Geoff Chappell, Software Analyst
PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY
When given 0x1A as its FunctionCode argument, the NtTraceControl function in version 6.2 and higher enables the tracking of binaries for providers that are enabled for a given tracing session. Microsoft’s name for this function code is not known. This note deals only with the function’s behaviour that is specific to this function code. The function’s general behaviour is here taken as assumed knowledge.
Well-behaved user-mode software does not call NtTraceControl. The documented user-mode API for reaching this functionality is EventSetInformation, which is exported by name from ADVAPI32.DLL in version 6.2 and higher, though only ever as a forward to the undocumented NTDLL function EtwEventSetInformation. These higher-level functions vary their behaviour according to an InformationClass argument. The case that enables tracking is EventProviderBinaryTrackInfo (0).
There is no kernel-mode access to this functionality except through NtTraceControl. To what is otherwise the equivalent kernel-mode API, namely EtwSetInformation, the information class EventProviderBinaryTrackInfo is an invalid device request. Kernel-mode access through NtTraceControl appears to be unwanted, if not unexpected. The handle that is expected as input (see below) has its access checked as if for a user-mode caller.
If the input buffer does not provide exactly 8 bytes, the function returns STATUS_INVALID_PARAMETER. The expected input is a handle to an event registration object, i.e., to an ETW_REG_ENTRY. Failure to reference the object and discover that it grants TRACELOG_REGISTER_GUIDS access is failure for the function.
TO BE DONE
The output on success is necessarily zero bytes.
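The following is an added example, not code from the page or from Microsoft. It shows the documented route described above (EventRegister, then EventSetInformation with EventProviderBinaryTrackInfo, then EventUnregister), and alongside it a small model of the input contract stated for function code 0x1A: exactly 8 bytes in, zero bytes out on success, STATUS_INVALID_PARAMETER otherwise. The model function is written for this example and is not the kernel's code; it performs no handle lookup or access check. The provider GUID is a constructed placeholder, and passing a NULL information buffer of length 0 to EventSetInformation for this information class is an assumption. The Windows-specific part is compile-guarded so the portable model builds anywhere.

```c
/* Added example (not from the page): the documented user-mode route to
 * ETW provider binary tracking, plus a model of the NtTraceControl 0x1A
 * input/output contract the page describes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <evntprov.h>   /* EventRegister, EventSetInformation, EventUnregister */
#pragma comment(lib, "advapi32.lib")
#else
/* Minimal stand-in so the portable part compiles off Windows. */
typedef uint32_t ULONG;
#endif

/* NTSTATUS values under local names to avoid header conflicts. */
#define NTSTATUS_SUCCESS            ((int32_t)0x00000000)
#define NTSTATUS_INVALID_PARAMETER  ((int32_t)0xC000000DL)

/* Model of the contract the page states for function code 0x1A: the input
 * must be exactly 8 bytes (a handle to an ETW_REG_ENTRY) and the output on
 * success is zero bytes.  This is illustrative only: it does not reference
 * the handle or check TRACELOG_REGISTER_GUIDS access as the kernel does. */
int32_t model_binary_track_input(const void *in, ULONG in_len, ULONG *out_len)
{
    if (out_len) {
        *out_len = 0;               /* nothing is ever written back */
    }
    if (in == NULL || in_len != 8) {
        return NTSTATUS_INVALID_PARAMETER;
    }
    return NTSTATUS_SUCCESS;
}

#ifdef _WIN32
/* Hypothetical provider GUID, constructed for this example only. */
static const GUID kExampleProvider =
    { 0x12345678, 0x1234, 0x1234,
      { 0x12, 0x34, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc } };

/* Register a provider and ask ETW to track its binary through the
 * documented API.  Returns the Win32 error code from EventSetInformation
 * (ERROR_SUCCESS when tracking was enabled). */
ULONG enable_binary_tracking_example(void)
{
    REGHANDLE reg = 0;
    ULONG rc = EventRegister(&kExampleProvider, NULL, NULL, &reg);
    if (rc != ERROR_SUCCESS) {
        return rc;
    }

    /* EventProviderBinaryTrackInfo is information class 0.  Assumption:
     * it takes no payload, so NULL and length 0 are passed. */
    rc = EventSetInformation(reg, EventProviderBinaryTrackInfo, NULL, 0);

    EventUnregister(reg);
    return rc;
}

int main(void)
{
    ULONG rc = enable_binary_tracking_example();
    printf("EventSetInformation(EventProviderBinaryTrackInfo) -> %lu\n",
           (unsigned long)rc);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

On Windows 8 or later the program registers the placeholder provider, enables tracking, and prints the resulting error code; on Windows 7 and earlier EventSetInformation is absent from ADVAPI32.DLL, so the program will not load there. The model function exists only to make the stated size rules concrete.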