EVENT_TRACE_PERFORMANCE_INFORMATION

The EVENT_TRACE_PERFORMANCE_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) function expects in its information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is EventTracePerformanceInformation (0x02).

Documentation Status

The EVENT_TRACE_PERFORMANCE_INFORMATION structure is not documented. Its only known public existence in anything like plain text is a C-language definition in a header file named NTETW.H that appears in some editions of the Windows Driver Kit (WDK) for Windows 10.

Layout

The EVENT_TRACE_PERFORMANCE_INFORMATION structure is 0x10 bytes in both 32-bit and 64-bit Windows. The four bytes between the two members are alignment padding for the 8-byte LogfileBytesWritten.

Offset  Definition                                                  Remarks
0x00    EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;   input
0x08    ULONGLONG LogfileBytesWritten;                              output

Behaviour

The EVENT_TRACE_PERFORMANCE_INFORMATION structure is meaningful only as input to and output from one case of the ZwQuerySystemInformation function, and so its behaviour is best picked up here. This review takes as understood all the general points and shorthands that are noted in the separate attempt at documenting that function, and takes as given that the information class is SystemPerformanceTraceInformation and that the information buffer is exactly the size of an EVENT_TRACE_PERFORMANCE_INFORMATION in which the EventTraceInformationClass is EventTracePerformanceInformation.

The implementation simply sets the LogfileBytesWritten in the given structure to the running total, summed over all processors, of bytes written from trace buffers to log files, and then returns STATUS_SUCCESS.
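The following C program is an added example, not code from the original page or from Windows itself. It declares EVENT_TRACE_PERFORMANCE_INFORMATION exactly as the Layout table above gives it, checks the offsets and size with offsetof and sizeof, and, when built on Windows, performs the query described under Behaviour by resolving NtQuerySystemInformation from ntdll.dll at run time and passing SystemPerformanceTraceInformation (0x1F) with EventTracePerformanceInformation (0x02) in the first dword. The function names etpi_size, etpi_class_offset, etpi_counter_offset and query_logfile_bytes_written are the example's own. Off Windows there is no kernel to ask, so the query function returns STATUS_NOT_IMPLEMENTED and only the layout checks are meaningful; the 8-byte alignment attribute on the non-Windows ULONGLONG is an assumption that reproduces Windows' natural alignment of 64-bit integers so the layout matches on 32-bit builds too.

```c
/*
 * Added example (not from the original page): declares
 * EVENT_TRACE_PERFORMANCE_INFORMATION as the page lays it out, checks the
 * layout with offsetof/sizeof, and on Windows asks the kernel for the running
 * total of trace-buffer bytes flushed to log files. Constants match the page:
 * SystemPerformanceTraceInformation = 0x1F, EventTracePerformanceInformation = 2.
 */
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
typedef LONG NTSTATUS;
typedef NTSTATUS (NTAPI *PFN_NtQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);
#else
/* Off Windows: model the Windows types so the layout checks still build.
 * Assumption: ULONGLONG is 8-byte aligned, as on 32- and 64-bit Windows. */
typedef unsigned long long ULONGLONG __attribute__((aligned(8)));
typedef long NTSTATUS;
#endif

#define SystemPerformanceTraceInformation 0x1F
#define STATUS_SUCCESS         ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL    ((NTSTATUS)0xC0000001L)
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)

/* Only the member of EVENT_TRACE_INFORMATION_CLASS the page covers. */
typedef enum _EVENT_TRACE_INFORMATION_CLASS {
    EventTracePerformanceInformation = 0x02
} EVENT_TRACE_INFORMATION_CLASS;

typedef struct _EVENT_TRACE_PERFORMANCE_INFORMATION {
    EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass; /* input,  0x00 */
    ULONGLONG LogfileBytesWritten;                            /* output, 0x08 */
} EVENT_TRACE_PERFORMANCE_INFORMATION;

/* Layout facts a caller depends on: the class at 0x00, the counter at 0x08,
 * and a 0x10-byte buffer, which is the exact size the kernel expects. */
size_t etpi_size(void)           { return sizeof(EVENT_TRACE_PERFORMANCE_INFORMATION); }
size_t etpi_class_offset(void)   { return offsetof(EVENT_TRACE_PERFORMANCE_INFORMATION, EventTraceInformationClass); }
size_t etpi_counter_offset(void) { return offsetof(EVENT_TRACE_PERFORMANCE_INFORMATION, LogfileBytesWritten); }

/* Fills the input field, issues the query and returns the NTSTATUS.
 * On STATUS_SUCCESS, *bytes_written holds the system-wide running total. */
NTSTATUS query_logfile_bytes_written(ULONGLONG *bytes_written)
{
#ifdef _WIN32
    EVENT_TRACE_PERFORMANCE_INFORMATION info;
    ULONG returned = 0;
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    PFN_NtQuerySystemInformation fn;
    NTSTATUS status;

    if (ntdll == NULL)
        return STATUS_UNSUCCESSFUL;
    fn = (PFN_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
    if (fn == NULL)
        return STATUS_UNSUCCESSFUL;

    info.EventTraceInformationClass = EventTracePerformanceInformation; /* first dword selects this structure */
    info.LogfileBytesWritten = 0;
    status = fn(SystemPerformanceTraceInformation, &info, (ULONG)sizeof info, &returned);
    if (status == STATUS_SUCCESS)
        *bytes_written = info.LogfileBytesWritten;
    return status;
#else
    (void)bytes_written;
    return STATUS_NOT_IMPLEMENTED; /* no Windows kernel to ask on this platform */
#endif
}

int main(void)
{
    ULONGLONG total = 0;
    NTSTATUS status;

    printf("sizeof  = 0x%zx\n", etpi_size());
    printf("offsets = 0x%zx / 0x%zx\n", etpi_class_offset(), etpi_counter_offset());

    status = query_logfile_bytes_written(&total);
    if (status == STATUS_SUCCESS)
        printf("LogfileBytesWritten = %llu\n", (unsigned long long)total);
    else
        printf("query failed, NTSTATUS 0x%08lx\n", (unsigned long)status);
    return 0;
}
```

Resolving NtQuerySystemInformation through GetProcAddress rather than linking ntdll.lib keeps the example independent of the WDK header that is the structure's only public definition; the 0x10-byte size check matters because the function rejects any other buffer size for this information class.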