The EVENT_TRACE_HEADER structure is used to pass a WMI event to the WMI event logger. It is overlaid on the WNODE_HEADER portion of the WNODE_EVENT_ITEM passed to IoWMIWriteEvent. Information contained in the EVENT_TRACE_HEADER is written to the WMI log file.


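typedef struct _EVENT_TRACE_HEADER {
  USHORT        Size;
  union {
    USHORT FieldTypeFlags;
    struct {
      UCHAR HeaderType;
      UCHAR MarkerFlags;
    } DUMMYSTRUCTNAME;
  } DUMMYUNIONNAME;
  union {
    ULONG Version;
    struct {
      UCHAR  Type;
      UCHAR  Level;
      USHORT Version;
    } Class;
  } DUMMYUNIONNAME2;
  ULONG         ThreadId;
  ULONG         ProcessId;
  LARGE_INTEGER TimeStamp;
  union {
    GUID      Guid;
    ULONGLONG GuidPtr;
  } DUMMYUNIONNAME3;
  union {
    struct {
      ULONG KernelTime;
      ULONG UserTime;
    } DUMMYSTRUCTNAME;
    ULONG64 ProcessorTime;
    struct {
      ULONG ClientContext;
      ULONG Flags;
    } DUMMYSTRUCTNAME2;
  } DUMMYUNIONNAME4;
} EVENT_TRACE_HEADER, *PEVENT_TRACE_HEADER;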



Size
Specifies the size, in bytes, of the buffer that is allocated to hold event tracing information. The value must include both the size of the EVENT_TRACE_HEADER structure and the size of any driver-specific data. (EVENT_TRACE_HEADER is overlaid on a WNODE_HEADER structure, but the Size member of EVENT_TRACE_HEADER and the BufferSize member of WNODE_HEADER do not specify the same size. Do not use the BufferSize member of WNODE_HEADER to set the Size member.)


Reserved for internal use.


Reserved for internal use.


Class.Type
Trace event type. This can be one of the predefined EVENT_TRACE_TYPE_XXX values contained in Evntrace.h or can be a driver-defined value. Callers are free to define private event types with values greater than the reserved values in Evntrace.h.


Class.Level
Trace instrumentation level. A driver-defined value meant to represent the degree of detail of the trace instrumentation. Drivers are free to give this value meaning. This value should be 0 by default. More information about how consumers can request different levels of trace information will be provided in a future version of the documentation.


Class.Version
Version of trace record. Version information that can be used by the driver to track different event formats.


ThreadId
Thread identifier.


ProcessId
Process identifier.


TimeStamp
The time at which the driver event occurred. This time value is expressed in absolute system time format. Absolute system time is the number of 100-nanosecond intervals since the start of the year 1601 in the Gregorian calendar. If WNODE_FLAG_USE_TIMESTAMP is set in Flags, the system logger will leave the value of TimeStamp unchanged. Otherwise, the system logger will set the value of TimeStamp at the time it receives the event. A driver can call KeQuerySystemTime to set the value of TimeStamp.


Reserved for internal use.


Reserved for internal use.


Reserved for internal use.


Flags
Provides information about the contents of this structure. For information about EVENT_TRACE_HEADER Flags values, see the Flags description in WNODE_HEADER.


A driver that supports trace events will use this structure to report events to the WMI event logger. Trace events should not be reported until the driver receives a request to enable events and the control GUID is one the driver supports. The driver should initialize an EVENT_TRACE_HEADER structure, fill in any user-defined event data at the end, and pass a pointer to the EVENT_TRACE_HEADER to IoWMIWriteEvent. The driver should continue reporting trace events until it receives a request to disable the control GUID for the trace events.

If the driver does not specify the WNODE_FLAG_USE_MOF_PTR flag in the Flags member of EVENT_TRACE_HEADER, the EVENT_TRACE_HEADER structure is followed in memory by event-specific data. In this case, the Size member must be sizeof(EVENT_TRACE_HEADER) plus the size of the event-specific data.

If the driver does specify the WNODE_FLAG_USE_MOF_PTR flag, the EVENT_TRACE_HEADER structure is followed in memory by an array of MOF_FIELD structures (which are defined in Evntrace.h) that contain pointers to the data and sizes rather than the event tracing data itself. In this case, the Size member must be sizeof(EVENT_TRACE_HEADER) plus the size of the array of MOF_FIELD structures.
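The two Size rules above, as an added example that is not part of the original documentation or of Evntrace.h. Because Size is a USHORT, the helpers reject any total that would not fit in 16 bits instead of letting a cast truncate it. TRACE_HDR and MOF_FLD are stand-in layouts, and trace_size, build_inline and mof_ptr_size are hypothetical helper names, used so the code compiles outside the WDK.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in layouts (assumption) so this builds without the WDK; a driver
   uses the real EVENT_TRACE_HEADER and MOF_FIELD from Evntrace.h. */
typedef struct {
    uint16_t Size;
    uint16_t FieldTypeFlags;
    struct { uint8_t Type, Level; uint16_t Version; } Class;
    uint32_t ThreadId, ProcessId;
    int64_t  TimeStamp;
    uint8_t  Guid[16];
    uint32_t ClientContext, Flags;
} TRACE_HDR;
typedef struct { uint64_t DataPtr; uint32_t Length, DataType; } MOF_FLD;

/* Hypothetical helper: value for Size, or 0 if it cannot fit in a USHORT. */
uint16_t trace_size(size_t payload_bytes)
{
    if (payload_bytes > UINT16_MAX - sizeof(TRACE_HDR))
        return 0;                 /* a cast would silently truncate */
    return (uint16_t)(sizeof(TRACE_HDR) + payload_bytes);
}

/* Inline case (WNODE_FLAG_USE_MOF_PTR clear): header, then the event data.
   buf must be suitably aligned for TRACE_HDR. Returns 0 on success. */
int build_inline(void *buf, size_t cap, const void *data, size_t len)
{
    uint16_t total = trace_size(len);
    if (total == 0 || total > cap)
        return -1;                /* oversized event or short buffer */
    TRACE_HDR *h = buf;
    memset(h, 0, sizeof *h);
    h->Size = total;
    memcpy((uint8_t *)buf + sizeof *h, data, len);
    return 0;
}

/* MOF_PTR case: Size covers the header plus the MOF_FIELD array only. */
uint16_t mof_ptr_size(size_t field_count)
{
    if (field_count > (UINT16_MAX - sizeof(TRACE_HDR)) / sizeof(MOF_FLD))
        return 0;                 /* also guards the multiplication below */
    return trace_size(field_count * sizeof(MOF_FLD));
}
```

In a driver, the remaining header members (Class, Guid, Flags and so on) are filled in before the buffer is passed to IoWMIWriteEvent.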


Header: evntrace.h (include Wdm.h, Ntddk.h)
