ETW_NOTIFICATION_HEADER

The ETW_NOTIFICATION_HEADER structure describes an event notification for multiple cases of the NtTraceControl function.

Documentation Status

The ETW_NOTIFICATION_HEADER structure is not documented. Microsoft has published a C-language definition in the NTETW.H header from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.

Were it not for this relatively recent and possibly unintended disclosure, much would anyway be known from type information in symbol files. Curiously though, type information for this structure has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. In the whole of Microsoft’s packages of public symbol files, relevant type information is unknown before Windows 8 and appears in symbol files only for appxdeploymentclient.dll, certenroll.dll (before Windows 10) and windows.storage.applicationdata.dll.

Layout

The ETW_NOTIFICATION_HEADER is 0x48 bytes in both 32-bit and 64-bit Windows in versions 6.0 and higher. Whether it or something enough like it exists in versions before 6.0, i.e., before NtTraceControl, is left for another time. Offsets, types and names in the table below are from public symbol files as described above. No difference is yet known for earlier versions.

Offset  Definition
0x00    ETW_NOTIFICATION_TYPE NotificationType;
0x04    ULONG NotificationSize;
0x08    ULONG Offset;
0x0C    BOOLEAN ReplyRequested;
0x10    ULONG Timeout;
0x14    union {
            ULONG ReplyCount;
            ULONG NotifyeeCount;
        };
0x18    ULONGLONG Reserved2;
0x20    ULONG TargetPID;
0x24    ULONG SourcePID;
0x28    GUID DestinationGuid;
0x38    GUID SourceGuid;
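As an added example (not from the page or from Microsoft's NTETW.H), the table above written out as a C structure, with the offsets and the 0x48 size checked by offsetof and sizeof. The Windows types are stood in by fixed-width stdint types, and ETW_NOTIFICATION_TYPE, whose enumerators are not given here, by its 4-byte underlying type; both are assumptions made so the check compiles on any C11 compiler.

```c
/* Added example: reproduces the ETW_NOTIFICATION_HEADER layout from the table
 * above and verifies each offset against it. Windows types are modelled with
 * stdint types (assumption), not taken from a Microsoft header. */
#include <stddef.h>
#include <stdint.h>

typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
typedef uint8_t  BOOLEAN;
/* Enumerators of ETW_NOTIFICATION_TYPE are not on this page; model the enum
 * by its 4-byte underlying type. */
typedef uint32_t ETW_NOTIFICATION_TYPE;
typedef struct _GUID {                       /* 16 bytes, 4-byte aligned */
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} GUID;

typedef struct _ETW_NOTIFICATION_HEADER {
    ETW_NOTIFICATION_TYPE NotificationType;  /* 0x00 */
    ULONG     NotificationSize;              /* 0x04 */
    ULONG     Offset;                        /* 0x08 */
    BOOLEAN   ReplyRequested;                /* 0x0C, 3 bytes of padding follow */
    ULONG     Timeout;                       /* 0x10 */
    union {                                  /* 0x14 */
        ULONG ReplyCount;
        ULONG NotifyeeCount;
    };
    ULONGLONG Reserved2;                     /* 0x18, 8-byte aligned */
    ULONG     TargetPID;                     /* 0x20 */
    ULONG     SourcePID;                     /* 0x24 */
    GUID      DestinationGuid;               /* 0x28 */
    GUID      SourceGuid;                    /* 0x38 */
} ETW_NOTIFICATION_HEADER;                   /* 0x48 in total */

/* Returns 1 when the compiled layout matches the table, 0 otherwise. */
int etw_notification_header_layout_ok(void)
{
    return sizeof(ETW_NOTIFICATION_HEADER) == 0x48
        && offsetof(ETW_NOTIFICATION_HEADER, NotificationType) == 0x00
        && offsetof(ETW_NOTIFICATION_HEADER, NotificationSize) == 0x04
        && offsetof(ETW_NOTIFICATION_HEADER, Offset) == 0x08
        && offsetof(ETW_NOTIFICATION_HEADER, ReplyRequested) == 0x0C
        && offsetof(ETW_NOTIFICATION_HEADER, Timeout) == 0x10
        && offsetof(ETW_NOTIFICATION_HEADER, ReplyCount) == 0x14
        && offsetof(ETW_NOTIFICATION_HEADER, NotifyeeCount) == 0x14
        && offsetof(ETW_NOTIFICATION_HEADER, Reserved2) == 0x18
        && offsetof(ETW_NOTIFICATION_HEADER, TargetPID) == 0x20
        && offsetof(ETW_NOTIFICATION_HEADER, SourcePID) == 0x24
        && offsetof(ETW_NOTIFICATION_HEADER, DestinationGuid) == 0x28
        && offsetof(ETW_NOTIFICATION_HEADER, SourceGuid) == 0x38;
}
```

The padding after ReplyRequested and the 8-byte alignment of Reserved2 are what make the structure the same 0x48 bytes in 32-bit and 64-bit builds, as the text states.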