windows-nt/Source/XPSP1/NT/public/internal/base/inc/ntwmi.h

/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
ntwmi.h
Abstract:
definitions for WMI Flags and Event Id's
Author:
Stephen Hsiao
Environment:
Kernel and User modes
Revision History:
--*/
#ifndef _NTWMI_
#define _NTWMI_
#ifndef ETW_WOW6432
#include <evntrace.h>
// Alignment macros
#define DEFAULT_TRACE_ALIGNMENT 8 // 8 byte alignment
// Rounds x up to the next multiple of n. The mask arithmetic is only correct
// when n is a power of two.
// NOTE(review): x is cast to ULONG (32 bits on Windows) before the add, so a
// wider value such as a 64-bit pointer or SIZE_T is truncated, and the sum
// wraps when x is within n-1 of the ULONG maximum. Code that aligns a length
// read from a trace record or a caller-supplied buffer should range-check it
// first -- no caller is visible in this header.
#define ALIGN_TO_POWER2( x, n ) (((ULONG)(x) + ((n)-1)) & ~((ULONG)(n)-1))
//
// The predefined event groups or families for NT subsystems
//
// Each group is a multiple of 0x0100, i.e. it sits in the high byte of a
// 16-bit value; the WMI_LOG_TYPE_* and PERFINFO_LOG_TYPE_* definitions later
// in this file OR a group with an event type in the low byte.
// 0x0C00 and 0x0D00 are not assigned in this header.
//
#define EVENT_TRACE_GROUP_HEADER 0x0000
#define EVENT_TRACE_GROUP_IO 0x0100
#define EVENT_TRACE_GROUP_MEMORY 0x0200
#define EVENT_TRACE_GROUP_PROCESS 0x0300
#define EVENT_TRACE_GROUP_FILE 0x0400
#define EVENT_TRACE_GROUP_THREAD 0x0500
#define EVENT_TRACE_GROUP_TCPIP 0x0600
#define EVENT_TRACE_GROUP_IPXSPX 0x0700
#define EVENT_TRACE_GROUP_UDPIP 0x0800
#define EVENT_TRACE_GROUP_REGISTRY 0x0900
#define EVENT_TRACE_GROUP_DBGPRINT 0x0A00
#define EVENT_TRACE_GROUP_CONFIG 0x0B00
#define EVENT_TRACE_GROUP_POOL 0x0E00
#define EVENT_TRACE_GROUP_PERFINFO 0x0F00
#define EVENT_TRACE_GROUP_HEAP 0x1000
#define EVENT_TRACE_GROUP_OBJECT 0x1100
#define EVENT_TRACE_GROUP_POWER 0x1200
#define EVENT_TRACE_GROUP_MODBOUND 0x1300
#define EVENT_TRACE_GROUP_TBD 0x1400
#define EVENT_TRACE_GROUP_DPC 0x1500
#define EVENT_TRACE_GROUP_GDI 0x1600
#define EVENT_TRACE_GROUP_CRITSEC 0x1700
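//
// The highest order bit of a data block is set if trace, WNODE otherwise
//
#define TRACE_HEADER_FLAG 0x80000000
// Header type for tracing messages
// | Marker(8) | Reserved(8) | Size(16) | MessageNumber(16) | Flags(16)
#define TRACE_MESSAGE 0x10000000
// | MARKER(16) | SIZE (16) | ULONG32 |
#define TRACE_HEADER_ULONG32 0xA0000000
// | MARKER(16) | SIZE (16) | ULONG 32 | TIME_STAMP ...
#define TRACE_HEADER_ULONG32_TIME 0xB0000000
//
// The second bit is set if the trace is used by PM & CP (fixed headers)
// If not, the data block is used for finer data for performance analysis
//
#define TRACE_HEADER_EVENT_TRACE 0x40000000
//
// If set, the data block is SYSTEM_TRACE_HEADER
// NOTE(review): the sentence above does not describe a mask and may belong to
// a definition that is no longer here. As written, this value selects bits
// 16-23 of a marker, the field the TRACE_HEADER_TYPE_* values are shifted
// into by the *_TRACE_MARKER macros below.
//
#define TRACE_HEADER_ENUM_MASK 0x00FF0000
//
// The following are various header type
//
#define TRACE_HEADER_TYPE_SYSTEM32 1
#define TRACE_HEADER_TYPE_SYSTEM64 2
#define TRACE_HEADER_TYPE_FULL_HEADER 10
#define TRACE_HEADER_TYPE_INSTANCE 11
#define TRACE_HEADER_TYPE_TIMED 12
#define TRACE_HEADER_TYPE_ULONG32 13
#define TRACE_HEADER_TYPE_WNODE_HEADER 14
#define TRACE_HEADER_TYPE_MESSAGE 15
#define TRACE_HEADER_TYPE_PERFINFO32 16
#define TRACE_HEADER_TYPE_PERFINFO64 17
#define SYSTEM_TRACE_VERSION 1
//
// Complete 32-bit marker values: trace flag and event-trace flag in the top
// byte, header type in bits 16-23, version in the low 16 bits.
// The expansions are wrapped in parentheses so that a use such as
// (SYSTEM_TRACE_MARKER & TRACE_HEADER_ENUM_MASK) applies the operator to the
// whole marker. Without them, & binds tighter than | and only the trailing
// SYSTEM_TRACE_VERSION term is masked, which makes header-type checks in a
// trace parser silently wrong.
//
#ifdef _WIN64
#define PERFINFO_TRACE_MARKER (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_PERFINFO64 << 16) | SYSTEM_TRACE_VERSION)
#define SYSTEM_TRACE_MARKER (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_SYSTEM64 << 16) | SYSTEM_TRACE_VERSION)
#else
#define PERFINFO_TRACE_MARKER (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_PERFINFO32 << 16) | SYSTEM_TRACE_VERSION)
#define SYSTEM_TRACE_MARKER (TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_SYSTEM32 << 16) | SYSTEM_TRACE_VERSION)
#endif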
//
// Support a maximum of 64 logger instances. One is reserved for the kernel.
// NOTE(review): KERNEL_LOGGER_ID (0xFFFF, defined below) lies outside
// 0..MAXLOGGERS-1, so an id extracted from a handle needs that case handled
// before any range check or table lookup -- the lookup code is not in this
// header.
#define MAXLOGGERS 64
//
// Set of Internal Flags passed to the Logger via ClientContext during StartTrace
//
// The four values are the consecutive integers 0-3 rather than independent
// bits, so they select one clock source and cannot be OR-ed together.
//
#define EVENT_TRACE_CLOCK_RAW 0x00000000 // Use Raw timestamp
#define EVENT_TRACE_CLOCK_PERFCOUNTER 0x00000001 // Use HighPerfClock (Default)
#define EVENT_TRACE_CLOCK_SYSTEMTIME 0x00000002 // Use SystemTime
#define EVENT_TRACE_CLOCK_CPUCYCLE 0x00000003 // Use CPU cycle counter
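// begin_wmikm
//
// Public routines to break down the Loggerhandle
//
#define KERNEL_LOGGER_ID 0xFFFF // USHORT only
//
// Layout that the accessor macros below impose on a logger handle/context
// value: the macros take the address of their argument and read it through a
// PTRACE_ENABLE_CONTEXT, so the argument must be an lvalue at least
// sizeof(TRACE_ENABLE_CONTEXT) bytes wide.
//
typedef struct _TRACE_ENABLE_CONTEXT {
USHORT LoggerId; // Actual Id of the logger
UCHAR Level; // Enable level passed by control caller
UCHAR InternalFlag; // Reserved
ULONG EnableFlags; // Enable flags passed by control caller
} TRACE_ENABLE_CONTEXT, *PTRACE_ENABLE_CONTEXT;
//
// WmiGetLoggerId yields the LoggerId field of the context, with the kernel
// logger reported as KERNEL_LOGGER_ID. The whole expansion and the argument
// are parenthesized so the macro can be used inside a larger expression
// (comparison, array index, function argument) without the conditional
// operator capturing the surrounding operands.
// NOTE(review): the id comes straight from the handle value. Code that uses
// it to select a logger should validate it against MAXLOGGERS (and treat
// KERNEL_LOGGER_ID separately) -- that code is not in this header.
//
#define WmiGetLoggerId(LoggerContext) \
((((PTRACE_ENABLE_CONTEXT) (&(LoggerContext)))->LoggerId == \
(USHORT)KERNEL_LOGGER_ID) ? \
KERNEL_LOGGER_ID : \
((PTRACE_ENABLE_CONTEXT) (&(LoggerContext)))->LoggerId)
// Enable flags stored in the context.
#define WmiGetLoggerEnableFlags(LoggerContext) \
(((PTRACE_ENABLE_CONTEXT) (&(LoggerContext)))->EnableFlags)
// Enable level stored in the context.
#define WmiGetLoggerEnableLevel(LoggerContext) \
(((PTRACE_ENABLE_CONTEXT) (&(LoggerContext)))->Level)
//
// WmiSetLoggerId stores Id in the context that Context points to; an Id of 0
// is stored as KERNEL_LOGGER_ID. Id and Context are parenthesized so that an
// expression argument is cast and tested as a whole. Id is evaluated twice,
// so it must not have side effects. The trailing semicolon is part of the
// original definition and is kept so that existing call sites written
// without one still compile.
//
#define WmiSetLoggerId(Id, Context) \
(((PTRACE_ENABLE_CONTEXT)(Context))->LoggerId = ((Id) ? \
(USHORT)(Id): (USHORT)KERNEL_LOGGER_ID));
// end_wmikm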
//
// NOTE: The following should not overlap with other bits in the LogFileMode
// or LoggerMode defined in evntrace.h. Placed here since it is for internal
// use only.
//
#define EVENT_TRACE_KD_FILTER_MODE 0x00080000 // KD_FILTER
//
// see evntrace.h for pre-defined generic event types (0-10)
//
// WMI_TRACE_PACKET is the 32-bit size/hook-id word that the trace headers
// below overlay on their ULONG Header field, hence the size requirement.
// HookId aliases the Type and Group bytes; Type is declared first, so on a
// little-endian target it is the low byte and Group the high byte, matching
// the (EVENT_TRACE_GROUP_xxx | type) encoding of the log-type macros.
// NOTE(review): Size is 16 bits and its exact meaning is not stated here. A
// reader walking records in a buffer should check it against the bytes
// remaining before using it to advance or copy.
//
typedef struct _WMI_TRACE_PACKET { // must be ULONG!!
USHORT Size;
union{
USHORT HookId;
struct {
UCHAR Type;
UCHAR Group;
};
};
} WMI_TRACE_PACKET, *PWMI_TRACE_PACKET;
// Four-byte per-buffer context; embedded as ClientContext in
// WMI_BUFFER_HEADER further down.
typedef struct _WMI_CLIENT_CONTEXT {
UCHAR ProcessorNumber;
UCHAR Alignment;
USHORT LoggerId;
} WMI_CLIENT_CONTEXT, *PWMI_CLIENT_CONTEXT;
// 64-bit timestamp used by the PERFINFO trace header.
typedef ULONGLONG PERFINFO_TIMESTAMP;
// Alternate names for PERFINFO_TRACE_HEADER, declared ahead of the struct
// definition that follows.
typedef struct _PERFINFO_TRACE_HEADER PERFINFO_TRACE_ENTRY, *PPERFINFO_TRACE_ENTRY;
//
// 64-bit Trace header for NTPERF events
//
// Note. The field "Version" will temporary be used to log CPU Id when log to PerfMem.
// This will be removed after we change the buffer management to be the same as WMI.
// i.e., Each CPU will allocate a block of memory for logging and CPU id is in the header
// of each block.
//
// Layout: a 32-bit marker (viewable as Version/HeaderType/Flags), the 32-bit
// size/hook-id word, a 64-bit timestamp, then the event payload.
// NOTE(review): Data[1] looks like the usual one-element trailing array for
// a variable-length payload; the payload length is presumably derived from
// Packet.Size. A consumer should confirm that Packet.Size covers at least the
// fixed header and does not exceed the containing buffer before reading Data.
//
typedef struct _PERFINFO_TRACE_HEADER {
union {
ULONG Marker;
struct {
USHORT Version;
UCHAR HeaderType;
UCHAR Flags; //WMI uses this flag to identify event types
};
};
union {
ULONG Header; // both sizes must be the same!
WMI_TRACE_PACKET Packet;
};
union {
PERFINFO_TIMESTAMP TS;
LARGE_INTEGER SystemTime;
};
UCHAR Data[1];
} PERFINFO_TRACE_HEADER, *PPERFINFO_TRACE_HEADER;
//
// 64-bit Trace header for kernel events
//
// Marker can also be read as Version/HeaderType/Flags. On a little-endian
// target that matches how SYSTEM_TRACE_MARKER is composed earlier in this
// file: version in the low 16 bits, header type in bits 16-23, flag bits in
// the top byte. The second word is the size/hook-id packet; the remaining
// fields identify the thread and process and carry timing data.
// NOTE(review): units of KernelTime and UserTime are not stated here.
//
typedef struct _SYSTEM_TRACE_HEADER {
union {
ULONG Marker;
struct {
USHORT Version;
UCHAR HeaderType;
UCHAR Flags;
};
};
union {
ULONG Header; // both sizes must be the same!
WMI_TRACE_PACKET Packet;
};
ULONG ThreadId;
ULONG ProcessId;
LARGE_INTEGER SystemTime;
ULONG KernelTime;
ULONG UserTime;
} SYSTEM_TRACE_HEADER, *PSYSTEM_TRACE_HEADER;
//
// 64-bit Trace Header for Tracing Messages
//
// Second 32-bit word of a message header: message number plus option flags.
typedef struct _WMI_TRACE_MESSAGE_PACKET { // must be ULONG!!
USHORT MessageNumber; // The message Number, index of messages by GUID
// Or ComponentID
USHORT OptionFlags ; // Flags associated with the message
} WMI_TRACE_MESSAGE_PACKET, *PWMI_TRACE_MESSAGE_PACKET;
// Eight-byte message header: marker word (viewable as Size/Reserved/Version)
// followed by the message packet word.
// NOTE(review): the Version comment names TRACE_MESSAGE_FLAG, which is not
// defined in the part of the file shown here; TRACE_MESSAGE (0x10000000) is.
// Confirm which constant is meant.
typedef struct _MESSAGE_TRACE_HEADER {
union {
ULONG Marker;
struct {
USHORT Size; // Total Size of the message including header
UCHAR Reserved; // Unused and reserved
UCHAR Version; // The message structure type (TRACE_MESSAGE_FLAG)
};
};
union {
ULONG Header; // both sizes must be the same!
WMI_TRACE_MESSAGE_PACKET Packet;
};
} MESSAGE_TRACE_HEADER, *PMESSAGE_TRACE_HEADER;
// A message header followed by payload.
// NOTE(review): Data is a single UCHAR, presumably standing for the first
// byte of a variable-length payload bounded by MessageHeader.Size -- confirm
// in the code that writes and reads these records.
typedef struct _MESSAGE_TRACE {
MESSAGE_TRACE_HEADER MessageHeader ;
UCHAR Data ;
} MESSAGE_TRACE, *PMESSAGE_TRACE ;
//
// Structure used to pass user log messages to the kernel
//
// NOTE(review): because this crosses the user/kernel boundary, every field is
// caller-controlled. The kernel-side consumer (not in this header) should
// capture the structure once and check MessageHeader.Size and DataSize
// against the length of the buffer actually supplied before copying from
// Data, and should validate LoggerHandle rather than trust it.
// Data is a single UCHAR, presumably the first byte of DataSize bytes of
// payload -- confirm against the consumer.
//
typedef struct _MESSAGE_TRACE_USER {
MESSAGE_TRACE_HEADER MessageHeader ;
ULONG MessageFlags ;
ULONG64 LoggerHandle ;
GUID MessageGuid ;
ULONG DataSize ;
UCHAR Data ;
} MESSAGE_TRACE_USER, *PMESSAGE_TRACE_USER ;
#ifndef MEMPHIS
//
// Logger configuration and running statistics. This structure is used
// by WMI.DLL to convert to UNICODE_STRING
//
// Several members are unions of a native pointer/handle type with a 64-bit
// field, which presumably keeps the structure the same size for 32-bit and
// 64-bit callers. Three of the "returned" counters are also unions whose
// second member carries a different value for the user-mode logger.
// NOTE(review): LogFileHandle, the LogFileName/LoggerName buffers, Checksum
// and LoggerExtension are pointer- or handle-valued and are filled in by the
// caller. The consumer (not in this header) should validate them -- and read
// the union through the member that matches the caller's bitness -- before
// dereferencing.
//
// begin_wmikm
typedef struct _WMI_LOGGER_INFORMATION {
WNODE_HEADER Wnode; // Had to do this since wmium.h comes later
//
// data provider by caller
ULONG BufferSize; // buffer size for logging (in kbytes)
ULONG MinimumBuffers; // minimum to preallocate
ULONG MaximumBuffers; // maximum buffers allowed
ULONG MaximumFileSize; // maximum logfile size (in MBytes)
ULONG LogFileMode; // sequential, circular
ULONG FlushTimer; // buffer flush timer, in seconds
ULONG EnableFlags; // trace enable flags
LONG AgeLimit; // aging decay time, in minutes
union {
HANDLE LogFileHandle; // handle to logfile
ULONG64 LogFileHandle64;
};
// data returned to caller
// end_wmikm
union {
// begin_wmikm
ULONG NumberOfBuffers; // no of buffers in use
// end_wmikm
ULONG InstanceCount; // Number of Provider Instances
};
union {
// begin_wmikm
ULONG FreeBuffers; // no of buffers free
// end_wmikm
ULONG InstanceId; // Current Provider's Id for UmLogger
};
union {
// begin_wmikm
ULONG EventsLost; // event records lost
// end_wmikm
ULONG NumberOfProcessors; // Passed on to UmLogger
};
// begin_wmikm
ULONG BuffersWritten; // no of buffers written to file
ULONG LogBuffersLost; // no of logfile write failures
ULONG RealTimeBuffersLost; // no of rt delivery failures
union {
HANDLE LoggerThreadId; // thread id of Logger
ULONG64 LoggerThreadId64; // thread id of Logger
};
union {
UNICODE_STRING LogFileName; // used only in WIN64
UNICODE_STRING64 LogFileName64; // Logfile name: only in WIN32
};
// mandatory data provided by caller
union {
UNICODE_STRING LoggerName; // Logger instance name in WIN64
UNICODE_STRING64 LoggerName64; // Logger Instance name in WIN32
};
// private
union {
PVOID Checksum;
ULONG64 Checksum64;
};
union {
PVOID LoggerExtension;
ULONG64 LoggerExtension64;
};
} WMI_LOGGER_INFORMATION, *PWMI_LOGGER_INFORMATION;
//
// structure for NTDLL tracing
//
// Pairs a direction flag with a pointer to the logger information block.
// NOTE(review): IsGet presumably selects query versus set; the code that
// interprets it, and that validates LoggerInfo, is not in this header.
//
typedef struct
{
BOOLEAN IsGet;
PWMI_LOGGER_INFORMATION LoggerInfo;
} WMINTDLLLOGGERINFO, *PWMINTDLLLOGGERINFO;
// Sixteen-byte header: 16-bit size, 16-bit marker, 32-bit event id, then a
// 64-bit field that is either a timestamp or a logger id.
// NOTE(review): nothing in this header says which member of the union is
// valid at a given point; confirm in the code that fills it in.
typedef struct _TIMED_TRACE_HEADER {
USHORT Size;
USHORT Marker;
ULONG32 EventId;
union {
LARGE_INTEGER TimeStamp;
ULONG64 LoggerId;
};
} TIMED_TRACE_HEADER, *PTIMED_TRACE_HEADER;
// end_wmikm
// the circular buffer pool, using forward linked list
#endif //!MEMPHIS
// WMI_NON_BLOCKING is defined unconditionally here, so every
// #ifdef WMI_NON_BLOCKING branch below is the one that is compiled.
#define WMI_NON_BLOCKING
#ifdef WMI_NON_BLOCKING
// Buffer state as three one-bit flags packed into a ULONG; overlaid on the
// Flags word of WMI_BUFFER_HEADER.
// NOTE(review): bit-field bit order is compiler-defined, so code that tests
// these bits through the ULONG Flags alias depends on the compiler's layout.
typedef struct _WMI_BUFFER_STATE {
ULONG Free:1;
ULONG InUse:1;
ULONG Flush:1;
ULONG Unused:29;
} WMI_BUFFER_STATE, *PWMI_BUFFER_STATE;
#endif //WMI_NON_BLOCKING
#define WNODE_FLAG_THREAD_BUFFER 0x00800000
//
// Header placed at the start of each trace buffer.
// The first union overlays three views of the same storage: a WNODE_HEADER,
// a view that reserves three 64-bit slots and then holds the list linkage,
// and a view holding the reference count, offsets, timestamp, GUID, client
// context and state flags. Offset and EventsLost follow, then a union of an
// instance GUID with the owning logger context pointer (plus a global list
// entry when WMI_NON_BLOCKING is defined).
// NOTE(review): the list entries and LoggerContext are kernel pointers stored
// inside the buffer header. If buffers in this format are ever written to a
// log file or mapped to a less-privileged consumer, these fields would expose
// kernel addresses unless cleared first -- confirm in the flush path.
// NOTE(review): CurrentOffset/SavedOffset/Offset index into the buffer; a
// reader of logged buffers should bound them by the buffer size.
//
typedef struct _WMI_BUFFER_HEADER {
union {
WNODE_HEADER Wnode;
struct {
ULONG64 Reserved1;
ULONG64 Reserved2;
LARGE_INTEGER Reserved3;
#ifdef WMI_NON_BLOCKING
union{
struct {
PVOID Alignment;
SINGLE_LIST_ENTRY SlistEntry;
};
LIST_ENTRY Entry;
};
#else
LIST_ENTRY Entry;
#endif //WMI_NON_BLOCKING
};
struct {
LONG ReferenceCount; // Buffer reference count
ULONG SavedOffset; // Temp saved offset
ULONG CurrentOffset; // Current offset
ULONG UsePerfClock; // UsePerfClock flag
LARGE_INTEGER TimeStamp;
GUID Guid;
WMI_CLIENT_CONTEXT ClientContext;
#ifdef WMI_NON_BLOCKING
union {
WMI_BUFFER_STATE State;
ULONG Flags;
};
#else
ULONG Flags;
#endif //WMI_NON_BLOCKING
};
};
ULONG Offset;
ULONG EventsLost;
union {
GUID InstanceGuid;
struct {
PVOID LoggerContext;
#ifdef WMI_NON_BLOCKING
SINGLE_LIST_ENTRY GlobalEntry;
#endif //WMI_NON_BLOCKING
};
};
} WMI_BUFFER_HEADER, *PWMI_BUFFER_HEADER;
// Four-byte descriptor locating an extended flag array inside a larger
// structure.
// NOTE(review): Offset and Length are supplied together with the structure
// they refer to; code that follows them should verify that
// Offset + Length * sizeof(ULONG) stays inside that structure before reading
// the array. The consumer is not in this header.
typedef struct _TRACE_ENABLE_FLAG_EXTENSION {
USHORT Offset; // Offset to the flag array in structure
UCHAR Length; // Length of flag array in ULONGs
UCHAR Flag; // Must be set to EVENT_TRACE_FLAG_EXTENSION
} TRACE_ENABLE_FLAG_EXTENSION, *PTRACE_ENABLE_FLAG_EXTENSION;
// Input for setting a mark: a flag word followed by the mark text.
// NOTE(review): Mark[1] looks like a one-element trailing array for a
// variable-length wide string. Neither a length field nor a termination rule
// is given here, so the consumer presumably bounds the string by the size of
// the input buffer -- confirm, and do not assume NUL termination.
typedef struct _WMI_SET_MARK_INFORMATION {
ULONG Flag;
WCHAR Mark[1];
} WMI_SET_MARK_INFORMATION, *PWMI_SET_MARK_INFORMATION;
// Value for WMI_SET_MARK_INFORMATION.Flag (by name; usage is not shown here).
#define WMI_SET_MARK_WITH_FLUSH 0x00000001
#ifdef NTPERF
// Compiled only when NTPERF is defined: names a buffer and a processor.
// NOTE(review): Buffer is a raw pointer to a buffer header and ProcessorId an
// index; if this structure can be filled in by a less-privileged caller, both
// need validation before use -- the consumer is not in this header.
typedef struct _WMI_SWITCH_PERFMEM_BUFFER_INFORMATION {
PWMI_BUFFER_HEADER Buffer;
ULONG ProcessorId;
} WMI_SWITCH_PERFMEM_BUFFER_INFORMATION, *PWMI_SWITCH_PERFMEM_BUFFER_INFORMATION;
#endif //NTPERF
// Public Enable flags are defined in evntrace.h.
//
// This section contains extended enable flags which are private.
//
// Each PerfMacros Hook Contains a GlobalMask and a Hook Id.
// The Global Mask is Used For Grouping Hooks by logical type
// - I/O related Hooks are Grouped together under
// PERF_FILE_IO or PERF_DISK_IO
// - Loader related Hooks are grouped together
// under PERF_LOADER,
// - etc
// The data for a particular hook will only be logged
// if the Global Mask of the particular Hook is set.
//
// WHEN YOU ADD NEW GROUPS, UPDATE THE NAME TABLE in perfgroups.c:
// PerfGroupNames Note: If you modify numeric value of a group, update
// PerfKnownFlags table
//
// We have a set of 8 global masks available. The highest 3 bits, in the
// PERF_MASK_INDEX region, determine to which set a particular
// global group belongs. If PERF_MASK_INDEX is 0xe0000000,
// all of the following can be unique groups that can be
// turned on or off individually and used when logging data:
//
// #define PERF_GROUP1 0x00400000 in the 0th set
// #define PERF_GROUP2 0x20400000 in the 1st set
// #define PERF_GROUP3 0x40400000 in the 2nd set
// ...
// #define PERF_GROUP2 0xe0400000 in the 7th set
//
// See ntperf.h for the manipulation of flags
//
//
// Currently, no GlobalMask change is supported.
//
// Merging logging with WMI, we will use the first global mask for flags used
// by both PERF and WMI
//
// GlobalMask 0: ALL masks used in WMI defined in evntrace.h.
// These PERF_xxx are going away after we merge with WMI completely.
//
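// PERF_xxx names for the public WMI enable flags from evntrace.h (mask set 0).
// NOTE(review): PERF_FILE_IO aliases the memory hard-fault flag rather than a
// file I/O flag, and PERF_FILENAME repeats a flag that PERF_DISK_IO already
// includes -- confirm both are intended.
#define PERF_REGISTRY EVENT_TRACE_FLAG_REGISTRY
#define PERF_FILE_IO EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS
// The two-flag masks are parenthesized so that an expression such as
// (EnableFlags & PERF_PROC_THREAD) tests both flags. Without the parentheses
// & binds only to the first flag and the second is OR-ed in unconditionally,
// which makes the test always true.
#define PERF_PROC_THREAD (EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD)
#define PERF_DISK_IO (EVENT_TRACE_FLAG_DISK_FILE_IO | EVENT_TRACE_FLAG_DISK_IO)
#define PERF_LOADER EVENT_TRACE_FLAG_IMAGE_LOAD
#define PERF_ALL_FAULTS EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS
#define PERF_FILENAME EVENT_TRACE_FLAG_DISK_FILE_IO
#define PERF_NETWORK EVENT_TRACE_FLAG_NETWORK_TCPIP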
//
// GlobalMask 1: The candidates to be checked into retails
//
// Every value carries 0x20000000 in the top three bits (mask set 1); the
// remaining bits are one flag each. 0x20002000 is not assigned.
//
#define PERF_MEMORY 0x20000001 // High level WS manager activities, PFN changes
#define PERF_PROFILE 0x20000002 // Sysprof
#define PERF_CONTEXT_SWITCH 0x20000004 // Context Switch
#define PERF_FOOTPRINT 0x20000008 // Flush WS on every mark_with_flush
#define PERF_DRIVERS 0x20000010
#define PERF_ADDTOWS 0x20000020
#define PERF_VERSION 0x20000040
#define PERF_DPC 0x20000080
#define PERF_SHUTDOWN 0x20000100
#define PERF_HIBER 0x20000200
#define PERF_RESUME 0x20000400
#define PERF_EXCEPTION 0x20000800
#define PERF_FILENAME_ALL 0x20001000
#define PERF_INTERRUPT 0x20004000
//
// GlobalMask 2: The candidate to remain in NTPERF
//
// Every value carries 0x40000000 in the top three bits (mask set 2); the
// remaining bits are one flag each, 0x0001 through 0x8000.
//
#define PERF_UNDEFINED 0x40000001
#define PERF_POOL 0x40000002
#define PERF_FOOTPRINT_PROC 0x40000004 // Get details WS count or pfn
#define PERF_WS_DETAIL 0x40000008 //
#define PERF_WS_ENTRY 0x40000010 //
#define PERF_HEAP 0x40000020
#define PERF_SYSCALL 0x40000040
#define PERF_WMI_TRACE 0x40000080 // Indicate to log all WMI events
#define PERF_BACKTRACE 0x40000100
#define PERF_VULCAN 0x40000200
#define PERF_OBJECTS 0x40000400
#define PERF_EVENTS 0x40000800
#define PERF_FULLTRACE 0x40001000
#define PERF_FAILED_STKDUMP 0x40002000
#define PERF_PREFETCH 0x40004000
#define PERF_FONTS 0x40008000
//
// GlobalMask 3: The candidate to be removed soon
//
// NOTE(review): these values carry 0x80000000 in the top three bits. By the
// numbering used in the explanation above (0x20000000 = 1st set,
// 0x40000000 = 2nd set) that prefix selects set 4, and 0x60000000 would be
// set 3 -- confirm the intended index against ntperf.h.
// 0x80000001 is not assigned.
//
#define PERF_SERVICES 0x80000002
#define PERF_MASK_CHANGE 0x80000004
#define PERF_DLL_INFO 0x80000008
#define PERF_DLL_FLUSH_WS 0x80000010
#define PERF_CLEARWS 0x80000020
#define PERF_MEMORY_SNAPSHOT 0x80000040
#define PERF_NO_MASK_CHANGE 0x80000080
#define PERF_DATA_ACCESS 0x80000100
#define PERF_MISC 0x80000200
#define PERF_READYQUEUE 0x80000400
#define PERF_MULTIMEDIA 0x80000800
#define PERF_PROC_ATTACH 0x80001000
#define PERF_DSHOW_DETAILED 0x80002000
#define PERF_DSHOW_SAMPLES 0x80004000
#define PERF_POWER 0x80008000
#define PERF_SOFT_TRIM 0x80010000
#define PERF_DLL_THREAD_ATTACH_FLUSH_WS 0x80020000
#define PERF_DLL_THREAD_DETACH_FLUSH_WS 0x80040000
//
// GlobalMask 7: The mark is a control mask. All flags that changes system
// behaviors go here.
//
// Values carry 0xe0000000 in the top three bits (mask set 7). Unlike the
// logging masks, these are described as changing system behaviour, so code
// that accepts enable flags from a caller should treat this set as
// privileged -- the enforcement point is not in this header.
//
#define PERF_CLUSTER_OFF 0xe0000001
#define PERF_BIGFOOT 0xe0000002
//
// Converting old PERF hooks into WMI format. More clean up to be done.
//
// WHEN YOU ADD NEW TYPES UPDATE THE NAME TABLE in perfgroups.c:
// PerfLogTypeNames ALSO UPDATE VERIFICATION TABLE IN PERFPOSTTBLS.C
//
// Every log type below is (group | type): the group from the
// EVENT_TRACE_GROUP_* list in the high byte and an event type in the low
// byte. WMI_LOG_TYPE_* use the EVENT_TRACE_TYPE_* values from evntrace.h;
// PERFINFO_LOG_TYPE_* use private type numbers starting at 0x20.
// NOTE(review): these numbers are presumably recorded in trace data, so
// existing values must not be renumbered; a decoder should treat any value
// not listed here as unknown rather than guess.
//
//
// Event for header
//
#define WMI_LOG_TYPE_HEADER (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_INFO)
//
// Event for hardware config
//
#define WMI_LOG_TYPE_CONFIG_CPU (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_CPU)
#define WMI_LOG_TYPE_CONFIG_PHYSICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK)
#define WMI_LOG_TYPE_CONFIG_LOGICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_LOGICALDISK)
#define WMI_LOG_TYPE_CONFIG_NIC (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_NIC)
#define WMI_LOG_TYPE_CONFIG_VIDEO (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_VIDEO)
//
//Event for Image and File Name
//
#define PERFINFO_LOG_TYPE_FILENAME (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_INFO)
#define PERFINFO_LOG_TYPE_FILENAME_CREATE (EVENT_TRACE_GROUP_FILE | 0x20)
#define PERFINFO_LOG_TYPE_FILENAME_SECTION1 (EVENT_TRACE_GROUP_FILE | 0x21)
//
//Event types for Process
//
// The WMI_LOG_TYPE_* entries use the generic evntrace.h event types; the
// PERFINFO_LOG_TYPE_* entries use private types 0x20-0x26 in the same group.
// Process creation/exit and image load each have both a WMI and a PERFINFO
// id, so a consumer correlating process activity has to handle both.
//
#define WMI_LOG_TYPE_PROCESS_CREATE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_START)
#define WMI_LOG_TYPE_PROCESS_DELETE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_END)
#define WMI_LOG_TYPE_PROCESS_DC_START (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_START)
#define WMI_LOG_TYPE_PROCESS_DC_END (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_END)
#define WMI_LOG_TYPE_PROCESS_LOAD_IMAGE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_LOAD)
#define PERFINFO_LOG_TYPE_PROCESSNAME (EVENT_TRACE_GROUP_PROCESS | 0x20) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_DIEDPROCESS (EVENT_TRACE_GROUP_PROCESS | 0x21) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_OUTSWAPPROCESS (EVENT_TRACE_GROUP_PROCESS | 0x22) // going away
#define PERFINFO_LOG_TYPE_INSWAPPROCESS (EVENT_TRACE_GROUP_PROCESS | 0x23)
#define PERFINFO_LOG_TYPE_IMAGELOAD (EVENT_TRACE_GROUP_PROCESS | 0x24) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_IMAGEUNLOAD (EVENT_TRACE_GROUP_PROCESS | 0x25)
#define PERFINFO_LOG_TYPE_BOOT_PHASE_START (EVENT_TRACE_GROUP_PROCESS | 0x26)
//
//Event types for Thread
//
// Generic WMI types first, then private PERFINFO types 0x20-0x28 in the
// thread group.
//
#define WMI_LOG_TYPE_THREAD_CREATE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_START)
#define WMI_LOG_TYPE_THREAD_DELETE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_END)
#define WMI_LOG_TYPE_THREAD_DC_START (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_DC_START)
#define WMI_LOG_TYPE_THREAD_DC_END (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_DC_END)
#define PERFINFO_LOG_TYPE_CREATETHREAD (EVENT_TRACE_GROUP_THREAD | 0x20) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_TERMINATETHREAD (EVENT_TRACE_GROUP_THREAD | 0x21) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_GROWKERNELSTACK (EVENT_TRACE_GROUP_THREAD | 0x22)
#define PERFINFO_LOG_TYPE_CONVERTTOGUITHREAD (EVENT_TRACE_GROUP_THREAD | 0x23)
#define PERFINFO_LOG_TYPE_CONTEXTSWAP (EVENT_TRACE_GROUP_THREAD | 0x24) // new context swap struct
#define PERFINFO_LOG_TYPE_THREAD_RESERVED1 (EVENT_TRACE_GROUP_THREAD | 0x25)
#define PERFINFO_LOG_TYPE_THREAD_RESERVED2 (EVENT_TRACE_GROUP_THREAD | 0x26)
#define PERFINFO_LOG_TYPE_OUTSWAPSTACK (EVENT_TRACE_GROUP_THREAD | 0x27) // going away
#define PERFINFO_LOG_TYPE_INSWAPSTACK (EVENT_TRACE_GROUP_THREAD | 0x28) // going away
//
// Event types for IO subsystem
//
// Despite the heading, the first eight entries belong to the TCPIP and UDPIP
// groups; the disk and driver entries that follow are in the IO group, with
// private types 0x20-0x36.
//
#define WMI_LOG_TYPE_TCPIP_SEND (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_SEND)
#define WMI_LOG_TYPE_TCPIP_RECEIVE (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RECEIVE)
#define WMI_LOG_TYPE_TCPIP_CONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_CONNECT)
#define WMI_LOG_TYPE_TCPIP_DISCONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_DISCONNECT)
#define WMI_LOG_TYPE_TCPIP_RETRANSMIT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RETRANSMIT)
#define WMI_LOG_TYPE_TCPIP_ACCEPT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACCEPT)
#define WMI_LOG_TYPE_UDP_SEND (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_SEND)
#define WMI_LOG_TYPE_UDP_RECEIVE (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_RECEIVE)
#define WMI_LOG_TYPE_IO_READ (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_READ)
#define WMI_LOG_TYPE_IO_WRITE (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_WRITE)
#define PERFINFO_LOG_TYPE_DRIVER_INIT (EVENT_TRACE_GROUP_IO | 0x20)
#define PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE (EVENT_TRACE_GROUP_IO | 0x21)
#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL (EVENT_TRACE_GROUP_IO | 0x22)
#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN (EVENT_TRACE_GROUP_IO | 0x23)
#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL (EVENT_TRACE_GROUP_IO | 0x24)
#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN (EVENT_TRACE_GROUP_IO | 0x25)
#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL (EVENT_TRACE_GROUP_IO | 0x26)
#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN (EVENT_TRACE_GROUP_IO | 0x27)
#define PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL (EVENT_TRACE_GROUP_IO | 0x28)
#define PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN (EVENT_TRACE_GROUP_IO | 0x29)
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_READ (EVENT_TRACE_GROUP_IO | 0x2a) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_WRITE (EVENT_TRACE_GROUP_IO | 0x2b) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_READ_COMPLETE (EVENT_TRACE_GROUP_IO | 0x2c) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_WRITE_COMPLETE (EVENT_TRACE_GROUP_IO | 0x2d) // To be replaced with WMI hooks
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_CACHED_READ_COMPLETE (EVENT_TRACE_GROUP_IO | 0x2e)
#define PERFINFO_LOG_TYPE_WMI_DISKPERF_CACHE_WARM_COMPLETE (EVENT_TRACE_GROUP_IO | 0x2f)
#define PERFINFO_LOG_TYPE_PREFETCH_ACTION (EVENT_TRACE_GROUP_IO | 0x30)
#define PERFINFO_LOG_TYPE_PREFETCH_REQUEST (EVENT_TRACE_GROUP_IO | 0x31)
#define PERFINFO_LOG_TYPE_PREFETCH_READLIST (EVENT_TRACE_GROUP_IO | 0x32)
#define PERFINFO_LOG_TYPE_PREFETCH_READ (EVENT_TRACE_GROUP_IO | 0x33)
#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST (EVENT_TRACE_GROUP_IO | 0x34)
#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN (EVENT_TRACE_GROUP_IO | 0x35)
#define PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION (EVENT_TRACE_GROUP_IO | 0x36)
//
// Event types for Memory subsystem
//
// Private types run from 0x20 to 0x48. 0x27 is not assigned (the list goes
// from INSERTINLIST at 0x26 to INSERTATFRONT at 0x28).
//
#define WMI_LOG_TYPE_PAGE_FAULT_TRANSITION (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_TF)
#define WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_DZF)
#define WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_COW)
#define WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_GPF)
#define WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_HPF)
#define PERFINFO_LOG_TYPE_HARDFAULT (EVENT_TRACE_GROUP_MEMORY | 0x20)
#define PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR (EVENT_TRACE_GROUP_MEMORY | 0x21)
#define PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST (EVENT_TRACE_GROUP_MEMORY | 0x22)
#define PERFINFO_LOG_TYPE_PAGEINMEMORY (EVENT_TRACE_GROUP_MEMORY | 0x23)
#define PERFINFO_LOG_TYPE_INSERTINFREELIST (EVENT_TRACE_GROUP_MEMORY | 0x24)
#define PERFINFO_LOG_TYPE_SECTIONREMOVED (EVENT_TRACE_GROUP_MEMORY | 0x25)
#define PERFINFO_LOG_TYPE_INSERTINLIST (EVENT_TRACE_GROUP_MEMORY | 0x26)
#define PERFINFO_LOG_TYPE_INSERTATFRONT (EVENT_TRACE_GROUP_MEMORY | 0x28)
#define PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY (EVENT_TRACE_GROUP_MEMORY | 0x29)
#define PERFINFO_LOG_TYPE_UNLINKFFREEORZERO (EVENT_TRACE_GROUP_MEMORY | 0x2a)
#define PERFINFO_LOG_TYPE_WORKINGSETMANAGER (EVENT_TRACE_GROUP_MEMORY | 0x2b)
#define PERFINFO_LOG_TYPE_TRIMPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x2c)
#define PERFINFO_LOG_TYPE_MEMORYSNAP (EVENT_TRACE_GROUP_MEMORY | 0x2d)
#define PERFINFO_LOG_TYPE_ZEROSHARECOUNT (EVENT_TRACE_GROUP_MEMORY | 0x2e)
#define PERFINFO_LOG_TYPE_TRANSITIONFAULT (EVENT_TRACE_GROUP_MEMORY | 0x2f)
#define PERFINFO_LOG_TYPE_DEMANDZEROFAULT (EVENT_TRACE_GROUP_MEMORY | 0x30)
#define PERFINFO_LOG_TYPE_ADDVALIDPAGETOWS (EVENT_TRACE_GROUP_MEMORY | 0x31)
#define PERFINFO_LOG_TYPE_OUTWS_REPLACEUSED (EVENT_TRACE_GROUP_MEMORY | 0x32)
#define PERFINFO_LOG_TYPE_OUTWS_REPLACEUNUSED (EVENT_TRACE_GROUP_MEMORY | 0x33)
#define PERFINFO_LOG_TYPE_OUTWS_VOLUNTRIM (EVENT_TRACE_GROUP_MEMORY | 0x34)
#define PERFINFO_LOG_TYPE_OUTWS_FORCETRIM (EVENT_TRACE_GROUP_MEMORY | 0x35)
#define PERFINFO_LOG_TYPE_OUTWS_ADJUSTWS (EVENT_TRACE_GROUP_MEMORY | 0x36)
#define PERFINFO_LOG_TYPE_OUTWS_EMPTYQ (EVENT_TRACE_GROUP_MEMORY | 0x37)
#define PERFINFO_LOG_TYPE_WORKINGSETSNAP (EVENT_TRACE_GROUP_MEMORY | 0x38)
#define PERFINFO_LOG_TYPE_DECREFCNT (EVENT_TRACE_GROUP_MEMORY | 0x39)
#define PERFINFO_LOG_TYPE_DECSHARCNT (EVENT_TRACE_GROUP_MEMORY | 0x3a)
#define PERFINFO_LOG_TYPE_ZEROREFCOUNT (EVENT_TRACE_GROUP_MEMORY | 0x3b)
#define PERFINFO_LOG_TYPE_WSINFOPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x3c)
#define PERFINFO_LOG_TYPE_ADDTOWORKINGSET (EVENT_TRACE_GROUP_MEMORY | 0x3d)
#define PERFINFO_LOG_TYPE_DELETEKERNELSTACK (EVENT_TRACE_GROUP_MEMORY | 0x3e)
#define PERFINFO_LOG_TYPE_PROTOPTEFAULT (EVENT_TRACE_GROUP_MEMORY | 0x3f)
#define PERFINFO_LOG_TYPE_ADDTOWS (EVENT_TRACE_GROUP_MEMORY | 0x40)
#define PERFINFO_LOG_TYPE_OUTWS_HASHFULL (EVENT_TRACE_GROUP_MEMORY | 0x41)
#define PERFINFO_LOG_TYPE_MOD_PAGE_WRITER1 (EVENT_TRACE_GROUP_MEMORY | 0x42)
#define PERFINFO_LOG_TYPE_MOD_PAGE_WRITER2 (EVENT_TRACE_GROUP_MEMORY | 0x43)
#define PERFINFO_LOG_TYPE_MOD_PAGE_WRITER3 (EVENT_TRACE_GROUP_MEMORY | 0x44)
#define PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP (EVENT_TRACE_GROUP_MEMORY | 0x45)
#define PERFINFO_LOG_TYPE_TRIMSESSION (EVENT_TRACE_GROUP_MEMORY | 0x46)
#define PERFINFO_LOG_TYPE_MEMORYSNAPLITE (EVENT_TRACE_GROUP_MEMORY | 0x47)
#define PERFINFO_LOG_TYPE_WS_SESSION (EVENT_TRACE_GROUP_MEMORY | 0x48)
// (EVENT_TRACE_GROUP_POOL
//
//
// Event types for Registry subsystem
//
// Several registry operations have two ids: a WMI_LOG_TYPE_REG_* id built
// from the evntrace.h type and a PERFINFO_LOG_TYPE_REG_* id with a private
// type (0x20-0x2e). The two sets are distinct values, so a consumer that
// monitors registry activity has to match both.
//
#define WMI_LOG_TYPE_REG_CREATE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGCREATE)
#define WMI_LOG_TYPE_REG_OPEN (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGOPEN)
#define WMI_LOG_TYPE_REG_DELETE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGDELETE)
#define WMI_LOG_TYPE_REG_QUERY (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGQUERY)
#define WMI_LOG_TYPE_REG_SET_VALUE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGSETVALUE)
#define WMI_LOG_TYPE_REG_DELETE_VALUE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGDELETEVALUE)
#define WMI_LOG_TYPE_REG_QUERY_VALUE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGQUERYVALUE)
#define WMI_LOG_TYPE_REG_ENUM_KEY (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGENUMERATEKEY)
#define WMI_LOG_TYPE_REG_ENUM_VALUE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGENUMERATEVALUEKEY)
#define WMI_LOG_TYPE_REG_QUERY_MULTIVALUE (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGQUERYMULTIPLEVALUE)
#define WMI_LOG_TYPE_REG_SET_INFO (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGSETINFORMATION)
#define WMI_LOG_TYPE_REG_FLUSH (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGFLUSH)
#define WMI_LOG_TYPE_REG_RUNDOWN (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGKCBDMP)
#define PERFINFO_LOG_TYPE_CMCELLREFERRED (EVENT_TRACE_GROUP_REGISTRY | 0x20)
#define PERFINFO_LOG_TYPE_REG_KCB_KEYNAME (EVENT_TRACE_GROUP_REGISTRY | 0x21)
#define PERFINFO_LOG_TYPE_REG_KCB_CREATE (EVENT_TRACE_GROUP_REGISTRY | 0x22)
#define PERFINFO_LOG_TYPE_REG_PARSEKEY_START (EVENT_TRACE_GROUP_REGISTRY | 0x23)
#define PERFINFO_LOG_TYPE_REG_PARSEKEY_END (EVENT_TRACE_GROUP_REGISTRY | 0x24)
#define PERFINFO_LOG_TYPE_REG_DELETE_KEY (EVENT_TRACE_GROUP_REGISTRY | 0x25)
#define PERFINFO_LOG_TYPE_REG_DELETE_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x26)
#define PERFINFO_LOG_TYPE_REG_ENUM_KEY (EVENT_TRACE_GROUP_REGISTRY | 0x27)
#define PERFINFO_LOG_TYPE_REG_ENUM_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x28)
#define PERFINFO_LOG_TYPE_REG_QUERY_KEY (EVENT_TRACE_GROUP_REGISTRY | 0x29)
#define PERFINFO_LOG_TYPE_REG_QUERY_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x2a)
#define PERFINFO_LOG_TYPE_REG_QUERY_MULTIVALUE (EVENT_TRACE_GROUP_REGISTRY | 0x2b)
#define PERFINFO_LOG_TYPE_REG_SET_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x2c)
#define PERFINFO_LOG_TYPE_REG_NOTIFY_POST (EVENT_TRACE_GROUP_REGISTRY | 0x2d)
#define PERFINFO_LOG_TYPE_REG_NOTIFY_KCB (EVENT_TRACE_GROUP_REGISTRY | 0x2e)
//
// Event types for PERF tracing specific subsystem
//
// NOTE(review): the numbering is not contiguous. It goes from 0x39
// (BRANCH_TRACE) to 0x40 (BRANCH_TRACE_DEBUG), leaving 0x3a-0x3f unused, and
// 0x42 is also unassigned. This looks like a decimal-style step in a hex
// sequence; leave the values as they are, since existing traces and the
// tables named above presumably depend on them.
//
#define PERFINFO_LOG_TYPE_PERFFREQUENCY (EVENT_TRACE_GROUP_PERFINFO | 0x20)
#define PERFINFO_LOG_TYPE_PERFCOUNTERSTART (EVENT_TRACE_GROUP_PERFINFO | 0x21)
#define PERFINFO_LOG_TYPE_MARK (EVENT_TRACE_GROUP_PERFINFO | 0x22)
#define PERFINFO_LOG_TYPE_VERSION (EVENT_TRACE_GROUP_PERFINFO | 0x23)
#define PERFINFO_LOG_TYPE_ASYNCMARK (EVENT_TRACE_GROUP_PERFINFO | 0x24)
#define PERFINFO_LOG_TYPE_FILENAMEBUFFER (EVENT_TRACE_GROUP_PERFINFO | 0x25) // to be cleaned up
#define PERFINFO_LOG_TYPE_IMAGENAME (EVENT_TRACE_GROUP_PERFINFO | 0x26)
#define PERFINFO_LOG_TYPE_RESERVED1 (EVENT_TRACE_GROUP_PERFINFO | 0x27)
#define PERFINFO_LOG_TYPE_RESERVED2 (EVENT_TRACE_GROUP_PERFINFO | 0x28)
#define PERFINFO_LOG_TYPE_RESERVED3 (EVENT_TRACE_GROUP_PERFINFO | 0x29)
#define PERFINFO_LOG_TYPE_WMI_TRACE_IO (EVENT_TRACE_GROUP_PERFINFO | 0x2a)
#define PERFINFO_LOG_TYPE_WMI_TRACE_FILENAME_EVENT (EVENT_TRACE_GROUP_PERFINFO | 0x2b)
#define PERFINFO_LOG_TYPE_GLOBAL_MASK_CHANGE (EVENT_TRACE_GROUP_PERFINFO | 0x2c)
#define PERFINFO_LOG_TYPE_TRACEINFO (EVENT_TRACE_GROUP_PERFINFO | 0x2d) // go away
#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE (EVENT_TRACE_GROUP_PERFINFO | 0x2e)
#define PERFINFO_LOG_TYPE_TIMERDPC_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x2f)
#define PERFINFO_LOG_TYPE_TIMERDPC_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x30)
#define PERFINFO_LOG_TYPE_DPC_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x31)
#define PERFINFO_LOG_TYPE_DPC_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x32)
#define PERFINFO_LOG_TYPE_SYSCALL_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x33)
#define PERFINFO_LOG_TYPE_SYSCALL_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x34)
#define PERFINFO_LOG_TYPE_BACKTRACE (EVENT_TRACE_GROUP_PERFINFO | 0x35)
#define PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK (EVENT_TRACE_GROUP_PERFINFO | 0x36)
#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE (EVENT_TRACE_GROUP_PERFINFO | 0x37)
#define PERFINFO_LOG_TYPE_EXCEPTION_STACK (EVENT_TRACE_GROUP_PERFINFO | 0x38)
#define PERFINFO_LOG_TYPE_BRANCH_TRACE (EVENT_TRACE_GROUP_PERFINFO | 0x39)
#define PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x40)
#define PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x41)
#define PERFINFO_LOG_TYPE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x43)
#define PERFINFO_LOG_TYPE_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x44)
#define PERFINFO_LOG_TYPE_TIMERDPC (EVENT_TRACE_GROUP_PERFINFO | 0x45)
//
// Event types for Pool subsystem
//
// Private types 0x20-0x26 in the pool group (0x0E00).
//
#define PERFINFO_LOG_TYPE_ALLOCATEPOOL (EVENT_TRACE_GROUP_POOL | 0x20)
#define PERFINFO_LOG_TYPE_FREEPOOL (EVENT_TRACE_GROUP_POOL | 0x21)
#define PERFINFO_LOG_TYPE_POOLSTAT (EVENT_TRACE_GROUP_POOL | 0x22)
#define PERFINFO_LOG_TYPE_ADDPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x23)
#define PERFINFO_LOG_TYPE_FREEPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x24)
#define PERFINFO_LOG_TYPE_BIGPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x25)
#define PERFINFO_LOG_TYPE_POOLSNAP (EVENT_TRACE_GROUP_POOL | 0x26)
//
// Event types for Heap subsystem
//
// Private types 0x20-0x2e in the heap group (0x1000), contiguous.
//
#define PERFINFO_LOG_TYPE_HEAP_CREATE (EVENT_TRACE_GROUP_HEAP | 0x20)
#define PERFINFO_LOG_TYPE_HEAP_ALLOC (EVENT_TRACE_GROUP_HEAP | 0x21)
#define PERFINFO_LOG_TYPE_HEAP_REALLOC (EVENT_TRACE_GROUP_HEAP | 0x22)
#define PERFINFO_LOG_TYPE_HEAP_DESTROY (EVENT_TRACE_GROUP_HEAP | 0x23)
#define PERFINFO_LOG_TYPE_HEAP_FREE (EVENT_TRACE_GROUP_HEAP | 0x24)
#define PERFINFO_LOG_TYPE_HEAP_EXTEND (EVENT_TRACE_GROUP_HEAP | 0x25)
#define PERFINFO_LOG_TYPE_HEAP_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x26)
#define PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x27)
#define PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x28)
#define PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x29)
#define PERFINFO_LOG_TYPE_HEAP_CONTRACT (EVENT_TRACE_GROUP_HEAP | 0x2a)
#define PERFINFO_LOG_TYPE_HEAP_LOCK (EVENT_TRACE_GROUP_HEAP | 0x2b)
#define PERFINFO_LOG_TYPE_HEAP_UNLOCK (EVENT_TRACE_GROUP_HEAP | 0x2c)
#define PERFINFO_LOG_TYPE_HEAP_VALIDATE (EVENT_TRACE_GROUP_HEAP | 0x2d)
#define PERFINFO_LOG_TYPE_HEAP_WALK (EVENT_TRACE_GROUP_HEAP | 0x2e)
//
// Event types for Critical Section subsystem.
// Each value is EVENT_TRACE_GROUP_CRITSEC OR'ed with a per-event code in the
// low byte (0x20 through 0x22).
//
#define PERFINFO_LOG_TYPE_CRITSEC_ENTER (EVENT_TRACE_GROUP_CRITSEC | 0x20)
#define PERFINFO_LOG_TYPE_CRITSEC_LEAVE (EVENT_TRACE_GROUP_CRITSEC | 0x21)
#define PERFINFO_LOG_TYPE_CRITSEC_COLLISION (EVENT_TRACE_GROUP_CRITSEC | 0x22)
//
// Event types for Object subsystem.
// Each value is EVENT_TRACE_GROUP_OBJECT OR'ed with a per-event code in the
// low byte (0x20 through 0x25).
//
#define PERFINFO_LOG_TYPE_DECLARE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x20)
#define PERFINFO_LOG_TYPE_WAIT_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x21)
#define PERFINFO_LOG_TYPE_UNWAIT_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x22)
#define PERFINFO_LOG_TYPE_SIGNAL_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x23)
#define PERFINFO_LOG_TYPE_CLEAR_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x24)
#define PERFINFO_LOG_TYPE_UNWAIT_SIGNALED_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x25)
//
// Event types for Power subsystem.
// Each value is EVENT_TRACE_GROUP_POWER OR'ed with a per-event code in the
// low byte. The codes are NOT contiguous: they run 0x20 through 0x29 and then
// jump to 0x30 and 0x31, so 0x2a-0x2f are unassigned here. A decoder should
// match exact values rather than range-check or index a table by code.
//
#define PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO (EVENT_TRACE_GROUP_POWER | 0x20)
#define PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x21)
#define PERFINFO_LOG_TYPE_SET_POWER_ACTION (EVENT_TRACE_GROUP_POWER | 0x22)
#define PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET (EVENT_TRACE_GROUP_POWER | 0x23)
#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE (EVENT_TRACE_GROUP_POWER | 0x24)
#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET (EVENT_TRACE_GROUP_POWER | 0x25)
#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE (EVENT_TRACE_GROUP_POWER | 0x26)
#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE (EVENT_TRACE_GROUP_POWER | 0x27)
#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT (EVENT_TRACE_GROUP_POWER | 0x28)
#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET (EVENT_TRACE_GROUP_POWER | 0x29)
#define PERFINFO_LOG_TYPE_PO_PRESLEEP (EVENT_TRACE_GROUP_POWER | 0x30)
#define PERFINFO_LOG_TYPE_PO_POSTSLEEP (EVENT_TRACE_GROUP_POWER | 0x31)
//
// Event types for MODBound subsystem.
// Each value is EVENT_TRACE_GROUP_MODBOUND OR'ed with a per-event code in the
// low byte (0x20 through 0x27).
//
#define PERFINFO_LOG_TYPE_MODULEBOUND_ENT (EVENT_TRACE_GROUP_MODBOUND | 0x20)
#define PERFINFO_LOG_TYPE_MODULEBOUND_JUMP (EVENT_TRACE_GROUP_MODBOUND | 0x21)
#define PERFINFO_LOG_TYPE_MODULEBOUND_RET (EVENT_TRACE_GROUP_MODBOUND | 0x22)
#define PERFINFO_LOG_TYPE_MODULEBOUND_CALL (EVENT_TRACE_GROUP_MODBOUND | 0x23)
#define PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET (EVENT_TRACE_GROUP_MODBOUND | 0x24)
#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2E (EVENT_TRACE_GROUP_MODBOUND | 0x25)
#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2B (EVENT_TRACE_GROUP_MODBOUND | 0x26)
#define PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE (EVENT_TRACE_GROUP_MODBOUND | 0x27)
//
// Event types for GDI subsystem.
// Each value is EVENT_TRACE_GROUP_GDI OR'ed with a per-event code in the
// low byte (0x20 through 0x23).
//
#define PERFINFO_LOG_TYPE_FONT_REALIZE (EVENT_TRACE_GROUP_GDI | 0x20)
#define PERFINFO_LOG_TYPE_FONT_DELETE (EVENT_TRACE_GROUP_GDI | 0x21)
#define PERFINFO_LOG_TYPE_FONT_ACTIVATE (EVENT_TRACE_GROUP_GDI | 0x22)
#define PERFINFO_LOG_TYPE_FONT_FLUSH (EVENT_TRACE_GROUP_GDI | 0x23)
//
// Event types in EVENT_TRACE_GROUP_TBD: it is still to be decided whether
// these are needed.
// Each value is the group id OR'ed with a per-event code in the low byte.
// The codes start at 0x00 (unlike the groups above, which start at 0x20) and
// are NOT contiguous: 0x15, 0x1b, 0x1c, 0x23, 0x29-0x2b, 0x2d and 0x2e are
// unassigned in this run. A decoder should match exact values and treat any
// other code as unrecognized rather than index a table by code.
// Two names (PERFINFO_LOG_TIMED_ENTER_ROUTINE / _EXIT_ROUTINE) omit the
// "_TYPE_" infix used by the others.
//
#define PERFINFO_LOG_TYPE_DISPATCHMSG (EVENT_TRACE_GROUP_TBD | 0x00)
#define PERFINFO_LOG_TYPE_GLYPHCACHE (EVENT_TRACE_GROUP_TBD | 0x01)
#define PERFINFO_LOG_TYPE_GLYPHS (EVENT_TRACE_GROUP_TBD | 0x02)
#define PERFINFO_LOG_TYPE_READWRITE (EVENT_TRACE_GROUP_TBD | 0x03)
#define PERFINFO_LOG_TYPE_EXPLICIT_LOAD (EVENT_TRACE_GROUP_TBD | 0x04)
#define PERFINFO_LOG_TYPE_IMPLICIT_LOAD (EVENT_TRACE_GROUP_TBD | 0x05)
#define PERFINFO_LOG_TYPE_CHECKSUM (EVENT_TRACE_GROUP_TBD | 0x06)
#define PERFINFO_LOG_TYPE_DLL_INIT (EVENT_TRACE_GROUP_TBD | 0x07)
#define PERFINFO_LOG_TYPE_SERVICE_DD_START_INIT (EVENT_TRACE_GROUP_TBD | 0x08)
#define PERFINFO_LOG_TYPE_SERVICE_DD_DONE_INIT (EVENT_TRACE_GROUP_TBD | 0x09)
#define PERFINFO_LOG_TYPE_SERVICE_START_INIT (EVENT_TRACE_GROUP_TBD | 0x0a)
#define PERFINFO_LOG_TYPE_SERVICE_DONE_INIT (EVENT_TRACE_GROUP_TBD | 0x0b)
#define PERFINFO_LOG_TYPE_SERVICE_NAME (EVENT_TRACE_GROUP_TBD | 0x0c)
#define PERFINFO_LOG_TYPE_WSINFOSESSION (EVENT_TRACE_GROUP_TBD | 0x0d)
#define PERFINFO_LOG_TIMED_ENTER_ROUTINE (EVENT_TRACE_GROUP_TBD | 0x0e)
#define PERFINFO_LOG_TIMED_EXIT_ROUTINE (EVENT_TRACE_GROUP_TBD | 0x0f)
#define PERFINFO_LOG_TYPE_CTIME_STATS (EVENT_TRACE_GROUP_TBD | 0x10)
#define PERFINFO_LOG_TYPE_MARKED_DIRTY (EVENT_TRACE_GROUP_TBD | 0x11)
#define PERFINFO_LOG_TYPE_MARKED_CELL_DIRTY (EVENT_TRACE_GROUP_TBD | 0x12)
#define PERFINFO_LOG_TYPE_HIVE_WRITE_DIRTY (EVENT_TRACE_GROUP_TBD | 0x13)
#define PERFINFO_LOG_TYPE_DUMP_HIVECELL (EVENT_TRACE_GROUP_TBD | 0x14)
#define PERFINFO_LOG_TYPE_HIVE_STAT (EVENT_TRACE_GROUP_TBD | 0x16)
#define PERFINFO_LOG_TYPE_CLOCKREF (EVENT_TRACE_GROUP_TBD | 0x17)
#define PERFINFO_LOG_TYPE_COWHEADER (EVENT_TRACE_GROUP_TBD | 0x18)
#define PERFINFO_LOG_TYPE_COWBLOB (EVENT_TRACE_GROUP_TBD | 0x19)
#define PERFINFO_LOG_TYPE_COWBLOB_CLOSED (EVENT_TRACE_GROUP_TBD | 0x1a)
#define PERFINFO_LOG_TYPE_WMIPERFFREQUENCY (EVENT_TRACE_GROUP_TBD | 0x1d)
#define PERFINFO_LOG_TYPE_CDROM_READ (EVENT_TRACE_GROUP_TBD | 0x1e)
#define PERFINFO_LOG_TYPE_CDROM_READ_COMPLETE (EVENT_TRACE_GROUP_TBD | 0x1f)
#define PERFINFO_LOG_TYPE_KE_SET_EVENT (EVENT_TRACE_GROUP_TBD | 0x20)
#define PERFINFO_LOG_TYPE_REG_PARSEKEY (EVENT_TRACE_GROUP_TBD | 0x21)
#define PERFINFO_LOG_TYPE_REG_PARSEKEYEND (EVENT_TRACE_GROUP_TBD | 0x22)
#define PERFINFO_LOG_TYPE_ATTACH_PROCESS (EVENT_TRACE_GROUP_TBD | 0x24)
#define PERFINFO_LOG_TYPE_DETACH_PROCESS (EVENT_TRACE_GROUP_TBD | 0x25)
#define PERFINFO_LOG_TYPE_DATA_ACCESS (EVENT_TRACE_GROUP_TBD | 0x26)
#define PERFINFO_LOG_TYPE_KDHELP (EVENT_TRACE_GROUP_TBD | 0x27)
#define PERFINFO_LOG_TYPE_BOOT_OPTIONS (EVENT_TRACE_GROUP_TBD | 0x28)
#define PERFINFO_LOG_TYPE_FAILED_STKDUMP (EVENT_TRACE_GROUP_TBD | 0x2c)
#define PERFINFO_LOG_TYPE_SYSTEM_TIME (EVENT_TRACE_GROUP_TBD | 0x2f)
#define PERFINFO_LOG_TYPE_READYQUEUE (EVENT_TRACE_GROUP_TBD | 0x30)
//
// More EVENT_TRACE_GROUP_TBD event types, codes 0x31 through 0x51 without
// gaps. The path comments name the source files that contain the hooks.
// NOTE(review): the "in <path>" comments appear to trail the defines they
// describe (the CDVD / CSPLITTER names match the file named on the following
// line) - confirm before relying on them.
//
// KMIXER hooks are in audio\filters\kmixer\pins.c
//
#define PERFINFO_LOG_TYPE_KMIXER_DRIVER_ENTRY (EVENT_TRACE_GROUP_TBD | 0x31)
#define PERFINFO_LOG_TYPE_KMIXER_DSOUND_STARVATION (EVENT_TRACE_GROUP_TBD | 0x32)
#define PERFINFO_LOG_TYPE_KMIXER_DPC_STARVATION (EVENT_TRACE_GROUP_TBD | 0x33)
#define PERFINFO_LOG_TYPE_KMIXER_WAVE_TOP_STARVATION (EVENT_TRACE_GROUP_TBD | 0x34)
#define PERFINFO_LOG_TYPE_OVERLAY_QUALITY (EVENT_TRACE_GROUP_TBD | 0x35)
// in amovie\filters\mixer\ovmixer\ominpin.cpp
#define PERFINFO_LOG_TYPE_DVD_RENDER_SAMPLE (EVENT_TRACE_GROUP_TBD | 0x36)
#define PERFINFO_LOG_TYPE_CDVD_SET_DISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x37)
// in amovie\filters\dvdnav\dvdnav\dvd.cpp
#define PERFINFO_LOG_TYPE_CSPLITTER_SET_DISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x38)
// in amovie\filters\dvdnav\base\splitter.cpp
// The following hooks are in amovie\sdk\classes\base
#define PERFINFO_LOG_TYPE_DSHOW_CTOR (EVENT_TRACE_GROUP_TBD | 0x39)
#define PERFINFO_LOG_TYPE_DSHOW_DTOR (EVENT_TRACE_GROUP_TBD | 0x3a)
#define PERFINFO_LOG_TYPE_DSHOW_DELIVER (EVENT_TRACE_GROUP_TBD | 0x3b)
#define PERFINFO_LOG_TYPE_DSHOW_RECEIVE (EVENT_TRACE_GROUP_TBD | 0x3c)
#define PERFINFO_LOG_TYPE_DSHOW_RUN (EVENT_TRACE_GROUP_TBD | 0x3d)
#define PERFINFO_LOG_TYPE_DSHOW_PAUSE (EVENT_TRACE_GROUP_TBD | 0x3e)
#define PERFINFO_LOG_TYPE_DSHOW_STOP (EVENT_TRACE_GROUP_TBD | 0x3f)
#define PERFINFO_LOG_TYPE_DSHOW_JOINGRAPH (EVENT_TRACE_GROUP_TBD | 0x40)
#define PERFINFO_LOG_TYPE_DSHOW_GETBUFFER (EVENT_TRACE_GROUP_TBD | 0x41)
#define PERFINFO_LOG_TYPE_DSHOW_RELBUFFER (EVENT_TRACE_GROUP_TBD | 0x42)
#define PERFINFO_LOG_TYPE_DSHOW_CONNECT (EVENT_TRACE_GROUP_TBD | 0x43)
#define PERFINFO_LOG_TYPE_DSHOW_RXCONNECT (EVENT_TRACE_GROUP_TBD | 0x44)
#define PERFINFO_LOG_TYPE_DSHOW_DISCONNECT (EVENT_TRACE_GROUP_TBD | 0x45)
#define PERFINFO_LOG_TYPE_DSHOW_GETTIME (EVENT_TRACE_GROUP_TBD | 0x46)
#define PERFINFO_LOG_TYPE_DSHOW_AUDIOREND (EVENT_TRACE_GROUP_TBD | 0x47)
#define PERFINFO_LOG_TYPE_DSHOW_VIDEOREND (EVENT_TRACE_GROUP_TBD | 0x48)
#define PERFINFO_LOG_TYPE_DSHOW_FRAMEDROP (EVENT_TRACE_GROUP_TBD | 0x49)
#define PERFINFO_LOG_TYPE_DSHOW_AUDIOBREAK (EVENT_TRACE_GROUP_TBD | 0x4a)
#define PERFINFO_LOG_TYPE_DSHOW_SAMPLE_DATADISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x4b)
#define PERFINFO_LOG_TYPE_DSHOW_MEDIASAMPLE_SET_DISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x4c)
#define PERFINFO_LOG_TYPE_DSHOW_TRANSFORM_INITSAMPLE_SET_DISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x4d)
#define PERFINFO_LOG_TYPE_DSHOW_TRANSFORM_COPY_SET_DISCONTINUITY (EVENT_TRACE_GROUP_TBD | 0x4e)
#define PERFINFO_LOG_TYPE_DSHOW_SYNCOBJ_ADVICE_FRAME_SKIP (EVENT_TRACE_GROUP_TBD | 0x4f)
#define PERFINFO_LOG_TYPE_WMI_REFLECT_DISK_IO_READ (EVENT_TRACE_GROUP_TBD | 0x50)
#define PERFINFO_LOG_TYPE_WMI_REFLECT_DISK_IO_WRITE (EVENT_TRACE_GROUP_TBD | 0x51)
// Disabled: everything up to the matching #endif is compiled out, so none of
// these four names is defined for users of this header.
#if 0
//
// 2000-2199 reserved for SQL Server
//
#define PERFINFO_LOG_TYPE_SQLSERVER_FIRST (2000)
#define PERFINFO_LOG_TYPE_SQLSERVER_LAST (PERFINFO_LOG_TYPE_SQLSERVER_FIRST + 199)
//
// 2200-2299 reserved for reflection of WMI events
//
// NOTE(review): FIRST + 199 evaluates to 2399, which does not match the
// 2200-2299 range stated above (that range would be FIRST + 99). Decide which
// is intended before re-enabling this block.
#define PERFINFO_LOG_TYPE_WMI_REFLECT_FIRST (2200)
#define PERFINFO_LOG_TYPE_WMI_REFLECT_LAST (PERFINFO_LOG_TYPE_WMI_REFLECT_FIRST + 199)
#endif //0
//
// Data structures used for WMI kernel events
//
// **NB** the hardware events are described in software tracing; if they
// change in layout please update sdktools\trace\tracefmt\default.tmf
//
// The two limits below are used in this header as WCHAR array bounds, so they
// count elements (WCHARs), not bytes.
#define MAX_DEVICE_ID_LENGTH 256
#define CONFIG_MAX_DOMAIN_NAME_LEN 132
//
// Configuration record describing the processors, memory and machine name.
// ComputerName and DomainName are fixed-size WCHAR buffers.
// NOTE(review): nothing here shows whether writers guarantee NUL termination;
// a writer should bound its copy to the array size and terminate, and a
// reader should bound its scan to the array size.
//
typedef struct _CPU_CONFIG_RECORD {
ULONG ProcessorSpeed; // units not stated here
ULONG NumberOfProcessors;
ULONG MemorySize; // in MBytes
ULONG PageSize; // in Bytes
ULONG AllocationGranularity; // in Bytes
WCHAR ComputerName[MAX_DEVICE_ID_LENGTH];
WCHAR DomainName[CONFIG_MAX_DOMAIN_NAME_LEN];
} CPU_CONFIG_RECORD, *PCPU_CONFIG_RECORD;
// Flag bit for an enabled write cache; where it is stored is not shown in
// this part of the file (PHYSICAL_DISK_RECORD uses a BOOLEAN instead).
#define CONFIG_WRITE_CACHE_ENABLED 0x00000001
// WCHAR element counts for LOGICAL_DISK_EXTENTS.FileSystemType and
// PHYSICAL_DISK_RECORD.BootDriveLetter respectively.
#define CONFIG_FS_NAME_LEN 16
#define CONFIG_BOOT_DRIVE_LEN 3
//
// Configuration record describing one physical disk: geometry, SCSI address,
// manufacturer string, partition count, write-cache state and boot drive.
// NOTE(review): under natural alignment (no packing directive is visible in
// this part of the file) there is an implicit padding byte between
// WriteCacheEnabled and BootDriveLetter, plus tail padding. Zero the record
// before filling it so stale memory is not written to the trace.
//
typedef struct _PHYSICAL_DISK_RECORD {
ULONG DiskNumber;
ULONG BytesPerSector;
ULONG SectorsPerTrack;
ULONG TracksPerCylinder;
ULONGLONG Cylinders;
ULONG SCSIPortNumber;
ULONG SCSIPathId;
ULONG SCSITargetId;
ULONG SCSILun;
WCHAR Manufacturer[MAX_DEVICE_ID_LENGTH]; // fixed-size buffer; bound copies to the array size
ULONG PartitionCount;
BOOLEAN WriteCacheEnabled;
WCHAR BootDriveLetter[CONFIG_BOOT_DRIVE_LEN];
} PHYSICAL_DISK_RECORD, *PPHYSICAL_DISK_RECORD;
//
// Types of logical drive (single-bit values; presumably stored in
// LOGICAL_DISK_EXTENTS.DriveType - confirm against the writer).
//
#define CONFIG_DRIVE_PARTITION 0x00000001
#define CONFIG_DRIVE_VOLUME 0x00000002
#define CONFIG_DRIVE_EXTENT 0x00000004
// WCHAR element count of LOGICAL_DISK_EXTENTS.DriveLetterString.
#define CONFIG_DRIVE_LETTER_LEN 4
//
// Configuration record describing one logical drive and where it resides.
// Size carries the structure's size in bytes and VolumeExt is an offset to a
// VOLUME_DISK_EXTENTS structure, so the record can be followed by more data.
// NOTE(review): the base that VolumeExt is relative to is not stated here.
// A consumer should check that VolumeExt lies inside the record (against Size
// and the enclosing event length) before dereferencing it.
//
typedef struct _LOGICAL_DISK_EXTENTS {
ULONGLONG StartingOffset;
ULONGLONG PartitionSize;
ULONG DiskNumber; // The physical disk number where the logical drive resides
ULONG Size; // The size in bytes of the structure.
ULONG DriveType; // Logical drive type partition/volume/extend-partition
WCHAR DriveLetterString[CONFIG_DRIVE_LETTER_LEN];
ULONG Pad; // explicit padding field
ULONG PartitionNumber; // The partition number where the logical drive resides
ULONG SectorsPerCluster;
ULONG BytesPerSector;
LONGLONG NumberOfFreeClusters;
LONGLONG TotalNumberOfClusters;
WCHAR FileSystemType[CONFIG_FS_NAME_LEN];
ULONG VolumeExt; // Offset to VOLUME_DISK_EXTENTS structure
} LOGICAL_DISK_EXTENTS, *PLOGICAL_DISK_EXTENTS;
// Array bounds used by NIC_RECORD: number of DNS server slots, and WCHAR
// element count of the physical-address buffer.
#define CONFIG_MAX_DNS_SERVER 4
#define CONFIG_MAX_ADAPTER_ADDRESS_LENGTH 8
//
// Note: Data is an array of structures of type IP_ADDRESS_STRING defined in iptypes.h
//
//
// Configuration record describing one network adapter. The address fields are
// not addresses themselves: each holds an offset to an IP_ADDRESS_STRING, and
// Data is the offset to the array of those structures, whose size is Size.
// NOTE(review): the offsets are signed LONGs and their base is not stated
// here; whether a negative value is a "not present" marker is not shown.
// Before copying sizeof(IP_ADDRESS_STRING) bytes, a consumer should check that
// the offset is non-negative and that offset + sizeof(IP_ADDRESS_STRING) stays
// within Size, and should check PhysicalAddrLen against
// CONFIG_MAX_ADAPTER_ADDRESS_LENGTH before reading PhysicalAddr.
//
typedef struct _NIC_RECORD {
WCHAR NICName[MAX_DEVICE_ID_LENGTH];
ULONG Index;
ULONG PhysicalAddrLen;
WCHAR PhysicalAddr[CONFIG_MAX_ADAPTER_ADDRESS_LENGTH];
ULONG Size; // Size of the Data
LONG IpAddress; // IP Address offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG SubnetMask; // subnet mask offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG DhcpServer; // dhcp server offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG Gateway; // gateway offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG PrimaryWinsServer; // primary wins server offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG SecondaryWinsServer;// secondary wins server offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
LONG DnsServer[CONFIG_MAX_DNS_SERVER]; // dns server offset. Copy bytes = sizeof(IP_ADDRESS_STRING)
ULONG Data; // Offset to an array of IP_ADDRESS_STRING
} NIC_RECORD, *PNIC_RECORD;
//
// Configuration record describing one video adapter: memory, display mode and
// five identification strings, each a fixed buffer of MAX_DEVICE_ID_LENGTH
// WCHARs.
// NOTE(review): NUL termination of the strings is not guaranteed by anything
// visible here; bound copies and scans to the array size.
//
typedef struct _VIDEO_RECORD {
ULONG MemorySize; // units not stated here
ULONG XResolution;
ULONG YResolution;
ULONG BitsPerPixel;
ULONG VRefresh;
WCHAR ChipType[MAX_DEVICE_ID_LENGTH];
WCHAR DACType[MAX_DEVICE_ID_LENGTH];
WCHAR AdapterString[MAX_DEVICE_ID_LENGTH];
WCHAR BiosString[MAX_DEVICE_ID_LENGTH];
WCHAR DeviceId[MAX_DEVICE_ID_LENGTH];
ULONG StateFlags;
} VIDEO_RECORD, *PVIDEO_RECORD;
// WCHAR element counts for the name buffers in WMI_SERVICE_INFO.
#define CONFIG_MAX_NAME_LENGTH 34
#define CONFIG_MAX_DISPLAY_NAME 256
//
// Configuration record describing one service: its name, display name, the
// name of its process and that process's id.
// NOTE(review): ServiceName and ProcessName hold at most
// CONFIG_MAX_NAME_LENGTH (34) WCHARs; a writer has to truncate longer names
// deliberately and keep the buffer terminated rather than copy unbounded.
//
typedef struct _WMI_SERVICE_INFO {
WCHAR ServiceName[CONFIG_MAX_NAME_LENGTH];
WCHAR DisplayName[CONFIG_MAX_DISPLAY_NAME];
WCHAR ProcessName[CONFIG_MAX_NAME_LENGTH];
ULONG ProcessId;
} WMI_SERVICE_INFO, *PWMI_SERVICE_INFO;
//
// Stores the ACPI Power Information: one BOOLEAN per system sleep state
// S1-S5, followed by three explicit pad bytes (eight one-byte fields total).
//
typedef struct _WMI_POWER_RECORD {
BOOLEAN SystemS1;
BOOLEAN SystemS2;
BOOLEAN SystemS3;
BOOLEAN SystemS4; // hibernate
BOOLEAN SystemS5; // off
CHAR Pad1; // explicit padding
CHAR Pad2; // explicit padding
CHAR Pad3; // explicit padding
} WMI_POWER_RECORD, *PWMI_POWER_RECORD;
//
// Fixed part of a process event. Variable-length data follows it: the Sid
// field marks where the SID begins, and the file name comes after the SID.
// NOTE(review): a decoder has to determine the SID's actual length and check
// it against the event size before locating the file name; neither length is
// carried in a field of this structure.
// PageDirectoryBase is pointer-sized (ULONG_PTR), so the layout differs
// between 32-bit and 64-bit builds.
//
typedef struct _WMI_PROCESS_INFORMATION {
ULONG_PTR PageDirectoryBase;
ULONG ProcessId;
ULONG ParentId;
ULONG SessionId;
NTSTATUS ExitStatus;
ULONG Sid;
// FileName is appended at the end of the structure.
// Since Sid is a variable-length field,
// FileName is not defined in the structure.
} WMI_PROCESS_INFORMATION, *PWMI_PROCESS_INFORMATION;
//
// Minimal thread event payload: the owning process id and the thread id.
//
typedef struct _WMI_THREAD_INFORMATION {
ULONG ProcessId;
ULONG ThreadId;
} WMI_THREAD_INFORMATION, *PWMI_THREAD_INFORMATION;
//
// Extended thread event payload: process and thread ids plus stack bounds and
// start addresses, recorded as raw pointer values.
// NOTE(review): these values expose address-space layout (presumably
// including kernel stack addresses - confirm), so trace logs containing this
// record should be access-controlled like other sensitive diagnostics.
// The PVOID fields are pointer-sized, so the layout differs between 32-bit
// and 64-bit builds; the trailing CHAR is followed by implicit tail padding
// under natural alignment.
//
typedef struct _WMI_EXTENDED_THREAD_INFORMATION {
ULONG ProcessId;
ULONG ThreadId;
PVOID StackBase;
PVOID StackLimit;
PVOID UserStackBase;
PVOID UserStackLimit;
PVOID StartAddr;
PVOID Win32StartAddr;
CHAR WaitMode;
} WMI_EXTENDED_THREAD_INFORMATION, *PWMI_EXTENDED_THREAD_INFORMATION;
//
// Image-load event payload: base address and size of the image, the process
// id, and the image file name.
// FileName is declared with one element; presumably it is the first element
// of a variable-length trailing string (confirm against the writer).
// NOTE(review): no length field is present, so a decoder should bound the
// name by the enclosing event size and not rely on a terminator being there.
// ImageBase and ImageSize are pointer-sized, so the layout differs between
// 32-bit and 64-bit builds.
//
typedef struct _WMI_IMAGELOAD_INFORMATION {
PVOID ImageBase;
SIZE_T ImageSize;
ULONG ProcessId;
WCHAR FileName[1];
} WMI_IMAGELOAD_INFORMATION, *PWMI_IMAGELOAD_INFORMATION;
//
// Disk read/write event payload: the disk, IRP flags, transfer size and byte
// offset, the file object pointer, and two response-time values.
// The units of ResponseTime and HighResResponseTime are not stated here.
// FileObject is a raw pointer value recorded in the event.
//
typedef struct _WMI_DISKIO_READWRITE {
ULONG DiskNumber;
ULONG IrpFlags;
ULONG Size;
ULONG ResponseTime;
ULONGLONG ByteOffset;
PVOID FileObject;
ULONGLONG HighResResponseTime;
} WMI_DISKIO_READWRITE, *PWMI_DISKIO_READWRITE;
//
// Registry event payload: status, Kcb pointer, elapsed time, an Index or
// InfoClass value (sharing storage through the anonymous union), and a name.
// Name is declared with one element; presumably it is the first element of a
// variable-length trailing string (confirm against the writer).
// NOTE(review): no length field is present, so a decoder should bound the
// name by the enclosing event size and not rely on a terminator being there.
// Which union member is valid for a given event is not shown here.
//
typedef struct _WMI_REGISTRY {
ULONG_PTR Status;
PVOID Kcb;
LONGLONG ElapsedTime; // units not stated here
union{
ULONG Index;
ULONG InfoClass;
};
WCHAR Name[1];
} WMI_REGISTRY, *PWMI_REGISTRY;
//
// File I/O event payload: a file object pointer and the file's name.
// FileName is declared with one element; presumably it is the first element
// of a variable-length trailing string (confirm against the writer).
// NOTE(review): bound the name by the enclosing event size when decoding.
//
typedef struct _WMI_FILE_IO {
PVOID FileObject;
WCHAR FileName[1];
} WMI_FILE_IO, *PWMI_FILE_IO;
//
// TCP/IP event payload: a context value, a size, and the source and
// destination address/port pairs.
// The addresses are 32-bit values (presumably IPv4 - confirm); the byte order
// of addresses and ports is not stated here.
//
typedef struct _WMI_TCPIP {
ULONG Context;
ULONG Size;
ULONG DestAddr;
ULONG SrcAddr;
USHORT DestPort;
USHORT SrcPort;
} WMI_TCPIP, *PWMI_TCPIP;
//
// UDP event payload: a process id, a size, and the source and destination
// address/port pairs. Unlike WMI_TCPIP, Size is a USHORT here.
// NOTE(review): under natural alignment (no packing directive is visible in
// this part of the file) two implicit padding bytes sit between Size and
// DestAddr. Zero the record before filling it so stale memory is not written
// to the trace, and do not decode it with the WMI_TCPIP layout.
// The byte order of addresses and ports is not stated here.
//
typedef struct _WMI_UDP {
ULONG PID;
USHORT Size;
ULONG DestAddr;
ULONG SrcAddr;
USHORT DestPort;
USHORT SrcPort;
}WMI_UDP, *PWMI_UDP;
//
// Page-fault event payload: the faulting virtual address and the program
// counter, both recorded as raw pointer values (pointer-sized, so the layout
// differs between 32-bit and 64-bit builds).
//
typedef struct _WMI_PAGE_FAULT {
PVOID VirtualAddress;
PVOID ProgramCounter;
} WMI_PAGE_FAULT, *PWMI_PAGE_FAULT;
//
// Context-switch event payload: ids of the incoming and outgoing threads
// followed by eight one-byte fields describing their priority, quantum and
// the outgoing thread's wait reason, wait mode, state and ideal processor.
// Two ULONGs plus eight bytes leave no implicit padding in this layout.
//
typedef struct _WMI_CONTEXTSWAP {
ULONG NewThreadId;
ULONG OldThreadId;
CHAR NewThreadPriority;
CHAR OldThreadPriority;
CHAR NewThreadQuantum;
CHAR OldThreadQuantum;
UCHAR OldThreadWaitReason;
CHAR OldThreadWaitMode;
UCHAR OldThreadState;
UCHAR OldThreadIdealProcessor;
} WMI_CONTEXTSWAP, *PWMI_CONTEXTSWAP;
//
// Heap allocation event payload.
// HeapHandle and Address are raw pointer values from the traced process, so
// logs carrying these events disclose its heap layout; restrict access to
// them accordingly.
//
typedef struct _HEAP_EVENT_ALLOC {
PVOID HeapHandle; // Handle of heap
SIZE_T Size; // Size of allocation in bytes
PVOID Address; // Address of allocation
ULONG Source; // Type, i.e. Lookaside, Lowfrag or main path
}HEAP_EVENT_ALLOC, *PHEAP_EVENT_ALLOC;
//
// Heap free event payload: the heap, the address being freed and the code
// path that handled the request.
//
typedef struct _HEAP_EVENT_FREE {
PVOID HeapHandle; // Handle of heap
PVOID Address; // Address to free
ULONG Source; // Type, i.e. Lookaside, Lowfrag or main path
}HEAP_EVENT_FREE, *PHEAP_EVENT_FREE;
//
// Heap reallocation event payload: the heap, the old and new addresses and
// sizes, and the code path that handled the request.
//
typedef struct _HEAP_EVENT_REALLOC {
PVOID HeapHandle; // Handle of heap
PVOID NewAddress; // New address returned to user
PVOID OldAddress; // Old address received from user
SIZE_T NewSize; // New size in bytes
SIZE_T OldSize; // Old size in bytes
ULONG Source; // Type, i.e. Lookaside, Lowfrag or main path
}HEAP_EVENT_REALLOC, *PHEAP_EVENT_REALLOC;
//
// Heap expansion event payload: the size committed by this expansion and the
// heap's resulting free, committed and reserved totals.
// The field order and types mirror HEAP_EVENT_CONTRACTION.
//
typedef struct _HEAP_EVENT_EXPANSION {
PVOID HeapHandle; // Handle of heap
SIZE_T CommittedSize; // Memory size in bytes actually committed
PVOID Address; // Address of free block or segment
SIZE_T FreeSpace; // Total free space in heap
SIZE_T CommittedSpace; // Memory committed
SIZE_T ReservedSpace; // Memory reserved
ULONG NoOfUCRs; // Number of uncommitted ranges
}HEAP_EVENT_EXPANSION, *PHEAP_EVENT_EXPANSION;
//
// Heap contraction event payload: the block that was decommitted and the
// heap's resulting free, committed and reserved totals.
// The field order and types mirror HEAP_EVENT_EXPANSION.
//
typedef struct _HEAP_EVENT_CONTRACTION {
PVOID HeapHandle; // Handle of heap
SIZE_T DeCommitSize; // Size of the decommitted block
PVOID DeCommitAddress; // Address of the decommitted block
SIZE_T FreeSpace; // Total free space in heap, in bytes
SIZE_T CommittedSpace; // Memory committed, in bytes
SIZE_T ReservedSpace; // Memory reserved, in bytes
ULONG NoOfUCRs; // Number of uncommitted ranges
}HEAP_EVENT_CONTRACTION, *PHEAP_EVENT_CONTRACTION;
//
// Heap creation event payload: the new heap's handle and its creation flags.
//
typedef struct _HEAP_EVENT_CREATE {
PVOID HeapHandle; // Handle of heap
ULONG Flags; // Flags passed while creating heap.
}HEAP_EVENT_CREATE, *PHEAP_EVENT_CREATE;
//
// Critical-section collision event payload: lock and spin counts, the thread
// holding the lock, and the address of the critical section.
// NOTE(review): SpinCount is declared PVOID although it is described as a
// count; presumably the type was chosen for its pointer width - confirm
// before decoding it as an address.
// On 64-bit builds natural alignment leaves implicit padding after LockCount.
//
typedef struct _CRIT_SEC_COLLISION_EVENT_DATA {
ULONG LockCount; // Lock count
PVOID SpinCount; // Spin count
PVOID OwningThread; // Thread holding the lock
PVOID Address; // Address of critical section
}CRIT_SEC_COLLISION_EVENT_DATA, *PCRIT_SEC_COLLISION_EVENT_DATA;
//
// Additional GUIDs used for NTPERF.
// The comment on each DEFINE_GUID gives the same GUID in text form; the
// numeric arguments below agree with those comments (leading zeros are
// omitted in a few arguments, e.g. 0x903 for 0903 and 0xe for 0E).
// DEFINE_GUID emits storage only in a translation unit that defines INITGUID
// before including this header; elsewhere it expands to an extern declaration.
// The GUID names presumably pair with the EVENT_TRACE_GROUP_* constants of
// the same name - confirm against the provider registration.
//
DEFINE_GUID( /* 0268a8b6-74fd-4302-9dd0-6e8f1795c0cf */
PoolGuid,
0x0268a8b6,
0x74fd,
0x4302,
0x9d, 0xd0, 0x6e, 0x8f, 0x17, 0x95, 0xc0, 0xcf
);
DEFINE_GUID( /* ce1dbfb4-137e-4da6-87b0-3f59aa102cbc */
PerfinfoGuid,
0xce1dbfb4,
0x137e,
0x4da6,
0x87, 0xb0, 0x3f, 0x59, 0xaa, 0x10, 0x2c, 0xbc
);
DEFINE_GUID( /* 222962ab-6180-4b88-a825-346b75f2a24a */
HeapGuid,
0x222962ab,
0x6180,
0x4b88,
0xa8, 0x25, 0x34, 0x6b, 0x75, 0xf2, 0xa2, 0x4a
);
DEFINE_GUID ( /* 3AC66736-CC59-4cff-8115-8DF50E39816B */
CritSecGuid,
0x3ac66736,
0xcc59,
0x4cff,
0x81, 0x15, 0x8d, 0xf5, 0xe, 0x39, 0x81, 0x6b
);
DEFINE_GUID ( /* E21D2142-DF90-4d93-BBD9-30E63D5A4AD6 */
NtdllTraceGuid,
0xe21d2142,
0xdf90,
0x4d93,
0xbb, 0xd9, 0x30, 0xe6, 0x3d, 0x5a, 0x4a, 0xd6
);
DEFINE_GUID( /* 89497f50-effe-4440-8cf2-ce6b1cdcaca7 */
ObjectGuid,
0x89497f50,
0xeffe,
0x4440,
0x8c, 0xf2, 0xce, 0x6b, 0x1c, 0xdc, 0xac, 0xa7
);
DEFINE_GUID( /* a9152f00-3f58-4bee-92a1-70c7d079d5dd */
ModBoundGuid,
0xa9152f00,
0x3f58,
0x4bee,
0x92, 0xa1, 0x70, 0xc7, 0xd0, 0x79, 0xd5, 0xdd
);
DEFINE_GUID ( /* E43445E0-0903-48c3-B878-FF0FCCEBDD04 */
PowerGuid,
0xe43445e0,
0x903,
0x48c3,
0xb8, 0x78, 0xff, 0xf, 0xcc, 0xeb, 0xdd, 0x4
);
DEFINE_GUID ( /* b2d14872-7c5b-463d-8419-ee9bf7d23e04 */
DpcGuid,
0xb2d14872,
0x7c5b,
0x463d,
0x84, 0x19, 0xee, 0x9b, 0xf7, 0xd2, 0x3e, 0x04
);
#endif // ifndef ETW_WOW6432
//
// The following flags denote what the Fields argument of NtTraceEvent
// actually contains. They are distinct single-bit values.
//
#define ETW_NT_FLAGS_TRACE_HEADER 0X00000001 // Contiguous Event Trace Header
#define ETW_NT_FLAGS_TRACE_MESSAGE 0X00000002 // Trace Message
//
// NtTraceEvent: prototype (declared NTSYSCALLAPI) for logging a trace event.
//   TraceHandle - handle identifying the trace; how it is obtained is not
//                 shown in this header.
//   Flags       - presumably a combination of the ETW_NT_FLAGS_* values
//                 above, telling the callee how to interpret Fields - confirm.
//   FieldSize   - size associated with Fields; the unit is not stated here
//                 (presumably bytes).
//   Fields      - caller-supplied buffer whose layout depends on Flags.
// Returns an NTSTATUS; the specific status codes are not listed here.
// NOTE(review): Fields and FieldSize are caller-controlled. The
// implementation (not part of this header) should validate FieldSize against
// the layout selected by Flags and capture the buffer before interpreting it,
// rather than trusting any size field embedded in the buffer itself.
//
NTSYSCALLAPI
NTSTATUS
NTAPI
NtTraceEvent(
IN HANDLE TraceHandle,
IN ULONG Flags,
IN ULONG FieldSize,
IN PVOID Fields
);
#endif // _NTWMI_