ETW_GUID_ENTRY

The ETW_GUID_ENTRY structure is the kernel’s record of an event provider.

Documentation Status

The ETW_GUID_ENTRY structure is not documented.

Layout

For a non-trivial structure that is plainly very much internal to the kernel, the ETW_GUID_ENTRY has been very stable. In the following table of sizes, different builds of Windows Vista are distinguished as early and late because they are known to vary the layout even though they don’t change the size.

Version                                   Size (x86)   Size (x64)
early 6.0 (before Windows Vista SP1)      0x0158       0x0170
late 6.0 (Windows Vista SP1 and higher)   0x0158       0x0170
6.1                                       0x0178       0x01B0
6.2 to 6.3                                0x0160       0x0178
10.0                                      0x0160       0x0180

The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows Vista.

Offset (x86)   Offset (x64)   Definition                                    Versions
0x00           0x00           LIST_ENTRY GuidList;                          6.0 and higher
0x08           0x10           LONG_PTR volatile RefCount;                   6.0 and higher
0x0C           0x18           GUID Guid;                                    6.0 and higher
0x1C           0x28           LIST_ENTRY RegListHead;                       6.0 and higher
0x24           0x38           PVOID SecurityDescriptor;                     6.0 and higher
0x28           0x40           TRACE_ENABLE_CONTEXT LegacyEnableContext;     early 6.0 only
                              ULONG LegacyProviderEnabled;
                              ETW_LAST_ENABLE_INFO LastEnable;              late 6.0 only
                              union {                                       6.1 and higher
                                  ETW_LAST_ENABLE_INFO LastEnable;
                                  ULONGLONG MatchId;
                              };
0x38           0x50           TRACE_ENABLE_INFO ProviderEnableInfo;         6.0 and higher
0x58           0x70           TRACE_ENABLE_INFO EnableInfo [8];             6.0 and higher
0x0158         0x0170         ETW_FILTER_HEADER *FilterData [8];            6.1 only
                              ETW_FILTER_HEADER *FilterData;                6.2 and higher
0x015C         0x0178         ESILO *ServerSilo;                            10.0 and higher

The kernel can have multiple instances of an ETW_GUID_ENTRY for the same GUID. The kernel keeps three essentially separate lists of these structures, one for each different type of provider: trace provider; notification provider; and provider group. Providers of different types can have the same GUID because the corresponding ETW_GUID_ENTRY instances go into the different lists. Moreover, within each list, providers that register in multiple silos get one instance for each silo.

Microsoft’s symbol files for the kernel—in some Windows versions only—show the different types of event provider as an ETW_GUID_TYPE enumeration:

Numerical Value        Symbolic Name             Versions
0                      EtwTraceGuidType          6.0 and higher
1                      EtwNotificationGuidType   6.0 and higher
2                      EtwGroupGuidType          10.0 and higher
2 (6.0 to 6.3);        EtwGuidTypeMax            6.0 and higher
3 (10.0 and higher)

A provider can be enabled for at most eight loggers. The ProviderEnableInfo member is the provider’s own notion of what events it will generate and the EnableInfo array records what events the attached loggers care to receive.

Event filters were added for Windows 7. A provider can have at most eight. The original implementation, in Windows 7, has an array of eight pointers to ETW_FILTER_HEADER structures; Windows 8 changed this to one pointer to an array of eight structures, which is why the structure shrinks from 6.1 to 6.2 in the size table above.
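The following is an added example, not code from the original page or from Microsoft: a user-mode C model of the Windows 10 x64 layout from the table above, with the offsets and the 0x180 size checked at compile time, and a decoder that reads one entry out of a raw memory image and reports the provider GUID, the reference count and which of the eight EnableInfo slots have a logger attached, as a debugger extension or memory-forensics tool would. TRACE_ENABLE_INFO is the structure documented in evntrace.h; ETW_LAST_ENABLE_INFO is undocumented and is modelled here only as 16 opaque bytes sharing space with MatchId, a size assumed from the neighbouring offsets in the table. The entry in the sample image is constructed, not captured from a running system, and the function names are this example's own.

```c
/* Added example (not code from the original page): a user-mode model of the
 * Windows 10 x64 ETW_GUID_ENTRY layout, checked against the table at compile
 * time, and a decoder that reads one entry out of a raw memory image. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t PTR64;                              /* kernel pointer, x64 */
typedef struct { PTR64 Flink, Blink; } LIST_ENTRY64;
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } GUID;
typedef struct {                                     /* documented in evntrace.h */
    uint32_t IsEnabled;
    uint8_t  Level;
    uint8_t  Reserved1;
    uint16_t LoggerId;
    uint32_t EnableProperty;
    uint32_t Reserved2;
    uint64_t MatchAnyKeyword;
    uint64_t MatchAllKeyword;
} TRACE_ENABLE_INFO;

typedef struct {
    LIST_ENTRY64      GuidList;             /* 0x00 */
    int64_t           RefCount;             /* 0x10 */
    GUID              Guid;                 /* 0x18 */
    LIST_ENTRY64      RegListHead;          /* 0x28 */
    PTR64             SecurityDescriptor;   /* 0x38 */
    union {                                 /* 0x40 */
        uint8_t       LastEnable[16];       /* ETW_LAST_ENABLE_INFO: undocumented, size assumed from offsets */
        uint64_t      MatchId;
    };
    TRACE_ENABLE_INFO ProviderEnableInfo;   /* 0x50 */
    TRACE_ENABLE_INFO EnableInfo[8];        /* 0x70 */
    PTR64             FilterData;           /* 0x170: ETW_FILTER_HEADER * (6.2 and higher) */
    PTR64             ServerSilo;           /* 0x178: ESILO * (10.0 and higher) */
} ETW_GUID_ENTRY_10_X64;

/* The model must reproduce the x64 offsets and the 0x180 size from the table. */
_Static_assert(sizeof(TRACE_ENABLE_INFO) == 0x20, "TRACE_ENABLE_INFO");
_Static_assert(offsetof(ETW_GUID_ENTRY_10_X64, MatchId) == 0x40, "MatchId");
_Static_assert(offsetof(ETW_GUID_ENTRY_10_X64, EnableInfo) == 0x70, "EnableInfo");
_Static_assert(offsetof(ETW_GUID_ENTRY_10_X64, FilterData) == 0x170, "FilterData");
_Static_assert(offsetof(ETW_GUID_ENTRY_10_X64, ServerSilo) == 0x178, "ServerSilo");
_Static_assert(sizeof(ETW_GUID_ENTRY_10_X64) == 0x180, "ETW_GUID_ENTRY 10.0 x64");

/* Copy one entry out of a raw image; memcpy sidesteps the image's alignment. */
int etw_guid_entry_from_image(const uint8_t *img, size_t len, size_t at,
                              ETW_GUID_ENTRY_10_X64 *out)
{
    if (at > len || len - at < sizeof *out) return 0;
    memcpy(out, img + at, sizeof *out);
    return 1;
}

void guid_to_string(const GUID *g, char buf[39])
{
    snprintf(buf, 39, "{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
             g->Data1, g->Data2, g->Data3, g->Data4[0], g->Data4[1], g->Data4[2],
             g->Data4[3], g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
}

/* Loggers with this provider enabled: the non-zero IsEnabled slots of the
 * eight-element EnableInfo array (so never more than eight). */
unsigned enabled_logger_count(const ETW_GUID_ENTRY_10_X64 *e)
{
    unsigned n = 0;
    for (int i = 0; i < 8; i++) n += e->EnableInfo[i].IsEnabled != 0;
    return n;
}

/* Constructed sample (not captured from a real system): 0x200 bytes of filler
 * with one entry at offset 0x40 that two loggers have enabled. */
size_t build_sample_image(uint8_t *img, size_t len)
{
    ETW_GUID_ENTRY_10_X64 e;
    memset(&e, 0, sizeof e);
    e.RefCount = 3;
    e.Guid = (GUID){0x22FB2CD6, 0x0E7B, 0x422B, {0xA0,0xC7,0x2F,0xAD,0x1F,0xD0,0xE7,0x16}};
    e.ProviderEnableInfo = (TRACE_ENABLE_INFO){.IsEnabled = 1, .Level = 5, .MatchAnyKeyword = 0x50};
    e.EnableInfo[0] = (TRACE_ENABLE_INFO){.IsEnabled = 1, .Level = 4, .LoggerId = 2, .MatchAnyKeyword = 0x10};
    e.EnableInfo[3] = (TRACE_ENABLE_INFO){.IsEnabled = 1, .Level = 5, .LoggerId = 7, .MatchAnyKeyword = 0x40};
    memset(img, 0xCC, len);
    if (len >= 0x40 + sizeof e) memcpy(img + 0x40, &e, sizeof e);
    return 0x40;
}

/* Decode the sample and confirm it reads back as the table says it should. */
int sample_decodes_as_expected(void)
{
    uint8_t img[0x200]; ETW_GUID_ENTRY_10_X64 e; char guid[39];
    if (!etw_guid_entry_from_image(img, sizeof img, build_sample_image(img, sizeof img), &e)) return 0;
    guid_to_string(&e.Guid, guid);
    printf("%s RefCount=%lld enabled loggers=%u\n", guid, (long long)e.RefCount, enabled_logger_count(&e));
    return strcmp(guid, "{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}") == 0 && e.RefCount == 3
        && enabled_logger_count(&e) == 2 && e.EnableInfo[3].LoggerId == 7;
}
int main(void) { return sample_decodes_as_expected() ? 0 : 1; }
```

The _Static_assert lines fail the build if the field types or packing do not reproduce the table, which is the first check to make before pointing such a decoder at real memory: the same code would mis-read a 6.1 entry, where FilterData is eight pointers, and any x86 entry, where the offsets in the left-hand column apply.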