EVENT_INSTANCE_HEADER

The EVENT_INSTANCE_HEADER is one of several types of fixed-size header that introduce variable-size data for events that are logged through Event Tracing for Windows (ETW). As with other types of event, those that begin with an EVENT_INSTANCE_HEADER accumulate first in trace buffers. To have these events persist in this raw form for ready inspection, configure the event tracing session to flush the trace buffers to an Event Trace Log (ETL) file.

Events that begin with an EVENT_INSTANCE_HEADER are less common than the other types that get into the trace buffers, and they typically originated with this header. The documented API function TraceEventInstance takes an EVENT_INSTANCE_HEADER as its input. The similarly old kernel export IoWMIWriteEvent is documented as taking a WNODE_HEADER as its input, but it can handle an EVENT_INSTANCE_HEADER.

Documentation Status

The EVENT_INSTANCE_HEADER structure is documented.

That said, Microsoft seems never to have documented that IoWMIWriteEvent accepts an EVENT_INSTANCE_HEADER. (A search through Google for the function and structure in combination produces no matches today, 10th December 2018.)

Layout

The EVENT_INSTANCE_HEADER is 0x38 bytes in both 32-bit and 64-bit Windows in all known versions that have it, i.e., 5.0 and higher.

Offset  Definition                                  Versions
0x00    USHORT Size;                                5.0 and higher
0x02    UCHAR HeaderType;                           5.0 only
        UCHAR MarkerFlags;
        union {                                     5.1 and higher
            USHORT FieldTypeFlags;
            struct {
                UCHAR HeaderType;
                UCHAR MarkerFlags;
            };
        };
0x04    union {                                     5.0 and higher
            ULONG Version;
            struct {
                UCHAR Type;
                UCHAR Level;
                USHORT Version;
            } Class;
        };
0x08    ULONGLONG ThreadId;                         5.0 only
        ULONG ThreadId;                             5.1 and higher
0x0C    ULONG ProcessId;                            5.1 and higher
0x10    LARGE_INTEGER TimeStamp;                    5.0 and higher
0x18    ULONGLONG RegHandle;                        5.0 and higher
0x20    ULONG InstanceId;                           5.0 and higher
0x24    ULONG ParentInstanceId;                     5.0 and higher
0x28    union {                                     5.0 to 5.2
            struct {
                ULONG ClientContext;
                ULONG Flags;
            };
            struct {
                ULONG KernelTime;
                ULONG UserTime;
            };
            ULONG64 ProcessorTime;
        };
        union {                                     6.0 and higher
            struct {
                ULONG KernelTime;
                ULONG UserTime;
            };
            ULONG64 ProcessorTime;
            struct {
                ULONG EventId;
                ULONG Flags;
            };
        };
0x30    ULONGLONG ParentRegHandle;                  5.0 and higher

The first 4 bytes have elements in common across all the various Trace Headers. All have the high two bits set in the MarkerFlags. What distinguishes a header as specifically an EVENT_INSTANCE_HEADER is the HeaderType:

Value  Name                          Implied Layout
0x0B   TRACE_HEADER_TYPE_INSTANCE32  0x38 bytes of header followed by 32-bit event data
0x15   TRACE_HEADER_TYPE_INSTANCE64  0x38 bytes of header followed by 64-bit event data
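As an added example that is not part of the original page, the following C reproduces the 5.1-and-higher layout as a struct and shows the check that a reader of raw trace buffers or ETL files would apply before treating bytes as an EVENT_INSTANCE_HEADER (Size, HeaderType and the high bits of MarkerFlags). The function names and the sample bytes are constructed for this example, the Windows headers are not used, and it assumes, as for the other ETW trace headers, that Size counts the header plus any appended event data.

```c
#include <stdint.h>
#include <string.h>

#define TRACE_HEADER_TYPE_INSTANCE32 0x0B
#define TRACE_HEADER_TYPE_INSTANCE64 0x15

/* 5.1-and-higher layout (6.0-and-higher names in the 0x28 union); natural
 * alignment reproduces the table's offsets, which the _Static_assert checks. */
typedef struct {
    uint16_t Size;              /* 0x00: header plus appended event data (assumed, as for other trace headers) */
    uint8_t  HeaderType;        /* 0x02 */
    uint8_t  MarkerFlags;       /* 0x03: high two bits set in every trace header */
    uint32_t Version;           /* 0x04: Class.Type, Class.Level, Class.Version */
    uint32_t ThreadId;          /* 0x08 */
    uint32_t ProcessId;         /* 0x0C */
    int64_t  TimeStamp;         /* 0x10 */
    uint64_t RegHandle;         /* 0x18 */
    uint32_t InstanceId;        /* 0x20 */
    uint32_t ParentInstanceId;  /* 0x24 */
    union {                     /* 0x28 */
        struct { uint32_t KernelTime; uint32_t UserTime; };
        uint64_t ProcessorTime;
        struct { uint32_t EventId; uint32_t Flags; };
    };
    uint64_t ParentRegHandle;   /* 0x30 */
} EVENT_INSTANCE_HEADER;
_Static_assert(sizeof(EVENT_INSTANCE_HEADER) == 0x38, "layout must be 0x38 bytes");
/* 32 or 64 for the two instance header types, 0 for any other HeaderType. */
int event_data_width(uint8_t t) {
    return t == TRACE_HEADER_TYPE_INSTANCE32 ? 32 : t == TRACE_HEADER_TYPE_INSTANCE64 ? 64 : 0;
}

/* Copies a header out of raw little-endian buffer bytes; returns 1 only if Size covers
 * the header and fits the buffer, HeaderType is an instance type and the high two
 * bits of MarkerFlags are set. Rejected buffers leave *out unspecified. */
int parse_event_instance_header(const uint8_t *buf, size_t len, EVENT_INSTANCE_HEADER *out) {
    if (len < sizeof *out) return 0;
    memcpy(out, buf, sizeof *out);          /* memcpy: no alignment assumption on buf */
    if (out->Size < sizeof *out || out->Size > len) return 0;
    if (event_data_width(out->HeaderType) == 0) return 0;
    if ((out->MarkerFlags & 0xC0) != 0xC0) return 0;
    return 1;
}

/* Constructed sample: one 64-bit instance event with no appended data, so Size is 0x38. */
static const uint8_t SAMPLE[0x38] = {
    0x38,0x00, 0x15,0xC0, 0x01,0x00,0x02,0x00,  0x34,0x12,0x00,0x00, 0xBC,0x0A,0x00,0x00,
    0x88,0x77,0x66,0x55,0x44,0x33,0x22,0x11,  0x01,0x00,0x00,0x00,0xDD,0xCC,0xBB,0xAA,
    0x07,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,  0x2A,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x02,0x00,0x00,0x00,0xDD,0xCC,0xBB,0xAA,
};
```

A 5.0 buffer would need the older layout (64-bit ThreadId at 0x08, no ProcessId), so this parser is only right for the 5.1-and-higher form.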