Hook IDs For NT Kernel Logger Events

Events that are delivered to the NT Kernel Logger get logged to trace buffers, as do any others. While there, they begin with either a PERFINFO_TRACE_HEADER or a SYSTEM_TRACE_HEADER in either its full or compact form. If the event tracing session is configured to flush to an Event Trace Log (ETL) file, the events can be seen raw, with these headers, because the events are not yet translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer.

As the events go into the trace buffers, the analogue of an event ID as a unique numerical value for each type of event is the 16-bit HookId, at offset 0x06 in the trace header. This HookId is itself formed in two parts, specifically a Group and Type as the high and low bytes, respectively, such that similar types of events are conveniently managed in groups.

By the way, this convenience is not immediate for interpreting an ETL file from an NT Kernel Logger session using the ordinary Microsoft tools for perusing logged events. Though the Event Viewer will load an ETL file from an NT Kernel Logger session and the WEVTUTIL command-line tool will process one, the presentation is arguably anything but helpful. Though the HookId uniquely identifies each type of event, it does not show as the Event ID. Instead, when an event that has a HookId is translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer—any, not just the ordinary tools—the high byte, i.e., the Group, is translated to a GUID to show as the ProviderId and the low byte, i.e., the Type, becomes the Opcode in the EventDescriptor. It’s obvious once you think about it!

The intended way to interpret ETL files from an NT Kernel Logger session is with the Tracefmt and TraceView tools from the Windows Driver Kit (WDK), whose interpretation of the event-specific data is aided by a text file named SYSTEM.TMF that tells how to format the data for some few of the possible events, or with higher-level tools—at least in principle written by anyone—that learn the formatting from Managed Object Format (MOF) data that is compiled into the WMI repository. The types of events that can be sent to the NT Kernel Logger are not just few, are not even mere dozens, such as might be expected from perusal of SYSTEM.TMF or of Microsoft’s documentation of event data “simplified from MOF code” for the MSNT_SystemTrace class. Instead, they are truly numerous, nowadays running to more than five hundred.

Groups

In the following table, the HookId values that start each group are named from the NTWMI.H that is published with some editions of the WDK for Windows 10, and the corresponding GUID and its symbolic name are from symbol files for the SECHOST.DLL from the original release of Windows 10. (This DLL implements the ProcessTrace function which translates the events into the standard presentation for event consumers.) Some of the GUIDs, though not their correspondence to the high byte of a HookId, are anyway defined in various headers, notably EVNTRACE.H and WMIGUID.H. Some, whether defined in a header or not, are even documented (as NT Kernel Logger Constants). Inevitably, some are not known at all in Microsoft’s documentation or headers.

Value Name GUID Value GUID Name
0x0000 EVENT_TRACE_GROUP_HEADER {68FDD900-4A3E-11D1-84F4-0000F80464E3} EventTraceGuid
0x0100 EVENT_TRACE_GROUP_IO {3D6FA8D4-FE05-11D0-9DDA-00C04FD7BA7C} DiskIoGuid
0x0200 EVENT_TRACE_GROUP_MEMORY {3D6FA8D3-FE05-11D0-9DDA-00C04FD7BA7C} PageFaultGuid
0x0300 EVENT_TRACE_GROUP_PROCESS {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C} ProcessGuid
0x0400 EVENT_TRACE_GROUP_FILE {90CBDC39-4A3E-11D1-84F4-0000F80464E3} FileIoGuid
0x0500 EVENT_TRACE_GROUP_THREAD {3D6FA8D1-FE05-11D0-9DDA-00C04FD7BA7C} ThreadGuid
0x0600 EVENT_TRACE_GROUP_TCPIP {9A280AC0-C8E0-11D1-84E2-00C04FB998A2} TcpIpGuid
0x0700 EVENT_TRACE_GROUP_JOB {3282FC76-FEED-498E-8AA7-E70F459D430E} JobGuid
0x0800 EVENT_TRACE_GROUP_UDPIP {BF3A50C5-A9C9-4988-A005-2DF0B7C80F80} UdpIpGuid
0x0900 EVENT_TRACE_GROUP_REGISTRY {AE53722E-C863-11D2-8659-00C04FA321A1} RegistryGuid
0x0A00 EVENT_TRACE_GROUP_DBGPRINT {13976D09-A327-438C-950B-7F03192815C7} DbgPrintGuid
0x0B00 EVENT_TRACE_GROUP_CONFIG {01853A65-418F-4F36-AEFC-DC0F1D2FD235} EventTraceConfigGuid
0x0C00 EVENT_TRACE_GROUP_SPARE1 {99134383-5248-43FC-834B-529454E75DF3} EventTraceSpare1
0x0D00 EVENT_TRACE_GROUP_WNF {42695762-EA50-497A-9068-5CBBB35E0B95} WnfGuid
0x0E00 EVENT_TRACE_GROUP_POOL {0268A8B6-74FD-4302-9DD0-6E8F1795C0CF} PoolGuid
0x0F00 EVENT_TRACE_GROUP_PERFINFO {CE1DBFB4-137E-4DA6-87B0-3F59AA102CBC} PerfInfoGuid
0x1000 EVENT_TRACE_GROUP_HEAP {222962AB-6180-4B88-A825-346B75F2A24A} HeapGuid
0x1100 EVENT_TRACE_GROUP_OBJECT {89497F50-EFFE-4440-8CF2-CE6B1CDCACA7} ObjectGuid
0x1200 EVENT_TRACE_GROUP_POWER {E43445E0-0903-48C3-B878-FF0FCCEBDD04} PowerGuid
0x1300 EVENT_TRACE_GROUP_MODBOUND {A9152F00-3F58-4BEE-92A1-70C7D079D5DD} ModBoundGuid
0x1400 EVENT_TRACE_GROUP_IMAGE {2CB15D1D-5FC1-11D2-ABE1-00A0C911F518} ImageLoadGuid
0x1500 EVENT_TRACE_GROUP_DPC {B2D14872-7C5B-463D-8419-EE9BF7D23E04} DpcGuid
0x1600 EVENT_TRACE_GROUP_CC {7687A439-F752-45B8-B741-321AEC0F8DF9} CcGuid
0x1700 EVENT_TRACE_GROUP_CRITSEC {3AC66736-CC59-4CFF-8115-8DF50E39816B} CritSecGuid
0x1800 EVENT_TRACE_GROUP_STACKWALK {DEF2FE46-7BD6-4B80-BD94-F57FE20D0CE3} StackWalkGuid
0x1900 EVENT_TRACE_GROUP_UMS {9AEC974B-5B8E-4118-9B92-3186D8002CE5} UmsEventGuid
0x1A00 EVENT_TRACE_GROUP_ALPC {45D8CCCD-539F-4B72-A8B7-5C683142609A} ALPCGuid
0x1B00 EVENT_TRACE_GROUP_SPLITIO {D837CA92-12B9-44A5-AD6A-3A65B3578AA8} SplitIoGuid
0x1C00 EVENT_TRACE_GROUP_THREAD_POOL {C861D0E2-A2C1-4D36-9F9C-970BAB943A12} ThreadPoolGuid
0x1D00 EVENT_TRACE_GROUP_HYPERVISOR {7F2A405C-69B5-4BF9-A1F5-30E8F1AFAB5E} HypervisorTraceGuid
0x1E00 EVENT_TRACE_GROUP_HYPERVISORX {2CE9A149-EFFE-42F0-A635-A1D39E26C8F2} HypervisorXTraceGuid

There is at best a loose association of these groups with the group mask that is the modern elaboration of the EnableFlags of the EVENT_TRACE_PROPERTIES structure as passed through such API functions as StartTrace and ControlTrace. It is mostly true that an event with a given HookId can get logged only if a particular bit or combination of bits is set in the group mask, but there seems to be no formal correspondence. Unless one is discovered, inferring an informal one might usefully be on someone’s to-do list.

Events

As for the hundreds of possible events, i.e., values of HookId or combinations of Group and Type (or ProviderId and Opcode), a complete list would require an exhaustive search through the code of all modules that might log to an NT Kernel Logger session—which means not just the kernel, and not just modules in kernel mode, but at least NTDLL, ADVAPI32 and SECHOST in user mode too. Without such a search, the best that’s known to be available are macro definitions in NTWMI.H. Of course, that a header from Microsoft defines a macro for an event, and even a structure for the event data, doesn’t mean that the event actually can ever be sent. Not only may the definition remain from an old version or anticipate a future version, but with these events, and the high volume they might be generated in, it would not surprise to find that some are intended only for debug releases or only for internal testing. However they’re known, they’re collected below for easy reckoning in order of increasing HookId. Eventually, each event might be shown with such detail as where the event can originate, which group mask is required, which header is used, and what data follows the header. (But, really, how is this not someone’s paid work?)

Event Tracing

The first group is of events that have to do with the general business of logging events. Indeed, the event numbered 0x0000 is not even specific to the NT Kernel Logger but is the first in every ETL file, whatever the trace session.

Value Name Event Data
0x0000 WMI_LOG_TYPE_HEADER TRACE_LOGFILE_HEADER and two null-terminated Unicode strings
0x0005 WMI_LOG_TYPE_HEADER_EXTENSION ETW_KERNEL_HEADER_EXTENSION
0x0008 WMI_LOG_TYPE_RUNDOWN_COMPLETE  
0x0020 WMI_LOG_TYPE_GROUP_MASKS_END ETW_KERNEL_HEADER_EXTENSION
0x0030 WMI_LOG_TYPE_RUNDOWN_BEGIN  
0x0031 WMI_LOG_TYPE_RUNDOWN_END  
0x0040 WMI_LOG_TYPE_DBGID_RSDS  
0x0041 WMI_LOG_TYPE_DBGID_NB10  
0x0042 WMI_LOG_TYPE_BUILD_LAB  
0x0043 WMI_LOG_TYPE_BINARY_PATH  

Disk I/O

Value Name
0x010A WMI_LOG_TYPE_IO_READ
0x010B WMI_LOG_TYPE_IO_WRITE
0x010C WMI_LOG_TYPE_IO_READ_INIT
0x010D WMI_LOG_TYPE_IO_WRITE_INIT
0x010E WMI_LOG_TYPE_IO_FLUSH
0x010F WMI_LOG_TYPE_IO_FLUSH_INIT
0x0110 WMI_LOG_TYPE_IO_REDIRECTED_INIT
0x0120 PERFINFO_LOG_TYPE_DRIVER_INIT
0x0121 PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE
0x0122 PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL
0x0123 PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN
0x0124 PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL
0x0125 PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN
0x0126 PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL
0x0127 PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN
0x0128 PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL
0x0129 PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN
0x0130 PERFINFO_LOG_TYPE_PREFETCH_ACTION
0x0131 PERFINFO_LOG_TYPE_PREFETCH_REQUEST
0x0132 PERFINFO_LOG_TYPE_PREFETCH_READLIST
0x0133 PERFINFO_LOG_TYPE_PREFETCH_READ
0x0134 PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST
0x0135 PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN
0x0136 PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION
0x0137 PERFINFO_LOG_TYPE_OPTICAL_IO_READ
0x0138 PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE
0x0139 PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH
0x013A PERFINFO_LOG_TYPE_OPTICAL_IO_READ_INIT
0x013B PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE_INIT
0x013C PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH_INIT

Memory

Value Name
0x020A WMI_LOG_TYPE_PAGE_FAULT_TRANSITION
0x020B WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO
0x020C WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE
0x020D WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE
0x020E WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT
0x020F WMI_LOG_TYPE_PAGE_FAULT_ACCESS_VIOLATION
0x0220 PERFINFO_LOG_TYPE_HARDFAULT
0x0221 PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR
0x0222 PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST
0x0223 PERFINFO_LOG_TYPE_PAGEINMEMORY
0x0224 PERFINFO_LOG_TYPE_INSERTINFREELIST
0x0225 PERFINFO_LOG_TYPE_INSERTINMODIFIEDLIST
0x0226 PERFINFO_LOG_TYPE_INSERTINLIST
0x0228 PERFINFO_LOG_TYPE_INSERTATFRONT
0x0229 PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY
0x022A PERFINFO_LOG_TYPE_UNLINKFFREEORZERO
0x022B PERFINFO_LOG_TYPE_WORKINGSETMANAGER
0x022C PERFINFO_LOG_TYPE_TRIMPROCESS
0x022E PERFINFO_LOG_TYPE_ZEROSHARECOUNT
0x023C PERFINFO_LOG_TYPE_WSINFOPROCESS
0x0245 PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP
0x0246 PERFINFO_LOG_TYPE_TRIMSESSION
0x0247 PERFINFO_LOG_TYPE_MEMORYSNAPLITE
0x0248 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_RUNDOWN
0x0249 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_CREATE
0x024A PERFINFO_LOG_TYPE_WSINFOSESSION
0x024B PERFINFO_LOG_TYPE_CREATE_SESSION
0x024C PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_END
0x024D PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_START
0x024E PERFINFO_LOG_TYPE_SESSION_DELETE
0x024F PERFINFO_LOG_TYPE_PFMAPPED_SECTION_DELETE
0x0262 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC
0x0263 PERFINFO_LOG_TYPE_VIRTUAL_FREE
0x0264 PERFINFO_LOG_TYPE_HEAP_RANGE_RUNDOWN
0x0265 PERFINFO_LOG_TYPE_HEAP_RANGE_CREATE
0x0266 PERFINFO_LOG_TYPE_HEAP_RANGE_RESERVE
0x0267 PERFINFO_LOG_TYPE_HEAP_RANGE_RELEASE
0x0268 PERFINFO_LOG_TYPE_HEAP_RANGE_DESTROY
0x0269 PERFINFO_LOG_TYPE_PAGEFILE_BACK
0x0270 PERFINFO_LOG_TYPE_MEMINFO
0x0271 PERFINFO_LOG_TYPE_CONTMEM_GENERATE
0x0272 PERFINFO_LOG_TYPE_FILE_STORE_FAULT
0x0273 PERFINFO_LOG_TYPE_INMEMORY_STORE_FAULT
0x0274 PERFINFO_LOG_TYPE_COMPRESSED_PAGE
0x0275 PERFINFO_LOG_TYPE_PAGEINMEMORY_ACTIVE
0x0276 PERFINFO_LOG_TYPE_PAGE_ACCESS
0x0277 PERFINFO_LOG_TYPE_PAGE_RELEASE
0x0278 PERFINFO_LOG_TYPE_PAGE_RANGE_ACCESS
0x0279 PERFINFO_LOG_TYPE_PAGE_RANGE_RELEASE
0x027A PERFINFO_LOG_TYPE_PAGE_COMBINE
0x027B PERFINFO_LOG_TYPE_KERNEL_MEMUSAGE
0x027C PERFINFO_LOG_TYPE_MM_STATS
0x027D PERFINFO_LOG_TYPE_MEMINFOEX_WS
0x027E PERFINFO_LOG_TYPE_MEMINFOEX_SESSIONWS
0x027F PERFINFO_LOG_TYPE_VIRTUAL_ROTATE
0x0280 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_START
0x0281 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_END
0x0282 PERFINFO_LOG_TYPE_PAGE_ACCESS_EX
0x0283 PERFINFO_LOG_TYPE_REMOVEFROMWS
0x0284 PERFINFO_LOG_TYPE_WSSHAREABLE_RUNDOWN
0x0285 PERFINFO_LOG_TYPE_INMEMORYACTIVE_RUNDOWN
0x0286 PERFINFO_LOG_TYPE_MEM_RESET_INFO
0x0287 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_CREATE
0x0288 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_DELETE

Process

Value Name
0x0301 WMI_LOG_TYPE_PROCESS_CREATE
0x0302 WMI_LOG_TYPE_PROCESS_DELETE
0x0303 WMI_LOG_TYPE_PROCESS_DC_START
0x0304 WMI_LOG_TYPE_PROCESS_DC_END
0x030A WMI_LOG_TYPE_PROCESS_LOAD_IMAGE
0x030B WMI_LOG_TYPE_PROCESS_TERMINATE
0x0320 PERFINFO_LOG_TYPE_PROCESS_PERFCTR_END
0x0321 PERFINFO_LOG_TYPE_PROCESS_PERFCTR_RD
0x0323 PERFINFO_LOG_TYPE_INSWAPPROCESS
0x0324 PERFINFO_LOG_TYPE_PROCESS_FREEZE
0x0325 PERFINFO_LOG_TYPE_PROCESS_THAW
0x0326 PERFINFO_LOG_TYPE_BOOT_PHASE_START
0x0327 PERFINFO_LOG_TYPE_ZOMBIE_PROCESS
0x0328 PERFINFO_LOG_TYPE_PROCESS_SET_AFFINITY
0x0330 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_USER
0x0331 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_EXECUTION
0x0332 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_KERNEL
0x0333 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_INSTRUMENTATION
0x0334 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_PRESERVE_PROCESS
0x0340 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_USER
0x0341 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_EXECUTION
0x0342 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_KERNEL
0x0343 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_INSTRUMENTATION
0x0344 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_PRESERVE_PROCESS
0x0350 PERFINFO_LOG_TYPE_WAKE_DROP_USER
0x0351 PERFINFO_LOG_TYPE_WAKE_DROP_EXECUTION
0x0352 PERFINFO_LOG_TYPE_WAKE_DROP_KERNEL
0x0353 PERFINFO_LOG_TYPE_WAKE_DROP_INSTRUMENTATION
0x0354 PERFINFO_LOG_TYPE_WAKE_DROP_PRESERVE_PROCESS
0x0360 PERFINFO_LOG_TYPE_WAKE_EVENT_USER
0x0361 PERFINFO_LOG_TYPE_WAKE_EVENT_EXECUTION
0x0362 PERFINFO_LOG_TYPE_WAKE_EVENT_KERNEL
0x0363 PERFINFO_LOG_TYPE_WAKE_EVENT_INSTRUMENTATION
0x0364 PERFINFO_LOG_TYPE_WAKE_EVENT_PRESERVE_PROCESS
0x0370 PERFINFO_LOG_TYPE_DEBUG_EVENT

The WMI_LOG_TYPE_PROCESS_LOAD_IMAGE event gets special attention when SECHOST translates it for presentation to event consumers. Specifically, it gets reassigned to the group represented by ImageLoadGuid.
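
The translation described at the top of this page (16-bit HookId at offset 0x06, Group to ProviderId, Type to Opcode) and the reassignment just noted, as an added C example that is not Microsoft's or SECHOST's code. The function, structure and macro names are hypothetical, the header bytes are constructed, and reading the HookId as little-endian is an assumption; the GUIDs are those of the Groups table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ProviderId per Group (high byte of HookId), copied from the Groups table on this page. */
struct group_guid { const char *name, *guid; };
static const struct group_guid GROUPS[] = {
    /* 0x00 */ {"EventTraceGuid",       "{68FDD900-4A3E-11D1-84F4-0000F80464E3}"},
    /* 0x01 */ {"DiskIoGuid",           "{3D6FA8D4-FE05-11D0-9DDA-00C04FD7BA7C}"},
    /* 0x02 */ {"PageFaultGuid",        "{3D6FA8D3-FE05-11D0-9DDA-00C04FD7BA7C}"},
    /* 0x03 */ {"ProcessGuid",          "{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}"},
    /* 0x04 */ {"FileIoGuid",           "{90CBDC39-4A3E-11D1-84F4-0000F80464E3}"},
    /* 0x05 */ {"ThreadGuid",           "{3D6FA8D1-FE05-11D0-9DDA-00C04FD7BA7C}"},
    /* 0x06 */ {"TcpIpGuid",            "{9A280AC0-C8E0-11D1-84E2-00C04FB998A2}"},
    /* 0x07 */ {"JobGuid",              "{3282FC76-FEED-498E-8AA7-E70F459D430E}"},
    /* 0x08 */ {"UdpIpGuid",            "{BF3A50C5-A9C9-4988-A005-2DF0B7C80F80}"},
    /* 0x09 */ {"RegistryGuid",         "{AE53722E-C863-11D2-8659-00C04FA321A1}"},
    /* 0x0A */ {"DbgPrintGuid",         "{13976D09-A327-438C-950B-7F03192815C7}"},
    /* 0x0B */ {"EventTraceConfigGuid", "{01853A65-418F-4F36-AEFC-DC0F1D2FD235}"},
    /* 0x0C */ {"EventTraceSpare1",     "{99134383-5248-43FC-834B-529454E75DF3}"},
    /* 0x0D */ {"WnfGuid",              "{42695762-EA50-497A-9068-5CBBB35E0B95}"},
    /* 0x0E */ {"PoolGuid",             "{0268A8B6-74FD-4302-9DD0-6E8F1795C0CF}"},
    /* 0x0F */ {"PerfInfoGuid",         "{CE1DBFB4-137E-4DA6-87B0-3F59AA102CBC}"},
    /* 0x10 */ {"HeapGuid",             "{222962AB-6180-4B88-A825-346B75F2A24A}"},
    /* 0x11 */ {"ObjectGuid",           "{89497F50-EFFE-4440-8CF2-CE6B1CDCACA7}"},
    /* 0x12 */ {"PowerGuid",            "{E43445E0-0903-48C3-B878-FF0FCCEBDD04}"},
    /* 0x13 */ {"ModBoundGuid",         "{A9152F00-3F58-4BEE-92A1-70C7D079D5DD}"},
    /* 0x14 */ {"ImageLoadGuid",        "{2CB15D1D-5FC1-11D2-ABE1-00A0C911F518}"},
    /* 0x15 */ {"DpcGuid",              "{B2D14872-7C5B-463D-8419-EE9BF7D23E04}"},
    /* 0x16 */ {"CcGuid",               "{7687A439-F752-45B8-B741-321AEC0F8DF9}"},
    /* 0x17 */ {"CritSecGuid",          "{3AC66736-CC59-4CFF-8115-8DF50E39816B}"},
    /* 0x18 */ {"StackWalkGuid",        "{DEF2FE46-7BD6-4B80-BD94-F57FE20D0CE3}"},
    /* 0x19 */ {"UmsEventGuid",         "{9AEC974B-5B8E-4118-9B92-3186D8002CE5}"},
    /* 0x1A */ {"ALPCGuid",             "{45D8CCCD-539F-4B72-A8B7-5C683142609A}"},
    /* 0x1B */ {"SplitIoGuid",          "{D837CA92-12B9-44A5-AD6A-3A65B3578AA8}"},
    /* 0x1C */ {"ThreadPoolGuid",       "{C861D0E2-A2C1-4D36-9F9C-970BAB943A12}"},
    /* 0x1D */ {"HypervisorTraceGuid",  "{7F2A405C-69B5-4BF9-A1F5-30E8F1AFAB5E}"},
    /* 0x1E */ {"HypervisorXTraceGuid", "{2CE9A149-EFFE-42F0-A635-A1D39E26C8F2}"},
};
#define GROUP_COUNT (sizeof GROUPS / sizeof GROUPS[0])
#define HOOKID_OFFSET ((size_t)0x06)       /* offset of HookId in the trace header */
#define HOOKID_PROCESS_LOAD_IMAGE 0x030A   /* WMI_LOG_TYPE_PROCESS_LOAD_IMAGE */
#define GROUP_INDEX_IMAGE 0x14             /* high byte of EVENT_TRACE_GROUP_IMAGE */

struct decoded_event {
    uint16_t hook_id;           /* HookId as logged */
    uint8_t group;              /* high byte as logged */
    uint8_t opcode;             /* low byte (Type), presented as the Opcode */
    const char *provider_name;  /* NULL when the Group is not in the table */
    const char *provider_guid;  /* GUID presented as the ProviderId */
};

/* Returns 0 on success, -1 for a short buffer, -2 for a Group not in the table. */
int decode_hook_id(const uint8_t *hdr, size_t len, struct decoded_event *out)
{
    if (hdr == NULL || out == NULL || len < HOOKID_OFFSET + 2)
        return -1;
    memset(out, 0, sizeof *out);
    /* Assumption: the 16-bit HookId is stored little-endian, as on all Windows targets. */
    out->hook_id = (uint16_t)(hdr[HOOKID_OFFSET] | (hdr[HOOKID_OFFSET + 1] << 8));
    out->group = (uint8_t)(out->hook_id >> 8);
    out->opcode = (uint8_t)(out->hook_id & 0xFF);

    /* Special case from this page: the load-image event is shown under ImageLoadGuid. */
    size_t idx = (out->hook_id == HOOKID_PROCESS_LOAD_IMAGE)
                     ? (size_t)GROUP_INDEX_IMAGE : (size_t)out->group;
    if (idx >= GROUP_COUNT)
        return -2;
    out->provider_name = GROUPS[idx].name;
    out->provider_guid = GROUPS[idx].guid;
    return 0;
}

int main(void)
{
    /* Constructed 8-byte header prefixes: only the HookId at offset 0x06 is
       meaningful, the first six bytes are filler. */
    static const uint8_t samples[][8] = {
        {0, 0, 0, 0, 0, 0, 0x01, 0x03},  /* 0x0301 WMI_LOG_TYPE_PROCESS_CREATE */
        {0, 0, 0, 0, 0, 0, 0x0A, 0x03},  /* 0x030A WMI_LOG_TYPE_PROCESS_LOAD_IMAGE */
        {0, 0, 0, 0, 0, 0, 0x2E, 0x0F},  /* 0x0F2E PERFINFO_LOG_TYPE_SAMPLED_PROFILE */
        {0, 0, 0, 0, 0, 0, 0x20, 0x7F},  /* Group 0x7F: not in the table */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct decoded_event ev;
        int rc = decode_hook_id(samples[i], sizeof samples[i], &ev);
        if (rc == 0)
            printf("HookId 0x%04X -> ProviderId %s (%s), Opcode 0x%02X\n", (unsigned)ev.hook_id,
                   ev.provider_guid, ev.provider_name, (unsigned)ev.opcode);
        else
            printf("HookId 0x%04X -> no GUID known for Group 0x%02X\n",
                   (unsigned)ev.hook_id, (unsigned)ev.group);
    }
    return 0;
}
```

A Group outside the table is reported rather than guessed, which is the case to watch for when a trace comes from a Windows build newer than the one the table was taken from.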

File

Value Name
0x0400 PERFINFO_LOG_TYPE_FILENAME
0x0420 PERFINFO_LOG_TYPE_FILENAME_CREATE
0x0421 PERFINFO_LOG_TYPE_FILENAME_SAME
0x0422 PERFINFO_LOG_TYPE_FILENAME_NULL
0x0423 PERFINFO_LOG_TYPE_FILENAME_DELETE
0x0424 PERFINFO_LOG_TYPE_FILENAME_RUNDOWN
0x0425 PERFINFO_LOG_TYPE_MAPFILE
0x0426 PERFINFO_LOG_TYPE_UNMAPFILE
0x0427 PERFINFO_LOG_TYPE_MAPFILE_DC_START
0x0428 PERFINFO_LOG_TYPE_MAPFILE_DC_END
0x0440 PERFINFO_LOG_TYPE_FILE_IO_CREATE
0x0441 PERFINFO_LOG_TYPE_FILE_IO_CLEANUP
0x0442 PERFINFO_LOG_TYPE_FILE_IO_CLOSE
0x0443 PERFINFO_LOG_TYPE_FILE_IO_READ
0x0444 PERFINFO_LOG_TYPE_FILE_IO_WRITE
0x0445 PERFINFO_LOG_TYPE_FILE_IO_SET_INFORMATION
0x0446 PERFINFO_LOG_TYPE_FILE_IO_DELETE
0x0447 PERFINFO_LOG_TYPE_FILE_IO_RENAME
0x0448 PERFINFO_LOG_TYPE_FILE_IO_DIRENUM
0x0449 PERFINFO_LOG_TYPE_FILE_IO_FLUSH
0x044A PERFINFO_LOG_TYPE_FILE_IO_QUERY_INFORMATION
0x044B PERFINFO_LOG_TYPE_FILE_IO_FS_CONTROL
0x044C PERFINFO_LOG_TYPE_FILE_IO_OPERATION_END
0x044D PERFINFO_LOG_TYPE_FILE_IO_DIRNOTIFY
0x044E PERFINFO_LOG_TYPE_FILE_IO_CREATE_NEW
0x044F PERFINFO_LOG_TYPE_FILE_IO_DELETE_PATH
0x0450 PERFINFO_LOG_TYPE_FILE_IO_RENAME_PATH
0x0451 PERFINFO_LOG_TYPE_FILE_IO_SETLINK_PATH
0x0452 PERFINFO_LOG_TYPE_FILE_IO_SETLINK
0x0460 PERFINFO_LOG_TYPE_FLT_PREOP_INIT
0x0461 PERFINFO_LOG_TYPE_FLT_POSTOP_INIT
0x0462 PERFINFO_LOG_TYPE_FLT_PREOP_COMPLETION
0x0463 PERFINFO_LOG_TYPE_FLT_POSTOP_COMPLETION
0x0464 PERFINFO_LOG_TYPE_FLT_PREOP_FAILURE
0x0465 PERFINFO_LOG_TYPE_FLT_POSTOP_FAILURE

Thread

Value Name Event Data (After Trace Header)
0x0501 WMI_LOG_TYPE_THREAD_CREATE WMI_EXTENDED_THREAD_INFORMATION
0x0502 WMI_LOG_TYPE_THREAD_DELETE WMI_EXTENDED_THREAD_INFORMATION
0x0503 WMI_LOG_TYPE_THREAD_DC_START WMI_EXTENDED_THREAD_INFORMATION
0x0504 WMI_LOG_TYPE_THREAD_DC_END WMI_EXTENDED_THREAD_INFORMATION
0x0524 PERFINFO_LOG_TYPE_CONTEXTSWAP WMI_CONTEXTSWAP
0x0525 PERFINFO_LOG_TYPE_CONTEXTSWAP_BATCH PERFINFO_CCSWAP_BUFFER and sequence of related structures
0x0529 PERFINFO_LOG_TYPE_SPINLOCK WMI_SPINLOCK
0x052A PERFINFO_LOG_TYPE_QUEUE  
0x052B PERFINFO_LOG_TYPE_RESOURCE WMI_RESOURCE
0x052C PERFINFO_LOG_TYPE_PUSHLOCK  
0x052D PERFINFO_LOG_TYPE_WAIT_SINGLE  
0x052E PERFINFO_LOG_TYPE_WAIT_MULTIPLE  
0x052F PERFINFO_LOG_TYPE_DELAY_EXECUTION  
0x0530 PERFINFO_LOG_TYPE_THREAD_SET_PRIORITY ETW_PRIORITY_EVENT
0x0531 PERFINFO_LOT_TYPE_THREAD_SET_BASE_PRIORITY ETW_PRIORITY_EVENT
0x0532 PERFINFO_LOG_TYPE_READY_THREAD ETW_READY_THREAD_EVENT
0x0533 PERFINFO_LOG_TYPE_THREAD_SET_PAGE_PRIORITY ETW_PRIORITY_EVENT
0x0534 PERFINFO_LOG_TYPE_THREAD_SET_IO_PRIORITY ETW_PRIORITY_EVENT
0x0535 PERFINFO_LOG_TYPE_THREAD_SET_AFFINITY ETW_THREAD_AFFINITY_EVENT
0x0539 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM  
0x053A PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL  
0x053B PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE  
0x053C PERFINFO_LOG_TYPE_ANTI_STARVATION_BOOST ETW_ANTI_STARVATION_BOOST_EVENT
0x053D PERFINFO_LOG_TYPE_THREAD_MIGRATION  
0x053E PERFINFO_LOG_TYPE_KQUEUE_ENQUEUE ETW_KQUEUE_ENQUEUE_EVENT
0x053F PERFINFO_LOG_TYPE_KQUEUE_DEQUEUE ETW_KQUEUE_DEQUEUE_EVENT with sequence of pointers as Entries array
0x0540 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_START one pointer; if structure, then name unknown
0x0541 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END one pointer; if structure, then name unknown
0x0542 PERFINFO_LOG_TYPE_AUTO_BOOST_SET_FLOOR ETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT
0x0543 PERFINFO_LOG_TYPE_AUTO_BOOST_CLEAR_FLOOR ETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT
0x0544 PERFINFO_LOG_TYPE_AUTO_BOOST_NO_ENTRIES ETW_AUTOBOOST_NO_ENTRIES_EVENT
0x0545 PERFINFO_LOG_TYPE_THREAD_SUBPROCESSTAG_CHANGED  

TCP/IP

Value Name
0x060A WMI_LOG_TYPE_TCPIP_SEND
0x060B WMI_LOG_TYPE_TCPIP_RECEIVE
0x060C WMI_LOG_TYPE_TCPIP_CONNECT
0x060D WMI_LOG_TYPE_TCPIP_DISCONNECT
0x060E WMI_LOG_TYPE_TCPIP_RETRANSMIT
0x060F WMI_LOG_TYPE_TCPIP_ACCEPT
0x0610 WMI_LOG_TYPE_TCPIP_RECONNECT
0x0611 WMI_LOG_TYPE_TCPIP_FAIL
0x0612 WMI_LOG_TYPE_TCPIP_TCPCOPY
0x0613 WMI_LOG_TYPE_TCPIP_ARPCOPY
0x0614 WMI_LOG_TYPE_TCPIP_FULLACK
0x0615 WMI_LOG_TYPE_TCPIP_PARTACK
0x0616 WMI_LOG_TYPE_TCPIP_DUPACK
0x061A WMI_LOG_TYPE_TCPIP_SEND_IPV6
0x061B WMI_LOG_TYPE_TCPIP_RECEIVE_IPV6
0x061C WMI_LOG_TYPE_TCPIP_CONNECT_IPV6
0x061D WMI_LOG_TYPE_TCPIP_DISCONNECT_IPV6
0x061E WMI_LOG_TYPE_TCPIP_RETRANSMIT_IPV6
0x061F WMI_LOG_TYPE_TCPIP_ACCEPT_IPV6
0x0620 WMI_LOG_TYPE_TCPIP_RECONNECT_IPV6
0x0621 WMI_LOG_TYPE_TCPIP_FAIL_IPV6
0x0622 WMI_LOG_TYPE_TCPIP_TCPCOPY_IPV6
0x0623 WMI_LOG_TYPE_TCPIP_ARPCOPY_IPV6
0x0624 WMI_LOG_TYPE_TCPIP_FULLACK_IPV6
0x0625 WMI_LOG_TYPE_TCPIP_PARTACK_IPV6
0x0626 WMI_LOG_TYPE_TCPIP_DUPACK_IPV6

Job

Value Name
0x0720 WMI_LOG_TYPE_JOB_CREATE
0x0721 WMI_LOG_TYPE_JOB_TERMINATE
0x0722 WMI_LOG_TYPE_JOB_OPEN
0x0723 WMI_LOG_TYPE_JOB_ASSIGN_PROCESS
0x0724 WMI_LOG_TYPE_JOB_REMOVE_PROCESS
0x0725 WMI_LOG_TYPE_JOB_SET
0x0726 WMI_LOG_TYPE_JOB_QUERY
0x0727 WMI_LOG_TYPE_JOB_SET_FAILED
0x0728 WMI_LOG_TYPE_JOB_QUERY_FAILED
0x0729 WMI_LOG_TYPE_JOB_SET_NOTIFICATION
0x072A WMI_LOG_TYPE_JOB_SEND_NOTIFICATION
0x072B WMI_LOG_TYPE_JOB_QUERY_VIOLATION
0x072C WMI_LOG_TYPE_JOB_SET_CPU_RATE
0x072D WMI_LOG_TYPE_JOB_SET_NET_RATE

UDP/IP

Value Name
0x080A WMI_LOG_TYPE_UDP_SEND
0x080B WMI_LOG_TYPE_UDP_RECEIVE
0x0811 WMI_LOG_TYPE_UDP_FAIL
0x081A WMI_LOG_TYPE_UDP_SEND_IPV6
0x081B WMI_LOG_TYPE_UDP_RECEIVE_IPV6

Registry

Value Name
0x0918 WMI_LOG_TYPE_REG_RUNDOWNBEGIN
0x0919 WMI_LOG_TYPE_REG_RUNDOWNEND
0x0920 PERFINFO_LOG_TYPE_CMCELLREFERRED
0x0921 PERFINFO_LOG_TYPE_REG_SET_VALUE
0x0922 PERFINFO_LOG_TYPE_REG_COUNTERS
0x0923 PERFINFO_LOG_TYPE_REG_CONFIG
0x0924 PERFINFO_LOG_TYPE_REG_HIVE_INITIALIZE
0x0925 PERFINFO_LOG_TYPE_REG_HIVE_DESTROY
0x0926 PERFINFO_LOG_TYPE_REG_HIVE_LINK
0x0927 PERFINFO_LOG_TYPE_REG_HIVE_RUNDOWN_DC_END
0x0928 PERFINFO_LOG_TYPE_REG_HIVE_DIRTY
0x0930 PERFINFO_LOG_TYPE_REG_NOTIF_REGISTER
0x0931 PERFINFO_LOG_TYPE_REG_NOTIF_DELIVER

Debug

Value Name
0x0A20 PERFINFO_LOG_TYPE_DEBUG_PRINT

Configuration

Value Name
0x0B0A WMI_LOG_TYPE_CONFIG_CPU
0x0B0B WMI_LOG_TYPE_CONFIG_PHYSICALDISK
0x0B0C WMI_LOG_TYPE_CONFIG_LOGICALDISK
0x0B0D WMI_LOG_TYPE_CONFIG_NIC
0x0B0E WMI_LOG_TYPE_CONFIG_VIDEO
0x0B0F WMI_LOG_TYPE_CONFIG_SERVICES
0x0B10 WMI_LOG_TYPE_CONFIG_POWER
0x0B12 WMI_LOG_TYPE_CONFIG_OPTICALMEDIA
0x0B15 WMI_LOG_TYPE_CONFIG_IRQ
0x0B16 WMI_LOG_TYPE_CONFIG_PNP
0x0B17 WMI_LOG_TYPE_CONFIG_IDECHANNEL
0x0B18 WMI_LOG_TYPE_CONFIG_NUMANODE
0x0B19 WMI_LOG_TYPE_CONFIG_PLATFORM
0x0B1A WMI_LOG_TYPE_CONFIG_PROCESSORGROUP
0x0B1B WMI_LOG_TYPE_CONFIG_PROCESSORNUMBER
0x0B1C WMI_LOG_TYPE_CONFIG_DPI
0x0B1D WMI_LOG_TYPE_CONFIG_CODEINTEGRITY
0x0B1E WMI_LOG_TYPE_CONFIG_MACHINEID
0x0B1F WMI_LOG_TYPE_CONFIG_DEFRAG
  WMI_LOG_TYPE_CONFIG_OSVERSION
  WMI_LOG_TYPE_CONFIG_VISUALTHEME
  WMI_LOG_TYPE_CONFIG_SYSTEMRANGE
  WMI_LOG_TYPE_CONFIG_SYSDLLINFO

The last four are defined in NTWMI.H but evaluation depends on macros that are not defined in any other known header.

WNF

Value Name
0x0D20 PERFINFO_LOG_TYPE_WNF_SUBSCRIBE
0x0D21 PERFINFO_LOG_TYPE_WNF_UNSUBSCRIBE
0x0D22 PERFINFO_LOG_TYPE_WNF_CALLBACK
0x0D23 PERFINFO_LOG_TYPE_WNF_PUBLISH
0x0D24 PERFINFO_LOG_TYPE_WNF_NAME_SUB_RUNDOWN

Pool

Value Name
0x0E20 PERFINFO_LOG_TYPE_ALLOCATEPOOL
0x0E21 PERFINFO_LOG_TYPE_ALLOCATEPOOL_SESSION
0x0E22 PERFINFO_LOG_TYPE_FREEPOOL
0x0E23 PERFINFO_LOG_TYPE_FREEPOOL_SESSION
0x0E24 PERFINFO_LOG_TYPE_ADDPOOLPAGE
0x0E25 PERFINFO_LOG_TYPE_ADDPOOLPAGE_SESSION
0x0E26 PERFINFO_LOG_TYPE_BIGPOOLPAGE
0x0E27 PERFINFO_LOG_TYPE_BIGPOOLPAGE_SESSION
0x0E28 PERFINFO_LOG_TYPE_POOLSNAP_DC_START
0x0E29 PERFINFO_LOG_TYPE_POOLSNAP_DC_END
0x0E2A PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_START
0x0E2B PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_END
0x0E2C PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_START
0x0E2D PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_END
0x0E2E PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_START
0x0E2F PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_END

Performance Information

Value Name Event Data (After Trace Header)
0x0F20 PERFINFO_LOG_TYPE_RUNDOWN_CHECKPOINT  
0x0F22 PERFINFO_LOG_TYPE_MARK  
0x0F24 PERFINFO_LOG_TYPE_ASYNCMARK  
0x0F26 PERFINFO_LOG_TYPE_IMAGENAME  
0x0F27 PERFINFO_LOG_TYPE_DELAYS_CC_CAN_I_WRITE  
0x0F2E PERFINFO_LOG_TYPE_SAMPLED_PROFILE PERFINFO_SAMPLED_PROFILE_INFORMATION
0x0F2F PERFINFO_LOG_TYPE_PMC_INTERRUPT PERFINFO_PMC_SAMPLE_INFORMATION
0x0F30 PERFINFO_LOG_TYPE_PMC_CONFIG  
0x0F32 PERFINFO_LOG_TYPE_MSI_INTERRUPT  
0x0F33 PERFINFO_LOG_TYPE_SYSCALL_ENTER PERFINFO_SYSCALL_ENTER_DATA
0x0F34 PERFINFO_LOG_TYPE_SYSCALL_EXIT PERFINFO_SYSCALL_EXIT_DATA
0x0F35 PERFINFO_LOG_TYPE_BACKTRACE  
0x0F36 PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK  
0x0F37 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE  
0x0F38 PERFINFO_LOG_TYPE_EXCEPTION_STACK  
0x0F39 PERFINFO_LOG_TYPE_BRANCH_TRACE  
0x0F3A PERFINFO_LOG_TYPE_DEBUGGER_ENABLED  
0x0F3B PERFINFO_LOG_TYPE_DEBUGGER_EXIT  
0x0F40 PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG  
0x0F41 PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG  
0x0F42 PERFINFO_LOG_TYPE_THREADED_DPC  
0x0F43 PERFINFO_LOG_TYPE_INTERRUPT  
0x0F44 PERFINFO_LOG_TYPE_DPC  
0x0F45 PERFINFO_LOG_TYPE_TIMERDPC  
0x0F46 PERFINFO_LOG_TYPE_IOTIMER_EXPIRATION  
0x0F47 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_NMI  
0x0F48 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_SET_INTERVAL PERFINFO_SAMPLED_PROFILE_CONFIG
0x0F49 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_START  
0x0F4A PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_END  
0x0F4B PERFINFO_LOG_TYPE_SPINLOCK_DC_START  
0x0F4C PERFINFO_LOG_TYPE_SPINLOCK_DC_END  
0x0F4D PERFINFO_LOG_TYPE_ERESOURCE_DC_START  
0x0F4E PERFINFO_LOG_TYPE_ERESOURCE_DC_END  
0x0F4F PERFINFO_LOG_TYPE_CLOCK_INTERRUPT  
0x0F50 PERFINFO_LOG_TYPE_TIMER_EXPIRATION_START  
0x0F51 PERFINFO_LOG_TYPE_TIMER_EXPIRATION  
0x0F52 PERFINFO_LOG_TYPE_TIMER_SET_PERIODIC  
0x0F53 PERFINFO_LOG_TYPE_TIMER_SET_ONE_SHOT  
0x0F54 PERFINFO_LOG_TYPE_TIMER_SET_THREAD  
0x0F55 PERFINFO_LOG_TYPE_TIMER_CANCEL  
0x0F56 PERFINFO_LOG_TYPE_TIME_ADJUSTMENT  
0x0F57 PERFINFO_LOG_TYPE_CLOCK_MODE_SWITCH  
0x0F58 PERFINFO_LOG_TYPE_CLOCK_TIME_UPDATE  
0x0F59 PERFINFO_LOG_TYPE_CLOCK_DYNAMIC_TICK_VETO  
0x0F5A PERFINFO_LOG_TYPE_CLOCK_CONFIGURATION  
0x0F5B PERFINFO_LOG_TYPE_IPI  
0x0F5C PERFINFO_LOG_TYPE_UNEXPECTED_INTERRUPT  
0x0F5D PERFINFO_LOG_TYPE_IOTIMER_START  
0x0F5E PERFINFO_LOG_TYPE_IOTIMER_STOP  
0x0F5F PERFINFO_LOG_TYPE_PASSIVE_INTERRUPT  
0x0F60 PERFINFO_LOG_TYPE_WDF_INTERRUPT  
0x0F61 PERFINFO_LOG_TYPE_WDF_PASSIVE_INTERRUPT  
0x0F62 PERFINFO_LOG_TYPE_WDF_DPC  
0x0F63 PERFINFO_LOG_TYPE_CPU_CACHE_FLUSH  
0x0F64 PERFINFO_LOG_TYPE_DPC_ENQUEUE  
0x0F65 PERFINFO_LOG_TYPE_DPC_EXECUTION  
0x0F66 PERFINFO_LOG_TYPE_INTERRUPT_STEERING  
0x0F67 PERFINFO_LOG_TYPE_WDF_WORK_ITEM  
0x0F68 PERFINFO_LOG_TYPE_KTIMER2_SET  
0x0F69 PERFINFO_LOG_TYPE_KTIMER2_EXPIRATION  
0x0F6A PERFINFO_LOG_TYPE_KTIMER2_CANCEL  
0x0F6B PERFINFO_LOG_TYPE_KTIMER2_DISABLE  
0x0F6C PERFINFO_LOG_TYPE_KTIMER2_FINALIZATION  
0x0F6D PERFINFO_LOG_TYPE_SHOULD_YIELD_PROCESSOR  
0x0F80 PERFINFO_LOG_TYPE_FUNCTION_CALL  
0x0F81 PERFINFO_LOG_TYPE_FUNCTION_RETURN  
0x0F82 PERFINFO_LOG_TYPE_FUNCTION_ENTER  
0x0F83 PERFINFO_LOG_TYPE_FUNCTION_EXIT  
0x0F84 PERFINFO_LOG_TYPE_TAILCALL  
0x0F85 PERFINFO_LOG_TYPE_TRAP  
0x0F86 PERFINFO_LOG_TYPE_SPINLOCK_ACQUIRE  
0x0F87 PERFINFO_LOG_TYPE_SPINLOCK_RELEASE  
0x0F88 PERFINFO_LOG_TYPE_CAP_COMMENT  
0x0F89 PERFINFO_LOG_TYPE_CAP_RUNDOWN  

Heap

Value Name
0x1020 PERFINFO_LOG_TYPE_HEAP_CREATE
0x1021 PERFINFO_LOG_TYPE_HEAP_ALLOC
0x1022 PERFINFO_LOG_TYPE_HEAP_REALLOC
0x1023 PERFINFO_LOG_TYPE_HEAP_DESTROY
0x1024 PERFINFO_LOG_TYPE_HEAP_FREE
0x1025 PERFINFO_LOG_TYPE_HEAP_EXTEND
0x1026 PERFINFO_LOG_TYPE_HEAP_SNAPSHOT
0x1027 PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT
0x1028 PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT
0x1029 PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT
0x102A PERFINFO_LOG_TYPE_HEAP_CONTRACT
0x102B PERFINFO_LOG_TYPE_HEAP_LOCK
0x102C PERFINFO_LOG_TYPE_HEAP_UNLOCK
0x102D PERFINFO_LOG_TYPE_HEAP_VALIDATE
0x102E PERFINFO_LOG_TYPE_HEAP_WALK
0x102F PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC
0x1030 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE
0x1031 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC_CACHE
0x1032 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE_CACHE
0x1033 PERFINFO_LOG_TYPE_HEAP_COMMIT
0x1034 PERFINFO_LOG_TYPE_HEAP_DECOMMIT
0x1035 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_INIT
0x1036 PERFINFO_LOG_TYPE_HEAP_AFFINITY_ENABLE
0x1038 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ACTIVATED
0x1039 PERFINFO_LOG_TYPE_HEAP_AFFINITY_ASSIGN
0x103A PERFINFO_LOG_TYPE_HEAP_REUSE_THRESHOLD_ACTIVATED

Object

Value Name
0x1120 PERFINFO_LOG_TYPE_CREATE_HANDLE
0x1121 PERFINFO_LOG_TYPE_CLOSE_HANDLE
0x1122 PERFINFO_LOG_TYPE_DUPLICATE_HANDLE
0x1124 PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_START
0x1125 PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_END
0x1126 PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_START
0x1127 PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_END
0x1130 PERFINFO_LOG_TYPE_CREATE_OBJECT
0x1131 PERFINFO_LOG_TYPE_DELETE_OBJECT
0x1132 PERFINFO_LOG_TYPE_REFERENCE_OBJECT
0x1133 PERFINFO_LOG_TYPE_DEREFERENCE_OBJECT

Power

Value Name
0x1220 PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO
0x1221 PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE
0x1222 PERFINFO_LOG_TYPE_SET_POWER_ACTION
0x1223 PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET
0x1224 PERFINFO_LOG_TYPE_SET_DEVICES_STATE
0x1225 PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET
0x1226 PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE
0x1227 PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE
0x1228 PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT
0x1229 PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET
0x1230 PERFINFO_LOG_TYPE_PO_PRESLEEP
0x1231 PERFINFO_LOG_TYPE_PO_POSTSLEEP
0x1232 PERFINFO_LOG_TYPE_PO_CALIBRATED_PERFCOUNTER
0x1233 PERFINFO_LOG_TYPE_PPM_PERF_STATE_CHANGE
0x1234 PERFINFO_LOG_TYPE_PPM_THROTTLE_STATE_CHANGE
0x1235 PERFINFO_LOG_TYPE_PPM_IDLE_STATE_CHANGE
0x1236 PERFINFO_LOG_TYPE_PPM_THERMAL_CONSTRAINT
0x1237 PERFINFO_LOG_TYPE_PO_SIGNAL_RESUME_UI
0x1238 PERFINFO_LOG_TYPE_PO_SIGNAL_VIDEO_ON
0x1239 PERFINFO_LOG_TYPE_PPM_IDLE_STATE_ENTER
0x123A PERFINFO_LOG_TYPE_PPM_IDLE_STATE_EXIT
0x123B PERFINFO_LOG_TYPE_PPM_PLATFORM_IDLE_STATE_ENTER
0x123C PERFINFO_LOG_TYPE_PPM_IDLE_EXIT_LATENCY
0x123D PERFINFO_LOG_TYPE_PPM_IDLE_PROCESSOR_SELECTION
0x123E PERFINFO_LOG_TYPE_PPM_IDLE_PLATFORM_SELECTION
0x123F PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_ENTER
0x1240 PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_EXIT

Module

Value Name
0x1318 PERFINFO_LOG_TYPE_COWHEADER
0x1319 PERFINFO_LOG_TYPE_COWBLOB
0x131A PERFINFO_LOG_TYPE_COWBLOB_CLOSED
0x1320 PERFINFO_LOG_TYPE_MODULEBOUND_ENT
0x1321 PERFINFO_LOG_TYPE_MODULEBOUND_JUMP
0x1322 PERFINFO_LOG_TYPE_MODULEBOUND_RET
0x1323 PERFINFO_LOG_TYPE_MODULEBOUND_CALL
0x1324 PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET
0x1325 PERFINFO_LOG_TYPE_MODULEBOUND_INT2E
0x1326 PERFINFO_LOG_TYPE_MODULEBOUND_INT2B
0x1327 PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE

Image

Value Name
0x1401 WMI_LOG_TYPE_IMAGE_LOAD
0x1402 WMI_LOG_TYPE_IMAGE_UNLOAD
0x1403 WMI_LOG_TYPE_IMAGE_DC_START
0x1404 WMI_LOG_TYPE_IMAGE_DC_END
0x1420 WMI_LOG_TYPE_IMAGE_RELOCATION
0x1421 WMI_LOG_TYPE_IMAGE_KERNEL_BASE
0x1422 WMI_LOG_TYPE_IMAGE_HYPERCALL_PAGE
0x1480 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_ATTEMPT
0x1481 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_SUCCESS
0x1482 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_FAIL
0x1483 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_WAIT
0x1484 PERFINFO_LOG_TYPE_LDR_PROC_INIT_DONE
0x1485 PERFINFO_LOG_TYPE_LDR_CREATE_SECTION
0x1486 PERFINFO_LOG_TYPE_LDR_SECTION_CREATED
0x1487 PERFINFO_LOG_TYPE_LDR_MAP_VIEW
0x1490 PERFINFO_LOG_TYPE_LDR_RELOCATE_IMAGE
0x1491 PERFINFO_LOG_TYPE_LDR_IMAGE_RELOCATED
0x1492 PERFINFO_LOG_TYPE_LDR_HANDLE_OLD_DESCRIPTORS
0x1493 PERFINFO_LOG_TYPE_LDR_OLD_DESCRIPTORS_HANDLED
0x1494 PERFINFO_LOG_TYPE_LDR_HANDLE_NEW_DESCRIPTORS
0x1495 PERFINFO_LOG_TYPE_LDR_NEW_DESCRIPTORS_HANDLED
0x1496 PERFINFO_LOG_TYPE_LDR_DLLMAIN_EXIT
0x14A0 PERFINFO_LOG_TYPE_LDR_FIND_DLL
0x14A1 PERFINFO_LOG_TYPE_LDR_VIEW_MAPPED
0x14A2 PERFINFO_LOG_TYPE_LDR_LOCK_RELEASE
0x14A3 PERFINFO_LOG_TYPE_LDR_DLLMAIN_ENTER
0x14A4 PERFINFO_LOG_TYPE_LDR_ERROR
0x14A5 PERFINFO_LOG_TYPE_LDR_VIEW_MAPPING
0x14A6 PERFINFO_LOG_TYPE_LDR_SNAPPING
0x14A7 PERFINFO_LOG_TYPE_LDR_SNAPPED
0x14A8 PERFINFO_LOG_TYPE_LDR_LOADING
0x14A9 PERFINFO_LOG_TYPE_LDR_LOADED
0x14AA PERFINFO_LOG_TYPE_LDR_FOUND_KNOWN_DLL
0x14AB PERFINFO_LOG_TYPE_LDR_ABNORMAL
0x14AC PERFINFO_LOG_TYPE_LDR_PLACEHOLDER
0x14AD PERFINFO_LOG_TYPE_LDR_RDY_TO_INIT
0x14AE PERFINFO_LOG_TYPE_LDR_RDY_TO_RUN
0x14B0 PERFINFO_LOG_TYPE_LDR_NEW_DLL_LOAD
0x14B1 PERFINFO_LOG_TYPE_LDR_NEW_DLL_AS_DATA
0x14C0 PERFINFO_LOG_TYPE_LDR_EXTERNAL_PATH
0x14C1 PERFINFO_LOG_TYPE_LDR_GENERATED_PATH
0x14D0 PERFINFO_LOG_TYPE_LDR_APISET_RESOLVING
0x14D1 PERFINFO_LOG_TYPE_LDR_APISET_HOSTED
0x14D2 PERFINFO_LOG_TYPE_LDR_APISET_UNHOSTED
0x14D3 PERFINFO_LOG_TYPE_LDR_APISET_UNRESOLVED
0x14D4 PERFINFO_LOG_TYPE_LDR_SEARCH_SECURITY
0x14D5 PERFINFO_LOG_TYPE_LDR_SEARCH_PATH_SECURITY

Cache Control

Value Name
0x1600 PERFINFO_LOG_TYPE_CC_WORKITEM_ENQUEUE
0x1601 PERFINFO_LOG_TYPE_CC_WORKITEM_DEQUEUE
0x1602 PERFINFO_LOG_TYPE_CC_WORKITEM_COMPLETE
0x1603 PERFINFO_LOG_TYPE_CC_READ_AHEAD
0x1604 PERFINFO_LOG_TYPE_CC_WRITE_BEHIND
0x1605 PERFINFO_LOG_TYPE_CC_LAZY_WRITE_SCAN
0x1606 PERFINFO_LOG_TYPE_CC_CAN_I_WRITE_FAIL
0x1609 PERFINFO_LOG_TYPE_CC_FLUSH_CACHE
0x160A PERFINFO_LOG_TYPE_CC_FLUSH_SECTION
0x160B PERFINFO_LOG_TYPE_CC_READ_AHEAD_PREFETCH
0x160C PERFINFO_LOG_TYPE_CC_SCHEDULE_READ_AHEAD
0x160D PERFINFO_LOG_TYPE_CC_LOGGED_STREAM_INFO
0x160E PERFINFO_LOG_TYPE_CC_EXTRA_WRITEBEHIND_THREAD

Critical Section

Value Name
0x1720 PERFINFO_LOG_TYPE_CRITSEC_ENTER
0x1721 PERFINFO_LOG_TYPE_CRITSEC_LEAVE
0x1722 PERFINFO_LOG_TYPE_CRITSEC_COLLISION
0x1723 PERFINFO_LOG_TYPE_CRITSEC_INITIALIZE

Stack Walking

Value Name
0x1820 PERFINFO_LOG_TYPE_STACKWALK
0x1822 PERFINFO_LOG_TYPE_STACKTRACE_CREATE
0x1823 PERFINFO_LOG_TYPE_STACKTRACE_DELETE
0x1824 PERFINFO_LOG_TYPE_STACKTRACE_RUNDOWN
0x1825 PERFINFO_LOG_TYPE_STACKTRACE_KEY_KERNEL
0x1826 PERFINFO_LOG_TYPE_STACKTRACE_KEY_USER

UMS

Value Name
0x1920 PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_START
0x1921 PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_END
0x1922 PERFINFO_LOG_TYPE_UMS_PARK
0x1923 PERFINFO_LOG_TYPE_UMS_DISASSOCIATE
0x1924 PERFINFO_LOG_TYPE_UMS_CONTEXT_SWITCH

ALPC

Value Name
0x1A21 WMI_LOG_TYPE_ALPC_SEND_MESSAGE
0x1A22 WMI_LOG_TYPE_ALPC_RECEIVE_MESSAGE
0x1A23 WMI_LOG_TYPE_ALPC_WAIT_FOR_REPLY
0x1A24 WMI_LOG_TYPE_ALPC_WAIT_FOR_NEW_MESSAGE
0x1A25 WMI_LOG_TYPE_ALPC_UNWAIT
0x1A26 WMI_LOG_TYPE_ALPC_CONNECT_REQUEST
0x1A27 WMI_LOG_TYPE_ALPC_CONNECT_SUCCESS
0x1A28 WMI_LOG_TYPE_ALPC_CONNECT_FAIL
0x1A29 WMI_LOG_TYPE_ALPC_CLOSE_PORT

Split I/O

Value Name
0x1B20 PERFINFO_LOG_TYPE_SPLITIO_VOLMGR

Thread Pool

Value Name
0x1C20 PERFINFO_LOG_TYPE_TP_CALLBACK_ENQUEUE
0x1C21 PERFINFO_LOG_TYPE_TP_CALLBACK_DEQUEUE
0x1C22 PERFINFO_LOG_TYPE_TP_CALLBACK_START
0x1C23 PERFINFO_LOG_TYPE_TP_CALLBACK_STOP
0x1C24 PERFINFO_LOG_TYPE_TP_CALLBACK_CANCEL
0x1C25 PERFINFO_LOG_TYPE_TP_POOL_CREATE
0x1C26 PERFINFO_LOG_TYPE_TP_POOL_CLOSE
0x1C27 PERFINFO_LOG_TYPE_TP_POOL_TH_MIN_SET
0x1C28 PERFINFO_LOG_TYPE_TP_POOL_TH_MAX_SET
0x1C29 PERFINFO_LOG_TYPE_TP_WORKER_NUMANODE_SWITCH
0x1C2A PERFINFO_LOG_TYPE_TP_TIMER_SET
0x1C2B PERFINFO_LOG_TYPE_TP_TIMER_CANCELLED
0x1C2C PERFINFO_LOG_TYPE_TP_TIMER_SET_NTTIMER
0x1C2D PERFINFO_LOG_TYPE_TP_TIMER_CANCEL_NTTIMER
0x1C2E PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_BEGIN
0x1C2F PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_END
0x1C30 PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION