The EVENT_TRACE_HEADER structure is used to pass a WMI event to the WMI event logger. It is overlaid on the WNODE_HEADER portion of the WNODE_EVENT_ITEM passed to IoWMIWriteEvent. Information contained in the EVENT_TRACE_HEADER is written to the WMI log file.


typedef struct _EVENT_TRACE_HEADER {
  USHORT        Size;
  union {
    USHORT FieldTypeFlags;
    struct {
      UCHAR HeaderType;
      UCHAR MarkerFlags;
    };
  };
  union {
    ULONG  Version;
    struct {
      UCHAR  Type;
      UCHAR  Level;
      USHORT Version;
    } Class;
  };
  ULONG         ThreadId;
  ULONG         ProcessId;
  LARGE_INTEGER TimeStamp;
  union {
    GUID      Guid;
    ULONGLONG GuidPtr;
  };
  union {
    struct {
      ULONG KernelTime;
      ULONG UserTime;
    };
    ULONG64 ProcessorTime;
    struct {
      ULONG ClientContext;
      ULONG Flags;
    };
  };
} EVENT_TRACE_HEADER, *PEVENT_TRACE_HEADER;

Members

ProcessId

Process identifier.

Size

Specifies the size, in bytes, of the buffer that is allocated to hold the event tracing information. The value must include both sizeof(EVENT_TRACE_HEADER) and the size of any driver-specific data that follows the header (or of the MOF_FIELD array, see Remarks). The logger relies on Size to know how many bytes follow the header, so an undersized value truncates the event and an oversized value makes the logger read past the driver's buffer. EVENT_TRACE_HEADER is overlaid on a WNODE_HEADER structure, but the Size member of EVENT_TRACE_HEADER and the BufferSize member of WNODE_HEADER do not describe the same quantity. Do not use the BufferSize member of WNODE_HEADER to set the Size member.

ThreadId

Thread identifier.

TimeStamp

The time at which the driver event occurred, expressed in absolute system time format: the number of 100-nanosecond intervals since the start of the year 1601 in the Gregorian calendar. If WNODE_FLAG_USE_TIMESTAMP is set in the Flags member, the system logger leaves the value of TimeStamp unchanged; otherwise the system logger overwrites TimeStamp with the time at which it receives the event. A driver can call KeQuerySystemTime to obtain a value for TimeStamp.


A driver that supports trace events uses this structure to report events to the WMI event logger. Trace events should not be reported until the driver receives a request to enable events for a control GUID that the driver supports. The driver initializes an EVENT_TRACE_HEADER structure, appends any user-defined event data after it, and passes a pointer to the EVENT_TRACE_HEADER to IoWMIWriteEvent. The driver should continue reporting trace events until it receives a request to disable the control GUID for the trace events.

If the driver does not specify the WNODE_FLAG_USE_MOF_PTR flag in the Flags member of EVENT_TRACE_HEADER, the EVENT_TRACE_HEADER structure is followed in memory by the event-specific data itself. In this case, the Size member must be sizeof(EVENT_TRACE_HEADER) plus the size of the event-specific data.

If the driver does specify the WNODE_FLAG_USE_MOF_PTR flag, the EVENT_TRACE_HEADER structure is followed in memory by an array of MOF_FIELD structures (defined in Evntrace.h) that carry pointers to the data and its sizes rather than the event tracing data itself. In this case, the Size member must be sizeof(EVENT_TRACE_HEADER) plus the size of the MOF_FIELD array, not the size of the data the array points to. Each MOF_FIELD must point to memory that is readable at the time of the call and must carry the exact length of that data, since the logger copies the event data through those pointers when it records the event.
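The following is an added example, not code from the page or from the WDK. It builds a user-mode replica of the EVENT_TRACE_HEADER and MOF_FIELD layouts so that it compiles outside a driver, then shows how Size is computed for both payload conventions described above (inline data versus a MOF_FIELD array) and the consistency check a consumer applies before trusting Size. The base-type definitions, the WNODE_FLAG_* values (taken from wmistr.h), the GUID, the thread/process identifiers, the timestamp and the payload are all assumptions constructed for the demo; the union member names (u1..u4, s, t, c) are the example's own, since the real header uses anonymous members.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Windows base types, redefined so the example builds outside the WDK. */
typedef uint8_t  UCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG, ULONG64;
typedef struct { ULONG Data1; USHORT Data2; USHORT Data3; UCHAR Data4[8]; } GUID;
typedef union { int64_t QuadPart; } LARGE_INTEGER;

/* Same member order and types as evntrace.h; unions are named here (u1..u4)
 * because portable C has no anonymous members. sizeof is 48 on both 32/64-bit. */
typedef struct _EVENT_TRACE_HEADER {
    USHORT Size;
    union { USHORT FieldTypeFlags; struct { UCHAR HeaderType; UCHAR MarkerFlags; } s; } u1;
    union { ULONG Version; struct { UCHAR Type; UCHAR Level; USHORT Version; } Class; } u2;
    ULONG ThreadId;
    ULONG ProcessId;
    LARGE_INTEGER TimeStamp;
    union { GUID Guid; ULONGLONG GuidPtr; } u3;
    union {
        struct { ULONG KernelTime; ULONG UserTime; } t;
        ULONG64 ProcessorTime;
        struct { ULONG ClientContext; ULONG Flags; } c;
    } u4;
} EVENT_TRACE_HEADER;

/* Descriptor used with WNODE_FLAG_USE_MOF_PTR (layout of MOF_FIELD in evntrace.h). */
typedef struct _MOF_FIELD { ULONG64 DataPtr; ULONG Length; ULONG DataType; } MOF_FIELD;

/* Flag values from wmistr.h (assumed by this example; the page does not list them). */
#define WNODE_FLAG_USE_TIMESTAMP 0x00000200u
#define WNODE_FLAG_TRACED_GUID   0x00020000u
#define WNODE_FLAG_USE_MOF_PTR   0x00100000u

/* Constructed provider GUID, ids and timestamp for the demo. */
static const GUID kDemoGuid = { 0x11223344, 0x5566, 0x7788, { 0, 1, 2, 3, 4, 5, 6, 7 } };
enum { kDemoTid = 0x1234, kDemoPid = 0x5678 };
static const int64_t kDemoTime = 132000000000000000LL; /* 100 ns ticks since 1601 */

/* Common fields; Size and Flags depend on which payload convention is used. */
static void init_header(EVENT_TRACE_HEADER *h, USHORT size, ULONG flags) {
    memset(h, 0, sizeof *h);
    h->Size = size;                      /* never copied from WNODE_HEADER.BufferSize */
    h->u2.Class.Type = 1;                /* EVENT_TRACE_TYPE_START in evntrace.h */
    h->u2.Class.Level = 4;
    h->ThreadId = kDemoTid;
    h->ProcessId = kDemoPid;
    h->TimeStamp.QuadPart = kDemoTime;   /* a driver would use KeQuerySystemTime */
    h->u3.Guid = kDemoGuid;
    h->u4.c.Flags = flags | WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_TIMESTAMP;
}

/* Inline form: header immediately followed by the event-specific bytes.
 * Returns the Size written, or 0 if it would not fit in a USHORT or in out. */
static USHORT build_inline_event(uint8_t *out, size_t out_len, const void *data, ULONG len) {
    size_t total = sizeof(EVENT_TRACE_HEADER) + len;
    EVENT_TRACE_HEADER h;
    if (total > out_len || total > 0xFFFF) return 0;
    init_header(&h, (USHORT)total, 0);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, data, len);
    return h.Size;
}

/* MOF pointer form: header followed by one MOF_FIELD per data item; the data
 * stays in place and Size counts only the descriptors, not what they point to. */
static USHORT build_mofptr_event(uint8_t *out, size_t out_len,
                                 const void *const *ptrs, const ULONG *lens, ULONG n) {
    size_t total = sizeof(EVENT_TRACE_HEADER) + (size_t)n * sizeof(MOF_FIELD);
    EVENT_TRACE_HEADER h;
    ULONG i;
    if (total > out_len || total > 0xFFFF) return 0;
    init_header(&h, (USHORT)total, WNODE_FLAG_USE_MOF_PTR);
    memcpy(out, &h, sizeof h);
    for (i = 0; i < n; i++) {
        MOF_FIELD f = { (ULONG64)(uintptr_t)ptrs[i], lens[i], 0 };
        memcpy(out + sizeof h + i * sizeof f, &f, sizeof f);
    }
    return h.Size;
}

/* Consumer-side check before walking an event: Size must cover the header
 * and must not exceed the bytes actually present in the buffer. */
static int trace_event_size_ok(const uint8_t *buf, size_t buf_len) {
    USHORT size;
    if (buf_len < sizeof(EVENT_TRACE_HEADER)) return 0;
    memcpy(&size, buf + offsetof(EVENT_TRACE_HEADER, Size), sizeof size);
    return size >= sizeof(EVENT_TRACE_HEADER) && size <= buf_len;
}

static const char kPayload[] = "constructed payload"; /* 20 bytes including NUL */

int demo_inline_ok(void) {            /* Size == 48 + 20 and passes the check */
    uint8_t buf[128];
    USHORT sz = build_inline_event(buf, sizeof buf, kPayload, sizeof kPayload);
    return sz == sizeof(EVENT_TRACE_HEADER) + sizeof kPayload && trace_event_size_ok(buf, sz);
}

int demo_mofptr_ok(void) {            /* Size == 48 + 2 * 16, independent of data size */
    uint8_t buf[128];
    const void *ptrs[2] = { kPayload, &kDemoTime };
    const ULONG lens[2] = { sizeof kPayload, sizeof kDemoTime };
    USHORT sz = build_mofptr_event(buf, sizeof buf, ptrs, lens, 2);
    return sz == sizeof(EVENT_TRACE_HEADER) + 2 * sizeof(MOF_FIELD) && trace_event_size_ok(buf, sz);
}

int demo_tampered_rejected(void) {    /* Size claiming more bytes than exist is refused */
    uint8_t buf[128];
    USHORT bad = 0xFFFF;
    USHORT sz = build_inline_event(buf, sizeof buf, kPayload, sizeof kPayload);
    memcpy(buf, &bad, sizeof bad);
    return sz != 0 && !trace_event_size_ok(buf, sz);
}

int main(void) {
    printf("sizeof(EVENT_TRACE_HEADER)=%zu inline=%d mofptr=%d tampered=%d\n",
           sizeof(EVENT_TRACE_HEADER), demo_inline_ok(), demo_mofptr_ok(), demo_tampered_rejected());
    return 0;
}
```

The two builder functions differ only in what follows the header and in how Size is derived, which is the distinction the Remarks draw; the check at the end is the one a log consumer (or a driver reviewing its own buffer before calling IoWMIWriteEvent) needs so that a bad Size cannot steer a read beyond the allocation.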


Requirements

Header: evntrace.h (include Wdm.h or Ntddk.h)

See Also

IoWMIWriteEvent

KeQuerySystemTime

MOF_FIELD

WNODE_EVENT_ITEM

WNODE_HEADER