Geoff Chappell - Software Analyst
The ETW_KERNEL_HEADER_EXTENSION is event-specific data for the WMI_LOG_TYPE_HEADER_EXTENSION (0x0005) and WMI_LOG_TYPE_GROUP_MASKS_END (0x0020) events as held in the trace buffers or flushed to an Event Trace Log (ETL) file for a system-logging session, which typically means an NT Kernel Logger session.
The WMI_LOG_TYPE_HEADER_EXTENSION and WMI_LOG_TYPE_GROUP_MASKS_END events make a pair for tracking what types of event get enabled and disabled for the session. They show this by reporting the logger’s PERFINFO_GROUPMASK. This is an undocumented elaboration of the EnableFlags that are documented for the EVENT_TRACE_PROPERTIES structure as input to the StartTrace and ControlTrace functions.
In telling what types of event were initially enabled for the session, the ETW_KERNEL_HEADER_EXTENSION is arguably as important a record of what to expect in an ETL file as is the TRACE_LOGFILE_HEADER that is the event-specific data for the WMI_LOG_TYPE_HEADER event that is the first event in every ETL file. For sessions that have the EVENT_TRACE_SYSTEM_LOGGER_MODE (0x02000000), the WMI_LOG_TYPE_HEADER_EXTENSION event is so important that it is always the second event. As the session continues, WMI_LOG_TYPE_GROUP_MASKS_END and WMI_LOG_TYPE_HEADER_EXTENSION events are logged in pairs on each update of the session’s group masks, to report the old and new masks, respectively.
Data for a WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END event comprises:
In the Marker that begins the SYSTEM_TRACE_HEADER, the Flags are 0xC0, the HeaderType is 0x01 or 0x02 for a 32-bit or 64-bit trace session, respectively, and the Version is nowadays 0x02 but is 0x01 in traces written by Windows versions before 6.0. The Size is the total in bytes of both structures. The HookId, as the identifier of the event and thus of how the event-specific data that follows is interpreted, is WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END.
The ETW_KERNEL_HEADER_EXTENSION is not documented.
A few public disclosures are known from Microsoft, though not as any sort of plain-English documentation. One is that a previously unpublished header named NTETW.H was published in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10, and this header contains a C-language definition of the structure.
Were it not for this limited and possibly unintended disclosure of NTETW.H, a practical equivalent of the C-language definition (but missing comments, of course) would anyway be known from type information in symbol files. But this too has the look of an oversight. Type information for this structure has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. It has instead slipped out in symbol files for a smattering of higher-level user-mode DLLs, starting with Windows 8. For these few, the readily available symbol files actually are private symbol files and show that the unpublished NTETW.H was included when compiling the corresponding binaries.
Type information has also been published in a statically linked library, named CLFSMGMT.LIB, which Microsoft distributes with the Software Development Kit (SDK) starting with the SDK for Windows Vista. This does not have the same forensic quality as type information in symbol files for the binaries that ship with an operating system: although it is as accurate for when the library was built, there is no requirement that the library have been built with the operating system that it targets. There can be, and often is, some discrepancy, and there is anyway not always a fresh library for each service pack.
The ETW_KERNEL_HEADER_EXTENSION is nowadays 0x24 bytes in both 32-bit and 64-bit Windows, but it began as 0x20 bytes. Offsets, types and names in the table that follows are from type information in symbol files and libraries, and from the published C-language definition, as described above. What’s known for versions that predate the known availability of type information is from inspection of binaries.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 | PERFINFO_GROUPMASK GroupMasks; | 5.2 and higher |
| 0x20 | ULONG Version; | 6.0 and higher |
Taking the ETW_KERNEL_HEADER_EXTENSION as a persistent description of a logging session that may have long ended, the GroupMasks tells which types of event were enabled for the session and the Version records how advanced is the kernel that logged the events.
The Version is observed to be the same as produced in the EventTraceKernelVersion member of the EVENT_TRACE_VERSION_INFORMATION.
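As an added example (not code from Geoff Chappell's page, nor from any Microsoft header), the following C parser decodes a WMI_LOG_TYPE_HEADER_EXTENSION or WMI_LOG_TYPE_GROUP_MASKS_END event from a byte buffer as it would sit in an ETL file: it validates the Marker (Flags 0xC0, HeaderType 0x01 or 0x02, Version 0x01 or 0x02), the Size and the HookId as described above, then reads the ETW_KERNEL_HEADER_EXTENSION in both its 0x20-byte and 0x24-byte forms. It assumes a 0x20-byte SYSTEM_TRACE_HEADER in front of the extension, PERF_NUM_MASKS of 8, and the NTETW.H convention that a group value carries its mask index in its top three bits (neither is stated on this page); the sample event is constructed with arbitrary mask and version values, not captured from a real session.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Event identifiers from the page; mask-index convention as in NTETW.H (assumption). */
#define WMI_LOG_TYPE_HEADER_EXTENSION  0x0005
#define WMI_LOG_TYPE_GROUP_MASKS_END   0x0020
#define PERF_NUM_MASKS                 8
#define PERF_MASK_INDEX                0xE0000000u
#define PERF_GET_MASK_INDEX(g)         (((g) & PERF_MASK_INDEX) >> 29)
#define PERF_GET_MASK_GROUP(g)         ((g) & ~PERF_MASK_INDEX)

#define SYSTEM_TRACE_HEADER_SIZE       0x20  /* assumed size of the fixed header before the extension */
#define EXTENSION_SIZE_V1              0x20  /* GroupMasks only (version 5.2) */
#define EXTENSION_SIZE_V2              0x24  /* GroupMasks plus Version (6.0 and higher) */

typedef struct {
    uint32_t Masks[PERF_NUM_MASKS];
} PERFINFO_GROUPMASK;

typedef struct {
    PERFINFO_GROUPMASK GroupMasks;
    uint32_t           Version;      /* absent in the 0x20-byte form */
} ETW_KERNEL_HEADER_EXTENSION;

/* Decoded view of one header-extension event. */
typedef struct {
    int      is_64bit;
    uint16_t header_version;
    uint16_t hook_id;
    uint32_t masks[PERF_NUM_MASKS];
    int      has_version;
    uint32_t version;
} header_extension_event;

enum { HX_OK = 0, HX_TOO_SHORT = -1, HX_BAD_MARKER = -2, HX_BAD_HOOKID = -3, HX_BAD_SIZE = -4 };

/* ETL data is little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int parse_header_extension_event(const uint8_t *buf, size_t len, header_extension_event *out)
{
    if (len < SYSTEM_TRACE_HEADER_SIZE) return HX_TOO_SHORT;
    /* Marker = Version (2 bytes), HeaderType, Flags; Header = Size, HookId */
    uint16_t version    = rd16(buf);
    uint8_t  headertype = buf[2];
    uint8_t  flags      = buf[3];
    uint16_t size       = rd16(buf + 4);
    uint16_t hookid     = rd16(buf + 6);

    if (flags != 0xC0 || (headertype != 0x01 && headertype != 0x02)) return HX_BAD_MARKER;
    if (version != 0x01 && version != 0x02) return HX_BAD_MARKER;
    if (hookid != WMI_LOG_TYPE_HEADER_EXTENSION && hookid != WMI_LOG_TYPE_GROUP_MASKS_END) return HX_BAD_HOOKID;

    /* Size covers both structures; only the two known extension sizes are accepted. */
    size_t ext = (size >= SYSTEM_TRACE_HEADER_SIZE) ? (size_t)size - SYSTEM_TRACE_HEADER_SIZE : 0;
    if (ext != EXTENSION_SIZE_V1 && ext != EXTENSION_SIZE_V2) return HX_BAD_SIZE;
    if (size > len) return HX_TOO_SHORT;   /* truncated buffer, do not read past it */

    memset(out, 0, sizeof *out);
    out->is_64bit = (headertype == 0x02);
    out->header_version = version;
    out->hook_id = hookid;
    const uint8_t *p = buf + SYSTEM_TRACE_HEADER_SIZE;
    for (int i = 0; i < PERF_NUM_MASKS; i++) out->masks[i] = rd32(p + 4 * i);
    if (ext == EXTENSION_SIZE_V2) { out->has_version = 1; out->version = rd32(p + 0x20); }
    return HX_OK;
}

/* Was a group (index in top three bits, flag in the low 29) enabled for the session? */
int groupmask_is_enabled(const uint32_t masks[PERF_NUM_MASKS], uint32_t group)
{
    return (masks[PERF_GET_MASK_INDEX(group)] & PERF_GET_MASK_GROUP(group)) != 0;
}

/* Constructed sample: 64-bit session, Version 2 marker, 0x24-byte extension. Returns bytes written. */
size_t build_sample_event(uint8_t *buf, size_t cap)
{
    const size_t total = SYSTEM_TRACE_HEADER_SIZE + EXTENSION_SIZE_V2;   /* 0x44 */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x02; buf[1] = 0x00;                              /* Marker.Version = 0x0002 */
    buf[2] = 0x02;                                             /* HeaderType: 64-bit */
    buf[3] = 0xC0;                                             /* Flags */
    buf[4] = (uint8_t)total; buf[5] = (uint8_t)(total >> 8);   /* Size */
    buf[6] = WMI_LOG_TYPE_HEADER_EXTENSION; buf[7] = 0x00;     /* HookId */
    uint8_t *ext = buf + SYSTEM_TRACE_HEADER_SIZE;
    ext[0] = 0x03;                    /* constructed: Masks[0] = 0x00000003 */
    ext[16] = 0x00; ext[17] = 0x01;   /* constructed: Masks[4] = 0x00000100 */
    ext[0x20] = 0x00; ext[0x21] = 0x0A;   /* constructed: Version = 0x00000A00 */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    header_extension_event ev;
    size_t n = build_sample_event(buf, sizeof buf);
    int rc = parse_header_extension_event(buf, n, &ev);
    printf("rc=%d 64bit=%d hook=0x%04x masks[0]=0x%08x version=0x%08x\n",
           rc, ev.is_64bit, ev.hook_id, ev.masks[0], ev.version);
    return rc == HX_OK ? 0 : 1;
}
```

The parser deliberately rejects any Size other than the two known totals (0x40 and 0x44) before touching the extension, so a corrupt or foreign event cannot make it read beyond the buffer; a reader that tolerates future growth of the structure would instead accept any Size of at least 0x40 and ignore trailing bytes.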