Geoff Chappell, Software Analyst
The ETW_DATA_SOURCE structure (formally _ETW_DATA_SOURCE) is created by the kernel for a process when the process is first sent a notification, as through NtTraceControl when called with 0x11 as the FunctionCode. It is in essence the queue in which notifications are held until the process retrieves them by calling NtTraceControl with 0x10 as the FunctionCode. The address of a process’s ETW_DATA_SOURCE is kept as the EtwDataSource member of the EPROCESS.
The ETW_DATA_SOURCE structure is not documented. Neither is it known from type information in public symbol files. The only public disclosure that is yet known of this structure’s name by Microsoft is that the WMITRACE.DLL debugger extension expects to read type information for it from private symbol files.
Though the ETW_DATA_SOURCE structure is deeply internal to the kernel’s support for some particular inter-process communication that is itself not much less deeply internal, it is small and has been very stable. All the known changes come from a substantial reworking for Windows 8.1. Code in WMITRACE.DLL dates the change very precisely to build number 9255. (The first formal releases of versions 6.2 and 6.3 have build numbers 9200 and 9600, respectively.)
| Version | Size (x86) | Size (x64) |
|---|---|---|
| 6.0 to 6.2 | 0x30 | 0x50 |
| 6.3 and higher | 0x10 | 0x20 |
The preceding sizes, and the offsets, types and names in the table below, are from inspection of the kernel, starting with Windows Vista. Microsoft’s names and types for two members are inferred by matching known use with the names that WMITRACE seeks from private symbol files. Where the use continues to later versions, the corresponding names and types are assumed to continue too.
| Offset (x86) | Offset (x64) | Definition | Versions |
|---|---|---|---|
| 0x00 | 0x00 | unknown pointer to EPROCESS | 6.0 to 6.2 |
| 0x00 | 0x00 | unknown pointer to KEVENT | 6.3 and higher |
| 0x04 | 0x08 | unknown KSEMAPHORE | 6.0 to 6.2 |
| 0x18 (6.0 to 6.2) | 0x28 (6.0 to 6.2) | unknown EX_PUSH_LOCK | 6.0 and higher |
| 0x1C (6.0 to 6.2) | 0x30 (6.0 to 6.2) | LIST_ENTRY NotificationQueue | 6.0 and higher |
| 0x24 | 0x40 | | 6.0 to 6.2 |
| 0x28 | 0x44 | unknown ULONG counter | 6.0 to 6.2 |
| 0x2C | 0x48 | unknown BOOLEAN | 6.0 to 6.2 |
The double-linked list that is the NotificationQueue holds ETW_QUEUE_ENTRY structures linked through their ListEntry members.
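The table above can be checked against the stated sizes by laying the members out with the natural alignment the Windows kernels use, and the same computation gives the offsets of the three members that survive into version 6.3, which the table does not list. The program below is an added example written for this page, not kernel code or anything from WMITRACE: the member types are the ones in the table, the byte sizes of KSEMAPHORE, EX_PUSH_LOCK and LIST_ENTRY are the standard x86 and x64 kernel sizes, and the 6.3 offsets it prints are derived from those sizes rather than read from any symbol file. Member names other than NotificationQueue are just labels for the rows of the table.

```c
/* Layout check for ETW_DATA_SOURCE as tabulated on this page.
 * Added example, not kernel code. Member order and types are the page's;
 * the byte sizes below are the standard x86/x64 sizes of the kernel types. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    const char *name;
    size_t size[2];   /* [0] = x86, [1] = x64 */
    size_t align[2];
} Member;

/* size and alignment pairs for the kernel types the table names */
#define SZ_PTR         {4, 8},      {4, 8}
#define SZ_KSEMAPHORE  {0x14, 0x20}, {4, 8}   /* DISPATCHER_HEADER + LONG Limit */
#define SZ_PUSHLOCK    {4, 8},      {4, 8}
#define SZ_LISTENTRY   {8, 16},     {4, 8}
#define SZ_ULONG       {4, 4},      {4, 4}
#define SZ_BOOLEAN     {1, 1},      {1, 1}

/* Versions 6.0 to 6.2, in the order the page lists the members. */
static const Member kOld[] = {
    { "unknown pointer to EPROCESS", SZ_PTR },
    { "unknown KSEMAPHORE",          SZ_KSEMAPHORE },
    { "unknown EX_PUSH_LOCK",        SZ_PUSHLOCK },
    { "NotificationQueue",           SZ_LISTENTRY },
    { "unknown 4-byte member",       SZ_ULONG },
    { "unknown ULONG counter",       SZ_ULONG },
    { "unknown BOOLEAN",             SZ_BOOLEAN },
};

/* Versions 6.3 and higher: only the members the table marks "6.3 and
 * higher" or "6.0 and higher" remain. Their offsets are derived here. */
static const Member kNew[] = {
    { "unknown pointer to KEVENT",   SZ_PTR },
    { "unknown EX_PUSH_LOCK",        SZ_PUSHLOCK },
    { "NotificationQueue",           SZ_LISTENTRY },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Natural-alignment layout: round each member up to its alignment, then
 * round the total up to the largest alignment. arch: 0 = x86, 1 = x64.
 * Returns sizeof the structure and fills offsets[] per member. */
static size_t layout(const Member *m, size_t n, int arch, size_t *offsets)
{
    size_t off = 0, maxalign = 1;
    for (size_t i = 0; i < n; i++) {
        size_t a = m[i].align[arch];
        if (a > maxalign) maxalign = a;
        off = (off + a - 1) & ~(a - 1);
        offsets[i] = off;
        off += m[i].size[arch];
    }
    return (off + maxalign - 1) & ~(maxalign - 1);
}

size_t etw_data_source_size_old(int arch)
{
    size_t o[COUNT(kOld)];
    return layout(kOld, COUNT(kOld), arch, o);
}

size_t etw_data_source_size_new(int arch)
{
    size_t o[COUNT(kNew)];
    return layout(kNew, COUNT(kNew), arch, o);
}

size_t etw_data_source_offset_old(int arch, size_t member)
{
    size_t o[COUNT(kOld)];
    layout(kOld, COUNT(kOld), arch, o);
    return o[member];
}

size_t etw_data_source_offset_new(int arch, size_t member)
{
    size_t o[COUNT(kNew)];
    layout(kNew, COUNT(kNew), arch, o);
    return o[member];
}

static void dump(const char *title, const Member *m, size_t n)
{
    size_t o32[COUNT(kOld)], o64[COUNT(kOld)];
    size_t s32 = layout(m, n, 0, o32), s64 = layout(m, n, 1, o64);
    printf("%s: size 0x%zX (x86), 0x%zX (x64)\n", title, s32, s64);
    for (size_t i = 0; i < n; i++)
        printf("  0x%02zX  0x%02zX  %s\n", o32[i], o64[i], m[i].name);
}

int main(void)
{
    dump("ETW_DATA_SOURCE, 6.0 to 6.2", kOld, COUNT(kOld));
    dump("ETW_DATA_SOURCE, 6.3 and higher", kNew, COUNT(kNew));
    return 0;
}
```

For 6.0 to 6.2 the computed offsets and the totals of 0x30 and 0x50 agree with the table exactly, which is what makes the KSEMAPHORE identification credible: nothing else of that size fits between the EPROCESS pointer and the push lock. For 6.3 the same three surviving members fill the stated 0x10 and 0x20 bytes with no slack, so anyone reading an EtwDataSource out of a memory image for a post-8.1 kernel can take the list head at 0x08 (x86) or 0x10 (x64) as the NotificationQueue.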