PLACEHOLDER FOR WORK THAT MAY NEVER BE DONE - PREVIEW ONLY

ETW_SILODRIVERSTATE

The ETW_SILODRIVERSTATE structure is the state that Event Tracing for Windows (ETW) keeps separately for each silo.

Documentation Status

The ETW_SILODRIVERSTATE structure is not documented.

Layout

Given that Microsoft discloses relatively little architectural detail about silos, it should not surprise that the ETW_SILODRIVERSTATE changes even between the half-yearly releases of Windows 10.

| Version      | Size (x86) | Size (x64) |
|--------------|------------|------------|
| 10.0         | 0x0190     | 0x01B0     |
| 1511 to 1607 | 0x0A80     | 0x13A8     |
| 1703         | 0x0AC0     | 0x13F8     |
| 1709         | 0x0A48     | 0x1190     |
| 1803         | 0x0A70     | 0x11C0     |

The preceding sizes, and the offsets, types and names in the table below are from public symbol files for the kernel.

| Offset (x86) | Offset (x64) | Definition | Versions | Remarks |
|---|---|---|---|---|
| 0x00 (10.0) | 0x00 (10.0) | ULONG EtwpSecurityProviderPID; | 10.0 only | next at 0x0A7C |
| 0x00 | 0x00 | EJOB *Silo; | 1803 and higher | |
| 0x00 (1703 to 1709); 0x04 | 0x00 (1703 to 1709); 0x08 | ESERVERSILO_GLOBALS *SiloGlobals; | 1703 and higher | |
| 0x04 (1709); 0x08 | 0x08 (1709); 0x10 | ULONG MaxLoggers; | 1709 and higher | |
| 0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703 to 1709); 0x10 | 0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703); 0x10 (1709); 0x18 | ETW_GUID_ENTRY EtwpSecurityProviderGuidEntry; | 10.0 and higher | |
| 0x0168 (10.0) | 0x0188 (10.0) | ULONG AuditLoggerId; | 10.0 only | |
| 0x0170 (10.0) | 0x0190 (10.0) | REGHANDLE EtwPsProvRegHandle; | 10.0 only | |
| 0x0168 (1511 to 1607); 0x0170 (1703 to 1709); 0x0178 | 0x0190 (1511 to 1607); 0x0198 (1703); 0x01A0 (1709); 0x01A8 | EX_RUNDOWN_REF_CACHE_AWARE EtwpLoggerRundown [0x10]; | 1511 and higher | |
| 0x0268 (1511 to 1607); 0x0270 (1703) | 0x0390 (1511 to 1607); 0x0398 (1703) | WMI_LOGGER_CONTEXT *WmipLoggerContext [0x40]; | 1511 to 1703 | |
| 0x0174 (1709); 0x017C | 0x01A8 (1709); 0x01B0 | WMI_LOGGER_CONTEXT **EtwpLoggerContext; | 1709 and higher | |
| 0x0368 (1511 to 1607); 0x0370 (1703); 0x0178 (1709); 0x0180 | 0x0590 (1511 to 1607); 0x0598 (1703); 0x01B0 (1709); 0x01B8 | ETW_HASH_BUCKET EtwpGuidHashTable [0x40]; | 1511 and higher | |
| 0x0178 (10.0); 0x0A68 (1511 to 1607); 0x0A70 (1703); 0x0878 (1709); 0x0880 | 0x0198 (10.0); 0x1390 (1511 to 1607); 0x1398 (1703); 0x0FB0 (1709); 0x0FB8 | USHORT EtwpSecurityLoggers [8]; | 10.0 and higher | |
| 0x0188 (10.0); 0x0A78 (1511 to 1607); 0x0A80 (1703); 0x0888 (1709); 0x0890 | 0x01A8 (10.0); 0x13A0 (1511 to 1607); 0x13A8 (1703); 0x0FC0 (1709); 0x0FC8 | UCHAR EtwpSecurityProviderEnableMask; | 10.0 and higher | |
| 0x0189 (10.0); 0x0A79 (1511 to 1607) | 0x01A9 (10.0); 0x13A1 (1511 to 1607) | BOOLEAN EtwpShutdownInProgress; | 10.0 to 1607 | |
| 0x0A84 (1703); 0x088C (1709); 0x0894 | 0x13AC (1703); 0x0FC4 (1709); 0x0FCC | LONG EtwpShutdownInProgress; | 1703 and higher | |
| 0x0A7C (1511 to 1607); 0x0A88 (1703); 0x0890 (1709); 0x0898 | 0x13A4 (1511 to 1607); 0x13B0 (1703); 0x0FC8 (1709); 0x0FD0 | ULONG EtwpSecurityProviderPID; | 1511 and higher | previously at 0x00 |
| 0x0A8C (1703); 0x0894 (1709); 0x089C | 0x13B8 (1703); 0x0FD0 (1709); 0x0FD8 | ETW_PRIV_HANDLE_DEMUX_TABLE PrivHandleDemuxTable; | 1703 and higher | |
| 0x0A9C (1703); 0x08A4 (1709); 0x08AC | 0x13D8 (1703); 0x0FF0 (1709); 0x0FF8 | ETW_COUNTERS EtwpCounters; | 1703 and higher | |
| 0x0AB0 (1703); 0x08B8 (1709); 0x08C0 | 0x13E8 (1703); 0x1000 (1709); 0x1008 | LARGE_INTEGER LogfileBytesWritten; | 1703 and higher | |
| 0x0AB8 (1703); 0x08C0 (1709); 0x08C8 | 0x13F0 (1703); 0x1008 (1709); 0x1010 | ETW_SILO_TRACING_BLOCK *ProcessorBlocks; | 1703 and higher | |
| 0x08CC | 0x1018 | EX_WNF_SUBSCRIPTION *ContainerRestoreWnfSubscription; | 1803 and higher | |
| 0x08C4 (1709); 0x08D0 | 0x1010 (1709); 0x1020 | GUID PartitionId; | 1709 and higher | |
| 0x08D4 (1709); 0x08E0 | 0x1020 (1709); 0x1030 | GUID ParentId; | 1709 and higher | |
| 0x08E8 (1709); 0x08F0 | 0x1030 (1709); 0x1040 | LARGE_INTEGER QpcOffsetFromRoot; | 1709 and higher | |
| 0x08F0 (1709); 0x08F8 | 0x1038 (1709); 0x1048 | ULONG PartitionType; | 1709 and higher | |
| 0x08F4 (1709); 0x08FC | 0x103C (1709); 0x104C | ETW_SYSTEM_LOGGER_SETTINGS SystemLoggerSettings; | 1709 and higher | |
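The version-qualified offset cells above are regular enough to be resolved mechanically, which is what a memory-forensics tool needs when it must find a member for whatever build it is looking at. The following Python is an added example, not part of this page and not Microsoft's code: it takes a subset of the table's cells copied as written, resolves the offsets for one release and architecture, and checks that they increase and stay inside the structure sizes from the first table.

```python
import re
# Release order used by the tables above; a bare trailing offset in a cell belongs to the last release.
VERSIONS = ["10.0", "1511", "1607", "1703", "1709", "1803"]
SIZES = {  # structure sizes from the first table, "1511 to 1607" expanded to both releases
    "x86": dict(zip(VERSIONS, [0x190, 0xA80, 0xA80, 0xAC0, 0xA48, 0xA70])),
    "x64": dict(zip(VERSIONS, [0x1B0, 0x13A8, 0x13A8, 0x13F8, 0x1190, 0x11C0]))}
# (member, Versions cell, x86 offset cell, x64 offset cell): a subset of the layout table, cells as written there.
MEMBERS = [
    ("EtwpSecurityProviderPID", "10.0 only", "0x00", "0x00"),
    ("Silo", "1803 and higher", "0x00", "0x00"),
    ("SiloGlobals", "1703 and higher", "0x00 (1703 to 1709); 0x04", "0x00 (1703 to 1709); 0x08"),
    ("EtwpSecurityProviderGuidEntry", "10.0 and higher",
     "0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703 to 1709); 0x10",
     "0x08 (10.0); 0x00 (1511 to 1607); 0x08 (1703); 0x10 (1709); 0x18"),
    ("EtwpSecurityLoggers", "10.0 and higher",
     "0x0178 (10.0); 0x0A68 (1511 to 1607); 0x0A70 (1703); 0x0878 (1709); 0x0880",
     "0x0198 (10.0); 0x1390 (1511 to 1607); 0x1398 (1703); 0x0FB0 (1709); 0x0FB8"),
    ("EtwpSecurityProviderEnableMask", "10.0 and higher",
     "0x0188 (10.0); 0x0A78 (1511 to 1607); 0x0A80 (1703); 0x0888 (1709); 0x0890",
     "0x01A8 (10.0); 0x13A0 (1511 to 1607); 0x13A8 (1703); 0x0FC0 (1709); 0x0FC8"),
    ("EtwpSecurityProviderPID", "1511 and higher",
     "0x0A7C (1511 to 1607); 0x0A88 (1703); 0x0890 (1709); 0x0898",
     "0x13A4 (1511 to 1607); 0x13B0 (1703); 0x0FC8 (1709); 0x0FD0"),
    ("SystemLoggerSettings", "1709 and higher", "0x08F4 (1709); 0x08FC", "0x103C (1709); 0x104C"),
]

def _span(text):
    # "1511 to 1607", "1709 and higher", "10.0 only" or "1709" -> range of indexes into VERSIONS
    m = re.fullmatch(r"(\S+)(?: to (\S+)| and higher| only)?", text.strip())
    lo = VERSIONS.index(m.group(1))
    hi = VERSIONS.index(m.group(2)) if m.group(2) else (len(VERSIONS) - 1 if "higher" in text else lo)
    return range(lo, hi + 1)

def _offset(cell, vi):
    # Walk "0x08 (1703 to 1709); 0x10": a parenthesised range selects its offset, the bare value is the fallback
    for part in cell.split(";"):
        m = re.fullmatch(r"\s*(0x[0-9A-Fa-f]+)(?: \(([^)]*)\))?\s*", part)
        if m.group(2) is None or vi in _span(m.group(2)):
            return int(m.group(1), 16)
    raise ValueError(f"no offset for release {VERSIONS[vi]} in {cell!r}")

def layout(version, arch):
    # Ordered {member: offset} for one release; offsets must increase and stay inside the structure
    vi, out, last = VERSIONS.index(version), {}, -1
    for name, versions, x86, x64 in MEMBERS:
        if vi in _span(versions):
            off = _offset(x64 if arch == "x64" else x86, vi)
            assert last < off < SIZES[arch][version], (name, version, arch, hex(off))
            out[name] = last = off
    return out
```

Resolving every release and architecture this way also catches a transcription error in a cell, since a member landing before its predecessor or past the structure's size fails the assertion.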

TO BE DONE?