Geoff Chappell - Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
This function writes an event but without requiring that the event provider have registered from user mode.
ULONG EtwEventWriteNoRegistration (
    GUID const *ProviderId,
    EVENT_DESCRIPTOR const *EventDescriptor,
    ULONG UserDataCount,
    EVENT_DATA_DESCRIPTOR *UserData);
The required ProviderId argument identifies which event provider is writing the event.
The required EventDescriptor argument tells which event is to be written.
The optional UserDataCount and UserData arguments are respectively the element count and the address of an array of structures that provide event-specific data to record with the event.
The function returns zero for success, else a Win32 error code.
The EtwEventWriteNoRegistration function is exported by name from NTDLL.DLL in version 6.1 and higher.
As with many NTDLL exports, Microsoft does not document EtwEventWriteNoRegistration. No higher-level access is known, documented or not.
A C-language declaration of EtwEventWriteNoRegistration is published by Microsoft in a file named NTETW.H in the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 Version 1511.
If either ProviderId or EventDescriptor is NULL, the function has no event to write, and it returns ERROR_INVALID_PARAMETER.
The main point of this function’s availability in user mode is to write an event as if from a kernel-mode event provider. A side-effect is that it bypasses the user-mode ETW implementation: the function does not send the event to any private user-mode tracing session. For sending the event to the kernel, the function packages its inputs and defaults with an EVENT_HEADER as usual, but the Flags argument for NtTraceEvent is ETW_NT_FLAGS_TRACE_EVENT_NOREG and the TraceHandle is the ProviderId.
Details of the kernel-mode handling will be presented elsewhere. A summary is that the kernel requires that the ProviderId is that of a registered event provider and that this provider is enabled for at least some tracing session, else the function returns ERROR_WMI_ALREADY_DISABLED. The function also fails if the user-mode caller does not have TRACELOG_REGISTER_GUIDS access to the provider.
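As an added example (not code from the page, and not Microsoft's), the following C wrapper shows how a program would reach this undocumented export: it resolves EtwEventWriteNoRegistration by name from the already-loaded NTDLL at run time, builds the UserData array of EVENT_DATA_DESCRIPTOR structures, applies the NULL-argument check described above before calling, and maps the return codes the page describes to text. The helper names, the constructed provider GUID and payload, and the use of ERROR_ACCESS_DENIED for the TRACELOG_REGISTER_GUIDS failure (the page names the access, not the code) are assumptions. On a non-Windows build the SDK types are mirrored locally so the argument handling can still be exercised; the export itself is only reachable on Windows with NTDLL 6.1 or higher.

```c
/* Added example, not code from the page or from Microsoft: a wrapper
 * around the undocumented NTDLL export EtwEventWriteNoRegistration,
 * resolved at run time (no import library needed). Helper names and the
 * sample provider GUID are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <evntprov.h>           /* EVENT_DESCRIPTOR, EVENT_DATA_DESCRIPTOR */
#else
/* Minimal mirrors of the SDK types so the argument-handling helpers
 * build and can be exercised on a non-Windows host. */
#define NTAPI
typedef uint32_t ULONG;
typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;
typedef struct {
    uint16_t Id; uint8_t Version; uint8_t Channel; uint8_t Level;
    uint8_t Opcode; uint16_t Task; uint64_t Keyword;
} EVENT_DESCRIPTOR;
typedef struct { uint64_t Ptr; uint32_t Size; uint32_t Reserved; } EVENT_DATA_DESCRIPTOR;
#define ERROR_ACCESS_DENIED          5
#define ERROR_INVALID_PARAMETER      87
#define ERROR_CALL_NOT_IMPLEMENTED   120
#define ERROR_WMI_ALREADY_DISABLED   4212
#endif

/* Signature as declared in NTETW.H (see the page). */
typedef ULONG (NTAPI *EtwEventWriteNoRegistration_t)(
    const GUID *ProviderId, const EVENT_DESCRIPTOR *EventDescriptor,
    ULONG UserDataCount, EVENT_DATA_DESCRIPTOR *UserData);

/* Without a provider and a descriptor there is no event to write and the
 * function fails with ERROR_INVALID_PARAMETER. The count/array
 * consistency check is this wrapper's own addition. */
ULONG validate_args(const GUID *provider, const EVENT_DESCRIPTOR *desc,
                    ULONG count, const EVENT_DATA_DESCRIPTOR *data)
{
    if (provider == NULL || desc == NULL) return ERROR_INVALID_PARAMETER;
    if (count != 0 && data == NULL) return ERROR_INVALID_PARAMETER;
    return 0;
}

/* Fill the UserData array: one descriptor (address + byte size) per
 * payload field, in the order the provider's event layout expects. */
size_t pack_payload(EVENT_DATA_DESCRIPTOR *out, size_t cap,
                    const void *const *fields, const uint32_t *sizes, size_t n)
{
    size_t i;
    if (n > cap) return 0;
    for (i = 0; i < n; i++) {
        out[i].Ptr = (uint64_t)(uintptr_t)fields[i];
        out[i].Size = sizes[i];
        out[i].Reserved = 0;
    }
    return n;
}

/* Resolve the export by name from the already-loaded NTDLL; NULL on a
 * pre-6.1 NTDLL (no such export) or on a non-Windows build. */
EtwEventWriteNoRegistration_t resolve_export(void)
{
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return NULL;
    return (EtwEventWriteNoRegistration_t)GetProcAddress(ntdll, "EtwEventWriteNoRegistration");
#else
    return NULL;
#endif
}

ULONG write_event_noreg(const GUID *provider, const EVENT_DESCRIPTOR *desc,
                        ULONG count, EVENT_DATA_DESCRIPTOR *data)
{
    EtwEventWriteNoRegistration_t fn;
    ULONG rc = validate_args(provider, desc, count, data);
    if (rc != 0) return rc;
    fn = resolve_export();
    if (fn == NULL) return ERROR_CALL_NOT_IMPLEMENTED;
    return fn(provider, desc, count, data);
}

/* Text for the outcomes the page describes. The code for the access
 * failure is an assumption: the page names the access, not the code. */
const char *describe_error(ULONG rc)
{
    switch (rc) {
    case 0:                          return "success";
    case ERROR_INVALID_PARAMETER:    return "ProviderId or EventDescriptor is NULL";
    case ERROR_WMI_ALREADY_DISABLED: return "provider not registered in the kernel, or enabled for no session";
    case ERROR_ACCESS_DENIED:        return "caller lacks TRACELOG_REGISTER_GUIDS access (assumed code)";
    case ERROR_CALL_NOT_IMPLEMENTED: return "export not present in this NTDLL";
    default:                         return "other Win32 error";
    }
}

int main(void)
{
    /* Constructed sample: a made-up provider GUID, event id 1 at level 4,
     * with one 32-bit payload field. */
    static const GUID provider = { 0x12345678, 0x1234, 0x5678, { 1, 2, 3, 4, 5, 6, 7, 8 } };
    EVENT_DESCRIPTOR desc = { 1, 0, 0, 4, 0, 0, 0 };
    uint32_t value = 42;
    const void *fields[1] = { &value };
    uint32_t sizes[1] = { sizeof value };
    EVENT_DATA_DESCRIPTOR data[1];
    ULONG rc;

    pack_payload(data, 1, fields, sizes, 1);
    rc = write_event_noreg(&provider, &desc, 1, data);
    printf("EtwEventWriteNoRegistration -> %lu (%s)\n", (unsigned long)rc, describe_error(rc));
    return 0;
}
```

On a Windows 7 or later host the call reaches the kernel, and with a made-up provider GUID the expected outcome is the ERROR_WMI_ALREADY_DISABLED case, since no registered and enabled provider has that identifier; the wrapper reports that rather than treating it as a transport failure.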