Geoff Chappell - Software Analyst
The public symbol file NTKRPAMP.PDB for the original release of Windows 10 tells that the kernel is built with the NTETW.H header at
d:\th.public.fre\internal\sdk\inc\minwin
and draws from it the following type definition:
| Line Number | Type |
|---|---|
| 268 | enum _ETW_NOTIFICATION_TYPE |
The header NTETW.H is published in the “minwin” directory of the Windows Driver Kit (WDK) for Windows 10 in the original and Version 1511 editions. Microsoft is not known to have published it before or since.
Perhaps by oversight, but perhaps not, Microsoft has since Windows 8 distributed some private symbol files in downloadable packages of otherwise public symbol files. Though Microsoft no longer packages symbol files for downloading, these private symbol files continue to be made available at Microsoft’s public symbol server. A few of these private symbol files show that the corresponding binaries were built with NTETW.H included by the source files. They thus tell of many more types that are defined in NTETW.H than do the public symbol files for the kernel. The applicable binaries are conspicuously few (up to and including the 2004 release of Windows 10):
Since this header’s contents are completely known for the early releases of Windows 10 but not before or since, it is as well to move on a few years. The table below is of types that are defined in the otherwise unseen NTETW.H in the 2004 edition of WIndows 10:
| Line Number (Version 2004) |
Type |
|---|---|
| 82 | struct _ETW_UMGL_KEY |
| 298 | enum _ETW_NOTIFICATION_TYPE |
| 316 | enum ETWTRACECONTROLCODE |
| 328 | struct _ETW_NOTIFICATION_HEADER |
| 414 | struct _ETW_KERNEL_HEADER_EXTENSION |
| 422 | struct _ETW_SET_MARK_INFORMATION |
| 427 | struct _ETW_PARTITION_INFO_EXTENSION |
| 436 | struct _ETW_PARTITION_INFO_EXTENSION |
| 445 | struct _ETW_LAST_DROPPED_EVENT_STRUCT |
| 455 | enum _EVENT_TRACE_INFORMATION_CLASS |
| 485 | struct _EVENT_TRACE_VERSION_INFORMATION |
| 490 | struct _EVENT_TRACE_GROUPMASK_INFORMATION |
| 496 | struct _EVENT_TRACE_PERFORMANCE_INFORMATION |
| 501 | struct _EVENT_TRACE_TIME_PROFILE_INFORMATION |
| 506 | struct _EVENT_TRACE_SESSION_SECURITY_INFORMATION |
| 513 | struct _EVENT_TRACE_SPINLOCK_INFORMATION_V1 |
| 520 | struct _EVENT_TRACE_SPINLOCK_INFORMATION |
| 528 | struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION |
| 534 | struct _EVENT_TRACE_TAG_FILTER_INFORMATION |
| 540 | struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION |
| 547 | struct _EVENT_TRACE_HEAP_TRACING_INFORMATION |
| 576 | struct _EVENT_TRACE_PROFILE_LIST_INFORMATION |
| 582 | struct _EVENT_TRACE_PROFILE_COUNTER_INFORMATION |
| 590 | struct _EVENT_TRACE_STACK_CACHING_INFORMATION |
| 599 | struct _EVENT_TRACE_SOFT_RESTART_INFORMATION |
| 626 | struct _EVENT_TRACE_LBR_CONFIGURATION_INFORMATION |
| 634 | struct _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 |
| 636 | unnamed struct Intel in anonymous union in struct _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 |
| 644 | unnamed struct Amd in anonymous union in struct _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 |
| 648 | unnamed stuct Arm in anonymous union in struct _EVENT_TRACE_PROFILE_ADD_INFORMATION_V2 |
| 655 | struct _EVENT_TRACE_PROFILE_ADD_INFORMATION |
| 675 | struct _EVENT_TRACE_PROFILE_REMOVE_INFORMATION |
| 690 | struct _EVENT_TRACE_IPT_CONFIGURATION_INFORMATION |
| 711 | enum _ETW_COVERAGE_SAMPLER_INFORMATION_CLASS |
| 722 | struct _EVENT_TRACE_COVERAGE_SAMPLER_INFORMATION |
| 737 | struct _ETW_COVERAGE_SAMPLER_STATS |
| 757 | struct _ETW_COVERAGE_SAMPLER_OPTION_FLAGS |
| 775 | struct _ETW_COVERAGE_SAMPLER_OPTIONS |
| 802 | struct _ETW_COVERAGE_SAMPLER_PERF_STATS |
| 916 | struct _ETW_COVERAGE_SAMPLER_STATUS |
| 929 | struct _ETW_COVERAGE_SAMPLER_BLOOM_FILTER |
| 1052 | struct _ETW_COVERAGE_SAMPLER_CREATE_INFO |
| 1059 | struct _ETW_COVERAGE_SAMPLER_BLOOM_INFO |
| 1064 | struct _ETW_COVERAGE_SAMPLER_PERF_INFO |
| 1069 | struct _ETW_COVERAGE_SAMPLER_STATUS_INFO |
| 1074 | struct _ETW_COVERAGE_SAMPLER_MODULE |
| 1095 | struct _ETW_COVERAGE_SAMPLER_SAMPLE |
| 1102 | struct _ETW_COVERAGE_SAMPLER_DATA |
| 1118 | struct _ETW_COVERAGE_SAMPLER_QUERY_INFO |
| 1128 | enum _ETW_SESSION_NOTIFICATION_TYPE |
| 1137 | struct _ETW_SESSION_NOTIFICATION_PACKET |