Hook IDs For NT Kernel Logger Events

Events that are delivered to the NT Kernel Logger get logged to trace buffers, as do any other. While there, they begin with either a PERFINFO_TRACE_HEADER or a SYSTEM_TRACE_HEADER in either its full or compact form. If the event tracing session is configured to flush to an Event Trace Log (ETL) file, the events can be seen raw, with these headers, because the events are not yet translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer.

As the events go into the trace buffers, the analogue of an event ID as a unique numerical value for each type of event is the 16-bit HookId, at offset 0x06 in the trace header. This HookId is itself formed in two parts, specifically a Group and Type as the high and low bytes, respectively, such that similar types of events are conveniently managed in groups.

By the way, this convenience is not immediate for interpreting an ETL file from an NT Kernel Logger session using the ordinary Microsoft tools for perusing logged events. Though the Event Viewer will load an ETL file from an NT Kernel Logger session and the WEVTUTIL command-line tool will process one, the presentation is arguably anything but helpful. Though the HookId uniquely identifies each type of event, it does not show as the Event ID. Instead, when an event that has a HookId is translated to an EVENT_RECORD or EVENT_TRACE for presentation to an event consumer, the high byte, i.e., the Group, is translated to a GUID to show as the ProviderId and the low byte, i.e., the Type, becomes the Opcode in the EventDescriptor. It’s obvious once you think about it!

The intended bare-bones way to interpret ETL files from an NT Kernel Logger session is with the Tracefmt and TraceView tools from the Windows Driver Kit (WDK), whose interpretation of the event-specific data is aided by a text file named SYSTEM.TMF that tells how to format the data for some few of the possible events, or with higher-level tools—at least in principle written by anyone—that learn the formatting from Managed Object Format (MOF) data that is compiled into the WMI repository. The types of events that can be sent to the NT Kernel Logger are not just few and are not even mere dozens, such as might be expected from perusal of SYSTEM.TMF or of Microsoft’s documentation of event data “simplified from MOF code” for the MSNT_SystemTrace class. Instead, they are truly numerous, nowadays running to more than five hundred, the overwhelming majority of which look to be safe from being developed into third-party tools.

More elaborate tools than Tracefmt and TraceView have been available for years now, with analysis and graphical presentation and with approving reviews of the power and sophistication that Microsoft has brought to performance analysis not just of Windows programs and drivers but of Windows itself. But given how much of this power comes from keeping large tracts of relevant material undocumented, is it too cynical to suggest that of all the work that Microsoft has been putting into improved performance monitoring of Windows, a good proportion has been directed at ensuring that no market develops for tools other than what Microsoft provides?

Groups

In the following table, the HookId values that start each group are named from the NTWMI.H that Microsoft published in the 1511 edition of the Enterprise WDK for Windows 10, and the corresponding GUID and its symbolic name are from symbol files for the SECHOST.DLL from the original release of Windows 10. (This DLL implements the ProcessTrace function which translates the events into the standard presentation for event consumers.) Some of the GUIDs, though not their correspondence to the high byte of a HookID, are anyway defined in readily available headers, notably EVNTRACE.H and WMIGUID.H. Some, whether defined in a header or not, are even documented (as NT Kernel Logger Constants). Inevitably, some are not known at all in Microsoft’s documentation or headers.

Value Name GUID Value GUID Name
0x0000 EVENT_TRACE_GROUP_HEADER {68FDD900-4A3E-11D1-84F4-0000F80464E3} EventTraceGuid
0x0100 EVENT_TRACE_GROUP_IO {3D6FA8D4-FE05-11D0-9DDA-00C04FD7BA7C} DiskIoGuid
0x0200 EVENT_TRACE_GROUP_MEMORY {3D6FA8D3-FE05-11D0-9DDA-00C04FD7BA7C} PageFaultGuid
0x0300 EVENT_TRACE_GROUP_PROCESS {3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C} ProcessGuid
0x0400 EVENT_TRACE_GROUP_FILE {90CBDC39-4A3E-11D1-84F4-0000F80464E3} FileIoGuid
0x0500 EVENT_TRACE_GROUP_THREAD {3D6FA8D1-FE05-11D0-9DDA-00C04FD7BA7C} ThreadGuid
0x0600 EVENT_TRACE_GROUP_TCPIP {9A280AC0-C8E0-11D1-84E2-00C04FB998A2} TcpIpGuid
0x0700 EVENT_TRACE_GROUP_JOB {3282FC76-FEED-498E-8AA7-E70F459D430E } JobGuid
0x0800 EVENT_TRACE_GROUP_UDPIP {BF3A50C5-A9C9-4988-A005-2DF0B7C80F80} UdpIpGuid
0x0900 EVENT_TRACE_GROUP_REGISTRY {AE53722E-C863-11D2-8659-00C04FA321A1} RegistryGuid
0x0A00 EVENT_TRACE_GROUP_DBGPRINT {13976D09-A327-438C-950B-7F03192815C7} DbgPrintGuid
0x0B00 EVENT_TRACE_GROUP_CONFIG {01853A65-418F-4F36-AEFC-DC0F1D2FD235} EventTraceConfigGuid
0x0C00 EVENT_TRACE_GROUP_SPARE1 {99134383-5248-43FC-834B-529454E75DF3} EventTraceSpare1
0x0D00 EVENT_TRACE_GROUP_WNF {42695762-EA50-497A-9068-5CBBB35E0B95} WnfGuid
0x0E00 EVENT_TRACE_GROUP_POOL {0268A8B6-74FD-4302-9DD0-6E8F1795C0CF} PoolGuid
0x0F00 EVENT_TRACE_GROUP_PERFINFO {CE1DBFB4-137E-4DA6-87B0-3F59AA102CBC} PerfInfoGuid
0x1000 EVENT_TRACE_GROUP_HEAP {222962AB-6180-4B88-A825-346B75F2A24A} HeapGuid
0x1100 EVENT_TRACE_GROUP_OBJECT {89497F50-EFFE-4440-8CF2-CE6B1CDCACA7} ObjectGuid
0x1200 EVENT_TRACE_GROUP_POWER {E43445E0-0903-48C3-B878-FF0FCCEBDD04} PowerGuid
0x1300 EVENT_TRACE_GROUP_MODBOUND {A9152F00-3F58-4BEE-92A1-70C7D079D5DD} ModBoundGuid
0x1400 EVENT_TRACE_GROUP_IMAGE {2CB15D1D-5FC1-11D2-ABE1-00A0C911F518} ImageLoadGuid
0x1500 EVENT_TRACE_GROUP_DPC {B2D14872-7C5B-463D-8419-EE9BF7D23E04} DpcGuid
0x1600 EVENT_TRACE_GROUP_CC {7687A439-F752-45B8-B741-321AEC0F8DF9} CcGuid
0x1700 EVENT_TRACE_GROUP_CRITSEC {3AC66736-CC59-4CFF-8115-8DF50E39816B} CritSecGuid
0x1800 EVENT_TRACE_GROUP_STACKWALK {DEF2FE46-7BD6-4B80-BD94-F57FE20D0CE3} StackWalkGuid
0x1900 EVENT_TRACE_GROUP_UMS {9AEC974B-5B8E-4118-9B92-3186D8002CE5} UmsEventGuid
0x1A00 EVENT_TRACE_GROUP_ALPC {45D8CCCD-539F-4B72-A8B7-5C683142609A} ALPCGuid
0x1B00 EVENT_TRACE_GROUP_SPLITIO {D837CA92-12B9-44A5-AD6A-3A65B3578AA8} SplitIoGuid
0x1C00 EVENT_TRACE_GROUP_THREAD_POOL {C861D0E2-A2C1-4D36-9F9C-970BAB943A12} ThreadPoolGuid
0x1D00 EVENT_TRACE_GROUP_HYPERVISOR {7F2A405C-69B5-4BF9-A1F5-30E8F1AFAB5E} HypervisorTraceGuid
0x1E00 EVENT_TRACE_GROUP_HYPERVISORX {2CE9A149-EFFE-42F0-A635-A1D39E26C8F2} HypervisorXTraceGuid

There is at best a loose association of these groups with the PERFINFO_GROUPMASK that is the modern elaboration of the EnableFlags of the EVENT_TRACE_PROPERTIES structure as passed through such API function as StartTrace and ControlTrace. It is mostly true that an event with a given HookId can get logged only if a particular bit or combination of bits is set in the group mask, but there seems to be no formal correspondence between the Group and the bit. Unless one is discovered, inferring an informal one might usefully be on someone’s to-do list.

Types

Though Microsoft leaves formal definition of the groups to a semi-secret header, some values of the Type, i.e., the low byte of each hook ID, are defined in the readily available EVNTRACE.H. The first ten types appear to have been intended from the start as generic:

Value Name Versions
0x00 EVENT_TRACE_TYPE_INFO 5.0 and higher
0x01 EVENT_TRACE_TYPE_START 5.0 and higher
0x02 EVENT_TRACE_TYPE_END 5.0 and higher
EVENT_TRACE_TYPE_STOP 6.0 and higher
0x03 EVENT_TRACE_TYPE_DC_START 5.0 and higher
0x04 EVENT_TRACE_TYPE_DC_END 5.0 and higher
0x05 EVENT_TRACE_TYPE_EXTENSION 5.0 and higher
0x06 EVENT_TRACE_TYPE_REPLY 5.0 and higher
0x07 EVENT_TRACE_TYPE_DEQUEUE 5.0 and higher
EVENT_TRACE_TYPE_RESUME 6.0 and higher
0x08 EVENT_TRACE_TYPE_CHECKPOINT 5.0 and higher
EVENT_TRACE_TYPE_SUSPEND 6.0 and higher
0x09 EVENT_TRACE_TYPE_RESERVED9 5.0 to 5.2
EVENT_TRACE_TYPE_WINEVT_SEND 6.0 and higher
0xF0 EVENT_TRACE_TYPE_WINEVT_RECEIVE 6.0 and higher

Some got aliases for Windows Vista, which also added a generic type at the high end. Types from 0x0A and up (but not even nearly as far as 0xF0) are assigned differently in different groups. EVNTRACE.H has always given Microsoft’s names for a handful.

Events

As for the hundreds of possible types of event, i.e., values of HookId or combinations of Group and Type (or ProviderId and Opcode), a complete list would require an exhaustive search through the code of all modules that might log to an NT Kernel Logger session—which means not just the kernel, and not just modules in kernel mode, but at least NTDLL, ADVAPI32 and SECHOST in user mode too. Without such a search, the best that’s known to be available are macro definitions in Microsoft’s semi-secret NTWMI.H (whose only known public disclosure by Microsoft is that one edition of the WDK).

Of course, that a header from Microsoft defines a macro for an event, and even a structure for the event data, doesn’t mean that the event actually can ever be sent. Not only may the definition remain from an old version or anticipate a future version, but with these events, and the high volume they might be generated in, it would not surprise to find that some are intended only for debug releases or only for internal testing. However they’re known, they’re collected below for easy reckoning in order of increasing HookId. Eventually, each event might be shown with such detail as where the event can originate, which group mask is required, which header is used, what data follows the header, and even which versions the event can occur in. (But, really, how is this not someone’s paid work? How is it not documented by Microsoft so that paid work can be directed at developing superior tools for performance analysis rather than rediscovering what Microsoft has already exposed for its own tools?)

Please note a general caution about versions that are indicated for any of these events. This study is preliminary and episodic at best. That a version is indicated does mean that use is known in those versions. It does not mean that earlier versions have no support, just that I don’t know of it or that I haven’t yet recorded it here. It’s a rough indication only. If it ever seems that presenting it is not better than nothing, it will be withdrawn.

Event Tracing

The first group is of events that have to do with the general business of logging events. Indeed, the event numbered 0x0000 is not even specific to the NT Kernel Logger but is the first in every ETL file, whatever the trace session.

Value Name Event Data Versions
0x0000 WMI_LOG_TYPE_HEADER TRACE_LOGFILE_HEADER
and two null-terminated Unicode strings
5.0 and higher
0x0005 WMI_LOG_TYPE_HEADER_EXTENSION ETW_KERNEL_HEADER_EXTENSION 5.2 and higher
0x0008 WMI_LOG_TYPE_RUNDOWN_COMPLETE    
0x000A type alone as EVENT_TRACE_TYPE_GUIDMAP   type defined for 5.0 and higher
0x000B type alone as EVENT_TRACE_TYPE_CONFIG   type defined for 5.0 and higher
0x000C type alone as EVENT_TRACE_TYPE_SIDINFO   type defined for 5.0 and higher
0x000D type alone as EVENT_TRACE_TYPE_SECURITY   type defined for 5.0 and higher
0x0020 WMI_LOG_TYPE_GROUP_MASKS_END ETW_KERNEL_HEADER_EXTENSION 6.0 and higher
0x0030 WMI_LOG_TYPE_RUNDOWN_BEGIN    
0x0031 WMI_LOG_TYPE_RUNDOWN_END    
0x0040 WMI_LOG_TYPE_DBGID_RSDS;
type alone as EVENT_TRACE_TYPE_DBGID_RSDS
  6.2 and higher
0x0041 WMI_LOG_TYPE_DBGID_NB10    
0x0042 WMI_LOG_TYPE_BUILD_LAB   6.2 and higher
0x0043 WMI_LOG_TYPE_BINARY_PATH   6.2 and higher

Disk I/O

Value Name Versions
0x010A WMI_LOG_TYPE_IO_READ;
type alone as EVENT_TRACE_TYPE_IO_READ
5.0 and higher
0x010B WMI_LOG_TYPE_IO_WRITE;
type alone as EVENT_TRACE_TYPE_IO_WRITE
5.0 and higher
0x010C WMI_LOG_TYPE_IO_READ_INIT;
type alone as EVENT_TRACE_TYPE_IO_READ_INIT
type defined for 6.0 and higher
0x010D WMI_LOG_TYPE_IO_WRITE_INIT;
type alone as EVENT_TRACE_TYPE_IO_WRITE_INIT
type defined for 6.0 and higher
0x010E WMI_LOG_TYPE_IO_FLUSH;
type alone as EVENT_TRACE_TYPE_IO_FLUSH
type defined for 6.0 and higher
0x010F WMI_LOG_TYPE_IO_FLUSH_INIT;
type alone as EVENT_TRACE_TYPE_IO_FLUSH_INIT
type defined for 6.0 and higher
0x0110 WMI_LOG_TYPE_IO_REDIRECTED_INIT;
type alone as EVENT_TRACE_TYPE_IO_REDIRECTED_INIT
type defined for 6.3 and higher
0x0120 PERFINFO_LOG_TYPE_DRIVER_INIT  
0x0121 PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE  
0x0122 PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL 5.1 and higher
0x0123 PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN 5.1 and higher
0x0124 PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL  
0x0125 PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN 6.0 and higher
0x0126 PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL  
0x0127 PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN  
0x0128 PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL  
0x0129 PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN  
0x0130 PERFINFO_LOG_TYPE_PREFETCH_ACTION  
0x0131 PERFINFO_LOG_TYPE_PREFETCH_REQUEST  
0x0132 PERFINFO_LOG_TYPE_PREFETCH_READLIST  
0x0133 PERFINFO_LOG_TYPE_PREFETCH_READ  
0x0134 PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST 5.1 and higher
0x0135 PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN 5.1 and higher
0x0136 PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION 5.1 and higher
0x0137 PERFINFO_LOG_TYPE_OPTICAL_IO_READ;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_READ
6.2 and higher
0x0138 PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_WRITE
6.2 and higher
0x0139 PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH
6.2 and higher
0x013A PERFINFO_LOG_TYPE_OPTICAL_IO_READ_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_READ_INIT
6.2 and higher
0x013B PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_WRITE_INIT
6.2 and higher
0x013C PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH_INIT;
type alone as EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH_INIT
6.2 and higher

Memory

Value Name Versions
0x020A WMI_LOG_TYPE_PAGE_FAULT_TRANSITION;
type alone as EVENT_TRACE_TYPE_MM_TF
5.0 and higher
0x020B WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO;
type alone as EVENT_TRACE_TYPE_MM_DZF
5.0 and higher
0x020C WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE;
type alone as EVENT_TRACE_TYPE_MM_COW
5.0 and higher
0x020D WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE;
type alone as EVENT_TRACE_TYPE_MM_GPF
5.0 and higher
0x020E WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT;
type alone as EVENT_TRACE_TYPE_MM_HPF
5.0 and higher
0x020F WMI_LOG_TYPE_PAGE_FAULT_ACCESS_VIOLATION;
type alone as EVENT_TRACE_TYPE_MM_AV
6.0 and higher
0x0220 PERFINFO_LOG_TYPE_HARDFAULT 5.1 and higher
0x0221 PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR 5.1 and higher
0x0222 PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST 5.1 and higher
0x0223 PERFINFO_LOG_TYPE_PAGEINMEMORY 5.1 and higher
0x0224 PERFINFO_LOG_TYPE_INSERTINFREELIST 5.1 and higher
0x0225 PERFINFO_LOG_TYPE_INSERTINMODIFIEDLIST  
0x0226 PERFINFO_LOG_TYPE_INSERTINLIST  
0x0228 PERFINFO_LOG_TYPE_INSERTATFRONT  
0x0229 PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY  
0x022A PERFINFO_LOG_TYPE_UNLINKFFREEORZERO  
0x022B PERFINFO_LOG_TYPE_WORKINGSETMANAGER  
0x022C PERFINFO_LOG_TYPE_TRIMPROCESS  
0x022E PERFINFO_LOG_TYPE_ZEROSHARECOUNT 5.1 and higher
0x023C PERFINFO_LOG_TYPE_WSINFOPROCESS  
0x0245 PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP  
0x0246 PERFINFO_LOG_TYPE_TRIMSESSION  
0x0247 PERFINFO_LOG_TYPE_MEMORYSNAPLITE 5.1 and higher
0x0248 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_RUNDOWN  
0x0249 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_CREATE 6.0 and higher
0x024A PERFINFO_LOG_TYPE_WSINFOSESSION  
0x024B PERFINFO_LOG_TYPE_CREATE_SESSION 6.0 and higher
0x024C PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_END 6.0 and higher
0x024D PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_START 6.2 and higher
0x024E PERFINFO_LOG_TYPE_SESSION_DELETE 6.2 and higher
0x024F PERFINFO_LOG_TYPE_PFMAPPED_SECTION_DELETE 6.2 and higher
0x0262 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC 6.0 and higher
0x0263 PERFINFO_LOG_TYPE_VIRTUAL_FREE 6.0 and higher
0x0264 PERFINFO_LOG_TYPE_HEAP_RANGE_RUNDOWN  
0x0265 PERFINFO_LOG_TYPE_HEAP_RANGE_CREATE 6.2 and higher
0x0266 PERFINFO_LOG_TYPE_HEAP_RANGE_RESERVE 6.2 and higher
0x0267 PERFINFO_LOG_TYPE_HEAP_RANGE_RELEASE 6.2 and higher
0x0268 PERFINFO_LOG_TYPE_HEAP_RANGE_DESTROY 6.2 and higher
0x0269 PERFINFO_LOG_TYPE_PAGEFILE_BACK 6.0 and higher
0x0270 PERFINFO_LOG_TYPE_MEMINFO 6.0 and higher
0x0271 PERFINFO_LOG_TYPE_CONTMEM_GENERATE 6.0 and higher
0x0272 PERFINFO_LOG_TYPE_FILE_STORE_FAULT  
0x0273 PERFINFO_LOG_TYPE_INMEMORY_STORE_FAULT  
0x0274 PERFINFO_LOG_TYPE_COMPRESSED_PAGE 6.1 and higher
0x0275 PERFINFO_LOG_TYPE_PAGEINMEMORY_ACTIVE 6.2 and higher
0x0276 PERFINFO_LOG_TYPE_PAGE_ACCESS 6.2 and higher
0x0277 PERFINFO_LOG_TYPE_PAGE_RELEASE 6.2 and higher
0x0278 PERFINFO_LOG_TYPE_PAGE_RANGE_ACCESS 6.2 and higher
0x0279 PERFINFO_LOG_TYPE_PAGE_RANGE_RELEASE 6.2 and higher
0x027A PERFINFO_LOG_TYPE_PAGE_COMBINE 6.2 and higher
0x027B PERFINFO_LOG_TYPE_KERNEL_MEMUSAGE  
0x027C PERFINFO_LOG_TYPE_MM_STATS 6.2 and higher
0x027D PERFINFO_LOG_TYPE_MEMINFOEX_WS 6.2 and higher
0x027E PERFINFO_LOG_TYPE_MEMINFOEX_SESSIONWS 6.2 and higher
0x027F PERFINFO_LOG_TYPE_VIRTUAL_ROTATE 6.2 and higher
0x0280 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_START  
0x0281 PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_END  
0x0282 PERFINFO_LOG_TYPE_PAGE_ACCESS_EX 6.2 and higher
0x0283 PERFINFO_LOG_TYPE_REMOVEFROMWS 6.2 and higher
0x0284 PERFINFO_LOG_TYPE_WSSHAREABLE_RUNDOWN  
0x0285 PERFINFO_LOG_TYPE_INMEMORYACTIVE_RUNDOWN 6.2 and higher
0x0286 PERFINFO_LOG_TYPE_MEM_RESET_INFO  
0x0287 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_CREATE  
0x0288 PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_DELETE  

Process

Value Name Versions
0x0301 WMI_LOG_TYPE_PROCESS_CREATE 5.0 and higher
0x0302 WMI_LOG_TYPE_PROCESS_DELETE 5.0 and higher
0x0303 WMI_LOG_TYPE_PROCESS_DC_START 5.1 and higher
0x0304 WMI_LOG_TYPE_PROCESS_DC_END 6.0 and higher
0x030A WMI_LOG_TYPE_PROCESS_LOAD_IMAGE;
type alone as EVENT_TRACE_TYPE_LOAD
5.0 and higher
0x030B WMI_LOG_TYPE_PROCESS_TERMINATE ;
type alone as EVENT_TRACE_TYPE_TERMINATE
type defined for 6.3 and higher
0x0320 PERFINFO_LOG_TYPE_PROCESS_PERFCTR_END 6.0 and higher
0x0321 PERFINFO_LOG_TYPE_PROCESS_PERFCTR_RD 6.0 and higher
0x0323 PERFINFO_LOG_TYPE_INSWAPPROCESS 5.1 and higher
0x0324 PERFINFO_LOG_TYPE_PROCESS_FREEZE 6.2 and higher
0x0325 PERFINFO_LOG_TYPE_PROCESS_THAW 6.2 and higher
0x0326 PERFINFO_LOG_TYPE_BOOT_PHASE_START 5.1 and higher
0x0327 PERFINFO_LOG_TYPE_ZOMBIE_PROCESS 6.0 and higher
0x0328 PERFINFO_LOG_TYPE_PROCESS_SET_AFFINITY  
0x0330 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_USER 6.2 and higher
0x0331 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_EXECUTION 6.2 and higher
0x0332 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_KERNEL 6.2 and higher
0x0333 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_INSTRUMENTATION 6.2 and higher
0x0334 PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_PRESERVE_PROCESS  
0x0340 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_USER 6.2 and higher
0x0341 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_EXECUTION 6.2 and higher
0x0342 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_KERNEL 6.2 and higher
0x0343 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_INSTRUMENTATION 6.2 and higher
0x0344 PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_PRESERVE_PROCESS  
0x0350 PERFINFO_LOG_TYPE_WAKE_DROP_USER 6.2 and higher
0x0351 PERFINFO_LOG_TYPE_WAKE_DROP_EXECUTION 6.2 and higher
0x0352 PERFINFO_LOG_TYPE_WAKE_DROP_KERNEL 6.2 and higher
0x0353 PERFINFO_LOG_TYPE_WAKE_DROP_INSTRUMENTATION 6.2 and higher
0x0354 PERFINFO_LOG_TYPE_WAKE_DROP_PRESERVE_PROCESS  
0x0360 PERFINFO_LOG_TYPE_WAKE_EVENT_USER 6.2 and higher
0x0361 PERFINFO_LOG_TYPE_WAKE_EVENT_EXECUTION 6.2 and higher
0x0362 PERFINFO_LOG_TYPE_WAKE_EVENT_KERNEL 6.2 and higher
0x0363 PERFINFO_LOG_TYPE_WAKE_EVENT_INSTRUMENTATION 6.2 and higher
0x0364 PERFINFO_LOG_TYPE_WAKE_EVENT_PRESERVE_PROCESS  
0x0370 PERFINFO_LOG_TYPE_DEBUG_EVENT  

The WMI_LOG_TYPE_PROCESS_LOAD_IMAGE event gets special attention when SECHOST translates it for presentation to event consumers. Specifically, it gets reassigned to the group represented by ImageLoadGuid.

File

Value Name Versions
0x0400 PERFINFO_LOG_TYPE_FILENAME 5.0 and higher
0x0420 PERFINFO_LOG_TYPE_FILENAME_CREATE 5.1 and higher
0x0421 PERFINFO_LOG_TYPE_FILENAME_SAME  
0x0422 PERFINFO_LOG_TYPE_FILENAME_NULL  
0x0423 PERFINFO_LOG_TYPE_FILENAME_DELETE  
0x0424 PERFINFO_LOG_TYPE_FILENAME_RUNDOWN  
0x0425 PERFINFO_LOG_TYPE_MAPFILE 6.2 and higher
0x0426 PERFINFO_LOG_TYPE_UNMAPFILE 6.2 and higher
0x0427 PERFINFO_LOG_TYPE_MAPFILE_DC_START  
0x0428 PERFINFO_LOG_TYPE_MAPFILE_DC_END  
0x0440 PERFINFO_LOG_TYPE_FILE_IO_CREATE  
0x0441 PERFINFO_LOG_TYPE_FILE_IO_CLEANUP  
0x0442 PERFINFO_LOG_TYPE_FILE_IO_CLOSE  
0x0443 PERFINFO_LOG_TYPE_FILE_IO_READ  
0x0444 PERFINFO_LOG_TYPE_FILE_IO_WRITE  
0x0445 PERFINFO_LOG_TYPE_FILE_IO_SET_INFORMATION  
0x0446 PERFINFO_LOG_TYPE_FILE_IO_DELETE  
0x0447 PERFINFO_LOG_TYPE_FILE_IO_RENAME  
0x0448 PERFINFO_LOG_TYPE_FILE_IO_DIRENUM  
0x0449 PERFINFO_LOG_TYPE_FILE_IO_FLUSH  
0x044A PERFINFO_LOG_TYPE_FILE_IO_QUERY_INFORMATION  
0x044B PERFINFO_LOG_TYPE_FILE_IO_FS_CONTROL  
0x044C PERFINFO_LOG_TYPE_FILE_IO_OPERATION_END  
0x044D PERFINFO_LOG_TYPE_FILE_IO_DIRNOTIFY  
0x044E PERFINFO_LOG_TYPE_FILE_IO_CREATE_NEW  
0x044F PERFINFO_LOG_TYPE_FILE_IO_DELETE_PATH  
0x0450 PERFINFO_LOG_TYPE_FILE_IO_RENAME_PATH  
0x0451 PERFINFO_LOG_TYPE_FILE_IO_SETLINK_PATH  
0x0452 PERFINFO_LOG_TYPE_FILE_IO_SETLINK  
0x0460 PERFINFO_LOG_TYPE_FLT_PREOP_INIT;
type alone as EVENT_TRACE_TYPE_FLT_PREOP_INIT
type defined for 6.2 and higher
0x0461 PERFINFO_LOG_TYPE_FLT_POSTOP_INIT;
type alone as EVENT_TRACE_TYPE_FLT_POSTOP_INIT
type defined for 6.2 and higher
0x0462 PERFINFO_LOG_TYPE_FLT_PREOP_COMPLETION;
type alone as EVENT_TRACE_TYPE_FLT_PREOP_COMPLETION
type defined for 6.2 and higher
0x0463 PERFINFO_LOG_TYPE_FLT_POSTOP_COMPLETION;
type alone as EVENT_TRACE_TYPE_FLT_POSTOP_COMPLETION
type defined for 6.2 and higher
0x0464 PERFINFO_LOG_TYPE_FLT_PREOP_FAILURE;
type alone as EVENT_TRACE_TYPE_FLT_PREOP_FAILURE
type defined for 6.2 and higher
0x0465 PERFINFO_LOG_TYPE_FLT_POSTOP_FAILURE;
type alone as EVENT_TRACE_TYPE_FLT_POSTOP_FAILURE
type defined for 6.2 and higher

Thread

Value Name Event Data (After Trace Header) Versions
0x0501 WMI_LOG_TYPE_THREAD_CREATE WMI_EXTENDED_THREAD_INFORMATION 5.0 and higher
0x0502 WMI_LOG_TYPE_THREAD_DELETE WMI_EXTENDED_THREAD_INFORMATION 5.0 and higher
0x0503 WMI_LOG_TYPE_THREAD_DC_START WMI_EXTENDED_THREAD_INFORMATION 5.1 and higher
0x0504 WMI_LOG_TYPE_THREAD_DC_END WMI_EXTENDED_THREAD_INFORMATION 6.0 and higher
0x0523 convert to GUI thread   5.1 and higher
0x0524 PERFINFO_LOG_TYPE_CONTEXTSWAP WMI_CONTEXTSWAP 6.0 and higher
0x0525 PERFINFO_LOG_TYPE_CONTEXTSWAP_BATCH PERFINFO_CCSWAP_BUFFER
and sequence of related structures
6.0 and higher
0x0529 PERFINFO_LOG_TYPE_SPINLOCK WMI_SPINLOCK 6.2 and higher
0x052A PERFINFO_LOG_TYPE_QUEUE    
0x052B PERFINFO_LOG_TYPE_RESOURCE WMI_RESOURCE 6.1 and higher
0x052C PERFINFO_LOG_TYPE_PUSHLOCK    
0x052D PERFINFO_LOG_TYPE_WAIT_SINGLE    
0x052E PERFINFO_LOG_TYPE_WAIT_MULTIPLE    
0x052F PERFINFO_LOG_TYPE_DELAY_EXECUTION    
0x0530 PERFINFO_LOG_TYPE_THREAD_SET_PRIORITY ETW_PRIORITY_EVENT 6.0 and higher
0x0531 PERFINFO_LOT_TYPE_THREAD_SET_BASE_PRIORITY ETW_PRIORITY_EVENT 6.0 and higher
0x0532 PERFINFO_LOG_TYPE_READY_THREAD ETW_READY_THREAD_EVENT 6.0 and higher
0x0533 PERFINFO_LOG_TYPE_THREAD_SET_PAGE_PRIORITY ETW_PRIORITY_EVENT 6.1 and higher
0x0534 PERFINFO_LOG_TYPE_THREAD_SET_IO_PRIORITY ETW_PRIORITY_EVENT 6.1 and higher
0x0535 PERFINFO_LOG_TYPE_THREAD_SET_AFFINITY ETW_THREAD_AFFINITY_EVENT 6.1 and higher
0x0539 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM    
0x053A PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL   6.1 and higher
0x053B PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE   6.1 and higher
0x053C PERFINFO_LOG_TYPE_ANTI_STARVATION_BOOST ETW_ANTI_STARVATION_BOOST_EVENT 6.2 and higher
0x053D PERFINFO_LOG_TYPE_THREAD_MIGRATION   6.2 and higher
0x053E PERFINFO_LOG_TYPE_KQUEUE_ENQUEUE ETW_KQUEUE_ENQUEUE_EVENT 6.2 and higher
0x053F PERFINFO_LOG_TYPE_KQUEUE_DEQUEUE ETW_KQUEUE_DEQUEUE_EVENT
with sequence of pointers as Entries array
6.2 and higher
0x0540 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_START one pointer;
if structure then name unknown 
 
0x0541 PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END one pointer;
if structure, then name unknown
 
0x0542 PERFINFO_LOG_TYPE_AUTO_BOOST_SET_FLOOR ETW_AUTOBOOST_SET_PRIORITY_FLOOR_EVENT  
0x0543 PERFINFO_LOG_TYPE_AUTO_BOOST_CLEAR_FLOOR ETW_AUTOBOOST_CLEAR_PRIORITY_FLOOR_EVENT  
0x0544 PERFINFO_LOG_TYPE_AUTO_BOOST_NO_ENTRIES ETW_AUTOBOOST_NO_ENTRIES_EVENT  
0x0545 PERFINFO_LOG_TYPE_THREAD_SUBPROCESSTAG_CHANGED    

TCP/IP

Value Name Versions
0x060A WMI_LOG_TYPE_TCPIP_SEND;
type alone as EVENT_TRACE_TYPE_SEND
type defined for 5.0 and higher
0x060B WMI_LOG_TYPE_TCPIP_RECEIVE;
type alone as EVENT_TRACE_TYPE_RECEIVE
type defined for 5.0 and higher
0x060C WMI_LOG_TYPE_TCPIP_CONNECT;
type alone as EVENT_TRACE_TYPE_CONNECT
type defined for 5.0 and higher
0x060D WMI_LOG_TYPE_TCPIP_DISCONNECT;
type alone as EVENT_TRACE_TYPE_DISCONNECT
type defined for 5.0 and higher
0x060E WMI_LOG_TYPE_TCPIP_RETRANSMIT ;
type alone as EVENT_TRACE_TYPE_RETRANSMIT
type defined for 5.1 and higher
0x060F WMI_LOG_TYPE_TCPIP_ACCEPT;
type alone as EVENT_TRACE_TYPE_ACCEPT
type defined for 5.1 and higher
0x0610 WMI_LOG_TYPE_TCPIP_RECONNECT;
type alone as EVENT_TRACE_TYPE_RECONNECT
type defined for 5.1 and higher
0x0611 WMI_LOG_TYPE_TCPIP_FAIL;
type alone as EVENT_TRACE_TYPE_CONNFAIL
type defined for 5.2 and higher
0x0612 WMI_LOG_TYPE_TCPIP_TCPCOPY;
type alone as EVENT_TRACE_TYPE_COPY_TCP
type defined for 5.2 and higher
0x0613 WMI_LOG_TYPE_TCPIP_ARPCOPY;
type alone as EVENT_TRACE_TYPE_COPY_ARP
type defined for 5.2 and higher
0x0614 WMI_LOG_TYPE_TCPIP_FULLACK;
type alone as EVENT_TRACE_TYPE_ACKFULL
type defined for 5.2 and higher
0x0615 WMI_LOG_TYPE_TCPIP_PARTACK;
type alone as EVENT_TRACE_TYPE_ACKPART
type defined for 5.2 and higher
0x0616 WMI_LOG_TYPE_TCPIP_DUPACK;
type alone as EVENT_TRACE_TYPE_ACKDUP
type defined for 5.2 and higher
0x061A WMI_LOG_TYPE_TCPIP_SEND_IPV6  
0x061B WMI_LOG_TYPE_TCPIP_RECEIVE_IPV6  
0x061C WMI_LOG_TYPE_TCPIP_CONNECT_IPV6  
0x061D WMI_LOG_TYPE_TCPIP_DISCONNECT_IPV6  
0x061E WMI_LOG_TYPE_TCPIP_RETRANSMIT_IPV6  
0x061F WMI_LOG_TYPE_TCPIP_ACCEPT_IPV6  
0x0620 WMI_LOG_TYPE_TCPIP_RECONNECT_IPV6  
0x0621 WMI_LOG_TYPE_TCPIP_FAIL_IPV6  
0x0622 WMI_LOG_TYPE_TCPIP_TCPCOPY_IPV6  
0x0623 WMI_LOG_TYPE_TCPIP_ARPCOPY_IPV6  
0x0624 WMI_LOG_TYPE_TCPIP_FULLACK_IPV6  
0x0625 WMI_LOG_TYPE_TCPIP_PARTACK_IPV6  
0x0626 WMI_LOG_TYPE_TCPIP_DUPACK_IPV6  

Job

Value Name
0x0720 WMI_LOG_TYPE_JOB_CREATE
0x0721 WMI_LOG_TYPE_JOB_TERMINATE
0x0722 WMI_LOG_TYPE_JOB_OPEN
0x0723 WMI_LOG_TYPE_JOB_ASSIGN_PROCESS
0x0724 WMI_LOG_TYPE_JOB_REMOVE_PROCESS
0x0725 WMI_LOG_TYPE_JOB_SET
0x0726 WMI_LOG_TYPE_JOB_QUERY
0x0727 WMI_LOG_TYPE_JOB_SET_FAILED
0x0728 WMI_LOG_TYPE_JOB_QUERY_FAILED
0x0729 WMI_LOG_TYPE_JOB_SET_NOTIFICATION
0x072A WMI_LOG_TYPE_JOB_SEND_NOTIFICATION
0x072B WMI_LOG_TYPE_JOB_QUERY_VIOLATION
0x072C WMI_LOG_TYPE_JOB_SET_CPU_RATE
0x072D WMI_LOG_TYPE_JOB_SET_NET_RATE

UDP/IP

Value Name
0x080A WMI_LOG_TYPE_UDP_SEND
0x080B WMI_LOG_TYPE_UDP_RECEIVE
0x0811 WMI_LOG_TYPE_UDP_FAIL
0x081A WMI_LOG_TYPE_UDP_SEND_IPV6
0x081B WMI_LOG_TYPE_UDP_RECEIVE_IPV6

Registry

Value Name Versions
0x090A type alone as EVENT_TRACE_TYPE_REGCREATE 5.0 and higher
0x090B type alone as EVENT_TRACE_TYPE_REGOPEN 5.0 and higher
0x090C type alone as EVENT_TRACE_TYPE_REGDELETE 5.0 and higher
0x090D type alone as EVENT_TRACE_TYPE_REGQUERY 5.0 and higher
0x090E type alone as EVENT_TRACE_TYPE_REGSETVALUE 5.0 and higher
0x090F type alone as EVENT_TRACE_TYPE_REGDELETEVALUE 5.0 and higher
0x0910 type alone as EVENT_TRACE_TYPE_REGQUERYVALUE 5.0 and higher
0x0911 type alone as EVENT_TRACE_TYPE_REGENUMERATEKEY 5.0 and higher
0x0912 type alone as EVENT_TRACE_TYPE_REGENUMERATEVALUEKEY 5.0 and higher
0x0913 type alone as EVENT_TRACE_TYPE_REGQUERYMULTIPLEVALUE 5.0 and higher
0x0914 type alone as EVENT_TRACE_TYPE_REGSETINFORMATION 5.0 and higher
0x0915 type alone as EVENT_TRACE_TYPE_REGFLUSH 5.0 and higher
0x0916 type alone as EVENT_TRACE_TYPE_REGKCBDMP 5.1 to 5.2
type alone as EVENT_TRACE_TYPE_REGKCBCREATE 6.0 and higher
0x0917 type alone as EVENT_TRACE_TYPE_REGKCBDELETE 6.0 and higher
0x0918 WMI_LOG_TYPE_REG_RUNDOWNBEGIN;
type alone as EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN
type defined for 6.0 and higher
0x0919 WMI_LOG_TYPE_REG_RUNDOWNEND;
type alone as EVENT_TRACE_TYPE_REGKCBRUNDOWNEND
6.0 and higher
0x091A type alone as EVENT_TRACE_TYPE_REGVIRTUALIZE 6.0 and higher
0x091B type alone as EVENT_TRACE_TYPE_REGCLOSE type defined for 6.0 and higher
0x091C type alone as EVENT_TRACE_TYPE_REGSETSECURITY 6.1 and higher
0x091D type alone as EVENT_TRACE_TYPE_REGQUERYSECURITY 6.1 and higher
0x091E type alone as EVENT_TRACE_TYPE_REGCOMMIT 6.1 and higher
0x091F type alone as EVENT_TRACE_TYPE_REGPREPARE 6.1 and higher
0x0920 type alone as EVENT_TRACE_TYPE_REGROLLBACK 6.1
PERFINFO_LOG_TYPE_CMCELLREFERRED  
0x0921 type alone as EVENT_TRACE_TYPE_REGMOUNTHIVE 6.1
PERFINFO_LOG_TYPE_REG_SET_VALUE  
0x0922 PERFINFO_LOG_TYPE_REG_COUNTERS 6.0 and higher
0x0923 PERFINFO_LOG_TYPE_REG_CONFIG 6.1 and higher
0x0924 PERFINFO_LOG_TYPE_REG_HIVE_INITIALIZE 6.2 and higher
0x0925 PERFINFO_LOG_TYPE_REG_HIVE_DESTROY 6.2 and higher
0x0926 PERFINFO_LOG_TYPE_REG_HIVE_LINK 6.2 and higher
0x0927 PERFINFO_LOG_TYPE_REG_HIVE_RUNDOWN_DC_END 6.2 and higher
0x0928 PERFINFO_LOG_TYPE_REG_HIVE_DIRTY 6.2 and higher
0x0930 PERFINFO_LOG_TYPE_REG_NOTIF_REGISTER 6.2 and higher
0x0931 PERFINFO_LOG_TYPE_REG_NOTIF_DELIVER  

Debug

Value Name Versions
0x0A20 PERFINFO_LOG_TYPE_DEBUG_PRINT 6.2 and higher

Configuration

Value Name Versions
0x0B0A WMI_LOG_TYPE_CONFIG_CPU;
type alone as EVENT_TRACE_TYPE_CONFIG_CPU
type defined for 5.1 and higher
0x0B0B WMI_LOG_TYPE_CONFIG_PHYSICALDISK;
type alone as EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK
type defined for 5.1 and higher
0x0B0C WMI_LOG_TYPE_CONFIG_LOGICALDISK;
type alone as EVENT_TRACE_TYPE_CONFIG_LOGICALDISK
type defined for 5.1 and higher
0x0B0D WMI_LOG_TYPE_CONFIG_NIC;
type alone as EVENT_TRACE_TYPE_CONFIG_NIC
type defined for 5.1 and higher
0x0B0E WMI_LOG_TYPE_CONFIG_VIDEO;
type alone as EVENT_TRACE_TYPE_CONFIG_VIDEO
type defined for 5.1 and higher
0x0B0F WMI_LOG_TYPE_CONFIG_SERVICES;
type alone as EVENT_TRACE_TYPE_CONFIG_SERVICES
type defined for 5.1 and higher
0x0B10 WMI_LOG_TYPE_CONFIG_POWER;
type alone as EVENT_TRACE_TYPE_CONFIG_POWER
type defined for 5.1 and higher
0x0B11 type alone as EVENT_TRACE_TYPE_CONFIG_NETINFO type defined for 5.2 and higher
0x0B12 WMI_LOG_TYPE_CONFIG_OPTICALMEDIA;
type alone as EVENT_TRACE_TYPE_CONFIG_OPTICALMEDIA
type defined for 6.2 and higher
0x0B15 WMI_LOG_TYPE_CONFIG_IRQ;
type alone as EVENT_TRACE_TYPE_CONFIG_IRQ
type defined for 6.0 and higher
0x0B16 WMI_LOG_TYPE_CONFIG_PNP;
type alone as EVENT_TRACE_TYPE_CONFIG_PNP
type defined for 6.0 and higher
0x0B17 WMI_LOG_TYPE_CONFIG_IDECHANNEL;
type alone as EVENT_TRACE_TYPE_CONFIG_IDECHANNEL
type defined for 6.0 and higher
0x0B18 WMI_LOG_TYPE_CONFIG_NUMANODE;
type alone as EVENT_TRACE_TYPE_CONFIG_NUMANODE
type defined for 6.2 and higher
0x0B19 WMI_LOG_TYPE_CONFIG_PLATFORM;
type alone as EVENT_TRACE_TYPE_CONFIG_PLATFORM
type defined for 6.1 and higher
0x0B1A WMI_LOG_TYPE_CONFIG_PROCESSORGROUP;
type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSORGROUP
type defined for 6.2 and higher
0x0B1B WMI_LOG_TYPE_CONFIG_PROCESSORNUMBER;
type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSORNUMBER
type defined for 6.2 and higher
0x0B1C WMI_LOG_TYPE_CONFIG_DPI;
type alone as EVENT_TRACE_TYPE_CONFIG_DPI
type defined for 6.2 and higher
0x0B1D WMI_LOG_TYPE_CONFIG_CODEINTEGRITY;
type alone as EVENT_TRACE_TYPE_CONFIG_CI_INFO
type defined for 6.3 and higher
0x0B1E WMI_LOG_TYPE_CONFIG_MACHINEID;
type alone as EVENT_TRACE_TYPE_CONFIG_MACHINEID
type defined for 10.0 and higher
0x0B1F WMI_LOG_TYPE_CONFIG_DEFRAG;
type alone as EVENT_TRACE_TYPE_CONFIG_DEFRAG
type defined for 1511 and higher
0x0B20 type alone as EVENT_TRACE_TYPE_CONFIG_MOBILEPLATFORM type defined for 1607 and higher
0x0B21 type alone as EVENT_TRACE_TYPE_CONFIG_DEVICEFAMILY type defined for 1607 and higher
0x0B22 type alone as EVENT_TRACE_TYPE_CONFIG_FLIGHTID type defined for 1607 and higher
0x0B23 type alone as EVENT_TRACE_TYPE_CONFIG_PROCESSOR type defined for 1709 and higher
  WMI_LOG_TYPE_CONFIG_OSVERSION  
  WMI_LOG_TYPE_CONFIG_VISUALTHEME  
  WMI_LOG_TYPE_CONFIG_SYSTEMRANGE  
  WMI_LOG_TYPE_CONFIG_SYSDLLINFO  

The last four are defined in NTWMI.H but evaluation depends on macros that are not defined in any other known header.

WNF

Value Name
0x0D20 PERFINFO_LOG_TYPE_WNF_SUBSCRIBE
0x0D21 PERFINFO_LOG_TYPE_WNF_UNSUBSCRIBE
0x0D22 PERFINFO_LOG_TYPE_WNF_CALLBACK
0x0D23 PERFINFO_LOG_TYPE_WNF_PUBLISH
0x0D24 PERFINFO_LOG_TYPE_WNF_NAME_SUB_RUNDOWN

Pool

Value Name Versions
0x0E20 PERFINFO_LOG_TYPE_ALLOCATEPOOL 6.1 and higher
0x0E21 PERFINFO_LOG_TYPE_ALLOCATEPOOL_SESSION 6.1 and higher
0x0E22 PERFINFO_LOG_TYPE_FREEPOOL 6.1 and higher
0x0E23 PERFINFO_LOG_TYPE_FREEPOOL_SESSION 6.1 and higher
0x0E24 PERFINFO_LOG_TYPE_ADDPOOLPAGE  
0x0E25 PERFINFO_LOG_TYPE_ADDPOOLPAGE_SESSION  
0x0E26 PERFINFO_LOG_TYPE_BIGPOOLPAGE  
0x0E27 PERFINFO_LOG_TYPE_BIGPOOLPAGE_SESSION  
0x0E28 PERFINFO_LOG_TYPE_POOLSNAP_DC_START  
0x0E29 PERFINFO_LOG_TYPE_POOLSNAP_DC_END  
0x0E2A PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_START  
0x0E2B PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_END  
0x0E2C PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_START  
0x0E2D PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_END  
0x0E2E PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_START  
0x0E2F PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_END  

Performance Information

Value Name Event Data (After Trace Header) Versions
0x0F20 PERFINFO_LOG_TYPE_RUNDOWN_CHECKPOINT    
0x0F22 PERFINFO_LOG_TYPE_MARK   5.1 and higher
0x0F24 PERFINFO_LOG_TYPE_ASYNCMARK    
0x0F26 PERFINFO_LOG_TYPE_IMAGENAME    
0x0F27 PERFINFO_LOG_TYPE_DELAYS_CC_CAN_I_WRITE    
0x0F2E PERFINFO_LOG_TYPE_SAMPLED_PROFILE PERFINFO_SAMPLED_PROFILE_INFORMATION 5.1 and higher
0x0F2F PERFINFO_LOG_TYPE_PMC_INTERRUPT PERFINFO_PMC_SAMPLE_INFORMATION 6.2 and higher
0x0F30 PERFINFO_LOG_TYPE_PMC_CONFIG    
0x0F32 PERFINFO_LOG_TYPE_MSI_INTERRUPT   6.1 and higher
0x0F33 PERFINFO_LOG_TYPE_SYSCALL_ENTER PERFINFO_SYSCALL_ENTER_DATA 6.0 and higher
0x0F34 PERFINFO_LOG_TYPE_SYSCALL_EXIT PERFINFO_SYSCALL_EXIT_DATA 6.0 and higher
0x0F35 PERFINFO_LOG_TYPE_BACKTRACE    
0x0F36 PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK    
0x0F37 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE   5.1 and higher
0x0F38 PERFINFO_LOG_TYPE_EXCEPTION_STACK    
0x0F39 PERFINFO_LOG_TYPE_BRANCH_TRACE    
0x0F3A PERFINFO_LOG_TYPE_DEBUGGER_ENABLED   6.0 and higher
0x0F3B PERFINFO_LOG_TYPE_DEBUGGER_EXIT    
0x0F40 PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG    
0x0F41 PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG    
0x0F42 PERFINFO_LOG_TYPE_THREADED_DPC   6.0 and higher
0x0F43 PERFINFO_LOG_TYPE_INTERRUPT   5.1 and higher
0x0F44 PERFINFO_LOG_TYPE_DPC   5.1 and higher
0x0F45 PERFINFO_LOG_TYPE_TIMERDPC   5.1 and higher
0x0F46 PERFINFO_LOG_TYPE_IOTIMER_EXPIRATION    
0x0F47 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_NMI    
0x0F48 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_SET_INTERVAL PERFINFO_SAMPLED_PROFILE_CONFIG 6.0 and higher
0x0F49 PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_START   6.0 and higher
0x0F4A PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_END   6.0 and higher
0x0F4B PERFINFO_LOG_TYPE_SPINLOCK_DC_START    
0x0F4C PERFINFO_LOG_TYPE_SPINLOCK_DC_END    
0x0F4D PERFINFO_LOG_TYPE_ERESOURCE_DC_START    
0x0F4E PERFINFO_LOG_TYPE_ERESOURCE_DC_END    
0x0F4F PERFINFO_LOG_TYPE_CLOCK_INTERRUPT   6.2 and higher
0x0F50 PERFINFO_LOG_TYPE_TIMER_EXPIRATION_START   6.2 and higher
0x0F51 PERFINFO_LOG_TYPE_TIMER_EXPIRATION   6.2 and higher
0x0F52 PERFINFO_LOG_TYPE_TIMER_SET_PERIODIC   6.2 and higher
0x0F53 PERFINFO_LOG_TYPE_TIMER_SET_ONE_SHOT   6.2 and higher
0x0F54 PERFINFO_LOG_TYPE_TIMER_SET_THREAD   6.2 and higher
0x0F55 PERFINFO_LOG_TYPE_TIMER_CANCEL   6.2 and higher
0x0F56 PERFINFO_LOG_TYPE_TIME_ADJUSTMENT   6.2 and higher
0x0F57 PERFINFO_LOG_TYPE_CLOCK_MODE_SWITCH   6.2 and higher
0x0F58 PERFINFO_LOG_TYPE_CLOCK_TIME_UPDATE   6.2 and higher
0x0F59 PERFINFO_LOG_TYPE_CLOCK_DYNAMIC_TICK_VETO   6.2 and higher
0x0F5A PERFINFO_LOG_TYPE_CLOCK_CONFIGURATION    
0x0F5B PERFINFO_LOG_TYPE_IPI    
0x0F5C PERFINFO_LOG_TYPE_UNEXPECTED_INTERRUPT   6.2 and higher
0x0F5D PERFINFO_LOG_TYPE_IOTIMER_START   6.2 and higher
0x0F5E PERFINFO_LOG_TYPE_IOTIMER_STOP   6.2 and higher
0x0F5F PERFINFO_LOG_TYPE_PASSIVE_INTERRUPT    
0x0F60 PERFINFO_LOG_TYPE_WDF_INTERRUPT    
0x0F61 PERFINFO_LOG_TYPE_WDF_PASSIVE_INTERRUPT    
0x0F62 PERFINFO_LOG_TYPE_WDF_DPC    
0x0F63 PERFINFO_LOG_TYPE_CPU_CACHE_FLUSH    
0x0F64 PERFINFO_LOG_TYPE_DPC_ENQUEUE   6.2 and higher
0x0F65 PERFINFO_LOG_TYPE_DPC_EXECUTION   6.2 and higher
0x0F66 PERFINFO_LOG_TYPE_INTERRUPT_STEERING    
0x0F67 PERFINFO_LOG_TYPE_WDF_WORK_ITEM    
0x0F68 PERFINFO_LOG_TYPE_KTIMER2_SET    
0x0F69 PERFINFO_LOG_TYPE_KTIMER2_EXPIRATION    
0x0F6A PERFINFO_LOG_TYPE_KTIMER2_CANCEL    
0x0F6B PERFINFO_LOG_TYPE_KTIMER2_DISABLE    
0x0F6C PERFINFO_LOG_TYPE_KTIMER2_FINALIZATION    
0x0F6D PERFINFO_LOG_TYPE_SHOULD_YIELD_PROCESSOR    
0x0F80 PERFINFO_LOG_TYPE_FUNCTION_CALL    
0x0F81 PERFINFO_LOG_TYPE_FUNCTION_RETURN    
0x0F82 PERFINFO_LOG_TYPE_FUNCTION_ENTER    
0x0F83 PERFINFO_LOG_TYPE_FUNCTION_EXIT    
0x0F84 PERFINFO_LOG_TYPE_TAILCALL    
0x0F85 PERFINFO_LOG_TYPE_TRAP    
0x0F86 PERFINFO_LOG_TYPE_SPINLOCK_ACQUIRE    
0x0F87 PERFINFO_LOG_TYPE_SPINLOCK_RELEASE    
0x0F88 PERFINFO_LOG_TYPE_CAP_COMMENT    
0x0F89 PERFINFO_LOG_TYPE_CAP_RUNDOWN    

Heap

Value Name Versions
0x1020 PERFINFO_LOG_TYPE_HEAP_CREATE 6.2 and higher
0x1021 PERFINFO_LOG_TYPE_HEAP_ALLOC 6.2 and higher
0x1022 PERFINFO_LOG_TYPE_HEAP_REALLOC  
0x1023 PERFINFO_LOG_TYPE_HEAP_DESTROY 6.2 and higher
0x1024 PERFINFO_LOG_TYPE_HEAP_FREE 6.2 and higher
0x1025 PERFINFO_LOG_TYPE_HEAP_EXTEND 6.2 and higher
0x1026 PERFINFO_LOG_TYPE_HEAP_SNAPSHOT  
0x1027 PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT  
0x1028 PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT  
0x1029 PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT  
0x102A PERFINFO_LOG_TYPE_HEAP_CONTRACT 6.2 and higher
0x102B PERFINFO_LOG_TYPE_HEAP_LOCK  
0x102C PERFINFO_LOG_TYPE_HEAP_UNLOCK  
0x102D PERFINFO_LOG_TYPE_HEAP_VALIDATE  
0x102E PERFINFO_LOG_TYPE_HEAP_WALK  
0x102F PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC  
0x1030 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE  
0x1031 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC_CACHE  
0x1032 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE_CACHE  
0x1033 PERFINFO_LOG_TYPE_HEAP_COMMIT 6.2 and higher
0x1034 PERFINFO_LOG_TYPE_HEAP_DECOMMIT 6.2 and higher
0x1035 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_INIT  
0x1036 PERFINFO_LOG_TYPE_HEAP_AFFINITY_ENABLE  
0x1038 PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ACTIVATED  
0x1039 PERFINFO_LOG_TYPE_HEAP_AFFINITY_ASSIGN  
0x103A PERFINFO_LOG_TYPE_HEAP_REUSE_THRESHOLD_ACTIVATED  

Object

Value Name Versions
0x1120 PERFINFO_LOG_TYPE_CREATE_HANDLE 6.2 and higher
0x1121 PERFINFO_LOG_TYPE_CLOSE_HANDLE 6.2 and higher
0x1122 PERFINFO_LOG_TYPE_DUPLICATE_HANDLE 6.2 and higher
0x1124 PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_START  
0x1125 PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_END  
0x1126 PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_START  
0x1127 PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_END  
0x1130 PERFINFO_LOG_TYPE_CREATE_OBJECT 6.2 and higher
0x1131 PERFINFO_LOG_TYPE_DELETE_OBJECT 6.2 and higher
0x1132 PERFINFO_LOG_TYPE_REFERENCE_OBJECT 6.2 and higher
0x1133 PERFINFO_LOG_TYPE_DEREFERENCE_OBJECT 6.2 and higher

Power

Value Name Versions
0x1220 PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO  
0x1221 PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE  
0x1222 PERFINFO_LOG_TYPE_SET_POWER_ACTION 5.1 and higher
0x1223 PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET 5.1 and higher
0x1224 PERFINFO_LOG_TYPE_SET_DEVICES_STATE 5.1 and higher
0x1225 PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET 5.1 and higher
0x1226 PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE 5.1 and higher
0x1227 PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE 5.1 and higher
0x1228 PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT 5.1 and higher
0x1229 PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET 5.1 and higher
0x1230 PERFINFO_LOG_TYPE_PO_PRESLEEP 5.1 and higher
0x1231 PERFINFO_LOG_TYPE_PO_POSTSLEEP 5.1 and higher
0x1232 PERFINFO_LOG_TYPE_PO_CALIBRATED_PERFCOUNTER 6.0 and higher
0x1233 PERFINFO_LOG_TYPE_PPM_PERF_STATE_CHANGE 6.0 and higher
0x1234 PERFINFO_LOG_TYPE_PPM_THROTTLE_STATE_CHANGE  
0x1235 PERFINFO_LOG_TYPE_PPM_IDLE_STATE_CHANGE 6.0 and higher
0x1236 PERFINFO_LOG_TYPE_PPM_THERMAL_CONSTRAINT 6.0 and higher
0x1237 PERFINFO_LOG_TYPE_PO_SIGNAL_RESUME_UI 6.0 and higher
0x1238 PERFINFO_LOG_TYPE_PO_SIGNAL_VIDEO_ON 6.0 and higher
0x1239 PERFINFO_LOG_TYPE_PPM_IDLE_STATE_ENTER 6.1 and higher
0x123A PERFINFO_LOG_TYPE_PPM_IDLE_STATE_EXIT 6.1 and higher
0x123B PERFINFO_LOG_TYPE_PPM_PLATFORM_IDLE_STATE_ENTER 6.2 and higher
0x123C PERFINFO_LOG_TYPE_PPM_IDLE_EXIT_LATENCY 6.2 and higher
0x123D PERFINFO_LOG_TYPE_PPM_IDLE_PROCESSOR_SELECTION  
0x123E PERFINFO_LOG_TYPE_PPM_IDLE_PLATFORM_SELECTION  
0x123F PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_ENTER  
0x1240 PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_EXIT  

Module

Value Name
0x1318 PERFINFO_LOG_TYPE_COWHEADER
0x1319 PERFINFO_LOG_TYPE_COWBLOB
0x131A PERFINFO_LOG_TYPE_COWBLOB_CLOSED
0x1320 PERFINFO_LOG_TYPE_MODULEBOUND_ENT
0x1321 PERFINFO_LOG_TYPE_MODULEBOUND_JUMP
0x1322 PERFINFO_LOG_TYPE_MODULEBOUND_RET
0x1323 PERFINFO_LOG_TYPE_MODULEBOUND_CALL
0x1324 PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET
0x1325 PERFINFO_LOG_TYPE_MODULEBOUND_INT2E
0x1326 PERFINFO_LOG_TYPE_MODULEBOUND_INT2B
0x1327 PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE

Image

Value Name Versions
0x1401 WMI_LOG_TYPE_IMAGE_LOAD  
0x1402 WMI_LOG_TYPE_IMAGE_UNLOAD 6.0 and higher
0x1403 WMI_LOG_TYPE_IMAGE_DC_START 6.0 and higher
0x1404 WMI_LOG_TYPE_IMAGE_DC_END 6.0 and higher
0x1420 WMI_LOG_TYPE_IMAGE_RELOCATION  
0x1421 WMI_LOG_TYPE_IMAGE_KERNEL_BASE 6.1 and higher
0x1422 WMI_LOG_TYPE_IMAGE_HYPERCALL_PAGE  
0x1480 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_ATTEMPT  
0x1481 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_SUCCESS  
0x1482 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_FAIL  
0x1483 PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_WAIT  
0x1484 PERFINFO_LOG_TYPE_LDR_PROC_INIT_DONE  
0x1485 PERFINFO_LOG_TYPE_LDR_CREATE_SECTION  
0x1486 PERFINFO_LOG_TYPE_LDR_SECTION_CREATED  
0x1487 PERFINFO_LOG_TYPE_LDR_MAP_VIEW  
0x1490 PERFINFO_LOG_TYPE_LDR_RELOCATE_IMAGE  
0x1491 PERFINFO_LOG_TYPE_LDR_IMAGE_RELOCATED  
0x1492 PERFINFO_LOG_TYPE_LDR_HANDLE_OLD_DESCRIPTORS  
0x1493 PERFINFO_LOG_TYPE_LDR_OLD_DESCRIPTORS_HANDLED  
0x1494 PERFINFO_LOG_TYPE_LDR_HANDLE_NEW_DESCRIPTORS  
0x1495 PERFINFO_LOG_TYPE_LDR_NEW_DESCRIPTORS_HANDLED  
0x1496 PERFINFO_LOG_TYPE_LDR_DLLMAIN_EXIT  
0x14A0 PERFINFO_LOG_TYPE_LDR_FIND_DLL  
0x14A1 PERFINFO_LOG_TYPE_LDR_VIEW_MAPPED  
0x14A2 PERFINFO_LOG_TYPE_LDR_LOCK_RELEASE  
0x14A3 PERFINFO_LOG_TYPE_LDR_DLLMAIN_ENTER  
0x14A4 PERFINFO_LOG_TYPE_LDR_ERROR  
0x14A5 PERFINFO_LOG_TYPE_LDR_VIEW_MAPPING  
0x14A6 PERFINFO_LOG_TYPE_LDR_SNAPPING  
0x14A7 PERFINFO_LOG_TYPE_LDR_SNAPPED  
0x14A8 PERFINFO_LOG_TYPE_LDR_LOADING  
0x14A9 PERFINFO_LOG_TYPE_LDR_LOADED  
0x14AA PERFINFO_LOG_TYPE_LDR_FOUND_KNOWN_DLL  
0x14AB PERFINFO_LOG_TYPE_LDR_ABNORMAL  
0x14AC PERFINFO_LOG_TYPE_LDR_PLACEHOLDER  
0x14AD PERFINFO_LOG_TYPE_LDR_RDY_TO_INIT  
0x14AE PERFINFO_LOG_TYPE_LDR_RDY_TO_RUN  
0x14B0 PERFINFO_LOG_TYPE_LDR_NEW_DLL_LOAD  
0x14B1 PERFINFO_LOG_TYPE_LDR_NEW_DLL_AS_DATA  
0x14C0 PERFINFO_LOG_TYPE_LDR_EXTERNAL_PATH  
0x14C1 PERFINFO_LOG_TYPE_LDR_GENERATED_PATH  
0x14D0 PERFINFO_LOG_TYPE_LDR_APISET_RESOLVING  
0x14D1 PERFINFO_LOG_TYPE_LDR_APISET_HOSTED  
0x14D2 PERFINFO_LOG_TYPE_LDR_APISET_UNHOSTED  
0x14D3 PERFINFO_LOG_TYPE_LDR_APISET_UNRESOLVED  
0x14D4 PERFINFO_LOG_TYPE_LDR_SEARCH_SECURITY  
0x14D5 PERFINFO_LOG_TYPE_LDR_SEARCH_PATH_SECURITY  

Cache Control

Value Name Versions
0x1600 PERFINFO_LOG_TYPE_CC_WORKITEM_ENQUEUE 6.2 and higher
0x1601 PERFINFO_LOG_TYPE_CC_WORKITEM_DEQUEUE 6.2 and higher
0x1602 PERFINFO_LOG_TYPE_CC_WORKITEM_COMPLETE 6.2 and higher
0x1603 PERFINFO_LOG_TYPE_CC_READ_AHEAD 6.2 and higher
0x1604 PERFINFO_LOG_TYPE_CC_WRITE_BEHIND  
0x1605 PERFINFO_LOG_TYPE_CC_LAZY_WRITE_SCAN 6.2 and higher
0x1606 PERFINFO_LOG_TYPE_CC_CAN_I_WRITE_FAIL 6.2 and higher
0x1609 PERFINFO_LOG_TYPE_CC_FLUSH_CACHE 6.2 and higher
0x160A PERFINFO_LOG_TYPE_CC_FLUSH_SECTION 6.2 and higher
0x160B PERFINFO_LOG_TYPE_CC_READ_AHEAD_PREFETCH 6.2 and higher
0x160C PERFINFO_LOG_TYPE_CC_SCHEDULE_READ_AHEAD 6.2 and higher
0x160D PERFINFO_LOG_TYPE_CC_LOGGED_STREAM_INFO 6.2 and higher
0x160E PERFINFO_LOG_TYPE_CC_EXTRA_WRITEBEHIND_THREAD 6.2 and higher

Critical Section

Value Name
0x1720 PERFINFO_LOG_TYPE_CRITSEC_ENTER
0x1721 PERFINFO_LOG_TYPE_CRITSEC_LEAVE
0x1722 PERFINFO_LOG_TYPE_CRITSEC_COLLISION
0x1723 PERFINFO_LOG_TYPE_CRITSEC_INITIALIZE

Stack Walking

Value Name Versions
0x1820 PERFINFO_LOG_TYPE_STACKWALK 6.1 and higher
0x1822 PERFINFO_LOG_TYPE_STACKTRACE_CREATE  
0x1823 PERFINFO_LOG_TYPE_STACKTRACE_DELETE  
0x1824 PERFINFO_LOG_TYPE_STACKTRACE_RUNDOWN  
0x1825 PERFINFO_LOG_TYPE_STACKTRACE_KEY_KERNEL  
0x1826 PERFINFO_LOG_TYPE_STACKTRACE_KEY_USER  

UMS

Value Name
0x1920 PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_START
0x1921 PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_END
0x1922 PERFINFO_LOG_TYPE_UMS_PARK
0x1923 PERFINFO_LOG_TYPE_UMS_DISASSOCIATE
0x1924 PERFINFO_LOG_TYPE_UMS_CONTEXT_SWITCH

ALPC

Value Name Versions
0x1A21 WMI_LOG_TYPE_ALPC_SEND_MESSAGE 6.0 and higher
0x1A22 WMI_LOG_TYPE_ALPC_RECEIVE_MESSAGE 6.0 and higher
0x1A23 WMI_LOG_TYPE_ALPC_WAIT_FOR_REPLY 6.0 and higher
0x1A24 WMI_LOG_TYPE_ALPC_WAIT_FOR_NEW_MESSAGE 6.0 and higher
0x1A25 WMI_LOG_TYPE_ALPC_UNWAIT 6.0 and higher
0x1A26 WMI_LOG_TYPE_ALPC_CONNECT_REQUEST 6.2 and higher
0x1A27 WMI_LOG_TYPE_ALPC_CONNECT_SUCCESS 6.2 and higher
0x1A28 WMI_LOG_TYPE_ALPC_CONNECT_FAIL 6.2 and higher
0x1A29 WMI_LOG_TYPE_ALPC_CLOSE_PORT 6.2 and higher

Split I/O

Value Name Versions
0x1B20 PERFINFO_LOG_TYPE_SPLITIO_VOLMGR late 5.2

Thread Pool

Value Name
0x1C20 PERFINFO_LOG_TYPE_TP_CALLBACK_ENQUEUE
0x1C21 PERFINFO_LOG_TYPE_TP_CALLBACK_DEQUEUE
0x1C22 PERFINFO_LOG_TYPE_TP_CALLBACK_START
0x1C23 PERFINFO_LOG_TYPE_TP_CALLBACK_STOP
0x1C24 PERFINFO_LOG_TYPE_TP_CALLBACK_CANCEL
0x1C25 PERFINFO_LOG_TYPE_TP_POOL_CREATE
0x1C26 PERFINFO_LOG_TYPE_TP_POOL_CLOSE
0x1C27 PERFINFO_LOG_TYPE_TP_POOL_TH_MIN_SET
0x1C28 PERFINFO_LOG_TYPE_TP_POOL_TH_MAX_SET
0x1C29 PERFINFO_LOG_TYPE_TP_WORKER_NUMANODE_SWITCH
0x1C2A PERFINFO_LOG_TYPE_TP_TIMER_SET
0x1C2B PERFINFO_LOG_TYPE_TP_TIMER_CANCELLED
0x1C2C PERFINFO_LOG_TYPE_TP_TIMER_SET_NTTIMER
0x1C2D PERFINFO_LOG_TYPE_TP_TIMER_CANCEL_NTTIMER
0x1C2E PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_BEGIN
0x1C2F PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_END
0x1C30 PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION