Geoff Chappell, Software Analyst
The ETW_KERNEL_HEADER_EXTENSION is one of many types of fixed-size header that begin the data for an event as held in the trace buffers or flushed to an Event Trace Log (ETL) file for a system-logging session, which typically means an NT Kernel Logger session.
The types of event for which the ETW_KERNEL_HEADER_EXTENSION can be the event-specific data are WMI_LOG_TYPE_HEADER_EXTENSION (0x0005) and WMI_LOG_TYPE_GROUP_MASKS_END (0x0020).
As a pair, the WMI_LOG_TYPE_HEADER_EXTENSION and WMI_LOG_TYPE_GROUP_MASKS_END events track what types of event get enabled and disabled for the session. They show this by reporting the logger’s PERFINFO_GROUPMASK. This is an undocumented elaboration of the EnableFlags that are documented for the EVENT_TRACE_PROPERTIES structure as input to the StartTrace and ControlTrace functions.
In telling what types of event were initially enabled for the session, the ETW_KERNEL_HEADER_EXTENSION is arguably as important a record of what to expect in an ETL file as is the TRACE_LOGFILE_HEADER that is the event-specific data for the WMI_LOG_TYPE_HEADER event that begins each ETL file. Indeed, for sessions that have the EVENT_TRACE_SYSTEM_LOGGER_MODE (0x02000000), an initial WMI_LOG_TYPE_HEADER_EXTENSION event is always the second event.
As the session continues, WMI_LOG_TYPE_GROUP_MASKS_END and WMI_LOG_TYPE_HEADER_EXTENSION events are logged in pairs on each update of the session’s group masks, to report the old and new masks, respectively.
The ETW_KERNEL_HEADER_EXTENSION is not documented. Only two public disclosures are known from Microsoft, not that either is any sort of plain-English documentation. One is as type information in public symbol files, but not as usual in the symbol files for the kernel, where the structure is created and written, but instead in symbol files for such user-mode oddities as appxdeploymentclient.dll and windows.storage.applicationdata.dll (and only then in Windows 8 and higher). The other public disclosure is a C-language definition in NTWMI.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 version 1511. This disclosure is not repeated in subsequent editions and is here thought to be an oversight. Still, published it is, which means that this note benefits from using Microsoft’s names.
Data for a WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END event comprises a SYSTEM_TRACE_HEADER followed by an ETW_KERNEL_HEADER_EXTENSION as the event-specific data.
In the Marker that begins the SYSTEM_TRACE_HEADER, the Flags are 0xC0, the HeaderType is 0x01 or 0x02 for a 32-bit or 64-bit trace session, respectively, and the Version is nowadays 0x02 but is 0x01 in traces written by Windows versions before 6.0. The Size is the total in bytes of both structures. The HookId, as the identifier of the event and thus of how the event-specific data that follows is interpreted, is WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END.
The ETW_KERNEL_HEADER_EXTENSION is nowadays 0x24 bytes in both 32-bit and 64-bit Windows, but it began as 0x20 bytes:
|Offset|Size|Definition|Versions|
|0x00|0x20|PERFINFO_GROUPMASK GroupMasks;|5.2 and higher|
|0x20|0x04|ULONG Version;|6.0 and higher|
The GroupMasks member tells which types of event are enabled for the session. It is the same as what one of the many cases of ZwQuerySystemInformation would produce as the EventTraceGroupMasks member of the EVENT_TRACE_GROUPMASK_INFORMATION structure if asked about this same logger.
The Version is observed to be the same as what another of the many cases of ZwQuerySystemInformation produces as the EventTraceKernelVersion member of the EVENT_TRACE_VERSION_INFORMATION structure.
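As an added example, not code from the original note, the following Python decodes a WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END record as laid out above and diffs a GROUP_MASKS_END/HEADER_EXTENSION pair to show which group-mask bits an update enabled or disabled. It assumes the SYSTEM_TRACE_HEADER is 0x20 bytes with its Marker as one little-endian 32-bit word (Version, HeaderType, Flags) followed by a second word holding Size and HookId; the records it parses are constructed, not captured from a real ETL file.

```python
import struct

# Values from the note; the SYSTEM_TRACE_HEADER length is an assumption of this example.
WMI_LOG_TYPE_HEADER_EXTENSION = 0x0005  # reports the new (or initial) group masks
WMI_LOG_TYPE_GROUP_MASKS_END = 0x0020   # reports the old group masks before an update
SYSTEM_TRACE_HEADER_SIZE = 0x20         # assumed: fixed-size header that precedes the extension
GROUP_MASK_COUNT = 8                    # PERFINFO_GROUPMASK is 0x20 bytes, i.e. eight 32-bit masks


def parse_header_extension_event(record: bytes) -> dict:
    """Decode one record: SYSTEM_TRACE_HEADER then ETW_KERNEL_HEADER_EXTENSION
    (0x20 bytes in traces from before 6.0, 0x24 bytes since)."""
    # Marker word: Version (16 bits), HeaderType (8), Flags (8); next word: Size (16), HookId (16).
    version, header_type, flags, size, hook_id = struct.unpack_from("<HBBHH", record, 0)
    if flags != 0xC0 or header_type not in (0x01, 0x02):
        raise ValueError(f"not a system trace header: Flags=0x{flags:02X} HeaderType=0x{header_type:02X}")
    if hook_id not in (WMI_LOG_TYPE_HEADER_EXTENSION, WMI_LOG_TYPE_GROUP_MASKS_END):
        raise ValueError(f"HookId 0x{hook_id:04X} is not a header-extension event")
    ext_size = 0x20 if version == 0x01 else 0x24  # Marker.Version 0x01 (pre-6.0) traces lack Version
    if size != SYSTEM_TRACE_HEADER_SIZE + ext_size or len(record) < size:
        raise ValueError(f"Size 0x{size:X} does not cover header plus extension")
    ext = SYSTEM_TRACE_HEADER_SIZE
    masks = list(struct.unpack_from(f"<{GROUP_MASK_COUNT}I", record, ext))
    kernel_version = None
    if ext_size == 0x24:
        kernel_version = struct.unpack_from("<I", record, ext + 0x20)[0]
    return {"hook_id": hook_id, "pointer_size": 4 if header_type == 0x01 else 8,
            "group_masks": masks, "kernel_version": kernel_version}


def mask_changes(old_event: dict, new_event: dict) -> tuple:
    """From the GROUP_MASKS_END (old) and HEADER_EXTENSION (new) events logged on one
    update, list the (mask_index, bit) positions that were enabled and disabled."""
    enabled, disabled = [], []
    for i, (old, new) in enumerate(zip(old_event["group_masks"], new_event["group_masks"])):
        for bit in range(32):
            was, now = old >> bit & 1, new >> bit & 1
            if now and not was:
                enabled.append((i, bit))
            elif was and not now:
                disabled.append((i, bit))
    return enabled, disabled


def build_record(hook_id: int, masks: list, kernel_version: int = 0, header_type: int = 0x02) -> bytes:
    """Construct a Marker.Version 0x02 record for testing (synthetic, not a real ETL record).
    Header fields after HookId (thread, process, times) are left as zeros here."""
    header = struct.pack("<HBBHH", 0x0002, header_type, 0xC0, SYSTEM_TRACE_HEADER_SIZE + 0x24, hook_id)
    header += bytes(SYSTEM_TRACE_HEADER_SIZE - len(header))
    return header + struct.pack(f"<{GROUP_MASK_COUNT}I", *masks) + struct.pack("<I", kernel_version)
```

When walking a real ETL file, feed each record whose HookId is 0x0005 or 0x0020 to the parser and pair consecutive GROUP_MASKS_END and HEADER_EXTENSION events to reconstruct the history of the session's group masks.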