1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
|
/*
* evntprov.h
*
* This file is part of the ReactOS PSDK package.
*
* Contributors:
* Created by Amine Khaldi.
*
* THIS SOFTWARE IS NOT COPYRIGHTED
*
* This source code is offered for use in the public domain. You may
* use, modify or distribute it freely.
*
* This code is distributed in the hope that it will be useful but
* WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY
* DISCLAIMED. This includes but is not limited to warranties of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
*/
#ifndef _EVNTPROV_H_
#define _EVNTPROV_H_
#ifndef EVNTAPI
#ifndef MIDL_PASS
#ifdef _EVNT_SOURCE_
#define EVNTAPI __stdcall
#else
#define EVNTAPI DECLSPEC_IMPORT __stdcall
#endif /* _EVNT_SOURCE_ */
#endif /* MIDL_PASS */
#endif /* EVNTAPI */
#ifdef __cplusplus
extern "C" {
#endif
#define EVENT_MIN_LEVEL 0
#define EVENT_MAX_LEVEL 0xff
#define EVENT_ACTIVITY_CTRL_GET_ID 1
#define EVENT_ACTIVITY_CTRL_SET_ID 2
#define EVENT_ACTIVITY_CTRL_CREATE_ID 3
#define EVENT_ACTIVITY_CTRL_GET_SET_ID 4
#define EVENT_ACTIVITY_CTRL_CREATE_SET_ID 5
typedef ULONGLONG REGHANDLE, *PREGHANDLE;
#define MAX_EVENT_DATA_DESCRIPTORS 128
#define MAX_EVENT_FILTER_DATA_SIZE 1024
#define EVENT_FILTER_TYPE_SCHEMATIZED 0x80000000
typedef struct _EVENT_DESCRIPTOR {
USHORT Id;
UCHAR Version;
UCHAR Channel;
UCHAR Level;
UCHAR Opcode;
USHORT Task;
ULONGLONG Keyword;
} EVENT_DESCRIPTOR, *PEVENT_DESCRIPTOR;
typedef const EVENT_DESCRIPTOR *PCEVENT_DESCRIPTOR;
typedef struct _EVENT_DATA_DESCRIPTOR {
ULONGLONG Ptr;
ULONG Size;
ULONG Reserved;
} EVENT_DATA_DESCRIPTOR, *PEVENT_DATA_DESCRIPTOR;
struct _EVENT_FILTER_DESCRIPTOR {
ULONGLONG Ptr;
ULONG Size;
ULONG Type;
};
#ifndef DEFINED_PEVENT_FILTER_DESC
typedef struct _EVENT_FILTER_DESCRIPTOR EVENT_FILTER_DESCRIPTOR, *PEVENT_FILTER_DESCRIPTOR;
#define DEFINED_PEVENT_FILTER_DESC 1
#endif /* for evntrace.h */
typedef struct _EVENT_FILTER_HEADER {
USHORT Id;
UCHAR Version;
UCHAR Reserved[5];
ULONGLONG InstanceId;
ULONG Size;
ULONG NextOffset;
} EVENT_FILTER_HEADER, *PEVENT_FILTER_HEADER;
#ifndef _ETW_KM_ /* for wdm.h */
typedef VOID
(NTAPI *PENABLECALLBACK)(
LPCGUID SourceId,
ULONG IsEnabled,
UCHAR Level,
ULONGLONG MatchAnyKeyword,
ULONGLONG MatchAllKeyword,
PEVENT_FILTER_DESCRIPTOR FilterData,
PVOID CallbackContext);
#if (_WIN32_WINNT >= 0x0600)
ULONG EVNTAPI EventRegister(
LPCGUID ProviderId,
PENABLECALLBACK EnableCallback,
PVOID CallbackContext,
PREGHANDLE RegHandle
);
ULONG EVNTAPI EventUnregister(
REGHANDLE RegHandle
);
BOOLEAN EVNTAPI EventEnabled(
REGHANDLE RegHandle,
PCEVENT_DESCRIPTOR EventDescriptor
);
BOOLEAN EVNTAPI EventProviderEnabled(
REGHANDLE RegHandle,
UCHAR Level,
ULONGLONG Keyword
);
ULONG EVNTAPI EventWrite(
REGHANDLE RegHandle,
PCEVENT_DESCRIPTOR EventDescriptor,
ULONG UserDataCount,
PEVENT_DATA_DESCRIPTOR UserData
);
ULONG EVNTAPI EventWriteTransfer(
REGHANDLE RegHandle,
PCEVENT_DESCRIPTOR EventDescriptor,
LPCGUID ActivityId,
LPCGUID RelatedActivityId,
ULONG UserDataCount,
PEVENT_DATA_DESCRIPTOR UserData
);
ULONG EVNTAPI EventWriteString(
REGHANDLE RegHandle,
UCHAR Level,
ULONGLONG Keyword,
PCWSTR String
);
ULONG EVNTAPI EventActivityIdControl(
ULONG ControlCode,
LPGUID ActivityId
);
#endif /*(_WIN32_WINNT >= 0x0600)*/
#if (_WIN32_WINNT >= 0x0601)
ULONG EVNTAPI EventWriteEx(
REGHANDLE RegHandle,
PCEVENT_DESCRIPTOR EventDescriptor,
ULONG64 Filter,
ULONG Flags,
LPCGUID ActivityId,
LPCGUID RelatedActivityId,
ULONG UserDataCount,
PEVENT_DATA_DESCRIPTOR UserData
);
#endif /*(_WIN32_WINNT >= 0x0601)*/
#endif /* _ETW_KM_ */
FORCEINLINE
VOID
EventDataDescCreate(
PEVENT_DATA_DESCRIPTOR EventDataDescriptor,
const VOID* DataPtr,
ULONG DataSize)
{
EventDataDescriptor->Ptr = (ULONGLONG)(ULONG_PTR)DataPtr;
EventDataDescriptor->Size = DataSize;
EventDataDescriptor->Reserved = 0;
}
FORCEINLINE
VOID
EventDescCreate(
PEVENT_DESCRIPTOR EventDescriptor,
USHORT Id,
UCHAR Version,
UCHAR Channel,
UCHAR Level,
USHORT Task,
UCHAR Opcode,
ULONGLONG Keyword)
{
EventDescriptor->Id = Id;
EventDescriptor->Version = Version;
EventDescriptor->Channel = Channel;
EventDescriptor->Level = Level;
EventDescriptor->Task = Task;
EventDescriptor->Opcode = Opcode;
EventDescriptor->Keyword = Keyword;
}
FORCEINLINE
VOID
EventDescZero(
PEVENT_DESCRIPTOR EventDescriptor)
{
memset(EventDescriptor, 0, sizeof(EVENT_DESCRIPTOR));
}
FORCEINLINE
USHORT
EventDescGetId(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Id);
}
FORCEINLINE
UCHAR
EventDescGetVersion(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Version);
}
FORCEINLINE
USHORT
EventDescGetTask(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Task);
}
FORCEINLINE
UCHAR
EventDescGetOpcode(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Opcode);
}
FORCEINLINE
UCHAR
EventDescGetChannel(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Channel);
}
FORCEINLINE
UCHAR
EventDescGetLevel(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Level);
}
FORCEINLINE
ULONGLONG
EventDescGetKeyword(
PCEVENT_DESCRIPTOR EventDescriptor)
{
return (EventDescriptor->Keyword);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetId(
PEVENT_DESCRIPTOR EventDescriptor,
USHORT Id)
{
EventDescriptor->Id = Id;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetVersion(
PEVENT_DESCRIPTOR EventDescriptor,
UCHAR Version)
{
EventDescriptor->Version = Version;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetTask(
PEVENT_DESCRIPTOR EventDescriptor,
USHORT Task)
{
EventDescriptor->Task = Task;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetOpcode(
PEVENT_DESCRIPTOR EventDescriptor,
UCHAR Opcode)
{
EventDescriptor->Opcode = Opcode;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetLevel(
PEVENT_DESCRIPTOR EventDescriptor,
UCHAR Level)
{
EventDescriptor->Level = Level;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetChannel(
PEVENT_DESCRIPTOR EventDescriptor,
UCHAR Channel)
{
EventDescriptor->Channel = Channel;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescSetKeyword(
PEVENT_DESCRIPTOR EventDescriptor,
ULONGLONG Keyword)
{
EventDescriptor->Keyword = Keyword;
return (EventDescriptor);
}
FORCEINLINE
PEVENT_DESCRIPTOR
EventDescOrKeyword(
PEVENT_DESCRIPTOR EventDescriptor,
ULONGLONG Keyword)
{
EventDescriptor->Keyword |= Keyword;
return (EventDescriptor);
}
#ifdef __cplusplus
}
#endif
#endif /* _EVNTPROV_H_ */
|
