Geoff Chappell - Software Analyst
The only known use of the ETW_BUFFER_STATE enumeration (formally _ETW_BUFFER_STATE) is as the State at offset 0x2C in the WMI_BUFFER_HEADER structure. There, it has fully replaced the Flags that the structure inherited from some loose compatibility with the WNODE_HEADER. In versions 5.1 to 5.2, if not in version 5.0 too, these Flags are in union with a WMI_BUFFER_STATE that is itself a structure of ULONG bit fields. When version 6.0 changed to keeping similar state as an enumeration, the WMI_BUFFER_STATE was replaced by the ETW_BUFFER_STATE, but the union with the Flags was not tidied away until version 6.1.
Values and names are known from public symbol files for the kernel, starting with Windows Vista.
| Value | Name | Versions |
| --- | --- | --- |
| 0 | EtwBufferStateFree | 6.0 and higher |
| 1 | EtwBufferStateGeneralLogging | 6.0 and higher |
| 2 | EtwBufferStateCSwitch | 6.0 and higher |
| 3 | EtwBufferStateFlush | 6.0 and higher |
| 4 | EtwBufferStatePendingCompression | 1607 and higher |
| 5 | EtwBufferStateCompressed | 1607 and higher |
| 6 | EtwBufferStatePlaceholder | 1607 and higher |
| 4 (6.0 to 1511); | EtwBufferStateMaximum | 6.0 and higher |