Geoff Chappell, Software Analyst
As its name suggests, the ETW_GUID_TYPE enumeration distinguishes different types of event providers.
The ETW_GUID_TYPE enumeration is not documented. Microsoft’s names for it and its values are known from public symbol files for the kernel in some but not all versions: Windows Vista and Windows 7; and then not until the 1511 release of Windows 10.
Each event provider is represented by an ETW_GUID_ENTRY structure. The kernel keeps separate lists of these structures, one for each different type of provider: trace provider; notification provider; and provider group (this last being new for Windows 10):
| Value | Name | Versions |
| --- | --- | --- |
| 0 | EtwTraceGuidType | 6.0 and higher |
| 1 | EtwNotificationGuidType | 6.0 and higher |
| 2 | EtwGroupGuidType | 10.0 and higher |
| 2 (6.0 to 6.3); | EtwGuidTypeMax | 6.0 and higher |
Roughly speaking, the event providers that are presented in Microsoft’s documentation from Windows Vista before Windows 10 are all trace providers.
Notification providers are essentially undocumented. They can be registered only from user mode. As with all user-mode registration of event providers, this goes through the NtTraceControl function when given 0x0F as its information class. What distinguishes a notification provider is the ETW_NOTIFICATION_TYPE in the function’s input: EtwNotificationTypeLegacyEnable and EtwNotificationTypeEnable are for trace providers (old and new); anything else indicates a notification provider. The only way that NTDLL.DLL provides for these other cases is through its undocumented export EtwNotificationRegister.
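As an added illustration (not code from the page or from Microsoft), the following C encodes the two rules stated above: which ETW_GUID_TYPE values a given kernel version knows, and how a user-mode registration through NtTraceControl is sorted into the trace-provider or notification-provider list by its ETW_NOTIFICATION_TYPE. The ETW_GUID_TYPE values are those in the table; the numeric values assigned to EtwNotificationTypeLegacyEnable and EtwNotificationTypeEnable are an assumption for this example (the page names the members but gives no numbers), and the helper function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* ETW_GUID_TYPE with the values given in the table above. EtwGuidTypeMax is
   deliberately left out: it is a bound, not a list, and its value changes
   between versions. */
typedef enum _ETW_GUID_TYPE {
    EtwTraceGuidType = 0,          /* 6.0 and higher */
    EtwNotificationGuidType = 1,   /* 6.0 and higher */
    EtwGroupGuidType = 2           /* 10.0 and higher */
} ETW_GUID_TYPE;

/* Only the two members named on the page are modelled. Their numeric values
   (2 and 3) are an ASSUMPTION taken from community-maintained headers. */
typedef enum _ETW_NOTIFICATION_TYPE {
    EtwNotificationTypeLegacyEnable = 2,
    EtwNotificationTypeEnable = 3
} ETW_NOTIFICATION_TYPE;

/* Hypothetical helper: which provider list a user-mode registration lands on.
   Rule from the page: LegacyEnable and Enable mean a trace provider (old and
   new style); any other notification type means a notification provider. */
ETW_GUID_TYPE GuidTypeForRegistration(ETW_NOTIFICATION_TYPE type)
{
    if (type == EtwNotificationTypeLegacyEnable || type == EtwNotificationTypeEnable)
        return EtwTraceGuidType;
    return EtwNotificationGuidType;
}

/* Hypothetical helper: does the kernel of the given Windows version know this
   raw guid-type value? 6.0 to 6.3 know only trace and notification types;
   10.0 and higher add the group type. Earlier versions have no ETW_GUID_TYPE. */
bool GuidTypeIsKnown(int type, unsigned major, unsigned minor)
{
    if (type < 0)
        return false;
    if (major >= 10)
        return type <= EtwGroupGuidType;
    if (major == 6 && minor <= 3)
        return type <= EtwNotificationGuidType;
    return false;
}

int main(void)
{
    /* Constructed sample: a new-style registration on Windows 10 and 6.1. */
    ETW_GUID_TYPE t = GuidTypeForRegistration(EtwNotificationTypeEnable);
    printf("Enable -> list %d (0 = trace)\n", (int)t);
    printf("group type known on 10.0: %d, on 6.1: %d\n",
           GuidTypeIsKnown(EtwGroupGuidType, 10, 0),
           GuidTypeIsKnown(EtwGroupGuidType, 6, 1));
    return 0;
}
```

The version check matters when reading a raw type field out of an ETW_GUID_ENTRY: a value of 2 is a provider group on Windows 10 but is not a valid entry type at all on Windows Vista through 8.1, where it is only the EtwGuidTypeMax bound.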
Windows 10 adds Provider Groups as a special case of Provider Traits.