SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED

EtwWriteUMSecurityEvent

This function writes a user-mode security event.

Declaration

ULONG
EtwWriteUMSecurityEvent (
    PCEVENT_DESCRIPTOR EventDescriptor,
    USHORT EventProperty,
    ULONG UserDataCount,
    PEVENT_DATA_DESCRIPTOR UserData);

Parameters

The EventProperty argument specifies properties of the event. The supported values are:

0x0001 EVENT_HEADER_PROPERTY_XML
0x0002 EVENT_HEADER_PROPERTY_FORWARDED_XML
0x0004 EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG

For other arguments (and the return value), refer to Microsoft’s documentation of EventWrite.

Behaviour

This function is essentially a call to the kernel, specifically through NtTraceEvent case 0x05. The kernel verifies that the current process is the one that earlier called EtwRegisterSecurityProvider for permission to write security events. For other processes, the function fails (returning ERROR_ACCESS_DENIED).
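As an added example (not code from the original page or from Microsoft), the following C probe resolves the export at run time and calls it once from an ordinary process, which the page says fails the kernel's provider check with ERROR_ACCESS_DENIED; the function-pointer type and the placeholder event descriptor are assumptions, and the call itself is compiled only on Windows.

```c
#include <stdio.h>
/* EventProperty bits the page lists as supported (guarded: a Windows header may define them). */
#ifndef EVENT_HEADER_PROPERTY_XML
#define EVENT_HEADER_PROPERTY_XML             0x0001
#define EVENT_HEADER_PROPERTY_FORWARDED_XML   0x0002
#define EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG 0x0004
#endif
#define SUPPORTED_EVENT_PROPERTY_MASK (EVENT_HEADER_PROPERTY_XML | \
    EVENT_HEADER_PROPERTY_FORWARDED_XML | EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG)
/* Returns 1 when every set bit of property is one of the three listed values. */
int event_property_is_supported(unsigned short property)
{
    return (property & ~SUPPORTED_EVENT_PROPERTY_MASK) == 0;
}
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600
#endif
#include <windows.h>
#include <evntprov.h>
/* Assumed function-pointer type, taken from the declaration above. */
typedef ULONG (NTAPI *EtwWriteUMSecurityEvent_t)(PCEVENT_DESCRIPTOR, USHORT,
                                                  ULONG, PEVENT_DATA_DESCRIPTOR);
/* Resolves the export at run time and attempts one write; returns its status,
 * or (ULONG)-1 when ntdll lacks the export (versions before 6.0). */
ULONG probe_security_event_write(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    EtwWriteUMSecurityEvent_t fn = ntdll ? (EtwWriteUMSecurityEvent_t)
        GetProcAddress(ntdll, "EtwWriteUMSecurityEvent") : NULL;
    if (fn == NULL) return (ULONG)-1;
    EVENT_DESCRIPTOR desc = {0};   /* constructed placeholder: id 1, informational */
    desc.Id = 1; desc.Level = 4;
    static const WCHAR msg[] = L"probe";
    EVENT_DATA_DESCRIPTOR data;
    EventDataDescCreate(&data, msg, sizeof msg);
    return fn(&desc, EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG, 1, &data);
}
#endif
int main(void)
{
#ifdef _WIN32
    ULONG status = probe_security_event_write();
    printf("EtwWriteUMSecurityEvent returned %lu%s\n", (unsigned long)status,
           status == ERROR_ACCESS_DENIED ? " (ERROR_ACCESS_DENIED: caller is not the registered security provider)" : "");
#endif
    return 0;
}
```

A status other than ERROR_ACCESS_DENIED from a process that is not the registered security provider would be worth investigating on that build, since it would contradict the check described above.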

Availability

The EtwWriteUMSecurityEvent function is exported by name from NTDLL.DLL in version 6.0 and higher.

Perhaps unsurprisingly, this function is not documented. Its only known user is LSASRV.DLL.