LINKTYPE_ETW
Packet structure
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                                                               /
/                         EVENT_HEADER                          /
/                           80 bytes                            /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      ETW_BUFFER_CONTEXT                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        UserDataLength                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         MessageLength                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      ProviderNameLength                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                           UserData                            /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                           Message                             /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         ProviderName                          /
/              variable length, padded to 32 bits               /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Description
All multi-byte numerical fields are little-endian. All primitive types in this document are Windows types; their sizes are given in section 2.2 "Common Data Types" of [MS-DTYP]: Windows Data Types.
EVENT_HEADER is an 80-byte data structure defined by Microsoft. It is declared on this MSDN page.
The bit values of Flags in EVENT_HEADER are:
#define EVENT_HEADER_FLAG_EXTENDED_INFO    0x0001
#define EVENT_HEADER_FLAG_PRIVATE_SESSION  0x0002
#define EVENT_HEADER_FLAG_STRING_ONLY      0x0004
#define EVENT_HEADER_FLAG_TRACE_MESSAGE    0x0008
#define EVENT_HEADER_FLAG_NO_CPUTIME       0x0010
#define EVENT_HEADER_FLAG_32_BIT_HEADER    0x0020
#define EVENT_HEADER_FLAG_64_BIT_HEADER    0x0040
#define EVENT_HEADER_FLAG_CLASSIC_HEADER   0x0100
The bit values of EventProperty in EVENT_HEADER are:
#define EVENT_HEADER_PROPERTY_XML              0x0001
#define EVENT_HEADER_PROPERTY_FORWARDED_XML    0x0002
#define EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG  0x0004
ETW_BUFFER_CONTEXT is a 4-byte data structure defined by Microsoft. It is declared on this MSDN page.
UserDataLength is the length of UserData in bytes; it does not include the padding bytes that follow UserData.
MessageLength is the length of Message in bytes; it does not include the padding bytes that follow Message.
ProviderNameLength is the length of ProviderName in bytes; it does not include the padding bytes that follow ProviderName.
UserData is the provider-specific event data; its format is defined by the provider that emitted the event.
Message is a null-terminated UTF-16 string containing the event message.
ProviderName is a null-terminated UTF-16 string containing the name of the event provider.
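The following parser, added here as an illustration and not part of the LINKTYPE_ETW specification or of any tcpdump/libpcap code, walks one LINKTYPE_ETW packet exactly as the layout above describes: the 80-byte EVENT_HEADER, the 4-byte ETW_BUFFER_CONTEXT, the three little-endian 32-bit length fields, and the three variable-length fields with each length excluding its 32-bit padding. The page gives only the sizes of EVENT_HEADER and ETW_BUFFER_CONTEXT; the field-by-field breakdown used below follows the declarations of those structures in Microsoft's evntcons.h and is an assumption of this example. The flag and property names come from the #define lists above. The provider GUID, provider name, message and user data in the sample record are constructed placeholder values.

```python
import struct
import uuid
from dataclasses import dataclass

# Bit values of EVENT_HEADER.Flags and EVENT_HEADER.EventProperty (from the page).
EVENT_HEADER_FLAGS = {
    0x0001: "EXTENDED_INFO", 0x0002: "PRIVATE_SESSION", 0x0004: "STRING_ONLY",
    0x0008: "TRACE_MESSAGE", 0x0010: "NO_CPUTIME", 0x0020: "32_BIT_HEADER",
    0x0040: "64_BIT_HEADER", 0x0100: "CLASSIC_HEADER",
}
EVENT_HEADER_PROPERTIES = {0x0001: "XML", 0x0002: "FORWARDED_XML", 0x0004: "LEGACY_EVENTLOG"}

# EVENT_HEADER, 80 bytes, little-endian. Assumption: field order taken from evntcons.h:
# Size, HeaderType, Flags, EventProperty, ThreadId, ProcessId, TimeStamp, ProviderId (GUID),
# EventDescriptor {Id, Version, Channel, Level, Opcode, Task, Keyword}, ProcessorTime, ActivityId.
EVENT_HEADER_FMT = "<HHHHIIq16sHBBBBHQQ16s"
BUFFER_CONTEXT_FMT = "<BBH"   # ProcessorNumber, Alignment, LoggerId (assumed from evntcons.h)
LENGTHS_FMT = "<III"          # UserDataLength, MessageLength, ProviderNameLength
FIXED_PREFIX_LEN = struct.calcsize(EVENT_HEADER_FMT) + struct.calcsize(BUFFER_CONTEXT_FMT) + struct.calcsize(LENGTHS_FMT)
assert struct.calcsize(EVENT_HEADER_FMT) == 80 and FIXED_PREFIX_LEN == 96


def _pad4(n: int) -> int:
    """Round a field length up to the next multiple of 4 (32-bit padding)."""
    return (n + 3) & ~3


def _decode_bits(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def _utf16z(raw: bytes) -> str:
    """Decode a null-terminated UTF-16LE field; the terminator and anything after it are dropped."""
    if len(raw) % 2:
        raise ValueError("odd-length UTF-16 field")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


@dataclass
class EtwRecord:
    flags: list
    properties: list
    thread_id: int
    process_id: int
    provider_id: uuid.UUID
    event_id: int
    level: int
    processor_number: int
    logger_id: int
    user_data: bytes
    message: str
    provider_name: str


def parse_etw_record(data: bytes) -> EtwRecord:
    """Parse one LINKTYPE_ETW packet; raises ValueError on a truncated packet."""
    if len(data) < FIXED_PREFIX_LEN:
        raise ValueError("packet shorter than the 96-byte fixed prefix")
    (_size, _htype, flags, props, tid, pid, _ts, guid_raw, ev_id, _ver, _chan, level,
     _opcode, _task, _kw, _ptime, _activity) = struct.unpack_from(EVENT_HEADER_FMT, data, 0)
    proc_num, _align, logger_id = struct.unpack_from(BUFFER_CONTEXT_FMT, data, 80)
    lengths = struct.unpack_from(LENGTHS_FMT, data, 84)
    offset, fields = FIXED_PREFIX_LEN, []
    for length in lengths:           # each length excludes its padding, so step by the padded size
        if offset + length > len(data):
            raise ValueError("truncated variable-length field")
        fields.append(data[offset:offset + length])
        offset += _pad4(length)
    user_data, message_raw, name_raw = fields
    return EtwRecord(_decode_bits(flags, EVENT_HEADER_FLAGS), _decode_bits(props, EVENT_HEADER_PROPERTIES),
                     tid, pid, uuid.UUID(bytes_le=guid_raw), ev_id, level, proc_num, logger_id,
                     user_data, _utf16z(message_raw), _utf16z(name_raw))


def build_etw_record(provider_id: uuid.UUID, flags: int, event_id: int, level: int, pid: int,
                     tid: int, logger_id: int, user_data: bytes, message: str, provider_name: str) -> bytes:
    """Serialize a record in the same layout (used here to construct sample input)."""
    msg = message.encode("utf-16-le") + b"\x00\x00"
    name = provider_name.encode("utf-16-le") + b"\x00\x00"
    header = struct.pack(EVENT_HEADER_FMT, 80, 0, flags, 0, tid, pid, 0, provider_id.bytes_le,
                         event_id, 0, 0, level, 0, 0, 0, 0, b"\x00" * 16)
    ctx = struct.pack(BUFFER_CONTEXT_FMT, 1, 0, logger_id)
    lens = struct.pack(LENGTHS_FMT, len(user_data), len(msg), len(name))
    body = b"".join(f + b"\x00" * (_pad4(len(f)) - len(f)) for f in (user_data, msg, name))
    return header + ctx + lens + body


def sample_record() -> bytes:
    """Constructed sample packet: placeholder GUID, name and data, not from any real capture."""
    return build_etw_record(uuid.UUID("12345678-1234-5678-1234-567812345678"), 0x0008 | 0x0040,
                            event_id=7, level=4, pid=4242, tid=1337, logger_id=2,
                            user_data=b"\x01\x02\x03", message="hello", provider_name="Sample")


if __name__ == "__main__":
    print(parse_etw_record(sample_record()))
```

Stepping past each variable-length field by its padded size, while slicing only the unpadded length, is the detail that makes the three length fields line up with the diagram; a parser that advances by the raw length will read the message and provider name from the wrong offsets whenever UserData is not a multiple of four bytes.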