Geoff Chappell - Software Analyst
The ETW_NOTIFICATION_HEADER structure describes an event notification for multiple cases of the NtTraceControl function.
The ETW_NOTIFICATION_HEADER structure is not documented.
A few public disclosures are known from Microsoft, though not as any sort of plain-English documentation. One is that a previously unpublished header named NTETW.H was published in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10, and this header contains a C-language definition of the structure.
Were it not for this limited and possibly unintended disclosure of NTETW.H, a practical equivalent of the C-language definition (but missing comments, of course) would anyway be known from type information in symbol files. But this too has the look of an oversight. Type information for this structure has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. It has instead slipped out in symbol files for a smattering of higher-level user-mode DLLs, starting with Windows 8. For these few, the readily available symbol files actually are private symbol files and show that the unpublished NTETW.H was included when compiling the corresponding binaries.
Type information also has been published in a statically linked library, named CLFSMGMT.LIB, which Microsoft distributes with the Software Development Kit (SDK) starting for Windows Vista. This does not have the forensic quality as has type information in symbol files for the binaries that ship with an operating system, for although it is as accurate for when the library was built, there is no requirement that the library have been built with the operating system that it targets. There can be, and often is, some discrepancy, and there is anyway not always a fresh library for each service pack.
The ETW_NOTIFICATION_HEADER is 0x48 bytes in both 32-bit and 64-bit Windows in versions 6.0 and higher. Whether it or something enough like it exists in versions before 6.0, i.e., before NtTraceControl, is left for another time. Offsets, types and names in the table that follows are from type information in symbol files and libraries, and from the published C-language definition, as described above.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
ETW_NOTIFICATION_TYPE NotificationType; |
6.0 and higher |
| 0x04 |
ULONG NotificationSize; |
6.0 and higher |
| 0x08 |
ULONG Offset; |
6.0 and higher |
| 0x0C |
BOOLEAN ReplyRequested; |
6.0 and higher |
| 0x10 |
ULONG Reserved1; |
6.0 only |
ULONG Timeout; |
6.1 and higher | |
| 0x14 |
union {
ULONG ReplyCount;
ULONG NotifyeeCount;
};
|
6.0 and higher |
| 0x18 |
ULONGLONG Reserved2; |
6.0 and higher |
| 0x20 |
ULONG TargetPID; |
6.0 and higher |
| 0x24 |
ULONG SourcePID; |
6.0 and higher |
| 0x28 |
GUID DestinationGuid; |
6.0 and higher |
| 0x38 |
GUID SourceGuid; |
6.0 and higher |
When Reserved1 gave way to Timeout is not yet known. The former is known from type information in CLFSMGMT.LIB but this library is not known in a version that targets any Windows Vista service pack. Inspection of binaries can reveal when Timeout was first used. More research is required.