TRACE_LOGFILE_HEADER

The TRACE_LOGFILE_HEADER is one of many types of fixed-size header that begin the data for an event as held in the trace buffers or flushed to an Event Trace Log (ETL) file. The event is specifically the system event WMI_LOG_TYPE_HEADER.

Usage

The WMI_LOG_TYPE_HEADER event is the very first in every ETL file, beginning immediately after the first WMI_BUFFER_HEADER.

Documentation Status

The TRACE_LOGFILE_HEADER is documented, but not so that it can be inspected in an ETL file. What is documented is the translation that the documented OpenTrace function presents to its callers as output in the LogfileHeader member of the EVENT_TRACE_LOGFILE structure whose address is passed to the function as its one argument.

This article is concerned only with the raw TRACE_LOGFILE_HEADER as it appears in trace buffers or ETL files, and only then to note where this differs from what is documented.

Layout

Data for the WMI_LOG_TYPE_HEADER event comprises:

In the SYSTEM_TRACE_HEADER, the Marker is 0xC0010002 for a 32-bit trace session and 0xC0020002 for a 64-bit one. The difference determines whether the TRACE_LOGFILE_HEADER that follows is the 32-bit or 64-bit form, respectively. The Size is the total in bytes of all the above, the SYSTEM_TRACE_HEADER included. The HookId is WMI_LOG_TYPE_HEADER (0x0000), which identifies the event.

The TRACE_LOGFILE_HEADER is 0x0110 or 0x0118 bytes in 32-bit and 64-bit Windows, respectively, in all known versions.

Offset (x86)  Offset (x64)  Definition
0x00          0x00          ULONG BufferSize;
0x04          0x04          union {
                                ULONG Version;
                                struct {
                                    UCHAR MajorVersion;
                                    UCHAR MinorVersion;
                                    UCHAR SubVersion;
                                    UCHAR SubMinorVersion;
                                } VersionDetail;
                            };
0x08          0x08          ULONG ProviderVersion;
0x0C          0x0C          ULONG NumberOfProcessors;
0x10          0x10          LARGE_INTEGER EndTime;
0x18          0x18          ULONG TimerResolution;
0x1C          0x1C          ULONG MaximumFileSize;
0x20          0x20          ULONG LogFileMode;
0x24          0x24          ULONG BuffersWritten;
0x28          0x28          union {
                                GUID LogInstanceGuid;
                                struct {
                                    ULONG StartBuffers;
                                    ULONG PointerSize;
                                    ULONG EventsLost;
                                    ULONG CpuSpeedInMHz;
                                };
                            };
0x38          0x38          PWSTR LoggerName;
0x3C          0x40          PWSTR LogFileName;
0x40          0x48          TIME_ZONE_INFORMATION TimeZone;
0xF0          0xF8          LARGE_INTEGER BootTime;
0xF8          0x0100        LARGE_INTEGER PerfFreq;
0x0100        0x0108        LARGE_INTEGER StartTime;
0x0108        0x0110        ULONG ReservedFlags;
0x010C        0x0114        ULONG BuffersLost;

In the VersionDetail, the SubVersion and SubMinorVersion tell a little of the logger’s capability. The Windows 10 kernel sets these as if for a version 2.0 if the logger is sufficiently advanced, else for a version 1.5. Sufficiently advanced means any of the following:

Regardless of how many processors are active, the NumberOfProcessors is 1 if the logger is configured for the EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING (0x10000000) mode.

The LogFileMode reported in this structure is not exactly what the logger keeps as its LoggerMode. The following flags are cleared from it:

The LoggerName and LogFileName pointers are repurposed. They instead take values from the HAL_PLATFORM_TIMER_SOURCE enumeration, telling which timer source drives the clock interrupt and the performance counter, respectively. This enumeration is defined in the NTOSP.H header from some editions of the Windows Driver Kit (WDK) for Windows 10:

The null-terminated Unicode strings that these members' names might otherwise suggest are not pointed to at all: they simply follow the structure.
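Putting the layout above to use, the following C program is an added example, not code from the article or from Windows, that parses a raw WMI_LOG_TYPE_HEADER event as it sits at the start of an ETL file: it selects the 32-bit or 64-bit layout from the Marker, bounds-checks the declared Size before reading anything past the SYSTEM_TRACE_HEADER, reads every field at the offsets in the table (including the repurposed LoggerName and LogFileName values), and then extracts the two null-terminated Unicode strings that follow the structure. It assumes a 0x20-byte SYSTEM_TRACE_HEADER with the Marker at offset 0, the Size at 4 and the HookId at 6, reads the union at 0x28 in its StartBuffers/PointerSize/EventsLost/CpuSpeedInMHz form, and takes the strings to be in the order LoggerName then LogFileName; none of these details is stated in the article. The sample event is constructed in the code with illustrative values rather than captured from a real trace.

```c
#include <stdint.h>
#include <string.h>

/* Assumed, not stated in the article: the SYSTEM_TRACE_HEADER that precedes the
 * TRACE_LOGFILE_HEADER is 0x20 bytes, with Marker at 0, Size at 4 and HookId at 6. */
#define SYSTEM_TRACE_HEADER_SIZE 0x20
#define MARKER_SYSTEM32 0xC0010002u   /* 32-bit trace session */
#define MARKER_SYSTEM64 0xC0020002u   /* 64-bit trace session */
#define WMI_LOG_TYPE_HEADER 0x0000

typedef struct {
    int is64;                            /* from the Marker; selects the 0x110 or 0x118 layout */
    uint32_t buffer_size, version, provider_version, number_of_processors; /* version: bytes 0..3 are Major, Minor, Sub, SubMinor */
    uint64_t end_time;
    uint32_t timer_resolution, maximum_file_size, log_file_mode, buffers_written;
    uint32_t start_buffers, pointer_size, events_lost, cpu_speed_mhz;   /* the union, non-GUID form (assumed) */
    uint64_t clock_source, perf_source, boot_time, perf_freq, start_time; /* first two: repurposed LoggerName, LogFileName */
    uint32_t reserved_flags, buffers_lost;
    uint16_t logger_name[64], log_file_name[260];  /* the strings that follow the structure */
} LogfileHeader;

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* Copy a NUL-terminated UTF-16LE string out of [p, end); NULL if it runs off the event. */
static const uint8_t *read_wstr(const uint8_t *p, const uint8_t *end, uint16_t *out, size_t cap)
{
    for (size_t n = 0; end - p >= 2; p += 2) {
        uint16_t c = (uint16_t)rd16(p);
        if (c == 0) { out[n] = 0; return p + 2; }
        if (n + 1 < cap) out[n++] = c;
    }
    return NULL;
}

/* Parse one WMI_LOG_TYPE_HEADER event from its SYSTEM_TRACE_HEADER on: 0 on success, else a negative code. */
int parse_log_type_header(const uint8_t *buf, size_t len, LogfileHeader *out)
{
    if (len < SYSTEM_TRACE_HEADER_SIZE) return -1;
    uint32_t marker = rd32(buf);
    if (marker == MARKER_SYSTEM32) out->is64 = 0;
    else if (marker == MARKER_SYSTEM64) out->is64 = 1;
    else return -2;                                     /* not a 32- or 64-bit system event */
    if (rd16(buf + 6) != WMI_LOG_TYPE_HEADER) return -3;
    size_t size = rd16(buf + 4), hdr_size = out->is64 ? 0x118 : 0x110;
    if (size > len || size < SYSTEM_TRACE_HEADER_SIZE + hdr_size) return -4;  /* never trust Size */
    const uint8_t *h = buf + SYSTEM_TRACE_HEADER_SIZE, *end = buf + size;
    size_t p = out->is64 ? 8 : 4;       /* pointer width; only LogFileName's offset moves by it */
    size_t q = out->is64 ? 0xF8 : 0xF0; /* BootTime, after the 0xAC-byte TIME_ZONE_INFORMATION */
    out->buffer_size = rd32(h + 0x00);       out->version = rd32(h + 0x04);
    out->provider_version = rd32(h + 0x08);  out->number_of_processors = rd32(h + 0x0C);
    out->end_time = rd64(h + 0x10);          out->timer_resolution = rd32(h + 0x18);
    out->maximum_file_size = rd32(h + 0x1C); out->log_file_mode = rd32(h + 0x20);
    out->buffers_written = rd32(h + 0x24);   out->start_buffers = rd32(h + 0x28);
    out->pointer_size = rd32(h + 0x2C);      out->events_lost = rd32(h + 0x30);
    out->cpu_speed_mhz = rd32(h + 0x34);
    out->clock_source = out->is64 ? rd64(h + 0x38) : rd32(h + 0x38);
    out->perf_source = out->is64 ? rd64(h + 0x38 + p) : rd32(h + 0x38 + p);
    out->boot_time = rd64(h + q);            out->perf_freq = rd64(h + q + 0x08);
    out->start_time = rd64(h + q + 0x10);    out->reserved_flags = rd32(h + q + 0x18);
    out->buffers_lost = rd32(h + q + 0x1C);
    const uint8_t *s = read_wstr(h + hdr_size, end, out->logger_name, 64);
    if (!s) return -5;                                  /* LoggerName string unterminated */
    if (!read_wstr(s, end, out->log_file_name, 260)) return -6;
    return 0;
}

static uint8_t *put_wstr(uint8_t *p, const char *s)     /* ASCII to NUL-terminated UTF-16LE */
{
    do { wr16(p, (uint8_t)*s); p += 2; } while (*s++);
    return p;
}

/* Build a constructed 64-bit sample event; the values are illustrative, not from a real ETL. */
size_t build_sample_event(uint8_t *buf, size_t cap)
{
    const char *logger = "NT Kernel Logger", *file = "C:\\trace.etl";
    size_t total = SYSTEM_TRACE_HEADER_SIZE + 0x118 + 2 * (strlen(logger) + 1) + 2 * (strlen(file) + 1);
    if (total > cap) return 0;
    memset(buf, 0, total);
    wr32(buf, MARKER_SYSTEM64); wr16(buf + 4, (uint32_t)total); wr16(buf + 6, WMI_LOG_TYPE_HEADER);
    uint8_t *h = buf + SYSTEM_TRACE_HEADER_SIZE;
    wr32(h + 0x00, 0x10000);                 /* BufferSize 64 KiB */
    wr32(h + 0x04, 0x0002000A);              /* bytes 0A 00 02 00: Major 10, Minor 0, SubVersion 2 */
    wr32(h + 0x0C, 8);  wr32(h + 0x20, 1);   /* NumberOfProcessors; LogFileMode = EVENT_TRACE_FILE_MODE_SEQUENTIAL */
    wr32(h + 0x24, 42); wr32(h + 0x2C, 8);   /* BuffersWritten; PointerSize */
    wr32(h + 0x30, 3);  wr32(h + 0x34, 2400);      /* EventsLost; CpuSpeedInMHz */
    wr32(h + 0x38, 1);  wr32(h + 0x40, 3);         /* clock and perf-counter sources (assumed values) */
    wr32(h + 0x100, 10000000); wr32(h + 0x114, 1); /* PerfFreq (low dword); BuffersLost */
    put_wstr(put_wstr(h + 0x118, logger), file);   /* the two strings follow the structure */
    return total;
}

int wstr_eq(const uint16_t *w, const char *s)   /* parsed UTF-16 against ASCII, for checking results */
{
    for (; *s; s++, w++) if (*w != (uint8_t)*s) return 0;
    return *w == 0;
}
```

The checks that matter when the ETL file is untrusted input are the ones on Size: the declared size must fit within the bytes actually available and must at least cover the fixed-size structure, and the trailing strings are read only up to that bound, so a truncated or malformed header is rejected with a code instead of being read past the end of the buffer.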