ETW_REG_ENTRY

The ETW_REG_ENTRY structure is the kernel’s representation of an event registration object. This can exist as a formal object, with handles and access control, or not. The typical case in which an instance is created as a formal object is when registering a user-mode event provider. The object type is named EtwRegistration. Note that the kernel has no exported variable for this object type, presumably because only the kernel is ever involved in interpreting a handle that refers to such an object.

Documentation Status

The ETW_REG_ENTRY structure is not documented.

Layout

For a non-trivial structure that is plainly very much internal to the kernel, the ETW_REG_ENTRY has been relatively stable. There has been growth, inevitably, but the only rearrangement was that version 6.2 compacts a few members and moves them towards the end.

Version Size (x86) Size (x64)
6.0 to 6.1 0x2C 0x50
6.2 to 6.3 0x28 0x50
10.0 0x3C 0x70

The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows Vista.

Offset (x86) Offset (x64) Definition Versions Remarks
0x00 0x00
LIST_ENTRY RegList;
6.0 and higher  
0x08 0x10
LIST_ENTRY GroupRegList;
10.0 and higher  
0x08 (6.0 to 6.3);
0x10
0x10 (6.0 to 6.3);
0x20
ETW_GUID_ENTRY *GuidEntry;
6.0 and higher  
0x0C (6.0 to 6.1) 0x18 (6.0 to 6.1)
USHORT Index;
6.0 to 6.1 next at 0x24 and 0x48
0x0E (6.0 to 6.1) 0x1A (6.0 to 6.1)
USHORT Flags;
6.0 to 6.1 next as UCHAR at 0x26 and 0x4A
0x10 (6.0 to 6.1) 0x1C (6.0 to 6.1)
UCHAR EnableMask;
6.0 to 6.1 next at 0x27 and 0x4B
0x14 0x28
ETW_GUID_ENTRY *GroupEntry;
10.0 and higher  
0x14 (6.0 to 6.1);
0x0C (6.2 to 6.3);
0x18
0x20 (6.0 to 6.1);
0x18 (6.2 to 6.3);
0x30
union {
    ETW_REPLY_QUEUE *ReplyQueue;
    ETW_REG_ENTRY *ReplySlot [4];
};
6.0 only  
union {
    ULONG SessionId;
    ETW_REPLY_QUEUE *ReplyQueue;
    ETW_REG_ENTRY *ReplySlot [4];
};
6.1 only  
union {
    ETW_REPLY_QUEUE *ReplyQueue;
    ETW_QUEUE_ENTRY *ReplySlot [4];
    struct {
        PVOID Caller;
        ULONG SessionId;
    };
};
6.2 and higher  
0x24 (6.0 to 6.1);
0x1C (6.2 to 6.3);
0x28
0x40 (6.0 to 6.1);
0x38 (6.2 to 6.3);
0x50
union {
    EPROCESS *Process;
    PVOID Callback;
};
6.0 to 6.1  
union {
    EPROCESS *Process;
    PVOID CallbackContext;
};
6.2 and higher  
0x28 (6.0 to 6.1);
0x20 (6.2 to 6.3);
0x2C
0x48 (6.0 to 6.1);
0x40 (6.2 to 6.3);
0x58
PVOID CallbackContext;
6.0 to 6.1  
PVOID Callback;
6.2 and higher  
0x24 (6.2 to 6.3);
0x30
0x48 (6.2 to 6.3);
0x60
USHORT Index;
6.2 and higher previously at 0x0C and 0x18
0x26 (6.2 to 6.3);
0x32
0x4A (6.2 to 6.3);
0x62
union {
    UCHAR Flags;
    struct {
        UCHAR DbgKernelRegistration : 1;            // 0x01
        UCHAR DbgUserRegistration : 1;              // 0x02
        UCHAR DbgReplyRegistration : 1;             // 0x04
        UCHAR DbgClassicRegistration : 1;           // 0x08
        UCHAR DbgSessionSpaceRegistration : 1;      // 0x10
        UCHAR DbgModernRegistration : 1;            // 0x20
        UCHAR DbgClosed : 1;                        // 0x40
        UCHAR DbgInserted : 1;                      // 0x80
    };
};
6.2 and higher previously USHORT at 0x0E and 01A
0x27 (6.2 to 6.3);
0x33
0x4B (6.2 to 6.3);
0x63
UCHAR EnableMask;
6.2 and higher previously at 0x10 and 0x1C
0x34 0x64
UCHAR GroupEnableMask;
10.0 and higher  
0x35 0x65
BOOLEAN UseDescriptorType;
10.0 and higher  
0x38 0x68
ETW_PROVIDER_TRAITS *Traits;
10.0 and higher  

Any number of registrations can be opened to any one event provider. The ETW_REG_ENTRY structures for the registrations are linked through the RegList member to the RegListHead in the ETW_GUID_ENTRY that represents the provider.

Each registration allows that its holder can write events through the provider. On the other side, the provider can be accessed by as many as eight loggers, known more formally as event tracing sessions. The eight bits of the EnableMask track which of the possible loggers are enabled.