Geoff Chappell, Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
ULONG
EtwEventWriteEndScenario (
    REGHANDLE RegHandle,
    PCEVENT_DESCRIPTOR EventDescriptor,
    ULONG UserDataCount,
    PEVENT_DATA_DESCRIPTOR UserData);
The RegHandle argument specifies an event provider.
The EventDescriptor argument is the address of a structure that describes an event to write.
The UserDataCount argument specifies the number of data elements to pass with the event.
The UserData argument is the address of an array of structures that each describe one of those data elements.
The function returns zero for success, else an error code.
The EtwEventWriteEndScenario function is EtwEventWrite with one earlier step: before writing the specified event, it calls the NT kernel to end all WDI scenarios for which the specified event is configured as an end event.
It is an error (ERROR_INVALID_PARAMETER) to omit the event descriptor. It is also an error (ERROR_INVALID_HANDLE) if the handle to the provider is invalid or if the event is not enabled for the provider.
The EtwEventWriteEndScenario function is exported by name from NTDLL.DLL in version 6.0 and higher. The preferred access is through EventWriteEndScenario, which is exported by ADVAPI32.DLL version 6.0 and higher.
Not only does Microsoft not document EtwEventWriteEndScenario, as expected for an NTDLL function, but the forward from ADVAPI32 is not documented either.
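An added example, not from the original page or from Microsoft: a PowerShell harness that calls the ADVAPI32 forward using the prototype above and prints each returned code beside the one this page states. The EtwScenario class name, the random provider GUID and event Id 1 are constructed for illustration, and the 16-byte buffer follows the documented EVENT_DESCRIPTOR layout.

```powershell
# P/Invoke declarations. EventRegister and EventUnregister are documented;
# the EventWriteEndScenario signature is taken from the prototype on this page.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class EtwScenario {
    [DllImport("advapi32.dll")]
    public static extern uint EventRegister(ref Guid ProviderId, IntPtr EnableCallback,
        IntPtr CallbackContext, out ulong RegHandle);
    [DllImport("advapi32.dll")]
    public static extern uint EventUnregister(ulong RegHandle);
    // EventDescriptor is declared as IntPtr so that NULL can be passed.
    [DllImport("advapi32.dll")]
    public static extern uint EventWriteEndScenario(ulong RegHandle, IntPtr EventDescriptor,
        uint UserDataCount, IntPtr UserData);
}
'@

$marshal  = [Runtime.InteropServices.Marshal]
$provider = [Guid]::NewGuid()          # constructed GUID, enabled in no trace session
$handle   = [uint64]0
$rc = [EtwScenario]::EventRegister([ref]$provider, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$handle)
if ($rc -ne 0) { throw "EventRegister failed with error $rc" }

# EVENT_DESCRIPTOR is 16 bytes: Id (2), Version, Channel, Level, Opcode (1 each),
# Task (2), Keyword (8). Zero it, then set Id = 1 (constructed value).
$desc = $marshal::AllocHGlobal(16)
try {
    $marshal::Copy((New-Object byte[] 16), 0, $desc, 16)
    $marshal::WriteInt16($desc, 0, 1)

    $cases = @(
        @{ Name = 'descriptor omitted';    Page = 87; Handle = $handle;    Desc = [IntPtr]::Zero },
        @{ Name = 'event not enabled';     Page = 6;  Handle = $handle;    Desc = $desc },
        @{ Name = 'invalid handle (zero)'; Page = 6;  Handle = [uint64]0;  Desc = $desc }
    )
    foreach ($c in $cases) {
        $got = [EtwScenario]::EventWriteEndScenario($c.Handle, $c.Desc, 0, [IntPtr]::Zero)
        '{0,-24} page says {1,2}, returned {2}' -f $c.Name, $c.Page, $got
    }
}
finally {
    $marshal::FreeHGlobal($desc)
    [void][EtwScenario]::EventUnregister($handle)
}
```

Here 87 is ERROR_INVALID_PARAMETER and 6 is ERROR_INVALID_HANDLE; a mismatch on a given Windows build shows where behaviour differs from what this page describes.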