This page is being prepared for a substantial reworking. Some content may be temporarily missing. Temporarily may turn into indefinitely. New content may be more than usually defective. The page is now published only as a revision in progress. Use with caution.

EVENT_INSTANCE_HEADER

The EVENT_INSTANCE_HEADER is one of several types of fixed-size header that introduce variable-size data for events that are logged through Event Tracing for Windows (ETW). As with other types of event, those that begin with an EVENT_INSTANCE_HEADER accumulate first in trace buffers. To have these events persist in this raw form for ready inspection, configure the event tracing session to flush the trace buffers to an Event Trace Log (ETL) file.

Less common among the several types of event that get into the trace buffers, those that begin with an EVENT_INSTANCE_HEADER typically originated with this header. The documented API function TraceEventInstance takes an EVENT_INSTANCE_HEADER as its input. The similarly old kernel export IoWMIWriteEvent is documented as taking a WNODE_HEADER as its input, but can handle an EVENT_INSTANCE_HEADER.

Documentation Status

The EVENT_INSTANCE_HEADER structure is documented.

That said, Microsoft seems never to have documented that IoWMIWriteEvent accepts an EVENT_INSTANCE_HEADER. (A search through Google for the function and structure in combination produces no matches today, 10th December 2018.)

Layout

The EVENT_INSTANCE_HEADER is 0x38 bytes in both 32-bit and 64-bit Windows in all known versions that have it, i.e., 5.0 and higher.

Offset Definition Versions
0x00 
USHORT Size;
 5.0 and higher
0x02 
UCHAR HeaderType;
UCHAR MarkerFlags;
 5.0 only 
union {
    USHORT FieldTypeFlags;
    struct {
        UCHAR HeaderType;
        UCHAR MarkerFlags;
    };
};
 5.1 and higher
0x04 
union {
    ULONG Version;
    struct {
        UCHAR Type;
        UCHAR Level;
        USHORT Version;
    } Class;
};
 5.0 and higher
0x08 
ULONGLONG ThreadId;
 5.0 only 
ULONG ThreadId;
 5.1 and higher
0x0C 
ULONG ProcessId;
 5.1 and higher
0x10 
LARGE_INTEGER TimeStamp;
 5.0 and higher
0x18 
ULONGLONG RegHandle;
 5.0 and higher
0x20 
ULONG InstanceId;
 5.0 and higher
0x24 
ULONG ParentInstanceId;
 5.0 and higher
0x28 
union {
    struct {
        ULONG ClientContext;
        ULONG Flags;
    };
    struct {
        ULONG KernelTime;
        ULONG UserTime;
    };
    ULONG64 ProcessorTime;
};
 5.0 to 5.2 
union {
    struct {
        ULONG KernelTime;
        ULONG UserTime;
    };
    ULONG64 ProcessorTime;
    struct {
        ULONG EventId;
        ULONG Flags;
    };
};
 6.0 and higher
0x30 
ULONGLONG ParentRegHandle;
 5.0 and higher

The first 4 bytes have common elements in all the various Trace Headers. All have the high two bits set in the MarkerFlags. What distinguishes a header as continuing specifically as an EVENT_INSTANCE_HEADER is the HeaderType:

Value Name Implied Layout
0x0B TRACE_HEADER_TYPE_INSTANCE32 0x38 bytes of header followed by 32-bit event data
0x15 TRACE_HEADER_TYPE_INSTANCE64 0x38 bytes of header followed by 64-bit event data

This page was created on 10th December 2018 and was last modified on 30th November 2022.

Copyright © 2018-2022. Geoff Chappell. All rights reserved. Conditions apply.