path: root/src/win32ctl/include/evntrace.h
/**
 * This file has no copyright assigned and is placed in the Public Domain.
 * This file is part of the w64 mingw-runtime package.
 * No warranty is given; refer to the file DISCLAIMER.PD within this package.
 */
#ifndef _EVNTRACE_
#define _EVNTRACE_

/* --- start added by kenj */
/*
 * Local definition of __MINGW_EXTENSION, the prefix placed on the nested
 * union/struct members declared further down. Under GCC/G++ it expands to
 * the __extension__ keyword; for any other compiler it expands to nothing.
 * NOTE(review): any definition made before this header is discarded by the
 * #undef, and the name itself sits in the implementation-reserved "__"
 * namespace.
 */
#undef __MINGW_EXTENSION
#if defined(__GNUC__) || defined(__GNUG__)
#define __MINGW_EXTENSION	__extension__
#else
#define __MINGW_EXTENSION
#endif
/* --- end added by kenj */

#if defined(_WINNT_) || defined(WINNT)

/*
 * WMIAPI decorates the function prototypes below. Unless the includer has
 * already defined it (or MIDL_PASS is set, in which case it stays undefined
 * here), it becomes plain __stdcall when _WMI_SOURCE_ is defined and
 * DECLSPEC_IMPORT __stdcall otherwise. DECLSPEC_IMPORT is not defined in
 * this header and must come from an earlier include.
 */
#ifndef WMIAPI
#ifndef MIDL_PASS
#ifdef _WMI_SOURCE_
#define WMIAPI __stdcall
#else
#define WMIAPI DECLSPEC_IMPORT __stdcall
#endif
#endif /* MIDL_PASS */
#endif /* WMIAPI */

/*
 * Four well-known GUIDs declared through DEFINE_GUID. The macro is defined
 * outside this header; whether each line yields a definition or only an
 * extern declaration depends on that definition.
 * NOTE(review): the roles are inferred from the names only (event trace
 * class, system/kernel trace control, trace configuration, default trace
 * security descriptor) -- confirm against the ETW documentation.
 */
DEFINE_GUID (EventTraceGuid,0x68fdd900,0x4a3e,0x11d1,0x84,0xf4,0x00,0x00,0xf8,0x04,0x64,0xe3);
DEFINE_GUID (SystemTraceControlGuid,0x9e814aad,0x3204,0x11d2,0x9a,0x82,0x00,0x60,0x08,0xa8,0x69,0x39);
DEFINE_GUID (EventTraceConfigGuid,0x01853a65,0x418f,0x4f36,0xae,0xfc,0xdc,0x0f,0x1d,0x2f,0xd2,0x35);
DEFINE_GUID (DefaultTraceSecurityGuid,0x0811c1af,0x7a07,0x4a06,0x82,0xed,0x86,0x94,0x55,0xcd,0xf7,0x13);

/*
 * Names of the built-in logger sessions, as wide (W) and narrow (A) string
 * literals. The generic KERNEL_/GLOBAL_/EVENT_LOGGER_NAME aliases are
 * selected further down according to UNICODE; DIAG_LOGGER_NAME has no such
 * generic alias in this header.
 */
#define KERNEL_LOGGER_NAMEW	L"NT Kernel Logger"
#define GLOBAL_LOGGER_NAMEW	L"GlobalLogger"
#define EVENT_LOGGER_NAMEW	L"Event Log"
#define DIAG_LOGGER_NAMEW	L"DiagLog"

#define KERNEL_LOGGER_NAMEA	"NT Kernel Logger"
#define GLOBAL_LOGGER_NAMEA	"GlobalLogger"
#define EVENT_LOGGER_NAMEA	"Event Log"
#define DIAG_LOGGER_NAMEA	"DiagLog"

/* presumably the maximum number of MOF_FIELD entries per event -- TODO confirm */
#define MAX_MOF_FIELDS		16

/*
 * TRACEHANDLE is a 64-bit unsigned integer (not a pointer-sized HANDLE),
 * so it has the same width on 32-bit and 64-bit targets. The
 * _TRACEHANDLE_DEFINED guard lets another header supply the same typedef
 * first.
 */
#ifndef _TRACEHANDLE_DEFINED
#define _TRACEHANDLE_DEFINED
typedef ULONG64 TRACEHANDLE,*PTRACEHANDLE;
#endif

#define SYSTEM_EVENT_TYPE		1

/*
 * Generic event type codes (presumably the values carried in the Class.Type
 * byte of the event headers below -- confirm).
 * Several names are aliases of the same number: END/STOP are both 0x02,
 * DEQUEUE/RESUME are both 0x07 and CHECKPOINT/SUSPEND are both 0x08, so a
 * switch over these constants cannot list both names of a pair.
 */
#define EVENT_TRACE_TYPE_INFO		0x00
#define EVENT_TRACE_TYPE_START		0x01
#define EVENT_TRACE_TYPE_END		0x02
#define EVENT_TRACE_TYPE_STOP		0x02
#define EVENT_TRACE_TYPE_DC_START	0x03
#define EVENT_TRACE_TYPE_DC_END		0x04
#define EVENT_TRACE_TYPE_EXTENSION	0x05
#define EVENT_TRACE_TYPE_REPLY		0x06
#define EVENT_TRACE_TYPE_DEQUEUE	0x07
#define EVENT_TRACE_TYPE_RESUME		0x07
#define EVENT_TRACE_TYPE_CHECKPOINT	0x08
#define EVENT_TRACE_TYPE_SUSPEND	0x08
#define EVENT_TRACE_TYPE_WINEVT_SEND	0x09
#define EVENT_TRACE_TYPE_WINEVT_RECEIVE	0XF0

/*
 * Trace severity levels, 0 (none) through 5 (verbose), followed by four
 * reserved values. CRITICAL and FATAL are two names for level 1.
 */
#define TRACE_LEVEL_NONE		0
#define TRACE_LEVEL_CRITICAL		1
#define TRACE_LEVEL_FATAL		1
#define TRACE_LEVEL_ERROR		2
#define TRACE_LEVEL_WARNING		3
#define TRACE_LEVEL_INFORMATION		4
#define TRACE_LEVEL_VERBOSE		5
#define TRACE_LEVEL_RESERVED6		6
#define TRACE_LEVEL_RESERVED7		7
#define TRACE_LEVEL_RESERVED8		8
#define TRACE_LEVEL_RESERVED9		9

/*
 * Class-specific event type codes. Every group below restarts at 0x0A, so
 * the same number means different things in different groups (0x0A is LOAD,
 * IO_READ, MM_TF, SEND, GUIDMAP, REGCREATE and CONFIG_CPU). A consumer must
 * therefore decide which group applies before interpreting a type value --
 * presumably from the event's class GUID; confirm against the ETW
 * documentation. Decoding a type against the wrong group silently
 * mislabels the event.
 */
#define EVENT_TRACE_TYPE_LOAD		0x0A

/* Disk I/O group (IO_*). */
#define EVENT_TRACE_TYPE_IO_READ	0x0A
#define EVENT_TRACE_TYPE_IO_WRITE	0x0B
#define EVENT_TRACE_TYPE_IO_READ_INIT	0x0C
#define EVENT_TRACE_TYPE_IO_WRITE_INIT	0x0D
#define EVENT_TRACE_TYPE_IO_FLUSH	0x0E
#define EVENT_TRACE_TYPE_IO_FLUSH_INIT	0x0F

/* Memory-manager group (MM_*). */
#define EVENT_TRACE_TYPE_MM_TF		0x0A
#define EVENT_TRACE_TYPE_MM_DZF		0x0B
#define EVENT_TRACE_TYPE_MM_COW		0x0C
#define EVENT_TRACE_TYPE_MM_GPF		0x0D
#define EVENT_TRACE_TYPE_MM_HPF		0x0E
#define EVENT_TRACE_TYPE_MM_AV		0x0F

/* Network group (names suggest TCP/IP connection events). */
#define EVENT_TRACE_TYPE_SEND		0x0A
#define EVENT_TRACE_TYPE_RECEIVE	0x0B
#define EVENT_TRACE_TYPE_CONNECT	0x0C
#define EVENT_TRACE_TYPE_DISCONNECT	0x0D
#define EVENT_TRACE_TYPE_RETRANSMIT	0x0E
#define EVENT_TRACE_TYPE_ACCEPT		0x0F
#define EVENT_TRACE_TYPE_RECONNECT	0x10
#define EVENT_TRACE_TYPE_CONNFAIL	0x11
#define EVENT_TRACE_TYPE_COPY_TCP	0x12
#define EVENT_TRACE_TYPE_COPY_ARP	0x13
#define EVENT_TRACE_TYPE_ACKFULL	0x14
#define EVENT_TRACE_TYPE_ACKPART	0x15
#define EVENT_TRACE_TYPE_ACKDUP		0x16

/* Trace header / metadata group. */
#define EVENT_TRACE_TYPE_GUIDMAP	0x0A
#define EVENT_TRACE_TYPE_CONFIG		0x0B
#define EVENT_TRACE_TYPE_SIDINFO	0x0C
#define EVENT_TRACE_TYPE_SECURITY	0x0D

/* Registry group (REG*). */
#define EVENT_TRACE_TYPE_REGCREATE	0x0A
#define EVENT_TRACE_TYPE_REGOPEN	0x0B
#define EVENT_TRACE_TYPE_REGDELETE	0x0C
#define EVENT_TRACE_TYPE_REGQUERY	0x0D
#define EVENT_TRACE_TYPE_REGSETVALUE	0x0E
#define EVENT_TRACE_TYPE_REGDELETEVALUE	0x0F
#define EVENT_TRACE_TYPE_REGQUERYVALUE	0x10
#define EVENT_TRACE_TYPE_REGENUMERATEKEY	0x11
#define EVENT_TRACE_TYPE_REGENUMERATEVALUEKEY	0x12
#define EVENT_TRACE_TYPE_REGQUERYMULTIPLEVALUE	0x13
#define EVENT_TRACE_TYPE_REGSETINFORMATION	0x14
#define EVENT_TRACE_TYPE_REGFLUSH		0x15
#define EVENT_TRACE_TYPE_REGKCBCREATE		0x16
#define EVENT_TRACE_TYPE_REGKCBDELETE		0x17
#define EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN	0x18
#define EVENT_TRACE_TYPE_REGKCBRUNDOWNEND	0x19
#define EVENT_TRACE_TYPE_REGVIRTUALIZE		0x1A
#define EVENT_TRACE_TYPE_REGCLOSE		0x1B
#define EVENT_TRACE_TYPE_REGSETSECURITY		0x1C
#define EVENT_TRACE_TYPE_REGQUERYSECURITY	0x1D
#define EVENT_TRACE_TYPE_REGCOMMIT		0x1E
#define EVENT_TRACE_TYPE_REGPREPARE		0x1F
#define EVENT_TRACE_TYPE_REGROLLBACK		0x20
#define EVENT_TRACE_TYPE_REGMOUNTHIVE		0x21

/* System configuration group (CONFIG_*). */
#define EVENT_TRACE_TYPE_CONFIG_CPU		0x0A
#define EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK	0x0B
#define EVENT_TRACE_TYPE_CONFIG_LOGICALDISK	0x0C
#define EVENT_TRACE_TYPE_CONFIG_NIC		0x0D
#define EVENT_TRACE_TYPE_CONFIG_VIDEO		0x0E
#define EVENT_TRACE_TYPE_CONFIG_SERVICES	0x0F
#define EVENT_TRACE_TYPE_CONFIG_POWER		0x10
#define EVENT_TRACE_TYPE_CONFIG_NETINFO		0x11

/* The CONFIG_* numbering skips 0x12-0x14 and 0x18 in this header. */
#define EVENT_TRACE_TYPE_CONFIG_IRQ		0x15
#define EVENT_TRACE_TYPE_CONFIG_PNP		0x16
#define EVENT_TRACE_TYPE_CONFIG_IDECHANNEL	0x17
#define EVENT_TRACE_TYPE_CONFIG_PLATFORM	0x19

/*
 * Single-bit flags meant to be OR-ed together; they are listed in
 * thematic groups rather than numeric order. Presumably these populate
 * EVENT_TRACE_PROPERTIES.EnableFlags to choose which kernel event classes
 * a session records -- confirm against the ETW documentation.
 * Which of these bits a session enables decides what process, image-load,
 * file, registry and network activity is visible to a consumer, so audit
 * tooling should record the flag set it actually started with.
 */
#define EVENT_TRACE_FLAG_PROCESS		0x00000001
#define EVENT_TRACE_FLAG_THREAD			0x00000002
#define EVENT_TRACE_FLAG_IMAGE_LOAD		0x00000004

#define EVENT_TRACE_FLAG_DISK_IO		0x00000100
#define EVENT_TRACE_FLAG_DISK_FILE_IO		0x00000200

#define EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS	0x00001000
#define EVENT_TRACE_FLAG_MEMORY_HARD_FAULTS	0x00002000

#define EVENT_TRACE_FLAG_NETWORK_TCPIP		0x00010000

#define EVENT_TRACE_FLAG_REGISTRY		0x00020000
#define EVENT_TRACE_FLAG_DBGPRINT		0x00040000

#define EVENT_TRACE_FLAG_PROCESS_COUNTERS	0x00000008
#define EVENT_TRACE_FLAG_CSWITCH		0x00000010
#define EVENT_TRACE_FLAG_DPC			0x00000020
#define EVENT_TRACE_FLAG_INTERRUPT		0x00000040
#define EVENT_TRACE_FLAG_SYSTEMCALL		0x00000080

#define EVENT_TRACE_FLAG_DISK_IO_INIT		0x00000400

#define EVENT_TRACE_FLAG_ALPC			0x00100000
#define EVENT_TRACE_FLAG_SPLIT_IO		0x00200000

#define EVENT_TRACE_FLAG_DRIVER			0x00800000
#define EVENT_TRACE_FLAG_PROFILE		0x01000000
#define EVENT_TRACE_FLAG_FILE_IO		0x02000000
#define EVENT_TRACE_FLAG_FILE_IO_INIT		0x04000000

#define EVENT_TRACE_FLAG_DISPATCHER		0x00000800
#define EVENT_TRACE_FLAG_VIRTUAL_ALLOC		0x00004000

/*
 * Top three bits. 0x80000000 does not fit in a 32-bit signed int, so that
 * literal has an unsigned type; keep flag words in ULONG, not int.
 */
#define EVENT_TRACE_FLAG_EXTENSION		0x80000000
#define EVENT_TRACE_FLAG_FORWARD_WMI		0x40000000
#define EVENT_TRACE_FLAG_ENABLE_RESERVE		0x20000000

/*
 * Logging-mode bits, presumably for the LogFileMode fields declared in the
 * structures below (EVENT_TRACE_PROPERTIES, TRACE_LOGFILE_HEADER) --
 * confirm. All values are distinct single bits except FILE_MODE_NONE (0).
 * NOTE(review): which combinations are legal (for example SEQUENTIAL with
 * CIRCULAR) is not expressed in this header.
 */
#define EVENT_TRACE_FILE_MODE_NONE		0x00000000
#define EVENT_TRACE_FILE_MODE_SEQUENTIAL	0x00000001
#define EVENT_TRACE_FILE_MODE_CIRCULAR		0x00000002
#define EVENT_TRACE_FILE_MODE_APPEND		0x00000004
#define EVENT_TRACE_FILE_MODE_NEWFILE		0x00000008
#define EVENT_TRACE_FILE_MODE_PREALLOCATE	0x00000020

/*
 * NOTE(review): the names NONSTOPPABLE_MODE and SECURE_MODE suggest these
 * two bits affect who may stop or write to a session; verify the exact
 * semantics before relying on them as a control.
 */
#define EVENT_TRACE_NONSTOPPABLE_MODE		0x00000040
#define EVENT_TRACE_SECURE_MODE			0x00000080
#define EVENT_TRACE_USE_KBYTES_FOR_SIZE		0x00002000
#define EVENT_TRACE_PRIVATE_IN_PROC		0x00020000
#define EVENT_TRACE_MODE_RESERVED		0x00100000

#define EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING	0x10000000

#define EVENT_TRACE_REAL_TIME_MODE		0x00000100
#define EVENT_TRACE_DELAY_OPEN_FILE_MODE	0x00000200
#define EVENT_TRACE_BUFFERING_MODE		0x00000400
#define EVENT_TRACE_PRIVATE_LOGGER_MODE		0x00000800
#define EVENT_TRACE_ADD_HEADER_MODE		0x00001000

#define EVENT_TRACE_USE_GLOBAL_SEQUENCE		0x00004000
#define EVENT_TRACE_USE_LOCAL_SEQUENCE		0x00008000

#define EVENT_TRACE_RELOG_MODE			0x00010000

#define EVENT_TRACE_USE_PAGED_MEMORY		0x01000000

/*
 * Values for the ControlCode argument of ControlTraceW/ControlTraceA (the
 * __TRACE_W2K_COMPATIBLE macros near the end of this header pass STOP,
 * QUERY and UPDATE exactly that way). STOP and UPDATE change a running
 * session, so code that issues them alters what telemetry is collected;
 * log such calls where session integrity matters.
 */
#define EVENT_TRACE_CONTROL_QUERY		0
#define EVENT_TRACE_CONTROL_STOP		1
#define EVENT_TRACE_CONTROL_UPDATE		2
#define EVENT_TRACE_CONTROL_FLUSH		3

/*
 * Bit flags, presumably for the MessageFlags argument of TraceMessage /
 * TraceMessageVa declared below -- confirm. Values are powers of two
 * (1..32 in decimal, then 0x40 and 0x80).
 */
#define TRACE_MESSAGE_SEQUENCE			1
#define TRACE_MESSAGE_GUID			2
#define TRACE_MESSAGE_COMPONENTID		4
#define TRACE_MESSAGE_TIMESTAMP			8
#define TRACE_MESSAGE_PERFORMANCE_TIMESTAMP	16
#define TRACE_MESSAGE_SYSTEMINFO		32

#define TRACE_MESSAGE_POINTER32			0x0040
#define TRACE_MESSAGE_POINTER64			0x0080

/* Mask covering the low 16 bits of a message flag word. */
#define TRACE_MESSAGE_FLAG_MASK			0xFFFF

/*
 * Header flag bits. Going by the names, USE_GUID_PTR and USE_MOF_PTR
 * indicate that the header carries a pointer rather than inline data
 * (compare the Guid/GuidPtr union in EVENT_TRACE_HEADER) -- confirm.
 */
#define TRACE_HEADER_FLAG_USE_TIMESTAMP		0x00000200
#define TRACE_HEADER_FLAG_TRACED_GUID		0x00020000
#define TRACE_HEADER_FLAG_LOG_WNODE		0x00040000
#define TRACE_HEADER_FLAG_USE_GUID_PTR		0x00080000
#define TRACE_HEADER_FLAG_USE_MOF_PTR		0x00100000

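/*
 * Maximum trace message size: 8 KiB (8192).
 * The expansion is parenthesized so that the constant keeps its value when
 * it appears next to an operator of equal or higher precedence. Without
 * the parentheses, `len / TRACE_MESSAGE_MAXIMUM_SIZE` expands to
 * `len / 8*1024`, which yields a wrong quotient and can make a
 * size/bounds computation built on it accept oversized input.
 */
#define TRACE_MESSAGE_MAXIMUM_SIZE		(8*1024)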

#define ETW_NULL_TYPE_VALUE			0
#define ETW_OBJECT_TYPE_VALUE			1
#define ETW_STRING_TYPE_VALUE			2
#define ETW_SBYTE_TYPE_VALUE			3
#define ETW_BYTE_TYPE_VALUE			4
#define ETW_INT16_TYPE_VALUE			5
#define ETW_UINT16_TYPE_VALUE			6
#define ETW_INT32_TYPE_VALUE			7
#define ETW_UINT32_TYPE_VALUE			8
#define ETW_INT64_TYPE_VALUE			9
#define ETW_UINT64_TYPE_VALUE			10
#define ETW_CHAR_TYPE_VALUE			11
#define ETW_SINGLE_TYPE_VALUE			12
#define ETW_DOUBLE_TYPE_VALUE			13
#define ETW_BOOLEAN_TYPE_VALUE			14
#define ETW_DECIMAL_TYPE_VALUE			15

#define ETW_GUID_TYPE_VALUE			101
#define ETW_ASCIICHAR_TYPE_VALUE		102
#define ETW_ASCIISTRING_TYPE_VALUE		103
#define ETW_COUNTED_STRING_TYPE_VALUE		104
#define ETW_POINTER_TYPE_VALUE			105
#define ETW_SIZET_TYPE_VALUE			106
#define ETW_HIDDEN_TYPE_VALUE			107
#define ETW_BOOL_TYPE_VALUE			108
#define ETW_COUNTED_ANSISTRING_TYPE_VALUE	109
#define ETW_REVERSED_COUNTED_STRING_TYPE_VALUE	110
#define ETW_REVERSED_COUNTED_ANSISTRING_TYPE_VALUE 111
#define ETW_NON_NULL_TERMINATED_STRING_TYPE_VALUE  112
#define ETW_REDUCED_ANSISTRING_TYPE_VALUE	113
#define ETW_REDUCED_STRING_TYPE_VALUE		114
#define ETW_SID_TYPE_VALUE			115
#define ETW_VARIANT_TYPE_VALUE			116
#define ETW_PTVECTOR_TYPE_VALUE			117
#define ETW_WMITIME_TYPE_VALUE			118
#define ETW_DATETIME_TYPE_VALUE			119
#define ETW_REFRENCE_TYPE_VALUE			120

/* Provider flag bits (presumably reported in TRACE_PROVIDER_INSTANCE_INFO.Flags -- confirm). */
#define TRACE_PROVIDER_FLAG_LEGACY		0x00000001
#define TRACE_PROVIDER_FLAG_PRE_ENABLE		0x00000002

/*
 * Provider control codes (presumably the ControlCode argument of
 * EnableTraceEx2 -- confirm). DISABLE_PROVIDER turns a provider off for a
 * session, so callers issuing it reduce the telemetry that session sees.
 */
#define EVENT_CONTROL_CODE_DISABLE_PROVIDER	0
#define EVENT_CONTROL_CODE_ENABLE_PROVIDER	1
#define EVENT_CONTROL_CODE_CAPTURE_STATE	2

/* Timing-mode selectors; the names line up with the KernelTime/UserTime vs ProcessorTime union in the headers below. */
#define EVENT_TRACE_USE_PROCTIME		0x0001
#define EVENT_TRACE_USE_NOCPUTIME		0x0002

/*
 * Header placed at the start of a traced event. Several fields are
 * overlaid through unions, so only one member of each union is meaningful
 * for a given event. The DUMMYUNIONNAME / DUMMYSTRUCTNAME tokens are
 * macros defined outside this header.
 *
 * NOTE(review): Size is presumably the byte count of header plus payload.
 * A consumer that reads events from a file or another process should
 * check Size against the bytes actually available before touching the
 * payload, and must not dereference GuidPtr taken from recorded data.
 */
typedef struct _EVENT_TRACE_HEADER {
  USHORT Size;
  /* Either one 16-bit flag word or a header-type byte plus marker-flag byte. */
  __MINGW_EXTENSION union {
    USHORT FieldTypeFlags;
    __MINGW_EXTENSION struct {
      UCHAR HeaderType;
      UCHAR MarkerFlags;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
  /* Either a 32-bit version or the Type/Level/Version triple. */
  __MINGW_EXTENSION union {
    ULONG Version;
    struct {
      UCHAR Type;
      UCHAR Level;
      USHORT Version;
    } Class;
  } DUMMYUNIONNAME2;
  ULONG ThreadId;
  ULONG ProcessId;
  LARGE_INTEGER TimeStamp;
  /* Inline GUID, or a 64-bit value holding a pointer to one. */
  __MINGW_EXTENSION union {
    GUID Guid;
    ULONGLONG GuidPtr;
  } DUMMYUNIONNAME3;
  /* Three views of the same 8 bytes: split kernel/user time, one 64-bit processor time, or context + flags. */
  __MINGW_EXTENSION union {
    __MINGW_EXTENSION struct {
      ULONG KernelTime;
      ULONG UserTime;
    } DUMMYSTRUCTNAME;
    ULONG64 ProcessorTime;
    __MINGW_EXTENSION struct {
      ULONG ClientContext;
      ULONG Flags;
    } DUMMYSTRUCTNAME2;
  } DUMMYUNIONNAME4;
} EVENT_TRACE_HEADER,*PEVENT_TRACE_HEADER;

/*
 * Event header variant that carries instance information. The leading
 * fields (Size through TimeStamp) are declared identically to
 * EVENT_TRACE_HEADER; in place of the GUID union it stores a registration
 * handle and instance ids, and it ends with a parent registration handle.
 *
 * NOTE(review): as with EVENT_TRACE_HEADER, treat Size as untrusted when
 * the header comes from recorded data and validate it before use.
 */
typedef struct _EVENT_INSTANCE_HEADER {
  USHORT Size;
  __MINGW_EXTENSION union {
    USHORT FieldTypeFlags;
    __MINGW_EXTENSION struct {
      UCHAR HeaderType;
      UCHAR MarkerFlags;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
  __MINGW_EXTENSION union {
    ULONG Version;
    struct {
      UCHAR Type;
      UCHAR Level;
      USHORT Version;
    } Class;
  } DUMMYUNIONNAME2;
  ULONG ThreadId;
  ULONG ProcessId;
  LARGE_INTEGER TimeStamp;
  ULONGLONG RegHandle;
  ULONG InstanceId;
  ULONG ParentInstanceId;
  /* Three views of the same 8 bytes: split kernel/user time, one 64-bit processor time, or event id + flags. */
  __MINGW_EXTENSION union {
    __MINGW_EXTENSION struct {
      ULONG KernelTime;
      ULONG UserTime;
    } DUMMYSTRUCTNAME;
    ULONG64 ProcessorTime;
    __MINGW_EXTENSION struct {
      ULONG EventId;
      ULONG Flags;
    } DUMMYSTRUCTNAME2;
  } DUMMYUNIONNAME3;
  ULONGLONG ParentRegHandle;
} EVENT_INSTANCE_HEADER,*PEVENT_INSTANCE_HEADER;

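/*
 * Fill one MOF_FIELD entry.
 *
 *   MOF    - pointer to the MOF_FIELD to fill (evaluated three times, so
 *            pass an expression without side effects)
 *   ptr    - address of the data; stored as a 64-bit integer in DataPtr
 *   length - data length, stored in Length
 *   type   - data type code, stored in DataType
 *
 * The three assignments are wrapped in do { } while (0) so the macro acts
 * as one statement: used as the body of an unbraced `if` or loop, all
 * three fields are now guarded together instead of only the first. Each
 * argument is parenthesized so an expression argument such as `buf + 1` is
 * converted as a whole rather than having the cast bind to `buf` alone,
 * which would record the wrong address or length for the field.
 *
 * The trailing semicolon is retained for compatibility with existing call
 * sites written without one; as before, this means the macro cannot be
 * followed directly by `else` in an unbraced if/else.
 */
#define DEFINE_TRACE_MOF_FIELD(MOF,ptr,length,type)	\
	do {							\
		(MOF)->DataPtr = (ULONG64) (ULONG_PTR) (ptr);	\
		(MOF)->Length = (ULONG) (length);		\
		(MOF)->DataType = (ULONG) (type);		\
	} while (0);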

/*
 * One data item attached to an event: a data address held as a 64-bit
 * integer, a length and a type code. DEFINE_TRACE_MOF_FIELD fills these
 * three members. Length is supplied by the caller and is not checked
 * anywhere in this header, so it must match the buffer DataPtr refers to.
 */
typedef struct _MOF_FIELD {
  ULONG64 DataPtr;
  ULONG Length;
  ULONG DataType;
} MOF_FIELD,*PMOF_FIELD;

#if !(defined(_NTDDK_) || defined(_NTIFS_)) || defined(_WMIKM_)

/*
 * Log file header using native pointer types for the two name fields.
 * With _WMIKM_ defined the names are PWCHAR and the time zone is
 * RTL_TIME_ZONE_INFORMATION; otherwise LPWSTR and TIME_ZONE_INFORMATION.
 *
 * NOTE(review): because LoggerName/LogFileName are pointer-sized, this
 * layout differs between 32-bit and 64-bit builds; the fixed-width
 * TRACE_LOGFILE_HEADER32/64 variants below exist alongside it. When the
 * header originates from a file, the stored pointer values presumably are
 * not valid addresses in the reading process -- do not dereference them
 * without confirming how the API populates them.
 */
typedef struct _TRACE_LOGFILE_HEADER {
  ULONG BufferSize;
  /* Packed 32-bit version, or its four component bytes. */
  __MINGW_EXTENSION union {
    ULONG Version;
    struct {
      UCHAR MajorVersion;
      UCHAR MinorVersion;
      UCHAR SubVersion;
      UCHAR SubMinorVersion;
    } VersionDetail;
  } DUMMYUNIONNAME;
  ULONG ProviderVersion;
  ULONG NumberOfProcessors;
  LARGE_INTEGER EndTime;
  ULONG TimerResolution;
  ULONG MaximumFileSize;
  ULONG LogFileMode;
  ULONG BuffersWritten;
  /* Either a log instance GUID or four counters occupying the same 16 bytes. */
  __MINGW_EXTENSION union {
    GUID LogInstanceGuid;
    __MINGW_EXTENSION struct {
      ULONG StartBuffers;
      ULONG PointerSize;
      ULONG EventsLost;
      ULONG CpuSpeedInMHz;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME2;
#if defined(_WMIKM_)
  PWCHAR LoggerName;
  PWCHAR LogFileName;
  RTL_TIME_ZONE_INFORMATION TimeZone;
#else
  LPWSTR LoggerName;
  LPWSTR LogFileName;
  TIME_ZONE_INFORMATION TimeZone;
#endif
  LARGE_INTEGER BootTime;
  LARGE_INTEGER PerfFreq;
  LARGE_INTEGER StartTime;
  ULONG ReservedFlags;
  ULONG BuffersLost;
} TRACE_LOGFILE_HEADER,*PTRACE_LOGFILE_HEADER;

/*
 * Variant of TRACE_LOGFILE_HEADER whose LoggerName/LogFileName fields are
 * 32-bit integers instead of pointers, so the layout does not depend on
 * the pointer size of the build. The unions here are anonymous (no
 * DUMMYUNIONNAME), which relies on compiler support for anonymous
 * struct/union members.
 * Both branches of the #if declare the name fields identically; they
 * differ only in the TimeZone type.
 */
typedef struct _TRACE_LOGFILE_HEADER32 {
  ULONG BufferSize;
  __MINGW_EXTENSION union {
    ULONG Version;
    struct {
      UCHAR MajorVersion;
      UCHAR MinorVersion;
      UCHAR SubVersion;
      UCHAR SubMinorVersion;
    } VersionDetail;
  };
  ULONG ProviderVersion;
  ULONG NumberOfProcessors;
  LARGE_INTEGER EndTime;
  ULONG TimerResolution;
  ULONG MaximumFileSize;
  ULONG LogFileMode;
  ULONG BuffersWritten;
  __MINGW_EXTENSION union {
    GUID LogInstanceGuid;
    __MINGW_EXTENSION struct {
      ULONG StartBuffers;
      ULONG PointerSize;
      ULONG EventsLost;
      ULONG CpuSpeedInMHz;
    };
  };
#if defined(_WMIKM_)
  ULONG32 LoggerName;
  ULONG32 LogFileName;
  RTL_TIME_ZONE_INFORMATION TimeZone;
#else
  ULONG32 LoggerName;
  ULONG32 LogFileName;
  TIME_ZONE_INFORMATION TimeZone;
#endif
  LARGE_INTEGER BootTime;
  LARGE_INTEGER PerfFreq;
  LARGE_INTEGER StartTime;
  ULONG ReservedFlags;
  ULONG BuffersLost;
} TRACE_LOGFILE_HEADER32, *PTRACE_LOGFILE_HEADER32;

/*
 * Variant of TRACE_LOGFILE_HEADER whose LoggerName/LogFileName fields are
 * 64-bit integers instead of pointers. Apart from the width of those two
 * fields it is declared the same as TRACE_LOGFILE_HEADER32.
 * NOTE(review): a parser choosing between the 32 and 64 variants
 * presumably keys off the PointerSize member -- confirm, and reject
 * values other than the two expected sizes when reading untrusted files.
 */
typedef struct _TRACE_LOGFILE_HEADER64 {
  ULONG BufferSize;
  __MINGW_EXTENSION union {
    ULONG Version;
    struct {
      UCHAR MajorVersion;
      UCHAR MinorVersion;
      UCHAR SubVersion;
      UCHAR SubMinorVersion;
    } VersionDetail;
  };
  ULONG ProviderVersion;
  ULONG NumberOfProcessors;
  LARGE_INTEGER EndTime;
  ULONG TimerResolution;
  ULONG MaximumFileSize;
  ULONG LogFileMode;
  ULONG BuffersWritten;
  __MINGW_EXTENSION union {
    GUID LogInstanceGuid;
    __MINGW_EXTENSION struct {
      ULONG StartBuffers;
      ULONG PointerSize;
      ULONG EventsLost;
      ULONG CpuSpeedInMHz;
    };
  };
#if defined(_WMIKM_)
  ULONG64 LoggerName;
  ULONG64 LogFileName;
  RTL_TIME_ZONE_INFORMATION TimeZone;
#else
  ULONG64 LoggerName;
  ULONG64 LogFileName;
  TIME_ZONE_INFORMATION TimeZone;
#endif
  LARGE_INTEGER BootTime;
  LARGE_INTEGER PerfFreq;
  LARGE_INTEGER StartTime;
  ULONG ReservedFlags;
  ULONG BuffersLost;
} TRACE_LOGFILE_HEADER64, *PTRACE_LOGFILE_HEADER64;

#endif /* !_NTDDK_ || _WMIKM_ */

/*
 * Registration handle plus instance id; this is the type of the pInstInfo
 * and pParentInstInfo arguments of CreateTraceInstanceId and
 * TraceEventInstance declared below.
 */
typedef struct _EVENT_INSTANCE_INFO {
  HANDLE RegHandle;
  ULONG InstanceId;
} EVENT_INSTANCE_INFO,*PEVENT_INSTANCE_INFO;

/* User-mode only: skipped when any of _WMIKM_, _NTDDK_ or _NTIFS_ is defined. */
#if !defined(_WMIKM_) && !defined(_NTDDK_) && !defined(_NTIFS_)

/*
 * Session properties passed to the Start/Stop/Query/Update/Flush/Control
 * trace functions declared below. The first group of fields (BufferSize
 * through AgeLimit) reads as configuration, the second group
 * (NumberOfBuffers onward) as status -- inferred from names, confirm.
 *
 * NOTE(review): LogFileNameOffset and LoggerNameOffset are presumably byte
 * offsets from the start of this structure to strings stored after it. If
 * so, the caller has to allocate sizeof(EVENT_TRACE_PROPERTIES) plus room
 * for both strings and keep each offset inside that allocation; an
 * undersized buffer is a classic overflow source with this kind of API.
 * WNODE_HEADER is declared outside this header.
 */
typedef struct _EVENT_TRACE_PROPERTIES {
  WNODE_HEADER Wnode;
  ULONG BufferSize;
  ULONG MinimumBuffers;
  ULONG MaximumBuffers;
  ULONG MaximumFileSize;
  ULONG LogFileMode;
  ULONG FlushTimer;
  ULONG EnableFlags;
  LONG AgeLimit;

  ULONG NumberOfBuffers;
  ULONG FreeBuffers;
  ULONG EventsLost;
  ULONG BuffersWritten;
  ULONG LogBuffersLost;
  ULONG RealTimeBuffersLost;
  HANDLE LoggerThreadId;
  ULONG LogFileNameOffset;
  ULONG LoggerNameOffset;
} EVENT_TRACE_PROPERTIES,*PEVENT_TRACE_PROPERTIES;

/* One entry of the TraceGuidReg array given to RegisterTraceGuidsW/A: a GUID pointer and a handle slot. */
typedef struct _TRACE_GUID_REGISTRATION {
  LPCGUID Guid;
  HANDLE RegHandle;
} TRACE_GUID_REGISTRATION,*PTRACE_GUID_REGISTRATION;

#endif /* !defined(_WMIKM_) && !defined(_NTDDK_) && !defined(_NTIFS_) */

/*
 * Per-GUID registration state; EnumerateTraceGuids (declared below) takes
 * an array of pointers to this structure.
 */
typedef struct _TRACE_GUID_PROPERTIES {
  GUID Guid;
  ULONG GuidType;
  ULONG LoggerId;
  ULONG EnableLevel;
  ULONG EnableFlags;
  BOOLEAN IsEnable;
} TRACE_GUID_PROPERTIES,*PTRACE_GUID_PROPERTIES;

/* Four-byte buffer context; it is overlaid with a ULONG in EVENT_TRACE's final union. */
typedef struct _ETW_BUFFER_CONTEXT {
  UCHAR  ProcessorNumber;
  UCHAR  Alignment;
  USHORT LoggerId;
} ETW_BUFFER_CONTEXT, *PETW_BUFFER_CONTEXT;

/* Enable state of a provider for one logger: level, enable property and the two keyword masks. */
typedef struct _TRACE_ENABLE_INFO {
  ULONG IsEnabled;
  UCHAR Level;
  UCHAR Reserved1;
  USHORT LoggerId;
  ULONG EnableProperty;
  ULONG Reserved2;
  ULONGLONG MatchAnyKeyword;
  ULONGLONG MatchAllKeyword;
} TRACE_ENABLE_INFO, *PTRACE_ENABLE_INFO;

/*
 * Per-instance provider record.
 * NOTE(review): NextOffset presumably links to the next record inside a
 * returned buffer; code walking such a list should check every offset
 * against the buffer length before following it -- confirm semantics.
 */
typedef struct _TRACE_PROVIDER_INSTANCE_INFO {
  ULONG NextOffset;
  ULONG EnableCount;
  ULONG Pid;
  ULONG Flags;
} TRACE_PROVIDER_INSTANCE_INFO, *PTRACE_PROVIDER_INSTANCE_INFO;

/* Instance count plus a reserved word. */
typedef struct _TRACE_GUID_INFO {
  ULONG InstanceCount;
  ULONG Reserved;
} TRACE_GUID_INFO, *PTRACE_GUID_INFO;

/*
 * Event as handed to a PEVENT_CALLBACK: the trace header, instance ids,
 * parent GUID and a pointer/length pair for the event payload.
 *
 * NOTE(review): MofLength presumably gives the number of valid bytes at
 * MofData. A callback decoding events from a log file it does not trust
 * should bound every read by MofLength and handle a zero length or NULL
 * pointer -- confirm against the API documentation.
 */
typedef struct _EVENT_TRACE {
  EVENT_TRACE_HEADER Header;
  ULONG InstanceId;
  ULONG ParentInstanceId;
  GUID ParentGuid;
  PVOID MofData;
  ULONG MofLength;
  __MINGW_EXTENSION union {
    ULONG ClientContext;
    ETW_BUFFER_CONTEXT BufferContext; /* MSDN says ULONG, for XP and older? */
  } DUMMYUNIONNAME;
} EVENT_TRACE,*PEVENT_TRACE;

#if !defined(_WMIKM_) && !defined(_NTDDK_) && !defined(_NTIFS_)

/*
 * Forward declarations and callback types.
 * EVENT_RECORD and EVENT_FILTER_DESCRIPTOR are only forward-declared here;
 * the DEFINED_* guards let the headers named in the trailing comments
 * share the same typedefs without redefinition.
 */
#ifndef DEFINED_PEVENT_RECORD
typedef struct _EVENT_RECORD EVENT_RECORD, *PEVENT_RECORD;
#define DEFINED_PEVENT_RECORD		1
#endif	/* for  evntcons.h */
#ifndef DEFINED_PEVENT_FILTER_DESC
typedef struct _EVENT_FILTER_DESCRIPTOR EVENT_FILTER_DESCRIPTOR, *PEVENT_FILTER_DESCRIPTOR;
#define DEFINED_PEVENT_FILTER_DESC	1
#endif	/* for  evntprov.h */
typedef struct _EVENT_TRACE_LOGFILEW EVENT_TRACE_LOGFILEW,*PEVENT_TRACE_LOGFILEW;
typedef struct _EVENT_TRACE_LOGFILEA EVENT_TRACE_LOGFILEA,*PEVENT_TRACE_LOGFILEA;
/* Per-buffer callbacks (wide and ANSI log file variants); both return ULONG. */
typedef ULONG (WINAPI *PEVENT_TRACE_BUFFER_CALLBACKW)(PEVENT_TRACE_LOGFILEW Logfile);
typedef ULONG (WINAPI *PEVENT_TRACE_BUFFER_CALLBACKA)(PEVENT_TRACE_LOGFILEA Logfile);
/* Per-event callbacks: one taking an EVENT_TRACE, one taking an EVENT_RECORD. */
typedef VOID (WINAPI *PEVENT_CALLBACK)(PEVENT_TRACE pEvent);
typedef VOID (WINAPI *PEVENT_RECORD_CALLBACK)(PEVENT_RECORD EventRecord);
/* Provider control callback registered through RegisterTraceGuidsW/A; WMIDPREQUESTCODE is declared outside this header. */
typedef ULONG (WINAPI *WMIDPREQUEST)(WMIDPREQUESTCODE RequestCode,PVOID RequestContext,ULONG *BufferSize,PVOID Buffer);

/*
 * Wide-character description of a trace source, passed to OpenTraceW and
 * to the buffer callback. It embeds the current event and the log file
 * header and carries the callbacks to invoke.
 *
 * EventCallback and EventRecordCallback share storage, so exactly one of
 * them is in effect. NOTE(review): which one is used is presumably
 * selected through ProcessTraceMode -- confirm; installing a callback of
 * the wrong type would make the other signature be called through it.
 */
struct _EVENT_TRACE_LOGFILEW {
  LPWSTR LogFileName;
  LPWSTR LoggerName;
  LONGLONG CurrentTime;
  ULONG BuffersRead;
  __MINGW_EXTENSION union {
    ULONG LogFileMode;
    ULONG ProcessTraceMode;
  } DUMMYUNIONNAME;
  EVENT_TRACE CurrentEvent;
  TRACE_LOGFILE_HEADER LogfileHeader;
  PEVENT_TRACE_BUFFER_CALLBACKW BufferCallback;
  ULONG BufferSize;
  ULONG Filled;
  ULONG EventsLost;
  __MINGW_EXTENSION union {
    PEVENT_CALLBACK EventCallback;
    PEVENT_RECORD_CALLBACK EventRecordCallback;
  } DUMMYUNIONNAME2;
  ULONG IsKernelTrace;
  PVOID Context;
};

/*
 * ANSI counterpart of _EVENT_TRACE_LOGFILEW, passed to OpenTraceA. It is
 * declared the same way except that the two name fields are LPSTR and the
 * buffer callback is the A variant. The embedded TRACE_LOGFILE_HEADER is
 * the same type in both structures.
 * EventCallback and EventRecordCallback share storage here as well.
 */
struct _EVENT_TRACE_LOGFILEA {
  LPSTR LogFileName;
  LPSTR LoggerName;
  LONGLONG CurrentTime;
  ULONG BuffersRead;
  __MINGW_EXTENSION union {
    ULONG LogFileMode;
    ULONG ProcessTraceMode;
  } DUMMYUNIONNAME;
  EVENT_TRACE CurrentEvent;
  TRACE_LOGFILE_HEADER LogfileHeader;
  PEVENT_TRACE_BUFFER_CALLBACKA BufferCallback;
  ULONG BufferSize;
  ULONG Filled;
  ULONG EventsLost;
  __MINGW_EXTENSION union {
    PEVENT_CALLBACK EventCallback;
    PEVENT_RECORD_CALLBACK EventRecordCallback;
  } DUMMYUNIONNAME2;
  ULONG IsKernelTrace;
  PVOID Context;
};

/*
 * Generic (suffix-less) names for the log file types and logger names,
 * bound to the W variants when _UNICODE or UNICODE is defined and to the
 * A variants otherwise. DIAG_LOGGER_NAME is not given a generic alias.
 */
#if defined(_UNICODE) || defined(UNICODE)
#define PEVENT_TRACE_BUFFER_CALLBACK	PEVENT_TRACE_BUFFER_CALLBACKW
#define EVENT_TRACE_LOGFILE		EVENT_TRACE_LOGFILEW
#define PEVENT_TRACE_LOGFILE		PEVENT_TRACE_LOGFILEW
#define KERNEL_LOGGER_NAME		KERNEL_LOGGER_NAMEW
#define GLOBAL_LOGGER_NAME		GLOBAL_LOGGER_NAMEW
#define EVENT_LOGGER_NAME		EVENT_LOGGER_NAMEW
#else
#define PEVENT_TRACE_BUFFER_CALLBACK	PEVENT_TRACE_BUFFER_CALLBACKA
#define EVENT_TRACE_LOGFILE		EVENT_TRACE_LOGFILEA
#define PEVENT_TRACE_LOGFILE		PEVENT_TRACE_LOGFILEA
#define KERNEL_LOGGER_NAME		KERNEL_LOGGER_NAMEA
#define GLOBAL_LOGGER_NAME		GLOBAL_LOGGER_NAMEA
#define EVENT_LOGGER_NAME		EVENT_LOGGER_NAMEA
#endif /* defined(_UNICODE) || defined(UNICODE) */

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Session control entry points, in W/A pairs. All return ULONG
 * (presumably a Win32 status code -- confirm) and take an
 * EVENT_TRACE_PROPERTIES pointer; StartTrace receives the new handle
 * through its first argument, the others take an existing handle and/or
 * instance name. ControlTrace adds a ControlCode, for which the
 * EVENT_TRACE_CONTROL_* values are defined above.
 *
 * Each prototype carries EXTERN_C even though the block is already inside
 * extern "C" when compiled as C++; the duplication is harmless.
 *
 * Stop/Update/Control and EnableTrace change what a session collects.
 * Callers should check the returned status rather than assume the
 * request took effect.
 */
EXTERN_C ULONG WMIAPI StartTraceW(PTRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI StartTraceA(PTRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI StopTraceW(TRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI StopTraceA(TRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI QueryTraceW(TRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI QueryTraceA(TRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI UpdateTraceW(TRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI UpdateTraceA(TRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI FlushTraceW(TRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI FlushTraceA(TRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties);
EXTERN_C ULONG WMIAPI ControlTraceW(TRACEHANDLE TraceHandle,LPCWSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties,ULONG ControlCode);
EXTERN_C ULONG WMIAPI ControlTraceA(TRACEHANDLE TraceHandle,LPCSTR InstanceName,PEVENT_TRACE_PROPERTIES Properties,ULONG ControlCode);
/* Enumerates sessions into a caller-supplied array of PropertyArrayCount entries; LoggerCount receives a count. */
EXTERN_C ULONG WMIAPI QueryAllTracesW(PEVENT_TRACE_PROPERTIES *PropertyArray,ULONG PropertyArrayCount,PULONG LoggerCount);
EXTERN_C ULONG WMIAPI QueryAllTracesA(PEVENT_TRACE_PROPERTIES *PropertyArray,ULONG PropertyArrayCount,PULONG LoggerCount);
/* Enables or disables (Enable) the provider identified by ControlGuid for the given session handle. */
EXTERN_C ULONG WMIAPI EnableTrace(ULONG Enable,ULONG EnableFlag,ULONG EnableLevel,LPCGUID ControlGuid,TRACEHANDLE TraceHandle);

/*
 * Extended enable call, declared only when _WIN32_WINNT is at least
 * 0x0600. If _WIN32_WINNT is not defined the preprocessor treats it as 0
 * and this prototype is omitted.
 * Level and the two keyword masks filter which events the provider emits;
 * EnableFilterDesc points to the forward-declared
 * EVENT_FILTER_DESCRIPTOR.
 */
#if (_WIN32_WINNT >= 0x0600)
EXTERN_C ULONG WMIAPI EnableTraceEx(
  LPCGUID ProviderId,
  LPCGUID SourceId,
  TRACEHANDLE TraceHandle,
  ULONG IsEnabled,
  UCHAR Level,
  ULONGLONG MatchAnyKeyword,
  ULONGLONG MatchAllKeyword,
  ULONG EnableProperty,
  PEVENT_FILTER_DESCRIPTOR EnableFilterDesc
);
#endif /* _WIN32_WINNT >= 0x0600 */

/* Presumably the value callers store in ENABLE_TRACE_PARAMETERS.Version -- confirm. */
#define ENABLE_TRACE_PARAMETERS_VERSION	1

/*
 * Optional parameter block for EnableTraceEx2. Unlike the function that
 * consumes it, this structure is declared without a _WIN32_WINNT guard.
 */
typedef struct _ENABLE_TRACE_PARAMETERS {
  ULONG                    Version;
  ULONG                    EnableProperty;
  ULONG                    ControlFlags;
  GUID                     SourceId;
  PEVENT_FILTER_DESCRIPTOR EnableFilterDesc;
} ENABLE_TRACE_PARAMETERS, *PENABLE_TRACE_PARAMETERS;

/*
 * Second-generation enable call, declared only when _WIN32_WINNT is at
 * least 0x0601. ControlCode presumably takes the EVENT_CONTROL_CODE_*
 * values defined above (disable / enable / capture state) -- confirm.
 * A DISABLE request through this call removes a provider from the
 * session, so its use is worth recording in tooling that manages
 * security telemetry.
 */
#if (_WIN32_WINNT >= 0x0601)
EXTERN_C ULONG WMIAPI EnableTraceEx2(
  TRACEHANDLE TraceHandle,
  LPCGUID ProviderId,
  ULONG ControlCode,
  UCHAR Level,
  ULONGLONG MatchAnyKeyword,
  ULONGLONG MatchAllKeyword,
  ULONG Timeout,
  PENABLE_TRACE_PARAMETERS EnableParameters
);
#endif /* _WIN32_WINNT >= 0x0601 */

/*
 * Information classes, numbered implicitly from 0. The same enum is
 * exposed under two names: TRACE_QUERY_INFO_CLASS (used by
 * EnumerateTraceGuidsEx) and TRACE_INFO_CLASS (used by
 * TraceSetInformation). MaxTraceSetInfoClass is the last enumerator and
 * reads as an end marker rather than a usable class.
 */
typedef enum _TRACE_QUERY_INFO_CLASS {
  TraceGuidQueryList,
  TraceGuidQueryInfo,
  TraceGuidQueryProcess,
  TraceStackTracingInfo,
  MaxTraceSetInfoClass 
} TRACE_QUERY_INFO_CLASS, TRACE_INFO_CLASS;

/*
 * Query call with separate input and output buffers, declared only when
 * _WIN32_WINNT is at least 0x0600.
 * NOTE(review): ReturnLength presumably reports the bytes written or
 * required. Callers should size OutBuffer from it and never read past
 * the reported length; records inside the buffer that carry their own
 * offsets (see TRACE_PROVIDER_INSTANCE_INFO.NextOffset) need the same
 * bounds check.
 */
#if (_WIN32_WINNT >= 0x0600)
EXTERN_C ULONG WMIAPI EnumerateTraceGuidsEx(
  TRACE_QUERY_INFO_CLASS TraceQueryInfoClass,
  PVOID InBuffer,
  ULONG InBufferSize,
  PVOID OutBuffer,
  ULONG OutBufferSize,
  PULONG ReturnLength
);
#endif /* _WIN32_WINNT >= 0x0600 */

/*
 * Identifies one classic event by class GUID and type byte, padded with
 * seven reserved bytes.
 * Example: to enable the read event type for disk I/O events, set the
 * GUID to 3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c and Type to 10 (the value
 * of EVENT_TRACE_TYPE_IO_READ, 0x0A, defined above).
 */
typedef struct _CLASSIC_EVENT_ID {
  GUID EventGuid;
  UCHAR Type;
  UCHAR Reserved[7];
} CLASSIC_EVENT_ID, *PCLASSIC_EVENT_ID;

/*
 * Sets session information of the given class, declared only when
 * _WIN32_WINNT is at least 0x0601. InformationLength is the caller's
 * statement of how many bytes TraceInformation holds; it must match the
 * buffer actually passed.
 */
#if (_WIN32_WINNT >= 0x0601)
EXTERN_C ULONG WMIAPI TraceSetInformation(
  TRACEHANDLE SessionHandle,
  TRACE_INFO_CLASS InformationClass,
  PVOID TraceInformation,
  ULONG InformationLength
);
#endif /* _WIN32_WINNT >= 0x0601 */

/*
 * Provider-side and consumer-side entry points.
 *  - CreateTraceInstanceId / TraceEvent / TraceEventInstance: emit events
 *    using the header structures declared above.
 *  - RegisterTraceGuidsW/A, UnregisterTraceGuids, EnumerateTraceGuids:
 *    provider registration and enumeration.
 *  - GetTraceLoggerHandle / GetTraceEnableLevel / GetTraceEnableFlags:
 *    accessors for use with a registered provider.
 *  - OpenTraceA/W, ProcessTrace, CloseTrace, SetTraceCallback,
 *    RemoveTraceCallback: consumer side.
 *  - TraceMessage / TraceMessageVa: message-style tracing.
 *
 * NOTE(review): OpenTrace presumably signals failure by returning
 * INVALID_PROCESSTRACE_HANDLE (defined below) -- confirm, and check for it
 * before passing the handle to ProcessTrace.
 */
EXTERN_C ULONG WMIAPI CreateTraceInstanceId(HANDLE RegHandle,PEVENT_INSTANCE_INFO pInstInfo);
EXTERN_C ULONG WMIAPI TraceEvent(TRACEHANDLE TraceHandle,PEVENT_TRACE_HEADER EventTrace);
EXTERN_C ULONG WMIAPI TraceEventInstance(TRACEHANDLE TraceHandle,PEVENT_INSTANCE_HEADER EventTrace,PEVENT_INSTANCE_INFO pInstInfo,PEVENT_INSTANCE_INFO pParentInstInfo);
EXTERN_C ULONG WMIAPI RegisterTraceGuidsW(WMIDPREQUEST RequestAddress,PVOID RequestContext,LPCGUID ControlGuid,ULONG GuidCount,PTRACE_GUID_REGISTRATION TraceGuidReg,LPCWSTR MofImagePath,LPCWSTR MofResourceName,PTRACEHANDLE RegistrationHandle);
EXTERN_C ULONG WMIAPI RegisterTraceGuidsA(WMIDPREQUEST RequestAddress,PVOID RequestContext,LPCGUID ControlGuid,ULONG GuidCount,PTRACE_GUID_REGISTRATION TraceGuidReg,LPCSTR MofImagePath,LPCSTR MofResourceName,PTRACEHANDLE RegistrationHandle);
EXTERN_C ULONG WMIAPI EnumerateTraceGuids(PTRACE_GUID_PROPERTIES *GuidPropertiesArray,ULONG PropertyArrayCount,PULONG GuidCount);
EXTERN_C ULONG WMIAPI UnregisterTraceGuids(TRACEHANDLE RegistrationHandle);
EXTERN_C TRACEHANDLE WMIAPI GetTraceLoggerHandle(PVOID Buffer);
EXTERN_C UCHAR WMIAPI GetTraceEnableLevel(TRACEHANDLE TraceHandle);
EXTERN_C ULONG WMIAPI GetTraceEnableFlags(TRACEHANDLE TraceHandle);
EXTERN_C TRACEHANDLE WMIAPI OpenTraceA(PEVENT_TRACE_LOGFILEA Logfile);
EXTERN_C TRACEHANDLE WMIAPI OpenTraceW(PEVENT_TRACE_LOGFILEW Logfile);
EXTERN_C ULONG WMIAPI ProcessTrace(PTRACEHANDLE HandleArray,ULONG HandleCount,LPFILETIME StartTime,LPFILETIME EndTime);
EXTERN_C ULONG WMIAPI CloseTrace(TRACEHANDLE TraceHandle);
EXTERN_C ULONG WMIAPI SetTraceCallback(LPCGUID pGuid,PEVENT_CALLBACK EventCallback);
EXTERN_C ULONG WMIAPI RemoveTraceCallback (LPCGUID pGuid);
/*
 * TraceMessage is variadic and therefore __cdecl, not WMIAPI. The variable
 * arguments are not type-checked by the compiler; the expected layout of
 * the argument list is defined by the API, not by this header.
 * TraceMessageVa needs va_list, so <stdarg.h> must be included first.
 */
EXTERN_C ULONG __cdecl TraceMessage(TRACEHANDLE LoggerHandle,ULONG MessageFlags,LPCGUID MessageGuid,USHORT MessageNumber,...);
EXTERN_C ULONG WMIAPI TraceMessageVa(TRACEHANDLE LoggerHandle,ULONG MessageFlags,LPCGUID MessageGuid,USHORT MessageNumber,va_list MessageArgList);

#ifdef __cplusplus
}
#endif

/*
 * Invalid-handle sentinel for trace handles: INVALID_HANDLE_VALUE cast to
 * the 64-bit TRACEHANDLE.
 * NOTE(review): on a 32-bit build this converts a 32-bit pointer value to
 * a 64-bit integer, and how the upper bits are filled is
 * implementation-defined. Confirm that the resulting constant matches
 * what OpenTrace actually returns on failure for 32-bit targets, otherwise
 * a failed open can go undetected.
 */
#define INVALID_PROCESSTRACE_HANDLE	((TRACEHANDLE)INVALID_HANDLE_VALUE)

/*
 * Generic function names bound to the W or A entry points according to
 * UNICODE / _UNICODE.
 *
 * With __TRACE_W2K_COMPATIBLE defined, StopTrace, QueryTrace and
 * UpdateTrace become function-like macros that call ControlTraceW/A with
 * the matching EVENT_TRACE_CONTROL_* code instead of naming the dedicated
 * functions. In that mode the three names can no longer be used as
 * function pointers. FlushTrace is always mapped to FlushTraceW/A, even
 * though EVENT_TRACE_CONTROL_FLUSH is defined.
 */
#if defined(UNICODE) || defined(_UNICODE)
#define RegisterTraceGuids	RegisterTraceGuidsW
#define StartTrace		StartTraceW
#define ControlTrace		ControlTraceW

#if defined(__TRACE_W2K_COMPATIBLE)
#define StopTrace(a,b,c)	ControlTraceW((a),(b),(c),EVENT_TRACE_CONTROL_STOP)
#define QueryTrace(a,b,c)	ControlTraceW((a),(b),(c),EVENT_TRACE_CONTROL_QUERY)
#define UpdateTrace(a,b,c)	ControlTraceW((a),(b),(c),EVENT_TRACE_CONTROL_UPDATE)
#else
#define StopTrace		StopTraceW
#define QueryTrace		QueryTraceW
#define UpdateTrace		UpdateTraceW
#endif /* defined(__TRACE_W2K_COMPATIBLE) */

#define FlushTrace		FlushTraceW
#define QueryAllTraces		QueryAllTracesW
#define OpenTrace		OpenTraceW

#else /* defined(UNICODE) || defined(_UNICODE) */

#define RegisterTraceGuids	RegisterTraceGuidsA
#define StartTrace		StartTraceA
#define ControlTrace		ControlTraceA

#if defined(__TRACE_W2K_COMPATIBLE)
#define StopTrace(a,b,c)	ControlTraceA((a),(b),(c),EVENT_TRACE_CONTROL_STOP)
#define QueryTrace(a,b,c)	ControlTraceA((a),(b),(c),EVENT_TRACE_CONTROL_QUERY)
#define UpdateTrace(a,b,c)	ControlTraceA((a),(b),(c),EVENT_TRACE_CONTROL_UPDATE)
#else
#define StopTrace		StopTraceA
#define QueryTrace		QueryTraceA
#define UpdateTrace		UpdateTraceA
#endif /* defined(__TRACE_W2K_COMPATIBLE) */

#define FlushTrace		FlushTraceA
#define QueryAllTraces		QueryAllTracesA
#define OpenTrace		OpenTraceA
#endif /* defined(UNICODE) || defined(_UNICODE) */

#endif /* !defined(_WMIKM_) && !defined(_NTDDK_) && !defined(_NTIFS_) */

#endif /* defined(_WINNT_) || defined(WINNT) */

#endif /* _EVNTRACE_ */