Geoff Chappell, Software Analyst
PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY
When given 0x12 as its FunctionCode argument, the NtTraceControl function sends a data block in reply to one that was earlier received. Microsoft’s name for this function code is not known. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.
In the expected circumstances of execution, the calling process has a user-mode registration of some event provider. A sender, typically some other process, called NtTraceControl with 0x11 as the FunctionCode to send a data block to this registration. The calling process received this data block by calling NtTraceControl with 0x10 as the FunctionCode and distributed it to the event provider by calling EtwDeliverDataBlock. The event provider received it in the callback routine that it specified when registering. In the data block was a request for a reply. The stage is set. The event provider now seeks to reply by calling what will henceforth be referred to as this function, i.e., NtTraceControl with 0x12 as the FunctionCode. With this, the event provider sends a data block back. It can be the same data block, possibly edited, or an entirely new one. To the sender of the first data block, this second data block is a reply, and the sender receives it by calling NtTraceControl with 0x13 as the FunctionCode.
The input buffer must provide a fixed-size ETWP_NOTIFICATION_HEADER and some variable amount of other data. The function returns STATUS_INVALID_PARAMETER if either of the following is true:
TO BE DONE?