Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the EVNTRACE.H header at
d:\th.public.fre\internal\minwin\priv_sdk\inc
and draws from it the following type definitions:
| Line Number | Type |
|---|---|
| 653 | struct _TRACE_LOGFILE_HEADER |
| 657 | unnamed struct VersionDetail in anonymous union in struct _TRACE_LOGFILE_HEADER |
| 876 | struct _ETW_BUFFER_CONTEXT |
| 901 | struct _TRACE_ENABLE_INFO |
A header named EVNTRACE.H is among the headers in the publicly available Windows Driver Kit (WDK) for Windows 10. It is there in the “shared” subdirectory with many other headers that are intended for use in both kernel-mode and user-mode programming.
For completeness, note that the kernel uses other types that are defined in this header but which do not show in the public symbol files—and the header defines types that are not used by the kernel:
| Line Number | Type |
|---|---|
| 500 | struct _EVENT_TRACE_HEADER |
| 511 | unnamed struct Class in anonymous union in struct _EVENT_TRACE_HEADER |
| 540 | struct _EVENT_INSTANCE_HEADER |
| 551 | unnamed struct Class in anonymous union in struct _EVENT_INSTANCE_HEADER |
| 630 | struct _MOF_FIELD |
| 653 | struct _TRACE_LOGFILE_HEADER |
| 657 | unnamed struct VersionDetail in anonymous union in struct _TRACE_LOGFILE_HEADER |
| 696 | struct _TRACE_LOGFILE_HEADER32 |
| 700 | unnamed struct VersionDetail in anonymous union in struct _TRACE_LOGFILE_HEADER32 |
| 739 | struct _TRACE_LOGFILE_HEADER64 |
| 643 | unnamed struct VersionDetail in anonymous union in struct _TRACE_LOGFILE_HEADER64 |
| 792 | struct EVENT_INSTANCE_INFO |
| 813 | struct _EVENT_TRACE_PROPERTIES |
| 850 | struct _TRACE_GUID_REGISTRATION |
| 861 | struct _TRACE_GUID_PROPERTIES |
| 876 | struct _ETW_BUFFER_CONTEXT |
| 901 | struct _TRACE_ENABLE_INFO |
| 918 | struct _TRACE_PROVIDER_INSTANCE_INFO |
| 930 | struct _TRACE_GUID_INFO |
| 935 | struct _PROFILE_SOURCE_INFO |
| 955 | struct _EVENT_TRACE |
| 1023 | struct _EVENT_TRACE_LOGFILEW |
| 1059 | struct _EVENT_TRACE_LOGFILEA |
| 1464 | struct _ENABLE_TRACE_PARAMETERS_V1 |
| 1472 | struct _ENABLE_TRACE_PARAMETERS |
| 1507 | enum _TRACE_QUERY_INFO_CLASS |
| 1550 | struct _CLASSIC_EVENT_ID |
| 1556 | struct _TRACE_PROFILE_INTERVAL |
| 1561 | struct _TRACE_VERSION_INFO |