Geoff Chappell, Software Analyst
ULONG
EtwEventWriteFull (
    REGHANDLE RegHandle,
    PCEVENT_DESCRIPTOR EventDescriptor,
    USHORT EventProperty,
    LPCGUID ActivityId,
    LPCGUID RelatedActivityId,
    ULONG UserDataCount,
    PEVENT_DATA_DESCRIPTOR UserData);
The EventProperty argument specifies properties of the event. The supported values are:
For other arguments (and the return value), refer to Microsoft’s documentation of EventWriteTransfer.
This function is the lowest-level of several NTDLL functions for writing events. The functions EtwEventWrite and EtwEventWriteTransfer are nothing but calls to this one with defaults supplied for one or more arguments. This is the full function. It is the only one with the EventProperty argument. Otherwise, this function is EtwEventWriteTransfer, which is in turn the documented ADVAPI32 function EventWriteTransfer.
The EtwEventWriteFull function is exported by name from NTDLL in version 6.0 and higher.
As with many NTDLL functions, Microsoft does not document EtwEventWriteFull. Unlike many, it has no higher-level function that corresponds even roughly to it. Though other NTDLL functions whose names begin with EtwEventWrite are exported without the Etw prefix as forwards from ADVAPI32, this one is missed.
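Because there is no ADVAPI32 forward, a caller has to find the export in NTDLL by name. The following is an added example, not code from this page or from Microsoft: it resolves the function and models the two simpler functions as calls to it. The helper names, the stand-in types used off Windows, and the 0 and NULL defaults are assumptions.

```c
/* Added example: helper names and the 0/NULL defaults are assumptions. */
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <evntprov.h>
#else /* stand-in types so the call shape also builds off Windows */
typedef unsigned int ULONG;
typedef unsigned short USHORT;
typedef unsigned long long REGHANDLE;
typedef const void *LPCGUID, *PCEVENT_DESCRIPTOR;
typedef void *PEVENT_DATA_DESCRIPTOR;
#define NTAPI
#endif
typedef ULONG (NTAPI *ETW_EVENT_WRITE_FULL)(REGHANDLE, PCEVENT_DESCRIPTOR,
    USHORT, LPCGUID, LPCGUID, ULONG, PEVENT_DATA_DESCRIPTOR);
/* Recording stand-in for hosts without NTDLL: keeps what it was passed. */
static USHORT seen_property;
static LPCGUID seen_activity, seen_related;
ULONG NTAPI record_full(REGHANDLE h, PCEVENT_DESCRIPTOR d, USHORT prop,
    LPCGUID act, LPCGUID rel, ULONG n, PEVENT_DATA_DESCRIPTOR data)
{
    (void)h; (void)d; (void)n; (void)data;
    seen_property = prop; seen_activity = act; seen_related = rel;
    return 0; /* ERROR_SUCCESS */
}
/* Exported by name from NTDLL 6.0+, with no ADVAPI32 forward: look it up. */
ETW_EVENT_WRITE_FULL resolve_full(void)
{
#ifdef _WIN32
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL) return NULL;
    return (ETW_EVENT_WRITE_FULL)(void *)GetProcAddress(ntdll, "EtwEventWriteFull");
#else
    return record_full;
#endif
}
/* Shape of EtwEventWriteTransfer: only EventProperty is defaulted. */
ULONG write_transfer(ETW_EVENT_WRITE_FULL full, REGHANDLE h, PCEVENT_DESCRIPTOR d,
    LPCGUID act, LPCGUID rel, ULONG n, PEVENT_DATA_DESCRIPTOR data)
{ return full(h, d, 0, act, rel, n, data); }
/* Shape of EtwEventWrite: the activity identifiers are defaulted too. */
ULONG write_plain(ETW_EVENT_WRITE_FULL full, REGHANDLE h,
    PCEVENT_DESCRIPTOR d, ULONG n, PEVENT_DATA_DESCRIPTOR data)
{ return full(h, d, 0, NULL, NULL, n, data); }
int main(void)
{   /* Exit 0 when the export resolves; call it only with an EventRegister handle. */
    return resolve_full() != NULL ? 0 : 1;
}
```

On Windows, pass the resolved pointer a handle obtained from the documented EventRegister function and a real event descriptor before calling through it.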
The supported values for the EventProperty argument are documented for another purpose, in the EventProperty member of the EVENT_HEADER structure that describes an event when delivered to a consumer.
Three users of this function are known:
Yes, they use one each of the defined bit flags in the additional argument.