EtwEventWriteFull

Declaration

ULONG
EtwEventWriteFull (
    REGHANDLE RegHandle,
    PCEVENT_DESCRIPTOR EventDescriptor,
    USHORT EventProperty,
    LPCGUID ActivityId,
    LPCGUID RelatedActivityId,
    ULONG UserDataCount,
    PEVENT_DATA_DESCRIPTOR UserData);

Parameters

The EventProperty argument specifies properties of the event. The supported values are:

0x0001 EVENT_HEADER_PROPERTY_XML
0x0002 EVENT_HEADER_PROPERTY_FORWARDED_XML
0x0004 EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG

For other arguments (and the return value), refer to Microsoft’s documentation of EventWriteTransfer.

Behaviour

This function is the lowest-level of several NTDLL functions for writing events. The functions EtwEventWrite and EtwEventWriteTransfer are nothing but calls to this one with defaults supplied for one or more arguments. This is the full function. It is the only one with the EventProperty argument. Otherwise, this function is EtwEventWriteTransfer, which is in turn the documented ADVAPI32 function EventWriteTransfer.

Availability

The EtwEventWriteFull function is exported by name from NTDLL in version 6.0 and higher.
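Because the function is exported by name from NTDLL only, and has no ADVAPI32 forward, a caller has to resolve it at run time. The following is an added example, not code from this page or from Microsoft: it resolves the export and writes one event with the full argument list. The provider GUID, the event descriptor values, the helper names, the NTAPI calling convention and the decision to refuse EventProperty bits outside the three listed above are all assumptions of the example.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <evntprov.h>   /* EventRegister etc.; link with advapi32 */
/* Prototype from the declaration on this page; NTAPI is an assumption. */
typedef ULONG (NTAPI *ETW_EVENT_WRITE_FULL)(REGHANDLE, PCEVENT_DESCRIPTOR,
    USHORT, LPCGUID, LPCGUID, ULONG, PEVENT_DATA_DESCRIPTOR);
#endif

#define PROPERTY_MASK    0x0007u  /* the three EventProperty flags listed on this page */
#define ERR_BAD_PROPERTY 87UL     /* same value as ERROR_INVALID_PARAMETER */
#define ERR_NO_EXPORT    127UL    /* same value as ERROR_PROC_NOT_FOUND */

/* Refuse EventProperty bits the page does not list. This is a choice made
   by the example, not documented behaviour of EtwEventWriteFull. */
unsigned long check_event_property(unsigned property)
{
    return (property & ~PROPERTY_MASK) ? ERR_BAD_PROPERTY : 0UL;
}

/* Write one event carrying a single ANSI string; returns a Win32 error code. */
unsigned long write_full_demo(unsigned property, const char *text)
{
    unsigned long rc = check_event_property(property);
    if (rc != 0) return rc;
#ifdef _WIN32
    /* Constructed provider GUID, for illustration only. */
    static const GUID provider = { 0x11111111, 0x2222, 0x3333,
        { 0x44, 0x44, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55 } };
    ETW_EVENT_WRITE_FULL pfn = (ETW_EVENT_WRITE_FULL)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "EtwEventWriteFull");
    if (pfn == NULL) return ERR_NO_EXPORT;      /* NTDLL older than version 6.0 */
    REGHANDLE handle = 0;
    rc = EventRegister(&provider, NULL, NULL, &handle);
    if (rc != ERROR_SUCCESS) return rc;
    EVENT_DESCRIPTOR desc = { 1, 0, 0, 4, 0, 0, 0 };  /* Id 1, Level 4 (constructed) */
    EVENT_DATA_DESCRIPTOR data;
    EventDataDescCreate(&data, text, (ULONG)strlen(text) + 1);
    rc = pfn(handle, &desc, (USHORT)property, NULL, NULL, 1, &data);
    EventUnregister(handle);
    return rc;
#else
    (void)text;
    return ERR_NO_EXPORT;                       /* there is no NTDLL off Windows */
#endif
}
```

Calling `write_full_demo(0, "hello")` passes zero for EventProperty and NULL for both activity identifiers, which is this example's choice of neutral values rather than a statement of the defaults the other functions supply.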

Documentation Status

As with many NTDLL functions, Microsoft does not document EtwEventWriteFull. Unlike many, no higher-level function corresponds roughly to it. Though other NTDLL functions whose names begin with EtwEventWrite are exported without the Etw prefix as forwards from ADVAPI32, this one is missed.

The supported values for the EventProperty argument are documented for another purpose, in the EventProperty member of the EVENT_HEADER structure that describes an event when delivered to a consumer.

Use by Microsoft

Three users are known of this function:

Yes, they use one each of the defined bit flags in the additional argument.