ETW_NOTIFICATION_TYPE

The ETW_NOTIFICATION_TYPE enumeration has the values that are meaningful for the NotificationType member of an ETW_NOTIFICATION_HEADER or ETWP_NOTIFICATION_HEADER.

Documentation Status

The ETW_NOTIFICATION_TYPE enumeration is not documented, but Microsoft has published a C-language definition in the NTETW.H header from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.

Were it not for this relatively recent and possibly unintended disclosure, much would anyway be known from type information in symbol files. Curiously though, type information for this enumeration has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. In the whole of Microsoft’s packages of public symbol files, at least up to the original Windows 10, relevant type information is unknown before Windows 8 and appears in symbol files only for AppXDeploymentClient.dll, CertEnroll.dll (before Windows 10) and Windows.Storage.ApplicationData.dll.

Values

Possible values and Microsoft’s names for them are known from public symbol files and the one C-language definition, as described above. Whether a value is meaningful in versions that predate this availability is established by finding the binaries that prepare notifications of each type.

Value                    Name                                       Versions
0x01                     EtwNotificationTypeNoReply                 6.0 and higher
0x02                     EtwNotificationTypeLegacyEnable            6.0 and higher
0x03                     EtwNotificationTypeEnable                  6.0 and higher
0x04                     EtwNotificationTypePrivateLogger           6.0 and higher
0x05                     EtwNotificationTypePerfLib                 6.0 and higher
0x06                     EtwNotificationTypeAudio                   6.0 and higher
0x07                     EtwNotificationTypeSession                 6.0 and higher
0x08                     EtwNotificationTypeReserved                6.2 and higher
0x09                     EtwNotificationTypeCredentialUI            6.0 and higher
0x0A                     EtwNotificationTypeInProcSession           6.3 and higher
0x0B                     EtwNotificationTypeFilteredPrivateLogger   1703 and higher
0x0A (6.0 to 6.2);       EtwNotificationTypeMax                     6.0 and higher
0x0B (6.3 to 1607);
0x0C (1703 and higher)

No use of EtwNotificationTypeReserved is yet known in any version.
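The version dependence in the table is the practical trap for anyone decoding a NotificationType out of a captured header: 0x0A is out of range on 6.2, is EtwNotificationTypeInProcSession from 6.3, and EtwNotificationTypeMax moves each time a value is added. The following C is an added example, not code from this page or from NTETW.H; it reproduces the enumerator names and values tabulated above and adds a decoder that checks a raw value against the Max of a given release. The WIN_* release ordinals, the NOTIFICATION_CLASS classification and the function names are assumptions made for this example.

```c
/* Added example: decode a raw NotificationType against the version-dependent
 * values tabulated above. Enumerator names and values are as on the page;
 * release ordinals, classification and function names are assumed here. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

typedef enum _ETW_NOTIFICATION_TYPE {
    EtwNotificationTypeNoReply               = 0x01,
    EtwNotificationTypeLegacyEnable          = 0x02,
    EtwNotificationTypeEnable                = 0x03,
    EtwNotificationTypePrivateLogger         = 0x04,
    EtwNotificationTypePerfLib               = 0x05,
    EtwNotificationTypeAudio                 = 0x06,
    EtwNotificationTypeSession               = 0x07,
    EtwNotificationTypeReserved              = 0x08,
    EtwNotificationTypeCredentialUI          = 0x09,
    EtwNotificationTypeInProcSession         = 0x0A,
    EtwNotificationTypeFilteredPrivateLogger = 0x0B,
    EtwNotificationTypeMax                   = 0x0C   /* value for 1703 and higher; lower in earlier releases */
} ETW_NOTIFICATION_TYPE;

/* Release ordinals (assumed for this example) chosen so releases compare in order. */
typedef enum _WIN_RELEASE {
    WIN_6_0 = 600, WIN_6_1 = 601, WIN_6_2 = 602, WIN_6_3 = 603,
    WIN_1507 = 1507, WIN_1511 = 1511, WIN_1607 = 1607, WIN_1703 = 1703
} WIN_RELEASE;

typedef enum _NOTIFICATION_CLASS {
    NotificationKnown,        /* named value with a known use in this release */
    NotificationReserved,     /* EtwNotificationTypeReserved: no known use in any release */
    NotificationUnnamed,      /* below Max for this release, but no name known for it there */
    NotificationOutOfRange    /* zero, or at or above Max for this release */
} NOTIFICATION_CLASS;

static const struct {
    ETW_NOTIFICATION_TYPE value;
    const char *name;
    WIN_RELEASE since;        /* earliest release in which the name is known to apply */
} NotificationTypeTable[] = {
    { EtwNotificationTypeNoReply,               "EtwNotificationTypeNoReply",               WIN_6_0  },
    { EtwNotificationTypeLegacyEnable,          "EtwNotificationTypeLegacyEnable",          WIN_6_0  },
    { EtwNotificationTypeEnable,                "EtwNotificationTypeEnable",                WIN_6_0  },
    { EtwNotificationTypePrivateLogger,         "EtwNotificationTypePrivateLogger",         WIN_6_0  },
    { EtwNotificationTypePerfLib,               "EtwNotificationTypePerfLib",               WIN_6_0  },
    { EtwNotificationTypeAudio,                 "EtwNotificationTypeAudio",                 WIN_6_0  },
    { EtwNotificationTypeSession,               "EtwNotificationTypeSession",               WIN_6_0  },
    { EtwNotificationTypeReserved,              "EtwNotificationTypeReserved",              WIN_6_2  },
    { EtwNotificationTypeCredentialUI,          "EtwNotificationTypeCredentialUI",          WIN_6_0  },
    { EtwNotificationTypeInProcSession,         "EtwNotificationTypeInProcSession",         WIN_6_3  },
    { EtwNotificationTypeFilteredPrivateLogger, "EtwNotificationTypeFilteredPrivateLogger", WIN_1703 },
};

/* Max is one above the highest defined value, so it moved as values were added. */
unsigned EtwNotificationTypeMaxFor(WIN_RELEASE release)
{
    if (release <= WIN_6_2)  return 0x0A;
    if (release <= WIN_1607) return 0x0B;
    return EtwNotificationTypeMax;   /* 0x0C */
}

/* Returns the name for a value in the given release, or NULL; *cls says why. */
const char *DecodeEtwNotificationType(unsigned value, WIN_RELEASE release, NOTIFICATION_CLASS *cls)
{
    size_t i;
    if (value == 0 || value >= EtwNotificationTypeMaxFor(release)) {
        *cls = NotificationOutOfRange;
        return NULL;
    }
    for (i = 0; i < sizeof NotificationTypeTable / sizeof NotificationTypeTable[0]; i++) {
        if ((unsigned)NotificationTypeTable[i].value == value
            && NotificationTypeTable[i].since <= release) {
            *cls = (value == EtwNotificationTypeReserved) ? NotificationReserved : NotificationKnown;
            return NotificationTypeTable[i].name;
        }
    }
    *cls = NotificationUnnamed;   /* e.g. 0x08 on 6.0 or 6.1 */
    return NULL;
}

int main(void)
{
    /* Constructed sample: the same raw value 0x0A seen on three releases. */
    static const WIN_RELEASE releases[] = { WIN_6_2, WIN_6_3, WIN_1703 };
    size_t i;
    for (i = 0; i < sizeof releases / sizeof releases[0]; i++) {
        NOTIFICATION_CLASS cls;
        const char *name = DecodeEtwNotificationType(0x0A, releases[i], &cls);
        printf("release %d: 0x0A -> %s (class %d, Max 0x%02X)\n", (int)releases[i],
               name ? name : "(no name)", (int)cls, EtwNotificationTypeMaxFor(releases[i]));
    }
    return 0;
}
```

The point of the per-release Max is that a parser written against the NTETW.H definition alone would accept 0x0B as EtwNotificationTypeFilteredPrivateLogger on a 1607 system, where the kernel's own range check would have rejected it.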

Some notification types cannot be produced from user mode just by calling documented API functions. They instead require such NTDLL functions as EtwSendNotification and look to have very particular reasons for existence. For instance, EtwNotificationTypeCredentialUI is known only in notifications from CONSENT.EXE as it enters and leaves the secure desktop.