Geoff Chappell, Software Analyst
The ETW_NOTIFICATION_TYPE enumeration has the values that are meaningful for the NotificationType in an ETW_NOTIFICATION_HEADER or ETWP_NOTIFICATION_HEADER.
The ETW_NOTIFICATION_TYPE enumeration is not documented, but Microsoft has published a C-language definition in the NTETW.H header from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511.
Were it not for this relatively recent and possibly unintended disclosure, much would anyway be known from type information in symbol files. Curiously though, type information for this enumeration has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. In the whole of Microsoft’s packages of public symbol files, at least to the original Windows 10, relevant type information is unknown before Windows 8 and appears in symbol files only for AppXDeploymentClient.dll, CertEnroll.dll (before Windows 10) and Windows.Storage.ApplicationData.dll.
Possible values and Microsoft’s names for them are known from public symbol files and the one C-language definition, as described above. Meaningfulness in versions that predate this availability is established by finding the binaries that prepare notifications of each type.
| Value | Name | Versions |
|---|---|---|
| 0x01 | EtwNotificationTypeNoReply | 6.0 and higher |
| 0x02 | EtwNotificationTypeLegacyEnable | 6.0 and higher |
| 0x03 | EtwNotificationTypeEnable | 6.0 and higher |
| 0x04 | EtwNotificationTypePrivateLogger | 6.0 and higher |
| 0x05 | EtwNotificationTypePerfLib | 6.0 and higher |
| 0x06 | EtwNotificationTypeAudio | 6.0 and higher |
| 0x07 | EtwNotificationTypeSession | 6.0 and higher |
| 0x08 | EtwNotificationTypeReserved | 6.2 and higher |
| 0x09 | EtwNotificationTypeCredentialUI | 6.0 and higher |
| 0x0A | EtwNotificationTypeInProcSession | 6.3 and higher |
| 0x0B | EtwNotificationTypeFilteredPrivateLogger | 1703 and higher |
| 0x0A (6.0 to 6.2); 0x0B (6.3 to 1607); | EtwNotificationTypeMax | 6.0 and higher |
No use of EtwNotificationTypeReserved is yet known in any version.
Some notification types cannot be produced from user mode just by calling documented API functions. They instead require such NTDLL functions as EtwSendNotification and look to have very particular reasons for existence. For instance, EtwNotificationTypeCredentialUI is known only in notifications from CONSENT.EXE as it enters and leaves the secure desktop.