Packet structure

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                         EVENT_HEADER                          /
/                                                               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 80 bytes
|                      ETW_BUFFER_CONTEXT                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        UserDataLength                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         MessageLength                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      ProviderNameLength                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                           UserData                            /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                            Message                            /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         ProviderName                          /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


All multi-byte numerical fields are little-endian. All primitive types in this document are Windows types; their sizes can be found in section 2.2 "Common Data Types" of [MS-DTYP]: Windows Data Types.

EVENT_HEADER is 80 bytes long; its structure is described on Microsoft's page for the EVENT_HEADER structure.

The bit values of Flags in EVENT_HEADER are:

#define EVENT_HEADER_FLAG_EXTENDED_INFO         0x0001
#define EVENT_HEADER_FLAG_STRING_ONLY           0x0004
#define EVENT_HEADER_FLAG_TRACE_MESSAGE         0x0008
#define EVENT_HEADER_FLAG_NO_CPUTIME            0x0010
#define EVENT_HEADER_FLAG_32_BIT_HEADER         0x0020
#define EVENT_HEADER_FLAG_64_BIT_HEADER         0x0040

The bit values of EventProperty in EVENT_HEADER are:

#define EVENT_HEADER_PROPERTY_XML               0x0001

ETW_BUFFER_CONTEXT is 4 bytes long; its structure is described on Microsoft's page for the ETW_BUFFER_CONTEXT structure.

UserDataLength is the length of UserData; it does not include the padding bytes that follow UserData.

MessageLength is the length of Message; it does not include the padding bytes that follow Message.

ProviderNameLength is the length of ProviderName; it does not include the padding bytes that follow ProviderName.

UserData is provider-specific event data; its format is defined by the provider.

Message is a null-terminated UTF-16 string that contains the event message string.

ProviderName is a null-terminated UTF-16 string that contains the event provider name string.
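As an added example (not code from the original page or from any project it refers to), the following Python parser walks the layout above. It assumes the three length fields are byte counts, decodes only the first four USHORTs of EVENT_HEADER (Size, HeaderType, Flags, EventProperty) and the ProcessorNumber and LoggerId members of ETW_BUFFER_CONTEXT, and checks every declared length against the buffer before slicing, so a truncated or length-forged packet raises instead of being read past its end. The sample packet is constructed in the block, not taken from a capture.

```python
import struct

EVENT_HEADER_SIZE = 80        # fixed size given on the page
ETW_BUFFER_CONTEXT_SIZE = 4   # fixed size given on the page
EVENT_HEADER_FLAG_STRING_ONLY = 0x0004

def pad4(n):
    """Round a length up to the next 32-bit boundary (the padding rule above)."""
    return (n + 3) & ~3

def parse_etw_packet(buf):
    """Parse one packet in the layout above, raising ValueError on any declared
    length that does not fit the buffer instead of reading past its end."""
    fixed = EVENT_HEADER_SIZE + ETW_BUFFER_CONTEXT_SIZE + 12  # 12: three length fields
    if len(buf) < fixed:
        raise ValueError("packet shorter than the %d-byte fixed part" % fixed)
    # First four USHORTs of EVENT_HEADER: Size, HeaderType, Flags, EventProperty.
    size, header_type, flags, event_property = struct.unpack_from("<HHHH", buf, 0)
    off = EVENT_HEADER_SIZE
    # ETW_BUFFER_CONTEXT: ProcessorNumber (UCHAR), Alignment (UCHAR), LoggerId (USHORT).
    processor_number, _alignment, logger_id = struct.unpack_from("<BBH", buf, off)
    off += ETW_BUFFER_CONTEXT_SIZE
    user_len, msg_len, name_len = struct.unpack_from("<III", buf, off)
    off += 12
    need = off + pad4(user_len) + pad4(msg_len) + pad4(name_len)
    if need > len(buf):
        raise ValueError("declared lengths need %d bytes, packet has %d" % (need, len(buf)))
    if msg_len % 2 or name_len % 2:
        raise ValueError("UTF-16 field has an odd byte length")
    user_data = buf[off:off + user_len]
    off += pad4(user_len)
    message = buf[off:off + msg_len].decode("utf-16-le").rstrip("\x00")
    off += pad4(msg_len)
    provider = buf[off:off + name_len].decode("utf-16-le").rstrip("\x00")
    return {"size": size, "header_type": header_type, "flags": flags,
            "event_property": event_property, "processor_number": processor_number,
            "logger_id": logger_id, "user_data": user_data, "message": message,
            "provider_name": provider}

def build_sample_packet(flags, user_data, message, provider):
    """Constructed test input, not a real capture: EVENT_HEADER is zero apart
    from Size and Flags; ETW_BUFFER_CONTEXT says processor 1, logger id 7."""
    hdr = struct.pack("<HHHH", EVENT_HEADER_SIZE, 0, flags, 0).ljust(EVENT_HEADER_SIZE, b"\0")
    ctx = struct.pack("<BBH", 1, 0, 7)
    msg = (message + "\0").encode("utf-16-le")
    name = (provider + "\0").encode("utf-16-le")
    lengths = struct.pack("<III", len(user_data), len(msg), len(name))
    body = b"".join(f.ljust(pad4(len(f)), b"\0") for f in (user_data, msg, name))
    return hdr + ctx + lengths + body
```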