TdhGetProperty function

Retrieves a property value from the event data.


TDHSTATUS TdhGetProperty(
  PEVENT_RECORD             pEvent,
  ULONG                     TdhContextCount,
  PTDH_CONTEXT              pTdhContext,
  ULONG                     PropertyDataCount,
  ULONG                     BufferSize,
  PBYTE                     pBuffer



The event record passed to your EventRecordCallback callback. For details, see the EVENT_RECORD structure.


Number of elements in pTdhContext.


Array of context values for WPP or classic ETW events only; otherwise, NULL. For details, see the TDH_CONTEXT structure. The array must not contain duplicate context types.


Number of data descriptor structures in pPropertyData.


Array of PROPERTY_DATA_DESCRIPTOR structures that defines the property to retrieve.

If you called the TdhGetPropertySize function to retrieve the required buffer size for the property, you can use the same data descriptors.

If you are retrieving a property that is not a member of a structure, you can specify a single data descriptor. If you are retrieving a property that is a member of a structure, specify an array of two data descriptors (structures cannot contain or reference other structures).


Size of the pBuffer buffer, in bytes. You can get this value from the pPropertySize parameter when calling TdhGetPropertySize function.


User-allocated buffer that receives the property data.

Return Value

Returns ERROR_SUCCESS if successful. Otherwise, this function returns one of the following return codes in addition to others.

Return code Description
The schema for the event was not found or the specified property was not found.
The pBuffer buffer is too small. To get the required buffer size, call TdhGetPropertySize.
One or more of the parameters is not valid.
The resourceFileName attribute in the manifest contains the location of the provider binary. When you register the manifest, the location is written to the registry. TDH was unable to find the binary based on the registered location.
The WMI service is not available.


If the event is a WPP or classic ETW event, you can specify context information that is used to help parse the event information. The event is a WPP event if the EVENT_HEADER_FLAG_TRACE_MESSAGE flag is set in the Flags member of EVENT_HEADER (see the EventHeader member of EVENT_RECORD). The event is a legacy ETW event if the EVENT_HEADER_FLAG_CLASSIC_HEADER flag is set.

For a list of properties for WPP events and their data types, see PROPERTY_DATA_DESCRIPTOR.


For an example that shows how to call this function to retrieve the value of a top-level property or the member of a structure, see Using TdhGetProperty to Consume Event Data.


Minimum supported client Windows Vista [desktop apps only]
Minimum supported server Windows Server 2008 [desktop apps only]
Target Platform Windows
Header tdh.h
Library Tdh.lib
DLL Tdh.dll

See Also