Geoff Chappell - Software Analyst
The EVENT_TRACE_VERSION_INFORMATION structure is one of many that the ZwQuerySystemInformation (or NtQuerySystemInformation) function expects in its information buffer when given the information class SystemPerformanceTraceInformation (0x1F). This particular structure is selected when the first dword in the information buffer on input is EventTraceKernelVersionInformation (0x00).
The EVENT_TRACE_VERSION_INFORMATION structure is not documented.
A few public disclosures are known from Microsoft, though not as any sort of plain-English documentation. One is that a previously unpublished header named NTETW.H was published in the original and Version 1511 editions of the Windows Driver Kit (WDK) for Windows 10, and this header contains a C-language definition of the structure.
Were it not for this limited and possibly unintended disclosure of NTETW.H, a practical equivalent of the C-language definition (but missing comments, of course) would anyway be known from type information in symbol files. But this too has the look of an oversight. Type information for this structure has never appeared in any public symbol files for the kernel or for the obvious low-level user-mode DLLs. It has instead slipped out in symbol files for a smattering of higher-level user-mode DLLs, starting with Windows 8. For these few, the readily available symbol files actually are private symbol files and show that the unpublished NTETW.H was included when compiling the corresponding binaries.
Type information has also been published in a statically linked library, named CLFSMGMT.LIB, which Microsoft distributes with the Software Development Kit (SDK) starting with the one for Windows Vista. This does not have the forensic quality of type information in symbol files for the binaries that ship with an operating system: although it is as accurate as of when the library was built, there is no requirement that the library have been built with the operating system that it targets. There can be, and often is, some discrepancy, and there is anyway not always a fresh library for each service pack.
The EVENT_TRACE_VERSION_INFORMATION structure is eight bytes in both 32-bit and 64-bit Windows. Offsets, names and types in the table that follows are from type information in symbol files and libraries, and from the published C-language definition, as described above.
One member is meaningful only for input, the other only as output:
|Offset|Definition|Versions|Input or Output|
|---|---|---|---|
|0x00|EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;|6.0 and higher|input|
|0x04|ULONG EventTraceKernelVersion;|6.0 and higher|output|
The EVENT_TRACE_VERSION_INFORMATION structure is meaningful only as input to and output from one case of the ZwQuerySystemInformation function. The behaviour may as well be picked up here. This review takes as understood all the general points and shorthands that are noted in the separate attempt at documenting the function, and takes as given that the information class is SystemPerformanceTraceInformation and that the information buffer is exactly the size of an EVENT_TRACE_VERSION_INFORMATION in which the EventTraceInformationClass is EventTraceKernelVersionInformation.
The implementation is simply to set the EventTraceKernelVersion in the given structure. The function then returns STATUS_SUCCESS.
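As an added illustration (not code from this page or from NTETW.H), the following C shows the structure laid out as described above, the input buffer prepared with EventTraceKernelVersionInformation in its first dword, and the call to NtQuerySystemInformation with SystemPerformanceTraceInformation resolved from ntdll.dll at run time. The member types are written as uint32_t rather than the EVENT_TRACE_INFORMATION_CLASS and ULONG of NTETW.H so that the block also compiles without Windows headers; the helper names and the validity check are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Values named on the page. */
#define SystemPerformanceTraceInformation  0x1F
#define EventTraceKernelVersionInformation 0x00
/* Two dwords, 8 bytes on 32-bit and 64-bit Windows. NTETW.H types them
   EVENT_TRACE_INFORMATION_CLASS and ULONG; uint32_t is used here so the
   block also compiles without Windows headers. */
typedef struct {
    uint32_t EventTraceInformationClass; /* input: selects this structure */
    uint32_t EventTraceKernelVersion;    /* output: kernel event version */
} EVENT_TRACE_VERSION_INFORMATION;
/* Build the input buffer exactly as the function expects it. */
static EVENT_TRACE_VERSION_INFORMATION make_version_request(void) {
    EVENT_TRACE_VERSION_INFORMATION info = { EventTraceKernelVersionInformation, 0 };
    return info;
}
/* Hypothetical check modelling the precondition the page states: the buffer
   is exactly sizeof(EVENT_TRACE_VERSION_INFORMATION) and its first dword is
   EventTraceKernelVersionInformation. Returns 1 if so, else 0. */
static int version_request_is_valid(const void *buf, size_t len) {
    uint32_t cls;
    if (buf == NULL || len != sizeof(EVENT_TRACE_VERSION_INFORMATION)) return 0;
    memcpy(&cls, buf, sizeof cls);
    return cls == EventTraceKernelVersionInformation;
}
/* Ask the running kernel. Returns the NTSTATUS (0 == STATUS_SUCCESS) with
   EventTraceKernelVersion stored in *version; returns -1 off Windows or if
   NtQuerySystemInformation cannot be resolved from ntdll.dll. */
static long query_kernel_event_version(uint32_t *version) {
#ifdef _WIN32
    typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtQSI_t fn = ntdll ? (NtQSI_t)GetProcAddress(ntdll, "NtQuerySystemInformation") : NULL;
    EVENT_TRACE_VERSION_INFORMATION info = make_version_request();
    ULONG returned = 0;
    LONG status;
    if (fn == NULL) return -1;
    status = fn(SystemPerformanceTraceInformation, &info, sizeof info, &returned);
    if (status == 0) *version = info.EventTraceKernelVersion;
    return status;
#else
    (void)version;
    return -1;
#endif
}
```

On Windows, a zero return leaves the kernel event version in the variable passed to query_kernel_event_version; on any other platform the call is compiled out and -1 is returned.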
Known values for EventTraceKernelVersion on output are:
Beware that my holdings of kernel versions are limited, at best, to the formally released service packs and updates, notably the ones that Microsoft considers significant enough for a corresponding release of downloadable packages of symbol files.
Comments in NTETW.H, introduced by talk of “The Kernel Event Version”, describe in welcome detail what behaviour is indicated by each advance in the number, though not reliably which increments came with which builds. The current number, which was 60 when Microsoft last published NTETW.H, is defined as ETW_KERNEL_EVENT_VERSION.