PERFINFO_GROUPMASK

The PERFINFO_GROUPMASK describes the types of event that are enabled in an NT Kernel Logger session.

Usage

Historically, and as far as anyone still might know from the documentation, the choice of events that can be enabled in NT Kernel Logger sessions is managed from user mode via the EnableFlags member of the EVENT_TRACE_PROPERTIES structure that is most of the input and output for such documented API functions as StartTrace and ControlTrace. The PERFINFO_GROUPMASK greatly extends this choice but goes through the separate pair of functions TraceQueryInformation and TraceSetInformation. The PERFINFO_GROUPMASK structure is what these functions produce as output or expect as input in their information buffer when given the information class TraceSystemTraceEnableFlagsInfo (0x04).

Beneath these user-mode API functions, the PERFINFO_GROUPMASK is part of the EVENT_TRACE_GROUPMASK_INFORMATION structure that is expected by the ZwQuerySystemInformation or NtQuerySystemInformation functions and ZwSetSystemInformation or NtSetSystemInformation functions when given their information class SystemPerformanceTraceInformation (0x1F) if the first dword in the information buffer on input is EventTraceGroupMaskInformation (0x01).

Internally, the kernel keeps an array of PERFINFO_GROUPMASK structures, one for each possible NT Kernel Logger session. The present capacity is eight.

Documentation Status

The PERFINFO_GROUPMASK structure is not documented, but a C-language definition is published in a header file named NTWMI.H that appears in some editions of the Windows Driver Kit (WDK) for Windows 10. Until this disclosure, it was known only from type information in public symbol files for the kernel (in Windows Vista and higher).

Layout

The PERFINFO_GROUPMASK structure is 0x20 bytes in both 32-bit and 64-bit Windows. It has just the one member:

Offset Definition
0x00
ULONG Masks [8];

The point of the PERFINFO_GROUPMASK structure is simply that its eight array elements allow 256 flags instead of the 32 that can be passed to and fro in the EnableFlags. As the tables below show, each named flag encodes the array index in its high three bits and the bit within that element in its low 29 bits, so that a flag whose value begins 0x2 selects Masks [1], 0x4 selects Masks [2], 0x8 selects Masks [4], and so on up to 0xE for Masks [7].
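The following is an added example and not code from the page or from Microsoft's headers. It packs PERF_* flags into a PERFINFO_GROUPMASK using the index-in-the-top-three-bits encoding described above, translates an EnableFlags value the way the Masks [0] table describes (the bits that "map to" a flag in Masks [1] or Masks [2] move there; the rest keep their bit in Masks [0]), and, on Windows only, applies the result to an NT Kernel Logger session through TraceQueryInformation and TraceSetInformation with TraceSystemTraceEnableFlagsInfo as covered under Usage. The flag values are the ones listed in the tables; the helper names (gm_set, gm_test, enableflags_to_groupmask, apply_groupmask) are this example's own, and the handling of the three control bits in EnableFlags is an assumption stated in the comments. The NtSetSystemInformation path is not shown because the page does not give the layout of EVENT_TRACE_GROUPMASK_INFORMATION.

```c
/* Added example (not from the page or from NTWMI.H). Flag values are those
 * listed in the page's tables; helper names and the EnableFlags translation
 * are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PERF_NUM_MASKS 8
typedef struct _PERFINFO_GROUPMASK { uint32_t Masks[PERF_NUM_MASKS]; } PERFINFO_GROUPMASK;

/* A named flag carries its array index in the top three bits and its bit
 * within Masks[index] in the low 29 bits: 0x20000004 PERF_CONTEXT_SWITCH is
 * bit 2 of Masks[1]; 0x40000040 PERF_SYSCALL is bit 6 of Masks[2]. */
#define PERF_MASK_INDEX 0xE0000000u
#define PERF_GET_MASK_INDEX(f) (((f) & PERF_MASK_INDEX) >> 29)
#define PERF_GET_MASK_GROUP(f) ((f) & ~PERF_MASK_INDEX)

/* Flags from the page's tables (a subset). */
#define PERF_PROCESS        0x00000001u
#define PERF_THREAD         0x00000002u
#define PERF_LOADER         0x00000004u
#define PERF_PROFILE        0x20000002u
#define PERF_CONTEXT_SWITCH 0x20000004u
#define PERF_DRIVERS        0x20000010u
#define PERF_DPC            0x20000080u
#define PERF_DISPATCHER     0x20000200u
#define PERF_INTERRUPT      0x20004000u
#define PERF_VIRTUAL_ALLOC  0x20008000u
#define PERF_SYSCALL        0x40000040u
#define PERF_OB_HANDLE      0x80000040u
#define PERF_SYSCFG_ALL     0xDFFFFFFFu

/* EnableFlags bits that the Masks[0] table says live in another element. */
static const struct { uint32_t enable_bit; uint32_t perf_flag; } remap[] = {
    { 0x00000010u, PERF_CONTEXT_SWITCH }, /* EVENT_TRACE_FLAG_CSWITCH */
    { 0x00000020u, PERF_DPC },            /* EVENT_TRACE_FLAG_DPC */
    { 0x00000040u, PERF_INTERRUPT },      /* EVENT_TRACE_FLAG_INTERRUPT */
    { 0x00000080u, PERF_SYSCALL },        /* EVENT_TRACE_FLAG_SYSTEMCALL */
    { 0x00000800u, PERF_DISPATCHER },     /* EVENT_TRACE_FLAG_DISPATCHER */
    { 0x00004000u, PERF_VIRTUAL_ALLOC },  /* EVENT_TRACE_FLAG_VIRTUAL_ALLOC */
    { 0x00800000u, PERF_DRIVERS },        /* EVENT_TRACE_FLAG_DRIVER */
    { 0x01000000u, PERF_PROFILE },        /* EVENT_TRACE_FLAG_PROFILE */
};

/* Set one named flag in the element its top three bits select. */
void gm_set(PERFINFO_GROUPMASK *gm, uint32_t flag) {
    gm->Masks[PERF_GET_MASK_INDEX(flag)] |= PERF_GET_MASK_GROUP(flag);
}

/* True if every bit of the named flag is set (handles combos like PERF_SYSCFG_ALL). */
int gm_test(const PERFINFO_GROUPMASK *gm, uint32_t flag) {
    uint32_t bits = PERF_GET_MASK_GROUP(flag);
    return (gm->Masks[PERF_GET_MASK_INDEX(flag)] & bits) == bits;
}

/* EnableFlags -> group mask. Remapped bits move to Masks[1]/Masks[2]; other
 * event bits keep their position in Masks[0]. Assumption made here: the three
 * control bits 0xE0000000 (EXTENSION, FORWARD_WMI, ENABLE_RESERVE) are not
 * event classes and are dropped rather than copied. */
void enableflags_to_groupmask(uint32_t enable_flags, PERFINFO_GROUPMASK *gm) {
    size_t i;
    memset(gm, 0, sizeof *gm);
    for (i = 0; i < sizeof remap / sizeof remap[0]; i++) {
        if (enable_flags & remap[i].enable_bit) {
            gm_set(gm, remap[i].perf_flag);
            enable_flags &= ~remap[i].enable_bit;
        }
    }
    gm->Masks[0] |= enable_flags & ~PERF_MASK_INDEX;
}

#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")
/* Read the live mask of an NT Kernel Logger session (the TRACEHANDLE that
 * StartTrace returned), OR in extra flags, and write it back. Needs Windows 8
 * or later and an elevated caller; returns the Win32 error code. */
ULONG apply_groupmask(TRACEHANDLE session, const uint32_t *extra, size_t n) {
    PERFINFO_GROUPMASK gm; ULONG len = 0, rc; size_t i;
    rc = TraceQueryInformation(session, TraceSystemTraceEnableFlagsInfo, &gm, sizeof gm, &len);
    if (rc != ERROR_SUCCESS) return rc;
    for (i = 0; i < n; i++) gm_set(&gm, extra[i]);
    return TraceSetInformation(session, TraceSystemTraceEnableFlagsInfo, &gm, sizeof gm);
}
#endif

int main(void) {
    PERFINFO_GROUPMASK gm; int i;
    enableflags_to_groupmask(0x00000091u, &gm);  /* PROCESS | CSWITCH | SYSTEMCALL */
    gm_set(&gm, PERF_OB_HANDLE);                 /* has no EnableFlags equivalent */
    for (i = 0; i < PERF_NUM_MASKS; i++) printf("Masks[%d] = 0x%08X\n", i, gm.Masks[i]);
    return 0;
}
```

The portable part builds and compiles anywhere; only apply_groupmask needs the Windows SDK. Note that gm_test checks all bits of a combined flag such as PERF_POOLTRACE or PERF_SYSCFG_ALL, which is what makes those rows in the tables meaningful as single names.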

Masks [0]

Indeed, the first element arguably is the EnableFlags:

Value Name Equivalent in EnableFlags
0x00000001 PERF_PROCESS EVENT_TRACE_FLAG_PROCESS
0x00000002 PERF_THREAD EVENT_TRACE_FLAG_THREAD
0x00000003 PERF_PROC_THREAD  
0x00000004 PERF_LOADER EVENT_TRACE_FLAG_IMAGE_LOAD
0x00000008 PERF_PERF_COUNTER EVENT_TRACE_FLAG_PROCESS_COUNTERS
0x00000010 maps to PERF_CONTEXT_SWITCH in Masks [1] EVENT_TRACE_FLAG_CSWITCH
0x00000020 maps to PERF_DPC in Masks [1] EVENT_TRACE_FLAG_DPC
0x00000040 maps to PERF_INTERRUPT in Masks [1] EVENT_TRACE_FLAG_INTERRUPT
0x00000080 maps to PERF_SYSCALL in Masks [2] EVENT_TRACE_FLAG_SYSTEMCALL
0x00000100   EVENT_TRACE_FLAG_DISK_IO
0x00000200 PERF_FILENAME EVENT_TRACE_FLAG_DISK_FILE_IO
0x00000300 PERF_DISK_IO  
0x00000400 PERF_DISK_IO_INIT EVENT_TRACE_FLAG_DISK_IO_INIT
0x00000800 maps to PERF_DISPATCHER in Masks [1] EVENT_TRACE_FLAG_DISPATCHER
0x00001000 PERF_ALL_FAULTS EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS
0x00002000 PERF_HARD_FAULTS EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS
0x00004000 maps to PERF_VIRTUAL_ALLOC in Masks [1] EVENT_TRACE_FLAG_VIRTUAL_ALLOC
0x00008000 PERF_VAMAP EVENT_TRACE_FLAG_VAMAP
0x00010000 PERF_NETWORK EVENT_TRACE_FLAG_NETWORK_TCPIP
0x00020000 PERF_REGISTRY EVENT_TRACE_FLAG_REGISTRY
0x00040000 PERF_DBGPRINT EVENT_TRACE_FLAG_DBGPRINT
0x00080000 PERF_JOB EVENT_TRACE_FLAG_JOB
0x00100000 PERF_ALPC EVENT_TRACE_FLAG_ALPC
0x00200000 PERF_SPLIT_IO EVENT_TRACE_FLAG_SPLIT_IO
0x00400000 PERF_DEBUG_EVENTS EVENT_TRACE_FLAG_DEBUG_EVENTS
0x00800000 maps to PERF_DRIVERS in Masks [1] EVENT_TRACE_FLAG_DRIVER
0x01000000 maps to PERF_PROFILE in Masks [1] EVENT_TRACE_FLAG_PROFILE
0x02000000 PERF_FILE_IO EVENT_TRACE_FLAG_FILE_IO
0x04000000 PERF_FILE_IO_INIT EVENT_TRACE_FLAG_FILE_IO_INIT
0x08000000    
0x10000000 PERF_NO_SYSCONFIG  
0x20000000   EVENT_TRACE_FLAG_EXTENSION
0x40000000   EVENT_TRACE_FLAG_FORWARD_WMI
0x80000000   EVENT_TRACE_FLAG_ENABLE_RESERVE

Masks [1]

Value Name
0x20000001 PERF_MEMORY
0x20000002 PERF_PROFILE
0x20000004 PERF_CONTEXT_SWITCH
0x20000008 PERF_FOOTPRINT
0x20000010 PERF_DRIVERS
0x20000020 PERF_REFSET
0x20000040 PERF_POOL
0x20000041 PERF_POOLTRACE
0x20000080 PERF_DPC
0x20000100 PERF_COMPACT_CSWITCH
0x20000200 PERF_DISPATCHER
0x20000400 PERF_PMC_PROFILE
0x20000402 PERF_PROFILING
0x20000800 PERF_PROCESS_INSWAP
0x20001000 PERF_AFFINITY
0x20002000 PERF_PRIORITY
0x20004000 PERF_INTERRUPT
0x20008000 PERF_VIRTUAL_ALLOC
0x20010000 PERF_SPINLOCK
0x20020000 PERF_SYNC_OBJECTS
0x20040000 PERF_DPC_QUEUE
0x20080000 PERF_MEMINFO
0x20100000 PERF_CONTMEM_GEN
0x20200000 PERF_SPINLOCK_CNTRS
0x20210000 PERF_SPININSTR
0x20400000 PERF_SESSION
0x20400000 PERF_PFSECTION
0x20800000 PERF_MEMINFO_WS
0x21000000 PERF_KERNEL_QUEUE
0x22000000 PERF_INTERRUPT_STEER
0x24000000 PERF_SHOULD_YIELD
0x28000000 PERF_WS

Masks [2]

Value Name
0x40000001 PERF_ANTI_STARVATION
0x40000002 PERF_PROCESS_FREEZE
0x40000004 PERF_PFN_LIST
0x40000008 PERF_WS_DETAIL
0x40000010 PERF_WS_ENTRY
0x40000020 PERF_HEAP
0x40000040 PERF_SYSCALL
0x40000080 PERF_UMS
0x40000100 PERF_BACKTRACE
0x40000200 PERF_VULCAN
0x40000400 PERF_OBJECTS
0x40000800 PERF_EVENTS
0x40001000 PERF_FULLTRACE
0x40002000 PERF_DFSS
0x40004000 PERF_PREFETCH
0x40008000 PERF_PROCESSOR_IDLE
0x40010000 PERF_CPU_CONFIG
0x40020000 PERF_TIMER
0x40040000 PERF_CLOCK_INTERRUPT
0x40080000 PERF_LOAD_BALANCER
0x40100000 PERF_CLOCK_TIMER
0x40200000 PERF_IDLE_SELECTION
0x40400000 PERF_IPI
0x40800000 PERF_IO_TIMER
0x41000000 PERF_REG_HIVE
0x42000000 PERF_REG_NOTIF
0x44000000 PERF_PPM_EXIT_LATENCY
0x48000000 PERF_WORKER_THREAD

Masks [3]

Apparently, no flags are yet defined for Masks [3].

Masks [4]

Value Name
0x80000001 PERF_OPTICAL_IO
0x80000002 PERF_OPTICAL_IO_INIT
0x80000008 PERF_DLL_INFO
0x80000010 PERF_DLL_FLUSH_WS
0x80000040 PERF_OB_HANDLE
0x80000080 PERF_OB_OBJECT
0x80000200 PERF_WAKE_DROP
0x80000400 PERF_WAKE_EVENT
0x80000800 PERF_DEBUGGER
0x80001000 PERF_PROC_ATTACH
0x80002000 PERF_WAKE_COUNTER
0x80008000 PERF_POWER
0x80010000 PERF_SOFT_TRIM
0x80020000 PERF_CC
0x80080000 PERF_FLT_IO_INIT
0x80100000 PERF_FLT_IO
0x80200000 PERF_FLT_FASTIO
0x80400000 PERF_FLT_IO_FAILURE
0x80800000 PERF_HV_PROFILE
0x81000000 PERF_WDF_DPC
0x82000000 PERF_WDF_INTERRUPT
0x84000000 PERF_CACHE_FLUSH

Masks [5]

Value Name
0xA0000001 PERF_HIBER_RUNDOWN

Masks [6]

Value Name
0xC0000001 PERF_SYSCFG_SYSTEM
0xC0000002 PERF_SYSCFG_GRAPHICS
0xC0000004 PERF_SYSCFG_STORAGE
0xC0000008 PERF_SYSCFG_NETWORK
0xC0000010 PERF_SYSCFG_SERVICES
0xC0000020 PERF_SYSCFG_PNP
0xC0000040 PERF_SYSCFG_OPTICAL
0xDFFFFFFF PERF_SYSCFG_ALL

Masks [7]

Value Name
0xE0000001 PERF_CLUSTER_OFF
0xE0000002 PERF_MEMORY_CONTROL