ETW_TRACE_PARTITION_INFORMATION structure

Contains partition information pulled from an ETW trace. Most commonly used as a return structure for QueryTraceProcessingHandle.

Syntax

typedef struct _ETW_TRACE_PARTITION_INFORMATION {
  GUID   PartitionId;
  GUID   ParentId;
  LONG64 QpcOffsetFromRoot;
  ULONG  PartitionType;
} ETW_TRACE_PARTITION_INFORMATION, *PETW_TRACE_PARTITION_INFORMATION;

Members

PartitionId

GUID to identify the machine.

ParentId

GUID that identifies the partition instance that contains the traced partition. If the traced partition is a host, then ParentId will be 0.

QpcOffsetFromRoot

PartitionType

Enumeration value of the container type. The value may be one of the following:

| Value | Meaning |
| --- | --- |
| Process (1) | For events originating from inside a “Windows Server Container”. |
| VmHost (2) | For events originating from inside a “Hyper-V Container”. |
| VmHostedUvm (3) | For events originating from a “Hyper-V Container” template virtual machine. |
| VmDirectUvm (4) | For events originating from applications running with Windows Defender Application Guard. |
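
The following is an added example, not code from the original page or from Microsoft: it shows how a trace consumer could use ParentId and PartitionType to attribute a partition to its host and flag records whose parent is absent from the trace. The types `guid_t` and `partition_info_t`, the functions, and the sample records are assumptions made so the code compiles without evntrace.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable mirror of the Syntax layout (assumption; on Windows use <evntrace.h>). */
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } guid_t;
typedef struct {
    guid_t   PartitionId;
    guid_t   ParentId;
    int64_t  QpcOffsetFromRoot;
    uint32_t PartitionType;
} partition_info_t;

static int guid_eq(const guid_t *a, const guid_t *b) { return memcmp(a, b, sizeof *a) == 0; }

/* Name for a PartitionType value from the table above; NULL if not listed. */
const char *partition_type_name(uint32_t t) {
    static const char *names[] = { NULL, "Process", "VmHost", "VmHostedUvm", "VmDirectUvm" };
    return t <= 4 ? names[t] : NULL;
}

/* Follow ParentId links from parts[idx] up to the host (ParentId == 0).
   Returns the nesting depth (0 = host), or -1 when a parent is absent
   from the set or the links form a cycle. */
int partition_depth(const partition_info_t *parts, size_t n, size_t idx) {
    static const guid_t zero = {0};
    const partition_info_t *cur = &parts[idx];
    for (size_t depth = 0; depth < n; depth++) {
        if (guid_eq(&cur->ParentId, &zero)) return (int)depth;
        const partition_info_t *parent = NULL;
        for (size_t i = 0; i < n && !parent; i++)
            if (guid_eq(&parts[i].PartitionId, &cur->ParentId)) parent = &parts[i];
        if (!parent) return -1;          /* orphan: parent not in this set */
        cur = parent;
    }
    return -1;                           /* more hops than partitions: cycle */
}

/* Constructed sample records: GUIDs are made up, and host type 0 is a
   placeholder because the table lists no value for a host. */
static const partition_info_t SAMPLE[] = {
    { {1,0,0,{0}}, {0,0,0,{0}}, 0, 0 },  /* host */
    { {2,0,0,{0}}, {1,0,0,{0}}, 0, 2 },  /* VmHost, child of the host */
    { {3,0,0,{0}}, {9,0,0,{0}}, 0, 1 },  /* Process, parent not in set */
    { {4,0,0,{0}}, {4,0,0,{0}}, 0, 3 },  /* self-parented: cycle */
};

int main(void) {
    for (size_t i = 0; i < 4; i++) {
        const char *nm = partition_type_name(SAMPLE[i].PartitionType);
        printf("%zu: type=%s depth=%d\n", i, nm ? nm : "(unlisted)", partition_depth(SAMPLE, 4, i));
    }
    return 0;
}
```

A depth of -1 marks a record that cannot be tied back to a host in the collected set, which is worth surfacing before events from that partition are attributed to a machine.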

Requirements

Minimum supported client: Windows 10, version 1709 [desktop apps only]
Minimum supported server: Windows Server 2016 [desktop apps only]
Header: evntrace.h