EVENT_TRACE_VERSION_INFORMATION

The EVENT_TRACE_VERSION_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) function expects in its information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is EventTraceKernelVersionInformation (0x00).

Documentation Status

The EVENT_TRACE_VERSION_INFORMATION structure is not documented but Microsoft has published a C-language definition in a header file named NTETW.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.

Were it not for this relatively recent and possibly unintended disclosure, much would anyway be known from type information in symbol files. Curiously though, type information for this structure has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. In the whole of Microsoft’s packages of public symbol files, at least to the original Windows 10, relevant type information is unknown before Windows 8 and appears in symbol files only for AppXDeploymentClient.dll, CertEnroll.dll (before Windows 10) and Windows.Storage.ApplicationData.dll.

Layout

The EVENT_TRACE_VERSION_INFORMATION structure is 0x08 bytes in both 32-bit and 64-bit Windows.

Offset  Definition                                                  Input/Output  Versions
0x00    EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;   input         6.0 and higher
0x04    ULONG EventTraceKernelVersion;                              output        6.0 and higher

Behaviour

The EVENT_TRACE_VERSION_INFORMATION structure is meaningful only as input to and output from one case of the ZwQuerySystemInformation function. That behaviour may as well be picked up here. This review takes as understood all the general points and shorthands that are noted in the separate attempt at documenting the function, and takes as granted that the information class is SystemPerformanceTraceInformation and that the information buffer is exactly the size of an EVENT_TRACE_VERSION_INFORMATION in which the EventTraceInformationClass is EventTraceKernelVersionInformation.

The implementation is simply to set the EventTraceKernelVersion in the given structure. The function then returns STATUS_SUCCESS.
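As an added example, not taken from the page or from NTETW.H, the following C defines the structure with the layout tabulated above and performs the query described here. It assumes ULONG is rendered as uint32_t and that NtQuerySystemInformation is resolved from ntdll.dll at run time with GetProcAddress; the Windows call is compiled only under _WIN32, so the definitions and layout check build anywhere.

```c
/* Added example, not from the page: the structure as laid out above, plus the
 * one query case in which it is used. On non-Windows builds the call is a stub. */
#include <stdint.h>
#include <stddef.h>
#define SystemPerformanceTraceInformation 0x1F  /* SYSTEM_INFORMATION_CLASS value from the page */

typedef enum _EVENT_TRACE_INFORMATION_CLASS {
    EventTraceKernelVersionInformation = 0      /* first dword on input selects this structure */
} EVENT_TRACE_INFORMATION_CLASS;

typedef struct _EVENT_TRACE_VERSION_INFORMATION {
    EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;  /* offset 0x00, input  */
    uint32_t EventTraceKernelVersion;                           /* offset 0x04, output */
} EVENT_TRACE_VERSION_INFORMATION;

/* Confirm the compiler's layout matches the documented one: 8 bytes, fields at 0x00 and 0x04. */
int layout_is_as_documented(void) {
    return sizeof(EVENT_TRACE_VERSION_INFORMATION) == 8
        && offsetof(EVENT_TRACE_VERSION_INFORMATION, EventTraceInformationClass) == 0
        && offsetof(EVENT_TRACE_VERSION_INFORMATION, EventTraceKernelVersion) == 4;
}

/* Set up the input buffer: class selector in the first dword, output field cleared. */
void prepare_query(EVENT_TRACE_VERSION_INFORMATION *info) {
    info->EventTraceInformationClass = EventTraceKernelVersionInformation;
    info->EventTraceKernelVersion = 0;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (WINAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);

/* Returns the NTSTATUS; on STATUS_SUCCESS (0) *version receives EventTraceKernelVersion. */
long query_kernel_event_version(uint32_t *version) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");   /* no import library for this function */
    NtQuerySystemInformation_t fn = ntdll
        ? (NtQuerySystemInformation_t)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    if (!fn) return -1;
    EVENT_TRACE_VERSION_INFORMATION info;
    ULONG returned = 0;
    prepare_query(&info);
    long status = fn(SystemPerformanceTraceInformation, &info, sizeof(info), &returned);
    if (status == 0) *version = info.EventTraceKernelVersion;
    return status;
}
#else
long query_kernel_event_version(uint32_t *version) { (void)version; return -1; }  /* not Windows */
#endif
```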

Known values for EventTraceKernelVersion on output are:

Beware that my holdings of Kernel Versions are limited at best to the formally released service packs and updates, notably the ones that Microsoft considers significant enough for a corresponding release of downloadable packages of symbol files. Comments in NTETW.H, introduced by talk of “The Kernel Event Version”, describe in welcome detail what behaviour is indicated by each advance in the number, though not reliably which increments came with which builds.