Event Tracing for Windows (ETW) is a high-performance tracing infrastructure in the Microsoft Windows operating system that allows developers and system administrators to collect detailed information about system events, application events, and user-defined events.
It provides a mechanism for capturing real-time event data for performance analysis, debugging, and monitoring. It is also used by AVs and EDRs.
The ETW is broken into several components:
Event Tracing supports 64 sessions maximum, including: - Global Logger Session - NT Kernel Logger Session
The Global Logger records early boot events.
The NT Kernel Logger captures OS-level events like disk
I/O and page faults.
ETW state is stored in various structures:
_ETW_SILODRIVERSTATE, _WMI_LOGGER_CONTEXT,
_ETW_REG_ENTRY, _ETW_GUID_ENTRY.
_ETW_SILODRIVERSTATE//0x11c0 bytes (sizeof), src: Vergilius Project
struct _ETW_SILODRIVERSTATE
{
struct _EJOB* Silo; //0x0
struct _ESERVERSILO_GLOBALS* SiloGlobals; //0x8
ULONG MaxLoggers; //0x10
struct _ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry; //0x18
struct _EX_RUNDOWN_REF_CACHE_AWARE** EtwpLoggerRundown; //0x1a8
struct _WMI_LOGGER_CONTEXT** EtwpLoggerContext; //0x1b0
struct _ETW_HASH_BUCKET EtwpGuidHashTable[64]; //0x1b8
USHORT EtwpSecurityLoggers[8]; //0xfb8
UCHAR EtwpSecurityProviderEnableMask; //0xfc8
LONG EtwpShutdownInProgress; //0xfcc
ULONG EtwpSecurityProviderPID; //0xfd0
struct _ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable; //0xfd8
struct _ETW_COUNTERS EtwpCounters; //0xff8
union _LARGE_INTEGER LogfileBytesWritten; //0x1008
struct _ETW_SILO_TRACING_BLOCK* ProcessorBlocks; //0x1010
struct _EX_WNF_SUBSCRIPTION* ContainerRestoreWnfSubscription; //0x1018
struct _GUID PartitionId; //0x1020
struct _GUID ParentId; //0x1030
union _LARGE_INTEGER QpcOffsetFromRoot; //0x1040
ULONG PartitionType; //0x1048
struct _ETW_SYSTEM_LOGGER_SETTINGS SystemLoggerSettings; //0x104c
}; _WMI_LOGGER_CONTEXT//0x520 bytes (sizeof), src: Vergilius Project
struct _WMI_LOGGER_CONTEXT
{
ULONG LoggerId; //0x0
ULONG BufferSize; //0x4
ULONG MaximumEventSize; //0x8
ULONG LoggerMode; //0xc
LONG AcceptNewEvents; //0x10
ULONG EventMarker[2]; //0x14
ULONG ErrorMarker; //0x1c
ULONG SizeMask; //0x20
LONGLONG (*GetCpuClock)(); //0x28
struct _ETHREAD* LoggerThread; //0x30
LONG LoggerStatus; //0x38
ULONG FailureReason; //0x3c
struct _ETW_BUFFER_QUEUE BufferQueue; //0x40
struct _ETW_BUFFER_QUEUE OverflowQueue; //0x50
struct _LIST_ENTRY GlobalList; //0x60
struct _LIST_ENTRY DebugIdTrackingList; //0x70
struct _ETW_DECODE_CONTROL_ENTRY* DecodeControlList; //0x80
ULONG DecodeControlCount; //0x88
union
{
struct _WMI_BUFFER_HEADER* BatchedBufferList; //0x90
struct _EX_FAST_REF CurrentBuffer; //0x90
};
struct _UNICODE_STRING LoggerName; //0x98
struct _UNICODE_STRING LogFileName; //0xa8
struct _UNICODE_STRING LogFilePattern; //0xb8
struct _UNICODE_STRING NewLogFileName; //0xc8
ULONG ClockType; //0xd8
ULONG LastFlushedBuffer; //0xdc
ULONG FlushTimer; //0xe0
ULONG FlushThreshold; //0xe4
union _LARGE_INTEGER ByteOffset; //0xe8
ULONG MinimumBuffers; //0xf0
volatile LONG BuffersAvailable; //0xf4
volatile LONG NumberOfBuffers; //0xf8
ULONG MaximumBuffers; //0xfc
volatile ULONG EventsLost; //0x100
volatile LONG PeakBuffersCount; //0x104
ULONG BuffersWritten; //0x108
ULONG LogBuffersLost; //0x10c
ULONG RealTimeBuffersDelivered; //0x110
ULONG RealTimeBuffersLost; //0x114
LONG* SequencePtr; //0x118
ULONG LocalSequence; //0x120
struct _GUID InstanceGuid; //0x124
ULONG MaximumFileSize; //0x134
LONG FileCounter; //0x138
enum _POOL_TYPE PoolType; //0x13c
struct _ETW_REF_CLOCK ReferenceTime; //0x140
LONG CollectionOn; //0x150
ULONG ProviderInfoSize; //0x154
struct _LIST_ENTRY Consumers; //0x158
ULONG NumConsumers; //0x168
struct _ETW_REALTIME_CONSUMER* TransitionConsumer; //0x170
VOID* RealtimeLogfileHandle; //0x178
struct _UNICODE_STRING RealtimeLogfileName; //0x180
union _LARGE_INTEGER RealtimeWriteOffset; //0x190
union _LARGE_INTEGER RealtimeReadOffset; //0x198
union _LARGE_INTEGER RealtimeLogfileSize; //0x1a0
ULONGLONG RealtimeLogfileUsage; //0x1a8
ULONGLONG RealtimeMaximumFileSize; //0x1b0
ULONG RealtimeBuffersSaved; //0x1b8
struct _ETW_REF_CLOCK RealtimeReferenceTime; //0x1c0
enum _ETW_RT_EVENT_LOSS NewRTEventsLost; //0x1d0
struct _KEVENT LoggerEvent; //0x1d8
struct _KEVENT FlushEvent; //0x1f0
struct _KTIMER FlushTimeOutTimer; //0x208
struct _KDPC LoggerDpc; //0x248
struct _KMUTANT LoggerMutex; //0x288
struct _EX_PUSH_LOCK LoggerLock; //0x2c0
union
{
ULONGLONG BufferListSpinLock; //0x2c8
struct _EX_PUSH_LOCK BufferListPushLock; //0x2c8
};
struct _SECURITY_CLIENT_CONTEXT ClientSecurityContext; //0x2d0
struct _TOKEN_ACCESS_INFORMATION* TokenAccessInformation; //0x318
struct _EX_FAST_REF SecurityDescriptor; //0x320
union _LARGE_INTEGER StartTime; //0x328
VOID* LogFileHandle; //0x330
LONGLONG BufferSequenceNumber; //0x338
union
{
ULONG Flags; //0x340
struct
{
ULONG Persistent:1; //0x340
ULONG AutoLogger:1; //0x340
ULONG FsReady:1; //0x340
ULONG RealTime:1; //0x340
ULONG Wow:1; //0x340
ULONG KernelTrace:1; //0x340
ULONG NoMoreEnable:1; //0x340
ULONG StackTracing:1; //0x340
ULONG ErrorLogged:1; //0x340
ULONG RealtimeLoggerContextFreed:1; //0x340
ULONG PebsTracing:1; //0x340
ULONG PmcCounters:1; //0x340
ULONG PageAlignBuffers:1; //0x340
ULONG StackLookasideListAllocated:1; //0x340
ULONG SecurityTrace:1; //0x340
ULONG LastBranchTracing:1; //0x340
ULONG SystemLoggerIndex:8; //0x340
ULONG StackCaching:1; //0x340
ULONG ProviderTracking:1; //0x340
ULONG ProcessorTrace:1; //0x340
ULONG QpcDeltaTracking:1; //0x340
ULONG SpareFlags2:4; //0x340
};
};
union
{
volatile ULONG RequestFlag; //0x344
struct
{
ULONG DbgRequestNewFile:1; //0x344
ULONG DbgRequestUpdateFile:1; //0x344
ULONG DbgRequestFlush:1; //0x344
ULONG DbgRequestDisableRealtime:1; //0x344
ULONG DbgRequestDisconnectConsumer:1; //0x344
ULONG DbgRequestConnectConsumer:1; //0x344
ULONG DbgRequestNotifyConsumer:1; //0x344
ULONG DbgRequestUpdateHeader:1; //0x344
ULONG DbgRequestDeferredFlush:1; //0x344
ULONG DbgRequestDeferredFlushTimer:1; //0x344
ULONG DbgRequestFlushTimer:1; //0x344
ULONG DbgRequestUpdateDebugger:1; //0x344
ULONG DbgSpareRequestFlags:20; //0x344
};
};
struct _ETW_STACK_TRACE_BLOCK StackTraceBlock; //0x350
struct _RTL_BITMAP HookIdMap; //0x3d0
struct _ETW_STACK_CACHE* StackCache; //0x3e0
struct _ETW_PMC_SUPPORT* PmcData; //0x3e8
struct _ETW_LBR_SUPPORT* LbrData; //0x3f0
struct _ETW_IPT_SUPPORT* IptData; //0x3f8
struct _LIST_ENTRY BinaryTrackingList; //0x400
struct _WMI_BUFFER_HEADER** ScratchArray; //0x410
struct _DISALLOWED_GUIDS DisallowedGuids; //0x418
LONGLONG RelativeTimerDueTime; //0x428
struct _PERIODIC_CAPTURE_STATE_GUIDS PeriodicCaptureStateGuids; //0x430
struct _EX_TIMER* PeriodicCaptureStateTimer; //0x440
enum _ETW_PERIODIC_TIMER_STATE PeriodicCaptureStateTimerState; //0x448
struct _ETW_SOFT_RESTART_CONTEXT* SoftRestartContext; //0x450
struct _ETW_SILODRIVERSTATE* SiloState; //0x458
struct _WORK_QUEUE_ITEM CompressionWorkItem; //0x460
LONG CompressionWorkItemState; //0x480
struct _EX_PUSH_LOCK CompressionLock; //0x488
struct _WMI_BUFFER_HEADER* CompressionTarget; //0x490
VOID* CompressionWorkspace; //0x498
LONG CompressionOn; //0x4a0
ULONG CompressionRatioGuess; //0x4a4
ULONG PartialBufferCompressionLevel; //0x4a8
enum ETW_COMPRESSION_RESUMPTION_MODE CompressionResumptionMode; //0x4ac
struct _SINGLE_LIST_ENTRY PlaceholderList; //0x4b0
struct _KDPC CompressionDpc; //0x4b8
union _LARGE_INTEGER LastBufferSwitchTime; //0x4f8
union _LARGE_INTEGER BufferWriteDuration; //0x500
union _LARGE_INTEGER BufferCompressDuration; //0x508
LONGLONG ReferenceQpcDelta; //0x510
struct _ETW_EVENT_CALLBACK_CONTEXT* CallbackContext; //0x518
}; _ETW_HASH_BUCKET//0x38 bytes (sizeof), src: Vergilius Project
struct _ETW_HASH_BUCKET
{
struct _LIST_ENTRY ListHead[3]; //0x0
struct _EX_PUSH_LOCK BucketLock; //0x30
}; _ETW_GUID_ENTRY//0x190 bytes (sizeof), src: Vergilius Project
struct _ETW_GUID_ENTRY
{
struct _LIST_ENTRY GuidList; //0x0
volatile LONGLONG RefCount; //0x10
struct _GUID Guid; //0x18
struct _LIST_ENTRY RegListHead; //0x28
VOID* SecurityDescriptor; //0x38
union
{
struct _ETW_LAST_ENABLE_INFO LastEnable; //0x40
ULONGLONG MatchId; //0x40
};
struct _TRACE_ENABLE_INFO ProviderEnableInfo; //0x50
struct _TRACE_ENABLE_INFO EnableInfo[8]; //0x70
struct _ETW_FILTER_HEADER* FilterData; //0x170
struct _ETW_SILODRIVERSTATE* SiloState; //0x178
struct _EX_PUSH_LOCK Lock; //0x180
struct _ETHREAD* LockOwner; //0x188
};