ETW_QUEUE_ENTRY

The ETW_QUEUE_ENTRY structure supports the kernel’s holding of a notification that is ready for an event provider to retrieve.

Documentation Status

The ETW_QUEUE_ENTRY structure is not documented.

Layout

The ETW_QUEUE_ENTRY appears to be very much an implementation detail of the kernel’s own bookkeeping. The following changes of size are known:

Versions       Size (x86)   Size (x64)
6.0 to 6.1     0x18         0x28
6.2 to 10.0    0x20         0x38

The preceding sizes, and the offsets, types and names in the table below are from Microsoft’s public symbol files for the kernel, starting with Windows 8. Since symbol files for earlier versions do not contain type information for the ETW_QUEUE_ENTRY, what’s shown for them is instead inferred from what use these versions of the kernel are seen to make of the structure in comparison with those for which Microsoft’s names and types are known. Where the correspondence is close, it seems reasonable to infer continuity. Some use, however, has no correspondence, the code having changed too much. Even where the use hasn’t changed, tracking it all down exhaustively would be difficult, if not impossible, even for a small structure and even with source code.

Offset (x86)   Offset (x64)   Definition                              Versions
0x00           0x00           LIST_ENTRY ListEntry;                   6.0 and higher
0x08           0x10           ETWP_NOTIFICATION_HEADER *DataBlock;    6.0 and higher
0x0C           0x18           ETW_REG_ENTRY *RegEntry;                6.0 and higher
0x10           0x20           ETW_REG_ENTRY *ReplyObject;             6.2 and higher
0x14           0x28           PVOID WakeReference;                    6.2 and higher
0x10           0x20           ULONG RegIndex;                         6.0 to 6.1
0x18           0x30           USHORT RegIndex;                        6.2 and higher
0x14           0x24           ULONG ReplyIndex;                       6.0 to 6.1
0x1A           0x32           USHORT ReplyIndex;                      6.2 and higher
0x1C           0x34           ULONG Flags;                            6.2 and higher

Note that the ReplyObject and WakeReference cannot have been present before version 6.2: in versions 6.0 and 6.1 the structure is only 0x18 (x86) or 0x28 (x64) bytes, and the offsets they would occupy are those of the ULONG RegIndex and ReplyIndex of those versions.

The DataBlock points to the data that is to be retrieved. It begins with a notification header, and the total size of the block is given by that header's NotificationSize.
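The table above and the note on DataBlock, written out as C so that the compiler checks the offsets and sizes and so that the way the entries hang together can be seen on a constructed queue. This is an added example; it is not code from the kernel, from Microsoft's headers or from this article. ETWP_NOTIFICATION_HEADER is stubbed with only the NotificationSize member that the text mentions (the real header has more members, whose order is not given here), the name ETW_QUEUE_ENTRY_60 for the Vista and Windows 7 layout is invented for the example, and the three queued notifications and their sizes are constructed.

```c
/* Added example, not the kernel's code: ETW_QUEUE_ENTRY layouts as C, with
 * offsetof/sizeof checks against the table, and a walk of a constructed queue
 * that recovers each entry from its ListEntry and reads its DataBlock's
 * NotificationSize. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows primitive types at their Windows widths, so the layout is the same
 * whether built with an LLP64 (Windows) or LP64 (Linux) compiler. */
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef void *PVOID;

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Stand-in (assumption of this example): the page names only NotificationSize;
 * the real header has other members whose order is not given here. */
typedef struct _ETWP_NOTIFICATION_HEADER {
    ULONG NotificationSize;     /* total size of the data block */
} ETWP_NOTIFICATION_HEADER;

typedef struct _ETW_REG_ENTRY ETW_REG_ENTRY;   /* only ever pointed to here */

/* Versions 6.2 and higher: 0x20 bytes on x86, 0x38 on x64. */
typedef struct _ETW_QUEUE_ENTRY {
    LIST_ENTRY ListEntry;                   /* 0x00 / 0x00 */
    ETWP_NOTIFICATION_HEADER *DataBlock;    /* 0x08 / 0x10 */
    ETW_REG_ENTRY *RegEntry;                /* 0x0C / 0x18 */
    ETW_REG_ENTRY *ReplyObject;             /* 0x10 / 0x20 */
    PVOID WakeReference;                    /* 0x14 / 0x28 */
    USHORT RegIndex;                        /* 0x18 / 0x30 */
    USHORT ReplyIndex;                      /* 0x1A / 0x32 */
    ULONG Flags;                            /* 0x1C / 0x34 */
} ETW_QUEUE_ENTRY;

/* Versions 6.0 and 6.1 (name invented here): 0x18 bytes on x86, 0x28 on x64. */
typedef struct _ETW_QUEUE_ENTRY_60 {
    LIST_ENTRY ListEntry;                   /* 0x00 / 0x00 */
    ETWP_NOTIFICATION_HEADER *DataBlock;    /* 0x08 / 0x10 */
    ETW_REG_ENTRY *RegEntry;                /* 0x0C / 0x18 */
    ULONG RegIndex;                         /* 0x10 / 0x20 */
    ULONG ReplyIndex;                       /* 0x14 / 0x24 */
} ETW_QUEUE_ENTRY_60;

#define CONTAINING_RECORD(address, type, field) \
    ((type *)((char *)(address) - offsetof(type, field)))

/* 1 if both layouts match the table for the pointer width being built for. */
int etw_queue_entry_layout_matches_table(void)
{
    const int x64 = sizeof(void *) == 8;
    return offsetof(ETW_QUEUE_ENTRY, DataBlock)     == (x64 ? 0x10u : 0x08u)
        && offsetof(ETW_QUEUE_ENTRY, RegEntry)      == (x64 ? 0x18u : 0x0Cu)
        && offsetof(ETW_QUEUE_ENTRY, ReplyObject)   == (x64 ? 0x20u : 0x10u)
        && offsetof(ETW_QUEUE_ENTRY, WakeReference) == (x64 ? 0x28u : 0x14u)
        && offsetof(ETW_QUEUE_ENTRY, RegIndex)      == (x64 ? 0x30u : 0x18u)
        && offsetof(ETW_QUEUE_ENTRY, ReplyIndex)    == (x64 ? 0x32u : 0x1Au)
        && offsetof(ETW_QUEUE_ENTRY, Flags)         == (x64 ? 0x34u : 0x1Cu)
        && sizeof(ETW_QUEUE_ENTRY)                  == (x64 ? 0x38u : 0x20u)
        && offsetof(ETW_QUEUE_ENTRY_60, RegIndex)   == (x64 ? 0x20u : 0x10u)
        && offsetof(ETW_QUEUE_ENTRY_60, ReplyIndex) == (x64 ? 0x24u : 0x14u)
        && sizeof(ETW_QUEUE_ENTRY_60)               == (x64 ? 0x28u : 0x18u);
}

/* Constructed sample: three queued notifications with made-up sizes. */
static ETWP_NOTIFICATION_HEADER sample_blocks[3] = { {0x40}, {0x58}, {0x20} };
static ETW_QUEUE_ENTRY sample_entries[3];
static LIST_ENTRY sample_head;

/* Links the sample entries, in order, into a circular doubly linked list
 * behind sample_head, as kernel LIST_ENTRY queues are kept. */
LIST_ENTRY *build_sample_queue(void)
{
    LIST_ENTRY *prev = &sample_head;
    size_t i;

    sample_head.Flink = sample_head.Blink = &sample_head;
    for (i = 0; i < 3; i++) {
        ETW_QUEUE_ENTRY *e = &sample_entries[i];
        e->DataBlock = &sample_blocks[i];
        e->RegEntry = NULL;
        e->ReplyObject = NULL;
        e->WakeReference = NULL;
        e->RegIndex = (USHORT)i;
        e->ReplyIndex = 0;
        e->Flags = 0;
        e->ListEntry.Flink = &sample_head;      /* insert at the tail */
        e->ListEntry.Blink = prev;
        prev->Flink = &e->ListEntry;
        sample_head.Blink = &e->ListEntry;
        prev = &e->ListEntry;
    }
    return &sample_head;
}

/* Walks the queue from its head, recovering each ETW_QUEUE_ENTRY from its
 * embedded ListEntry, and sums the NotificationSize of every DataBlock.
 * Stores the number of entries in *count when count is not NULL. */
size_t etw_queue_notification_bytes(LIST_ENTRY *head, size_t *count)
{
    size_t total = 0, n = 0;
    LIST_ENTRY *link;

    for (link = head->Flink; link != head; link = link->Flink) {
        ETW_QUEUE_ENTRY *entry = CONTAINING_RECORD(link, ETW_QUEUE_ENTRY, ListEntry);
        total += entry->DataBlock->NotificationSize;
        n++;
    }
    if (count)
        *count = n;
    return total;
}

size_t sample_queue_length(void)
{
    size_t n = 0;
    etw_queue_notification_bytes(build_sample_queue(), &n);
    return n;
}

int main(void)
{
    size_t count = 0;
    size_t bytes = etw_queue_notification_bytes(build_sample_queue(), &count);
    printf("layout matches table: %s\n",
           etw_queue_entry_layout_matches_table() ? "yes" : "no");
    printf("%zu queued notifications, %zu bytes of data blocks\n", count, bytes);
    return 0;
}
```

The layout check relies on the compiler's natural alignment, which for these member types agrees with the kernel's on both x86 and x64; a build with packing options that change it would fail the check, which is the point of having one.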