ENABLE_TRACE_PARAMETERS structure (evntrace.h)

The ENABLE_TRACE_PARAMETERS structure defines the information used to enable a provider.


  ULONG                    Version;
  ULONG                    EnableProperty;
  ULONG                    ControlFlags;
  GUID                     SourceId;
  ULONG                    FilterDescCount;





Optional settings that ETW can include when writing the event. Some settings write extra data to the extended data item section of each event. Other settings refine which events will be included. To use these optional settings, specify one or more of the following flags; otherwise, set to zero.

Value Meaning
Filters out all events that do not have a non-zero keyword specified.

Supported on Windows 10, version 1507 and later. This is also supported on Windows 8.1 and Windows 7 with SP1 via a patch.

Indicates that this call to EnableTraceEx2 should enable a Provider Group rather than an individual Event Provider.

Supported on Windows 10, version 1507 and later. This is also supported on Windows 8.1 and Windows 7 with SP1 via a patch.

Include the Process Start Key in the extended data.

The Process Start Key is a sequence number that identifies the process. While the Process ID may be reused within a session, the Process Start Key is guaranteed uniqueness in the current boot session.

Supported on Windows 10, version 1507 and later. This is also supported on Windows 8.1 and Windows 7 with SP1 via a patch.

Include the Event Key in the extended data.

The Event Key is a unique identifier for the event instance that will be constant across multiple trace sessions listening to this event. It can be used to correlate simultaneous trace sessions.

Supported on Windows 10, version 1507 and later.

Filters out all events that are either marked as an InPrivate event or come from a process that is marked as InPrivate.

InPrivate implies that the event or process contains some data that would be considered private or personal. It is up to the process or event to designate itself as InPrivate for this to work.

Supported on Windows 10, version 1507 and later.

Include in the extended data the security identifier (SID) of the user.

Supported on Windows Vista and later.

Include in the extended data the terminal session identifier.

Supported on Windows Vista and later.

Include in the extended data a call stack trace for events written using EventWrite.

If you set EVENT_ENABLE_PROPERTY_STACK_TRACE, ETW will drop the event if the total event size exceeds 64K. If the provider is logging events close in size to 64K maximum, it is possible that enabling stack capture will cause the event to be lost.

If the stack is longer than the maximum number of frames (192), the frames will be cut from the bottom of the stack.

For consumers, the events will include the EVENT_EXTENDED_ITEM_STACK_TRACE32 or EVENT_EXTENDED_ITEM_STACK_TRACE64 extended item. Note that on 64-bit computers, 32-bit processes will receive 64-bit stack traces.

Supported on Windows 7 and later.


Reserved. Set to 0.


A GUID that uniquely identifies the session that is enabling or disabling the provider. If the provider does not implement EnableCallback, the GUID is not used.


A pointer to an array of EVENT_FILTER_DESCRIPTOR structures that points to the filter data. The number of elements in the array is specified in the FilterDescCount member. There can only be one filter for a specific filter type as specified by the Type member of the EVENT_FILTER_DESCRIPTOR structure.

For a schematized filter (a Type member equal to EVENT_FILTER_TYPE_SCHEMATIZED), the provider uses filter data to prevent events that match the filter criteria from being written to the session. The provider determines the layout of the data and how it applies the filter to the event's data. A session can pass only one schematized filter to the provider.

A session can call the TdhEnumerateProviderFilters function to determine the schematized filters that it can pass to the provider.


The number of elements (filters) in the EVENT_FILTER_DESCRIPTOR array pointed to by EnableFilterDesc member.

The FilterDescCount member should match the number of EVENT_FILTER_DESCRIPTOR structures in the array pointed to by the EnableFilterDesc member.



The ENABLE_TRACE_PARAMETERS structure is a version 2 structure and replaces the ENABLE_TRACE_PARAMETERS_V1 structure for use with the EnableTraceEx2 function.

On Windows 8.1,Windows Server 2012 R2, and later, event payload , scope, and stack walk filters can be used by the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR structures to filter on specific conditions in a logger session. For more information on event payload filters, see the EnableTraceEx2, TdhCreatePayloadFilter, and TdhAggregatePayloadFilters functions and the EVENT_FILTER_DESCRIPTOR and PAYLOAD_FILTER_PREDICATE structures.

Typically, on 64-bit computers, you cannot capture the kernel stack in certain contexts when page faults are not allowed. To enable walking the kernel stack on x64, set the DisablePagingExecutive Memory Management registry value to 1. The DisablePagingExecutive registry value is located under the following registry key:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management

You should consider the cost of setting this registry value before doing so.


Minimum supported client Windows 7 [desktop apps only]
Minimum supported server Windows Server 2008 R2 [desktop apps only]
Header evntrace.h

See also