Geoff Chappell, Software Analyst
The ETW_KERNEL_HEADER_EXTENSION is one of many types of fixed-size header that begin the data for an event as held in the trace buffers or flushed to an Event Trace Log (ETL) file for an NT Kernel Logger session. The event is specifically WMI_LOG_TYPE_HEADER_EXTENSION (0x0005) or WMI_LOG_TYPE_GROUP_MASKS_END (0x0020).
As a pair, the WMI_LOG_TYPE_HEADER_EXTENSION and WMI_LOG_TYPE_GROUP_MASKS_END events track what types of event get enabled and disabled for the session. They show this by reporting the logger’s group masks. These are an undocumented elaboration of the EnableFlags that are documented for the EVENT_TRACE_PROPERTIES structure as input to the StartTrace and ControlTrace functions.
In telling what types of event were initially enabled for the session, the ETW_KERNEL_HEADER_EXTENSION is arguably as important a record of what to expect in an ETL file as is the TRACE_LOGFILE_HEADER. Indeed, for all sessions that have the EVENT_TRACE_SYSTEM_LOGGER_MODE (0x02000000), an initial WMI_LOG_TYPE_HEADER_EXTENSION event is the second event.
As the session continues, WMI_LOG_TYPE_GROUP_MASKS_END and WMI_LOG_TYPE_HEADER_EXTENSION events are logged in pairs on each update of the session’s group masks, to report the old and new masks, respectively.
The ETW_KERNEL_HEADER_EXTENSION is not documented. A C-language definition is published in the NTETW.H header from some editions of the Windows Driver Kit (WDK) for Windows 10.
Data for the WMI_LOG_TYPE_HEADER_EXTENSION and WMI_LOG_TYPE_GROUP_MASKS_END events comprises:
In the SYSTEM_TRACE_HEADER, the Marker is 0xC0010002 for a 32-bit trace session, else 0xC0020002. The Size is the total in bytes of both structures. The HookId is WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END, which identifies the event.
The ETW_KERNEL_HEADER_EXTENSION is 0x24 bytes in both 32-bit and 64-bit Windows.
The GroupMasks member tells which types of event are enabled for the session. It is the same as what one of the many cases of ZwQuerySystemInformation would produce as the EventTraceGroupMasks member of the EVENT_TRACE_GROUPMASK_INFORMATION structure if asked about this same logger.
The Version in Windows 10 is 60, apparently intended to be the same as what another of the many cases of ZwQuerySystemInformation produces as the EventTraceKernelVersion member of the EVENT_TRACE_VERSION_INFORMATION structure.
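As an added example that is not part of the original page, the following C code parses one of these events from a byte buffer the way an ETL reader would have to: it checks the Marker, Size and HookId of the SYSTEM_TRACE_HEADER, then reads the 0x24-byte ETW_KERNEL_HEADER_EXTENSION, and it diffs the masks of a WMI_LOG_TYPE_GROUP_MASKS_END / WMI_LOG_TYPE_HEADER_EXTENSION pair to show which event types an update enabled or disabled. The marker values, hook IDs, the 0x24-byte size and the Version value of 60 come from the page; the assumptions are that the SYSTEM_TRACE_HEADER is 0x20 bytes with Size and HookId as consecutive 16-bit fields at offsets 4 and 6, and that the extension is eight 32-bit GroupMasks words followed by the 32-bit Version. The sample event bytes and mask values are constructed, not captured from a real trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Values stated on the page. */
#define WMI_LOG_TYPE_HEADER_EXTENSION 0x0005
#define WMI_LOG_TYPE_GROUP_MASKS_END  0x0020
#define TRACE_MARKER_SYSTEM32         0xC0010002u
#define TRACE_MARKER_SYSTEM64         0xC0020002u
#define KERNEL_HEADER_EXTENSION_SIZE  0x24

/* Assumptions (not stated on the page): SYSTEM_TRACE_HEADER is 0x20 bytes with Marker at
 * offset 0, Size (16-bit) at offset 4 and HookId (16-bit) at offset 6; the extension is
 * eight 32-bit GroupMasks words followed by a 32-bit Version (32 + 4 = 0x24 bytes). */
#define SYSTEM_TRACE_HEADER_SIZE 0x20
#define NUM_GROUP_MASKS          8
#define EVENT_TOTAL_SIZE (SYSTEM_TRACE_HEADER_SIZE + KERNEL_HEADER_EXTENSION_SIZE)

typedef struct {
    uint32_t marker;
    uint16_t size;
    uint16_t hook_id;
    uint32_t group_masks[NUM_GROUP_MASKS];
    uint32_t version;
} kernel_header_ext_event;

enum { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_BAD_MARKER = -2, PARSE_BAD_SIZE = -3, PARSE_BAD_HOOK = -4 };

/* Explicit little-endian readers/writers so the parser does not rely on host struct layout. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Validate the SYSTEM_TRACE_HEADER and decode the ETW_KERNEL_HEADER_EXTENSION that follows it. */
int parse_kernel_header_extension(const uint8_t *buf, size_t len, kernel_header_ext_event *out)
{
    if (len < EVENT_TOTAL_SIZE) return PARSE_SHORT;          /* never trust Size before bounds */
    uint32_t marker = rd32(buf);
    if (marker != TRACE_MARKER_SYSTEM32 && marker != TRACE_MARKER_SYSTEM64) return PARSE_BAD_MARKER;
    uint16_t size = rd16(buf + 4);
    if (size != EVENT_TOTAL_SIZE) return PARSE_BAD_SIZE;     /* Size covers both structures */
    uint16_t hook = rd16(buf + 6);
    if (hook != WMI_LOG_TYPE_HEADER_EXTENSION && hook != WMI_LOG_TYPE_GROUP_MASKS_END) return PARSE_BAD_HOOK;
    out->marker = marker; out->size = size; out->hook_id = hook;
    const uint8_t *ext = buf + SYSTEM_TRACE_HEADER_SIZE;
    for (int i = 0; i < NUM_GROUP_MASKS; i++) out->group_masks[i] = rd32(ext + 4 * i);
    out->version = rd32(ext + 4 * NUM_GROUP_MASKS);
    return PARSE_OK;
}

/* For one update, old masks come from the GROUP_MASKS_END event and new masks from the
 * HEADER_EXTENSION event. Reports bits enabled/disabled; returns how many mask words changed. */
int group_mask_delta(const kernel_header_ext_event *old_ev, const kernel_header_ext_event *new_ev,
                     uint32_t enabled[NUM_GROUP_MASKS], uint32_t disabled[NUM_GROUP_MASKS])
{
    int changed = 0;
    for (int i = 0; i < NUM_GROUP_MASKS; i++) {
        enabled[i]  = new_ev->group_masks[i] & ~old_ev->group_masks[i];
        disabled[i] = old_ev->group_masks[i] & ~new_ev->group_masks[i];
        if (enabled[i] | disabled[i]) changed++;
    }
    return changed;
}

/* Constructed sample event (64-bit marker, Version 60); the mask values carry no real meaning. */
static void build_sample_event(uint8_t buf[EVENT_TOTAL_SIZE], uint16_t hook_id, const uint32_t masks[NUM_GROUP_MASKS])
{
    memset(buf, 0, EVENT_TOTAL_SIZE);
    wr32(buf, TRACE_MARKER_SYSTEM64);
    wr16(buf + 4, EVENT_TOTAL_SIZE);
    wr16(buf + 6, hook_id);
    for (int i = 0; i < NUM_GROUP_MASKS; i++) wr32(buf + SYSTEM_TRACE_HEADER_SIZE + 4 * i, masks[i]);
    wr32(buf + SYSTEM_TRACE_HEADER_SIZE + 4 * NUM_GROUP_MASKS, 60);
}

static const uint32_t OLD_MASKS[NUM_GROUP_MASKS] = { 0x00000003u, 0, 0, 0, 0x00000100u, 0, 0, 0 };
static const uint32_t NEW_MASKS[NUM_GROUP_MASKS] = { 0x00000001u, 0, 0, 0, 0x00000100u, 0, 0, 0x80000000u };

uint32_t sample_version(void)
{
    uint8_t buf[EVENT_TOTAL_SIZE]; kernel_header_ext_event ev;
    build_sample_event(buf, WMI_LOG_TYPE_HEADER_EXTENSION, NEW_MASKS);
    return parse_kernel_header_extension(buf, sizeof buf, &ev) == PARSE_OK ? ev.version : 0;
}

int sample_bad_marker_rejected(void)
{
    uint8_t buf[EVENT_TOTAL_SIZE]; kernel_header_ext_event ev;
    build_sample_event(buf, WMI_LOG_TYPE_HEADER_EXTENSION, NEW_MASKS);
    buf[3] = 0x00;                                           /* corrupt the marker's top byte */
    return parse_kernel_header_extension(buf, sizeof buf, &ev);
}

int sample_truncated_rejected(void)
{
    uint8_t buf[EVENT_TOTAL_SIZE]; kernel_header_ext_event ev;
    build_sample_event(buf, WMI_LOG_TYPE_GROUP_MASKS_END, OLD_MASKS);
    return parse_kernel_header_extension(buf, EVENT_TOTAL_SIZE - 1, &ev);
}

/* Parse an old/new pair and count the mask words that differ (words 0 and 7 in the sample). */
int sample_mask_delta_count(void)
{
    uint8_t old_buf[EVENT_TOTAL_SIZE], new_buf[EVENT_TOTAL_SIZE];
    kernel_header_ext_event old_ev, new_ev;
    uint32_t enabled[NUM_GROUP_MASKS], disabled[NUM_GROUP_MASKS];
    build_sample_event(old_buf, WMI_LOG_TYPE_GROUP_MASKS_END, OLD_MASKS);
    build_sample_event(new_buf, WMI_LOG_TYPE_HEADER_EXTENSION, NEW_MASKS);
    if (parse_kernel_header_extension(old_buf, sizeof old_buf, &old_ev) != PARSE_OK) return -1;
    if (parse_kernel_header_extension(new_buf, sizeof new_buf, &new_ev) != PARSE_OK) return -1;
    return group_mask_delta(&old_ev, &new_ev, enabled, disabled);
}

int main(void)
{
    printf("version=%u bad_marker=%d truncated=%d changed_words=%d\n",
           sample_version(), sample_bad_marker_rejected(), sample_truncated_rejected(), sample_mask_delta_count());
    return 0;
}
```

The parser checks the buffer length before trusting Size, then insists that Size equals the combined 0x44 bytes of the two structures, since the page states Size covers both; a reader that skipped the bounds check and walked the buffer by Size alone would be steered by a corrupt ETL file.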