WMI_LOGGER_MODE

Public symbol files for the kernel starting with Windows XP SP3 and Windows Server 2003 SP2 show that the LoggerMode in the WMI_LOGGER_CONTEXT was once defined in union with a WMI_LOGGER_MODE structure of ULONG bit fields:

| Mask | Definition | Versions |
|---|---|---|
| 0x00000001 | ULONG SequentialFile : 1; | 5.1 to 5.2 |
| 0x00000002 | ULONG CircularFile : 1; | 5.1 to 5.2 |
| 0x00000004 | ULONG AppendFile : 1; | 5.1 to 5.2 |
| | ULONG Unused1 : 5; | 5.1 to 5.2 |
| 0x00000100 | ULONG RealTime : 1; | 5.1 to 5.2 |
| 0x00000200 | ULONG DelayOpenFile : 1; | 5.1 to 5.2 |
| 0x00000400 | ULONG BufferOnly : 1; | 5.1 to 5.2 |
| 0x00000800 | ULONG PrivateLogger : 1; | 5.1 to 5.2 |
| 0x00001000 | ULONG AddHeader : 1; | 5.1 to 5.2 |
| 0x00002000 | ULONG UseExisting : 1; | 5.1 to 5.2 |
| 0x00004000 | ULONG UseGlobalSequence : 1; | 5.1 to 5.2 |
| 0x00008000 | ULONG UseLocalSequence : 1; | 5.1 to 5.2 |
| | ULONG Unused2 : 16; | 5.1 to 5.2 |

The symbol files show that this stopped for version 6.0. When it began is an open question. That it was established for all builds of versions 5.1 and 5.2 must be almost certain. The suggestion is strong that it dates from version 5.0. See especially that PrivateLogger is defined in the kernel’s symbol files even though it is not known to the kernel. It is, however, meaningful to the user-mode implementation. Though the two implementations, kernel-mode and user-mode, soon diverged, their WMI_LOGGER_CONTEXT structures very plainly had a common origin for version 5.0, presumably with the WMI_LOGGER_MODE in common too.

It is perhaps as well to collect here the various bits that represent the wide variety of possible logger modes, as kept in the LoggerMode member. Some are documented, and are defined as macros in EVNTRACE.H, but Microsoft’s names for some are known only from the NTWMI.H header. The reckoning of which flags are supported in which versions is in preparation: do not rely on it.

| Value | Name | Versions | Remarks |
|---|---|---|---|
| 0x00000001 | EVENT_TRACE_FILE_MODE_SEQUENTIAL | 5.0 and higher | |
| 0x00000002 | EVENT_TRACE_FILE_MODE_CIRCULAR | 5.0 and higher | |
| 0x00000004 | EVENT_TRACE_FILE_MODE_APPEND | 5.1 and higher | |
| 0x00000008 | EVENT_TRACE_FILE_MODE_NEWFILE | 5.1 and higher | |
| 0x00000010 | unknown | 5.2 only | not defined for 5.2 DDK |
| 0x00000010 | EVENT_TRACE_USE_MS_FLUSH_TIMER | | |
| 0x00000020 | EVENT_TRACE_FILE_MODE_PREALLOCATE | 5.1 and higher | |
| 0x00000040 | EVENT_TRACE_NONSTOPPABLE_MODE | | |
| 0x00000080 | EVENT_TRACE_SECURE_MODE | | |
| 0x00000100 | EVENT_TRACE_REAL_TIME_MODE | 5.0 and higher | |
| 0x00000200 | EVENT_TRACE_DELAY_OPEN_FILE_MODE | 5.0 and higher | |
| 0x00000400 | EVENT_TRACE_BUFFERING_MODE | 5.0 and higher | |
| 0x00000800 | EVENT_TRACE_PRIVATE_LOGGER_MODE | | defined for 5.0 and higher, but not used by kernel |
| 0x00001000 | EVENT_TRACE_ADD_HEADER_MODE | 5.0 only | |
| 0x00002000 | EVENT_TRACE_USE_KBYTES_FOR_SIZE | 5.2 and higher | not defined for 5.2 DDK |
| 0x00004000 | EVENT_TRACE_USE_GLOBAL_SEQUENCE | 5.1 and higher | |
| 0x00008000 | EVENT_TRACE_USE_LOCAL_SEQUENCE | 5.1 and higher | |
| 0x00010000 | EVENT_TRACE_RELOG_MODE | | defined for 5.1 and higher, but not used by kernel |
| 0x00020000 | EVENT_TRACE_PRIVATE_IN_PROC | | |
| 0x00040000 | EVENT_TRACE_BUFFER_INTERFACE_MODE | | |
| 0x00080000 | EVENT_TRACE_KD_FILTER_MODE | 5.1 and higher | not defined for 5.1 DDK |
| 0x00100000 | EVENT_TRACE_REAL_TIME_RELOG_MODE | | |
| 0x00200000 | EVENT_TRACE_LOST_EVENTS_DEBUG_MODE | | |
| 0x00400000 | EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN | | |
| 0x00800000 | EVENT_TRACE_PERSIST_ON_HYBRID_SHUTDOWN | | |
| 0x01000000 | EVENT_TRACE_USE_PAGED_MEMORY | 5.1 and higher | |
| 0x02000000 | EVENT_TRACE_SYSTEM_LOGGER_MODE | | |
| 0x04000000 | EVENT_TRACE_COMPRESSED_MODE | | |
| 0x08000000 | EVENT_TRACE_INDEPENDENT_SESSION_MODE | | |
| 0x10000000 | EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING | | |
| 0x20000000 | EVENT_TRACE_BLOCKING_MODE | | |
| 0x40000000 | apparently unused | | |
| 0x80000000 | EVENT_TRACE_ADDTO_TRIAGE_DUMP | | |

Very many combinations of these bits are invalid. Some bits are not known to the kernel but are instead vital to the separate NTDLL implementation that lets user-mode processes do their own event tracing.
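As an added illustration (not code from the original page, nor from any Microsoft header), the following C reproduces the 5.1/5.2 bit-field view of LoggerMode from the first table and decodes a raw LoggerMode value, such as one read from a WMI_LOGGER_CONTEXT in a memory dump, into the EVENT_TRACE_* names of the second table. Assumptions: the compiler allocates bit fields from bit 0 upwards (true of MSVC and GCC on x86), bit 4 is labelled with its EVNTRACE.H name since the page gives no other, and the name table and the sample values in the comments are constructed from the page.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t ULONG;
/* Bit-field view of LoggerMode from the 5.1/5.2 symbol files (first table).
 * Assumes the first-declared field is bit 0, as on MSVC and GCC for x86. */
typedef struct {
    ULONG SequentialFile : 1, CircularFile : 1, AppendFile : 1, Unused1 : 5;
    ULONG RealTime : 1, DelayOpenFile : 1, BufferOnly : 1, PrivateLogger : 1;
    ULONG AddHeader : 1, UseExisting : 1, UseGlobalSequence : 1, UseLocalSequence : 1;
    ULONG Unused2 : 16;
} WMI_LOGGER_MODE;

/* Reinterpret a raw LoggerMode value through the old union with the bit fields. */
WMI_LOGGER_MODE AsOldBitFields(ULONG mode)
{
    union { ULONG LoggerMode; WMI_LOGGER_MODE Bits; } u = { .LoggerMode = mode };
    return u.Bits;
}

/* Suffix after EVENT_TRACE_ for each bit, indexed by bit position (second table).
 * Bit 4 takes the EVNTRACE.H name (an assumption); bit 30 is apparently unused. */
static const char *const ModeNames[32] = {
    "FILE_MODE_SEQUENTIAL", "FILE_MODE_CIRCULAR", "FILE_MODE_APPEND", "FILE_MODE_NEWFILE",
    "USE_MS_FLUSH_TIMER", "FILE_MODE_PREALLOCATE", "NONSTOPPABLE_MODE", "SECURE_MODE",
    "REAL_TIME_MODE", "DELAY_OPEN_FILE_MODE", "BUFFERING_MODE", "PRIVATE_LOGGER_MODE",
    "ADD_HEADER_MODE", "USE_KBYTES_FOR_SIZE", "USE_GLOBAL_SEQUENCE", "USE_LOCAL_SEQUENCE",
    "RELOG_MODE", "PRIVATE_IN_PROC", "BUFFER_INTERFACE_MODE", "KD_FILTER_MODE",
    "REAL_TIME_RELOG_MODE", "LOST_EVENTS_DEBUG_MODE", "STOP_ON_HYBRID_SHUTDOWN",
    "PERSIST_ON_HYBRID_SHUTDOWN", "USE_PAGED_MEMORY", "SYSTEM_LOGGER_MODE",
    "COMPRESSED_MODE", "INDEPENDENT_SESSION_MODE", "NO_PER_PROCESSOR_BUFFERING",
    "BLOCKING_MODE", NULL, "ADDTO_TRIAGE_DUMP",
};

/* Render the set bits as "EVENT_TRACE_X|EVENT_TRACE_Y|..."; bits with no known
 * name go to *unknown (if non-NULL). Result is a static buffer, overwritten per call. */
const char *DecodeLoggerMode(ULONG mode, ULONG *unknown)
{
    static char buf[32 * 48];
    ULONG unnamed = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 32; bit++) {
        if (!(mode & (1u << bit))) continue;
        if (ModeNames[bit] == NULL) { unnamed |= 1u << bit; continue; }
        if (buf[0] != '\0') strcat(buf, "|");
        strcat(buf, "EVENT_TRACE_"); strcat(buf, ModeNames[bit]);
    }
    if (unknown != NULL) *unknown = unnamed;
    return buf;
}
```

For a constructed value 0x00000902 the decoder yields EVENT_TRACE_FILE_MODE_CIRCULAR|EVENT_TRACE_REAL_TIME_MODE|EVENT_TRACE_PRIVATE_LOGGER_MODE, and the same value seen through the old bit fields has CircularFile, RealTime and PrivateLogger set, which is the correspondence between the two tables.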