Geoff Chappell, Software Analyst
The ETW_PMC_SUPPORT structure is created for an event logger when processor performance monitoring is enabled for it. Such requests reach the kernel only through ZwSetSystemInformation or NtSetSystemInformation when given the information class SystemPerformanceTraceInformation (0x1F) with an information buffer whose first dword is EventTraceProfileEventListInformation (0x0E) or EventTraceProfileCounterListInformation (0x0F).
The ETW_PMC_SUPPORT structure is not documented.
The ETW_PMC_SUPPORT structure is 0x24 or 0x28 bytes in 32-bit and 64-bit Windows, respectively. Offsets, types and names in the table below are from symbol files for the kernel in Windows 8 and higher.
KPROFILE_SOURCE Source ;
ULONG volatile HookIdCount;
USHORT HookId ;
ULONG volatile CountersCount;
PMC_HANDLE ProcessorCtrs [ANYSIZE_ARRAY];
The structure is always allocated from non-paged no-execute pool. Its address is kept as the PmcData member of the WMI_LOGGER_CONTEXT that represents the event logger.
Each logger can nominate up to four counters. These are selected from the KPROFILE_SOURCE enumeration that is defined in WDM.H and lists the types of information that the HAL may keep about processor performance. The profile sources are provided as the ProfileSources member of the EVENT_TRACE_PROFILE_COUNTER_INFORMATION that is the required input for the relevant case of ZwSetSystemInformation.
The ProcessorCtrs array has as many elements as there can ever be processors. That Microsoft defines the PMC_HANDLE type is known from the NTOSP.H header in the Windows Driver Kit (WDK) for Windows 10. It is a pointer to a HAL_PMC_COUNTERS structure for which Microsoft’s symbol files do not provide type information.
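As an added example (not code from this page or from Microsoft), the following C decodes a captured 64-bit ETW_PMC_SUPPORT block, as one might when examining a memory dump. It assumes that Source and HookId are four-element arrays, which is inferred from the four-counter limit and the stated 0x28 size rather than given in the listing above, and that neither count may exceed four. The names PMC_MAX, pmc_parse, pmc_alloc_size and pmc_sample, and the sample bytes, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define PMC_MAX 4  /* assumed array bound: four counters per logger */
#define OFF(m) offsetof(ETW_PMC_SUPPORT64, m)

/* Mirror of the 64-bit layout; fixed-width types replace the Windows typedefs. */
typedef struct {
    int32_t  Source[PMC_MAX];   /* KPROFILE_SOURCE values */
    uint32_t HookIdCount;
    uint16_t HookId[PMC_MAX];
    uint32_t CountersCount;
    uint64_t ProcessorCtrs[1];  /* PMC_HANDLE, one per processor */
} ETW_PMC_SUPPORT64;
_Static_assert(sizeof(ETW_PMC_SUPPORT64) == 0x28, "64-bit size given on the page");

/* Constructed sample: two counters, one hook id, two processors. */
const uint8_t pmc_sample[0x30] = {
    0x02,0,0,0, 0x0A,0,0,0, 0,0,0,0, 0,0,0,0,  /* Source */
    0x01,0,0,0, 0x24,0x05, 0,0, 0,0, 0,0,      /* HookIdCount, HookId */
    0x02,0,0,0,                                /* CountersCount */
    0x00,0x50,0x34,0x12,0x01,0xA0,0xFF,0xFF,   /* ProcessorCtrs[0] */
    0x00,0x60,0x34,0x12,0x01,0xA0,0xFF,0xFF,   /* ProcessorCtrs[1] */
};

/* Little-endian read of n bytes, independent of host byte order. */
static uint64_t rd(const uint8_t *p, unsigned n)
{ uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }

/* Bytes occupied by the structure on a system with `cpus` processors. */
size_t pmc_alloc_size(uint32_t cpus)
{ return OFF(ProcessorCtrs) + (size_t)cpus * sizeof(uint64_t); }

/* Decode a captured block; ctrs must have room for `cpus` pointers.
   Returns 0, or -1 if the block is short or a count exceeds the bound. */
int pmc_parse(const uint8_t *b, size_t len, uint32_t cpus,
              ETW_PMC_SUPPORT64 *out, uint64_t *ctrs)
{
    if (cpus == 0 || len < pmc_alloc_size(cpus)) return -1;
    for (unsigned i = 0; i < PMC_MAX; i++) {
        out->Source[i] = (int32_t)rd(b + OFF(Source) + 4 * i, 4);
        out->HookId[i] = (uint16_t)rd(b + OFF(HookId) + 2 * i, 2);
    }
    out->HookIdCount   = (uint32_t)rd(b + OFF(HookIdCount), 4);
    out->CountersCount = (uint32_t)rd(b + OFF(CountersCount), 4);
    if (out->HookIdCount > PMC_MAX || out->CountersCount > PMC_MAX) return -1;
    for (uint32_t i = 0; i < cpus; i++) ctrs[i] = rd(b + OFF(ProcessorCtrs) + 8 * i, 8);
    out->ProcessorCtrs[0] = ctrs[0];
    return 0;
}
```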