC FlushDpc;
6.0 to 6.1  
KDPC LoggerDpc;
6.2 and higher  
0x018C (early 6.0);
0x019C (late 6.0);
0x01B8 (6.1);
0x01C8 (6.2);
0x01D0 (6.3 to 1511);
0x01C8 (1607 to 1703);
0x01D0
0x0240 (early 6.0);
0x0258 (late 6.0);
0x0270 (6.1);
0x0288 (6.2 to 1511);
0x0278 (1607 to 1703);
0x0288
KMUTANT LoggerMutex;
6.0 and higher previously at 0x0190 and 0x0218
0x01BC (late 6.0);
0x01D8 (6.1);
0x01E8 (6.2);
0x01F0 (6.3 to 1511);
0x01E8 (1607 to 1703);
0x01F0
0x0290 (late 6.0);
0x02A8 (6.1);
0x02C0 (6.2 to 1511);
0x02B0 (1607 to 1703);
0x02C0
EX_PUSH_LOCK LoggerLock;
late 6.0 and higher  
0x01DC (6.1);
0x01EC (6.2);
0x01F4 (6.3 to 1511);
0x01EC (1607 to 1703);
0x01F4
0x02B0 (6.1);
0x02C8 (6.2 to 1511);
0x02B8 (1607 to 1703);
0x02C8
union {
    KSPIN_LOCK BufferListSpinLock;
    EX_PUSH_LOCK BufferListPushLock;
};
6.1 and higher  
0x01AC (early 6.0);
0x01C0 (late 6.0);
0x01E0 (6.1);
0x01F0 (6.2);
0x01F8 (6.3 to 1511);
0x01F0 (1607 to 1703);
0x01F8
0x0278 (early 6.0);
0x0298 (late 6.0);
0x02B8 (6.1);
0x02D0 (6.2 to 1511);
0x02C0 (1607 to 1703);
0x02D0
SECURITY_CLIENT_CONTEXT ClientSecurityContext;
6.0 and higher previously at 0x013C and 0x01B0
0x0234 (10.0 to 1511);
0x022C (1607 to 1703);
0x0234
0x0318 (10.0 to 1511);
0x0308 (1607 to 1703);
0x0318
TOKEN_ACCESS_INFORMATION *TokenAccessInformation;
10.0 and higher  
0x01E8 (early 6.0);
0x01FC (late 6.0);
0x021C (6.1);
0x022C (6.2);
0x0234 (6.3);
0x0238 (10.0 to 1511);
0x0230 (1607 to 1703);
0x0238
0x02C0 (early 6.0);
0x02E0 (late 6.0);
0x0300 (6.1);
0x0318 (6.2 to 6.3);
0x0320 (10.0 to 1511);
0x0310 (1607 to 1703);
0x0320
EX_FAST_REF SecurityDescriptor;
6.0 and higher  
0x01F0 (early 6.0);
0x0200 (late 6.0)
0x02C8 (early 6.0);
0x02E8 (late 6.0)
WMI_BUFFER_HEADER DummyBufferForMarker;
6.0 only  
0x0230 (6.2);
0x0238 (6.3);
0x0240 (10.0 to 1511);
0x0238 (1607 to 1703);
0x0240
0x0320 (6.2 to 6.3);
0x0328 (10.0 to 1511);
0x0318 (1607 to 1703);
0x0328
LARGE_INTEGER StartTime;
6.2 and higher previously at 0x20
0x0238 (6.2);
0x0240 (6.3);
0x0248 (10.0 to 1511);
0x0240 (1607 to 1703);
0x0248
0x0328 (6.2 to 6.3);
0x0330 (10.0 to 1511);
0x0320 (1607 to 1703);
0x0330
HANDLE LogFileHandle;
6.2 and higher previously at 0x28
0x0238 (early 6.0);
0x0248 (late 6.0);
0x0220 (6.1);
0x0240 (6.2);
0x0248 (6.3);
0x0250 (10.0 to 1511);
0x0248 (1607 to 1703);
0x0250
0x0310 (early 6.0);
0x0330 (late 6.0);
0x0308 (6.1);
0x0330 (6.2 to 6.3);
0x0338 (10.0 to 1511);
0x0328 (1607 to 1703);
0x0338
LONGLONG BufferSequenceNumber;
6.0 and higher  
0x0240 (early 6.0);
0x0250 (late 6.0)
0x0318 (early 6.0);
0x0338 (late 6.0)
LONG AcceptNewEvents;
6.0 only next at 0x14
0x0244 (early 6.0);
0x0254 (late 6.0);
0x0228 (6.1);
0x0248 (6.2);
0x0250 (6.3);
0x0258 (10.0 to 1511);
0x0250 (1607 to 1703);
0x0258
0x031C (early 6.0);
0x033C (late 6.0);
0x0310 (6.1);
0x0338 (6.2 to 6.3);
0x0340 (10.0 to 1511);
0x0330 (1607 to 1703);
0x0340
union {
    ULONG Flags;
    struct {
        /*  bit fields, follow link  */
    };
};
6.0 and higher  
0x0248 (early 6.0);
0x0258 (late 6.0);
0x022C (6.1);
0x024C (6.2);
0x0254 (6.3);
0x025C (10.0 to 1511);
0x0254 (1607 to 1703);
0x025C
0x0320 (early 6.0);
0x0340 (late 6.0);
0x0314 (6.1);
0x033C (6.2 to 6.3);
0x0344 (10.0 to 1511);
0x0334 (1607 to 1703);
0x0344
union {
    ULONG RequestFlag;
    struct {
        /*  bit fields, follow link  */
    };
};
6.0 to 6.1 previously at 0xC4 and 0x012C
union {
    ULONG volatile RequestFlag;
    struct {
        /*  bit fields, follow link  */
    };
};
6.2 and higher  
0x024C (early 6.0);
0x025C (late 6.0)
0x0324 (early 6.0);
0x0344 (late 6.0)
USHORT StackTraceFilterHookCount;
6.0 only  
0x024E (early 6.0);
0x025E (late 6.0)
0x0326 (early 6.0);
0x0346 (late 6.0)
USHORT StackTraceFilter [0x10];
6.0 only last member in 6.0
0x0260 0x0350
ETW_STACK_TRACE_BLOCK StackTraceBlock;
1709 and higher  
0x0230 (6.1);
0x0250 (6.2);
0x0258 (6.3);
0x0260 (10.0 to 1511);
0x0258 (1607 to 1703);
0x04E8 (1709);
0x02B0
0x0318 (6.1);
0x0340 (6.2 to 6.3);
0x0348 (10.0 to 1511);
0x0338 (1607 to 1703);
0x0850 (1709);
0x03D0
RTL_BITMAP HookIdMap;
6.1 and higher last member in 6.1
0x0258 (6.2);
0x0260 (6.3);
0x0268 (10.0 to 1511);
0x0260 (1607 to 1703);
0x04F0 (1709);
0x02B8
0x0350 (6.2 to 6.3);
0x0358 (10.0 to 1511);
0x0348 (1607 to 1703);
0x0860 (1709);
0x03E0
ETW_STACK_CACHE *StackCache;
6.2 and higher  
0x025C (6.2);
0x0264 (6.3);
0x026C (10.0 to 1511);
0x0264 (1607 to 1703);
0x04F4 (1709);
0x02BC
0x0358 (6.2 to 6.3);
0x0360 (10.0 to 1511);
0x0350 (1607 to 1703);
0x0868 (1709);
0x03E8
ETW_PMC_SUPPORT *PmcData;
6.2 and higher  
0x04F8 (1709);
0x02C0
0x0870 (1709);
0x03F0
ETW_LBR_SUPPORT *LbrData;
1709 and higher  
0x02C4 0x03F8
ETW_IPT_SUPPORT *IptData;
1803 and higher  
0x0260 (6.2);
0x0268 (6.3);
0x0270 (10.0 to 1511);
0x0268 (1607 to 1703)
0x0360 (6.2 to 6.3);
0x0368 (10.0 to 1511);
0x0358 (1607 to 1703)
LIST_ENTRY WinRtProviderBinaryList;
6.2 to 1703  
0x04FC (1709);
0x02C8
0x0878 (1709);
0x0400
LIST_ENTRY BinaryTrackingList;
1709 and higher  
0x0268 (6.2);
0x0270 (6.3);
0x0278 (10.0 to 1511);
0x0270 (1607 to 1703);
0x0504 (1709);
0x02D0
0x0370 (6.2 to 6.3);
0x0378 (10.0 to 1511);
0x0368 (1607 to 1703);
0x0888 (1709);
0x0410
WMI_BUFFER_HEADER **ScratchArray;
6.2 and higher last member in 6.2 and 6.3
0x027C (10.0 to 1511);
0x0274 (1607 to 1703);
0x0508 (1709);
0x02D4
0x0380 (10.0 to 1511);
0x0370 (1607 to 1703);
0x0890 (1709);
0x0418
DISALLOWED_GUIDS DisallowedGuids;
10.0 and higher last member in 1511
0x0284 (10.0) 0x0390 (10.0)
ESILO *ServerSilo;
10.0 only last member in 10.0
0x0280 (1703);
0x0510 (1709);
0x02E0
0x0380 (1703);
0x08A0 (1709);
0x0428
LONGLONG RelativeTimeDueTime;
1703 and higher  
0x0288 (1703);
0x0518 (1709);
0x02E8
0x0388 (1703);
0x08A8 (1709);
0x0430
PERIODIC_CAPTURE_STATE_GUIDS PeriodicCaptureStateGuids;
1703 and higher  
0x0290 (1703);
0x0520 (1709);
0x02F0
0x0398 (1703);
0x08B8 (1709);
0x0440
EX_TIMER *PeriodicCaptureStateTimer;
1703 and higher  
0x0294 (1703);
0x0524 (1709);
0x02F4
0x03A0 (1703);
0x08C0 (1709);
0x0448
ETW_PERIODIC_TIMER_STATE PeriodicCaptureStateTimerState;
1703 and higher  
0x027C (1607);
0x0298 (1703);
0x0528 (1709);
0x02F8
0x0380 (1607);
0x03A8 (1703);
0x08C8 (1709);
0x0450
ETW_SOFT_RESTART_CONTEXT *SoftRestartContext;
1607 and higher  
0x0280 (1607);
0x029C (1703);
0x052C (1709);
0x02FC
0x0388 (1607);
0x03B0 (1703);
0x08D0 (1709);
0x0458
ETW_SILODRIVERSTATE *SiloState;
1607 and higher  
0x0284 (1607);
0x02A0 (1703);
0x0530 (1709);
0x0300
0x0390 (1607);
0x03B8 (1703);
0x08D8 (1709);
0x0460
WORK_QUEUE_ITEM CompressionWorkItem;
1607 and higher  
0x0294 (1607);
0x02B0 (1703);
0x0540 (1709);
0x0310
0x03B0 (1607);
0x03D8 (1703);
0x08F8 (1709);
0x0480
LONG CompressionWorkItemState;
1607 and higher  
0x0298 (1607);
0x02B4 (1703);
0x0544 (1709);
0x0314
0x03B8 (1607);
0x03E0 (1703);
0x0900 (1709);
0x0488
EX_PUSH_LOCK CompressionLock;
1607 and higher  
0x029C (1607);
0x02B8 (1703);
0x0548 (1709);
0x0318
0x03C0 (1607);
0x03E8 (1703);
0x0908 (1709);
0x0490
WMI_BUFFER_HEADER *CompressionTarget;
1607 and higher  
0x02A0 (1607);
0x02BC (1703);
0x054C (1709);
0x031C
0x03C8 (1607);
0x03F0 (1703);
0x0910 (1709);
0x0498
PVOID CompressionWorkspace;
1607 and higher  
0x02A4 (1607);
0x02C0 (1703);
0x0550 (1709);
0x0320
0x03D0 (1607);
0x03F8 (1703);
0x0918 (1709);
0x04A0
LONG CompressionOn;
1607 and higher  
0x02A8 (1607);
0x02C4 (1703);
0x0554 (1709);
0x0324
0x03D4 (1607);
0x03FC (1703);
0x091C (1709);
0x04A4
ULONG CompressionRatioGuess;
1607 and higher  
0x02AC (1607);
0x02C8 (1703);
0x0558 (1709);
0x0328
0x03D8 (1607);
0x0400 (1703);
0x0920 (1709);
0x04A8
ULONG PartialBufferCompressionLevel;
1607 and higher  
0x02B0 (1607);
0x02CC (1703);
0x055C (1709);
0x032C
0x03DC (1607);
0x0404 (1703);
0x0924 (1709);
0x04AC
ETW_COMPRESSION_RESUMPTION_MODE CompressionResumptionMode;
1607 and higher  
0x02B4 (1607);
0x02D0 (1703);
0x0560 (1709);
0x0330
0x03E0 (1607);
0x0408 (1703);
0x0928 (1709);
0x04B0
SINGLE_LIST_ENTRY PlaceholderList;
1607 and higher  
0x02B8 (1607);
0x02D4 (1703);
0x0564 (1709);
0x0334
0x03E8 (1607);
0x0410 (1703);
0x0930 (1709);
0x04B8
KDPC CompressionDpc;
1607 and higher  
0x02D8 (1607);
0x02F8 (1703);
0x0588 (1709);
0x0358
0x0428 (1607);
0x0450 (1703);
0x0970 (1709);
0x04F8
LARGE_INTEGER LastBufferSwitchTime;
1607 and higher  
0x02E0 (1607);
0x0300 (1703);
0x0590 (1709);
0x0360
0x0430 (1607);
0x0458 (1703);
0x0978 (1709);
0x0500
LARGE_INTEGER BufferWriteDuration;
1607 and higher  
0x02E8 (1607);
0x0308 (1703);
0x0598 (1709);
0x0368
0x0438 (1607);
0x0460 (1703);
0x0980 (1709);
0x0508
LARGE_INTEGER BufferCompressDuration;
1607 and higher last member in 1607 to 1803
0x0370 0x0510
LONGLONG ReferenceQpcDelta;
1809 and higher  
0x0378 0x0518
ETW_EVENT_CALLBACK_CONTEXT *CallbackContext;
1809 and higher last member in 1809
0x037C 0x0520
LARGE_INTEGER *LastDroppedTime;
1903 and higher  
0x0380 0x0528
LARGE_INTEGER *FlushingLastDroppedTime;
1903 and higher  
0x0388 0x0530
LONGLONG FlushingSequenceNumber;
1903 and higher last member in 1903
0x0390 0x0538
ETW_PARTITION_CONTEXT PartitionContext;
2004 and higher  
0x0394 0x0540
MDL *BufferMdl;
2004 and higher last member in 2004

Note that in x64 builds for version 1709 and higher, the StackTraceBlock and thence the whole of the WMI_LOGGER_CONTEXT has 16-byte alignment.

Clock Type

The defined values for the ClockType each correspond to a different GetCpuClock routine for getting timestamps. Microsoft’s names are known from the NTWMI.H header:

Value Name Time
0 EVENT_TRACE_CLOCK_RAW  
1 EVENT_TRACE_CLOCK_PERFCOUNTER tick count from the KeQueryPerformanceCounter function
2 EVENT_TRACE_CLOCK_SYSTEMTIME 100ns units since 1601, as from the KeQuerySystemTimePrecise function 
3 EVENT_TRACE_CLOCK_CPUCYCLE processor cycle count from the rdtsc instruction
4 EVENT_TRACE_CLOCK_MAX
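
The following C sketch is an added example, not code from this page's author or from Microsoft. It decodes a few members from a raw x64 WMI_LOGGER_CONTEXT image, such as one carved from a memory dump, using sizes and offsets from the tables above, and rejects a decode whose ClockType is not below EVENT_TRACE_CLOCK_MAX, which is how a wrong choice of build tends to show itself. The wlc_* names, the selection of five builds and the sample image are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ClockType values, with the NTWMI.H names listed in the table above. */
enum { EVENT_TRACE_CLOCK_RAW, EVENT_TRACE_CLOCK_PERFCOUNTER,
       EVENT_TRACE_CLOCK_SYSTEMTIME, EVENT_TRACE_CLOCK_CPUCYCLE,
       EVENT_TRACE_CLOCK_MAX };

/* Builds covered here (hypothetical enum; a subset of those on the page). */
enum wlc_build { WLC_6_1, WLC_10_0, WLC_1607, WLC_1709, WLC_2004, WLC_BUILDS };

/* x64 structure size and member offsets, copied from the page's tables. */
struct wlc_layout { size_t size, logger_mode, clock_type, events_lost; };

static const struct wlc_layout wlc_layouts[WLC_BUILDS] = {
    [WLC_6_1]  = { 0x0330, 0x10, 0xB8, 0x00E8 },
    [WLC_10_0] = { 0x0398, 0x0C, 0xD8, 0x0100 },
    [WLC_1607] = { 0x0440, 0x0C, 0xC8, 0x00F0 },
    [WLC_1709] = { 0x0990, 0x0C, 0xD8, 0x0100 },
    [WLC_2004] = { 0x0550, 0x0C, 0xD8, 0x0100 },
};

struct wlc_summary {
    uint32_t logger_id, buffer_size, max_event_size;
    uint32_t logger_mode, clock_type, events_lost;
};

enum wlc_status { WLC_OK, WLC_BAD_BUILD, WLC_TRUNCATED, WLC_IMPLAUSIBLE };

/* Little-endian 32-bit accessors, independent of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Decode img as the given build's layout. The image must hold the whole
 * structure for that build, and ClockType must be a defined value. A zero
 * read from the wrong offset still passes as EVENT_TRACE_CLOCK_RAW, so the
 * check can reject a wrong build but cannot confirm a right one. */
enum wlc_status wlc_decode(enum wlc_build build, const uint8_t *img,
                           size_t len, struct wlc_summary *out)
{
    if ((unsigned)build >= (unsigned)WLC_BUILDS)
        return WLC_BAD_BUILD;
    const struct wlc_layout *l = &wlc_layouts[build];
    if (len < l->size)
        return WLC_TRUNCATED;
    out->logger_id      = rd32(img + 0x00);   /* 6.1 and higher */
    out->buffer_size    = rd32(img + 0x04);   /* 6.1 and higher */
    out->max_event_size = rd32(img + 0x08);   /* 6.1 and higher */
    out->logger_mode    = rd32(img + l->logger_mode);
    out->clock_type     = rd32(img + l->clock_type);
    out->events_lost    = rd32(img + l->events_lost);
    if (out->clock_type >= EVENT_TRACE_CLOCK_MAX)
        return WLC_IMPLAUSIBLE;
    return WLC_OK;
}

/* Constructed sample: a zero-filled 1607 x64 image with a few members set.
 * All values are made up for the example. */
static void wlc_make_sample_1607(uint8_t *img)
{
    memset(img, 0, 0x0440);
    wr32(img + 0x00, 3);            /* LoggerId */
    wr32(img + 0x04, 0x10000);      /* BufferSize */
    wr32(img + 0x08, 0xFFB8);       /* MaximumEventSize */
    wr32(img + 0x0C, 0x100);        /* LoggerMode */
    wr32(img + 0xC8, EVENT_TRACE_CLOCK_PERFCOUNTER);  /* ClockType */
    wr32(img + 0xD8, 0x00100000);   /* ByteOffset, low 32 bits */
    wr32(img + 0xF0, 7);            /* EventsLost */
}

/* Decode the constructed 1607 sample as if it came from `build`. */
enum wlc_status wlc_demo(enum wlc_build build, struct wlc_summary *out)
{
    static uint8_t img[0x0440];
    wlc_make_sample_1607(img);
    return wlc_decode(build, img, sizeof img, out);
}

int main(void)
{
    static const char *names[WLC_BUILDS] = { "6.1", "10.0", "1607", "1709", "2004" };
    for (int b = 0; b < WLC_BUILDS; b++) {
        struct wlc_summary s = { 0 };
        enum wlc_status st = wlc_demo((enum wlc_build)b, &s);
        printf("as %-4s status=%d LoggerId=%u ClockType=0x%X EventsLost=%u\n",
               names[b], (int)st, (unsigned)s.logger_id,
               (unsigned)s.clock_type, (unsigned)s.events_lost);
    }
    return 0;
}
```

Decoded as 10.0, the sample's ClockType is read from 0xD8, where the 1607 layout has ByteOffset, so the value is out of range and the decode is rejected; decoded as 6.1, the read lands on zero bytes and passes, which is why the check alone does not identify the build.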