Geoff Chappell, Software Analyst
The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) and ZwSetSystemInformation (or NtSetSystemInformation) functions expect in their information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is one of:
All are accepted when setting information but only the first when querying.
All these information classes reveal or specify which of the events that can be sent to an NT Kernel Logger session are to have some additional feature, such as call-stack tracing.
At least in user mode, the EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure supports the documented ADVAPI32 (or SECHOST) function TraceSetInformation for its information classes TraceStackTracingInfo (0x03) and TracePmcEventListInfo (0x08). In these cases, well-behaved user-mode software executing above ADVAPI32 does not call NtSetSystemInformation but prefers TraceSetInformation and therefore has no need of this structure.
The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is not documented. Its only known public existence in anything like plain text is a C-language definition in a header file named NTETW.H that appears in some editions of the Windows Driver Kit (WDK) for Windows 10.
The EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure is 0x18 bytes in both 32-bit and 64-bit Windows.
Definition: ULONG HookId [ANYSIZE_ARRAY];
Remarks: output for query; input for set
The HookId array lists the applicable events. From other use of these 16-bit event identifiers, notably in the PERFINFO_TRACE_HEADER and SYSTEM_TRACE_HEADER that begin all events that are sent to an NT Kernel Logger session, it is known that the high and low bytes of the hook ID are a Group and a Type, respectively. User-mode interfaces identify these events by a CLASSIC_EVENT_ID structure in which the Group is a GUID, not a byte. The CLASSIC_EVENT_ID is documented, but the hundreds of combinations of Group and Type seem not to be.
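The following is an added example, not code from this page or from NTETW.H, that sizes and fills the variable-length structure for a set operation and decodes the 16-bit hook IDs it carries. It compiles with an ordinary C compiler, so the Windows types are re-declared. The member names EventTraceInformationClass and TraceHandle are assumed from NTETW.H (the page shows only the HookId member), the information-class value passed to the sample is a placeholder rather than one of the real classes, the sample hook IDs are constructed, and the assumption that a query returns a length covering exactly the hook IDs written is this example's, not the page's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Windows types re-declared so this compiles outside the WDK. */
typedef uint32_t ULONG;
typedef uint64_t TRACEHANDLE;
#define ANYSIZE_ARRAY 1

/* Layout as this example assumes it from NTETW.H; the page shows only HookId.
 * _Alignas(8) reproduces MSVC's 8-byte alignment of ULONG64 so the 32-bit and
 * 64-bit layouts agree, which is how the size comes to be 0x18 on both. */
typedef struct _EVENT_TRACE_SYSTEM_EVENT_INFORMATION {
    ULONG EventTraceInformationClass;      /* first dword selects the structure */
    _Alignas(8) TRACEHANDLE TraceHandle;   /* assumed member name, from NTETW.H */
    ULONG HookId[ANYSIZE_ARRAY];           /* output for query; input for set */
} EVENT_TRACE_SYSTEM_EVENT_INFORMATION;

/* A hook ID is 16 bits: Group in the high byte, Type in the low byte. */
static inline uint8_t  hook_group(uint16_t hook_id) { return (uint8_t)(hook_id >> 8); }
static inline uint8_t  hook_type(uint16_t hook_id)  { return (uint8_t)(hook_id & 0xFFu); }
static inline uint16_t make_hook_id(uint8_t group, uint8_t type)
{
    return (uint16_t)(((unsigned)group << 8) | type);
}

/* Bytes needed to carry 'count' hook IDs. The base is offsetof(HookId), not
 * sizeof: sizeof is 0x18 only because of trailing alignment padding after the
 * one-element array, so sizeof + (count - 1) * 4 mis-states the length. */
static size_t system_event_info_size(size_t count)
{
    return offsetof(EVENT_TRACE_SYSTEM_EVENT_INFORMATION, HookId) + count * sizeof(ULONG);
}

/* Inverse, for a query result. Assumes (this example's assumption) that the
 * returned length covers exactly the hook IDs written. */
static size_t hook_count_from_length(size_t length)
{
    size_t base = offsetof(EVENT_TRACE_SYSTEM_EVENT_INFORMATION, HookId);
    return length < base ? 0 : (length - base) / sizeof(ULONG);
}

/* Allocate and fill a set-information buffer; the caller frees it. */
static EVENT_TRACE_SYSTEM_EVENT_INFORMATION *
build_system_event_info(ULONG info_class, TRACEHANDLE handle,
                        const uint16_t *hook_ids, size_t count, size_t *out_len)
{
    size_t len = system_event_info_size(count);
    EVENT_TRACE_SYSTEM_EVENT_INFORMATION *info = calloc(1, len);
    if (info == NULL)
        return NULL;
    info->EventTraceInformationClass = info_class;
    info->TraceHandle = handle;
    for (size_t i = 0; i < count; i++)
        info->HookId[i] = hook_ids[i];   /* 16-bit ID stored in a 32-bit slot */
    if (out_len != NULL)
        *out_len = len;
    return info;
}

/* How many listed hooks fall in one Group, as a reader of a query result would ask. */
static size_t count_hooks_in_group(const EVENT_TRACE_SYSTEM_EVENT_INFORMATION *info,
                                   size_t count, uint8_t group)
{
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        if (hook_group((uint16_t)info->HookId[i]) == group)
            n++;
    return n;
}

/* Constructed sample: three hook IDs, two in Group 0x03 and one in Group 0x05.
 * SAMPLE_CLASS_PLACEHOLDER is not one of the real information-class values. */
#define SAMPLE_CLASS_PLACEHOLDER 0x7Fu
static const uint16_t sample_ids[] = { 0x0301, 0x0302, 0x0501 };
#define SAMPLE_COUNT (sizeof sample_ids / sizeof sample_ids[0])

/* Build the sample, confirm the first dword is the class and that the length
 * round-trips to the ID count, and return how many IDs are in Group 0x03. */
static size_t sample_group3_count(void)
{
    size_t len = 0;
    EVENT_TRACE_SYSTEM_EVENT_INFORMATION *info =
        build_system_event_info(SAMPLE_CLASS_PLACEHOLDER, 0, sample_ids, SAMPLE_COUNT, &len);
    if (info == NULL)
        return (size_t)-1;
    uint32_t first_dword;
    memcpy(&first_dword, info, sizeof first_dword);
    size_t n = (first_dword == SAMPLE_CLASS_PLACEHOLDER &&
                hook_count_from_length(len) == SAMPLE_COUNT)
                   ? count_hooks_in_group(info, SAMPLE_COUNT, 0x03)
                   : (size_t)-1;
    free(info);
    return n;
}

int main(void)
{
    printf("sizeof = 0x%zX, HookId at 0x%zX, %zu IDs need %zu bytes\n",
           sizeof(EVENT_TRACE_SYSTEM_EVENT_INFORMATION),
           offsetof(EVENT_TRACE_SYSTEM_EVENT_INFORMATION, HookId),
           (size_t)SAMPLE_COUNT, system_event_info_size(SAMPLE_COUNT));
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("hook 0x%04X: group 0x%02X type 0x%02X\n", sample_ids[i],
               hook_group(sample_ids[i]), hook_type(sample_ids[i]));
    printf("hooks in group 0x03: %zu\n", sample_group3_count());
    return 0;
}
```

The point worth carrying away is the sizing: because the one-element HookId array is followed by alignment padding, a buffer sized from sizeof plus extra elements is larger than the bytes the kernel is told to read or write, whereas offsetof(HookId) plus four bytes per ID states the length exactly.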
Though the one EVENT_TRACE_SYSTEM_EVENT_INFORMATION structure serves all three information classes that work with lists of events, NTETW.H helpfully defines aliases: