2.3.2 EVENT_HEADER

The EVENT_HEADER structure defines the main parameters of an event.

 typedef struct _EVENT_HEADER {
   USHORT Size;
   USHORT HeaderType;
   USHORT Flags;
   USHORT EventProperty;
   ULONG ThreadId;
   ULONG ProcessId;
   LARGE_INTEGER TimeStamp;
   GUID ProviderId;
   EVENT_DESCRIPTOR EventDescriptor;
   union {
     struct {
       ULONG KernelTime;
       ULONG UserTime;
     };
     ULONG64 ProcessorTime;
   };
   GUID ActivityId;
 } EVENT_HEADER, *PEVENT_HEADER;

Size: Size of the event record, in bytes.

HeaderType: Reserved.

Flags: Flags that provide information about the event such as the type of session it was logged to and whether the event contains extended data. This member can contain one or more of the following flags.

Value: Meaning

EVENT_HEADER_FLAG_EXTENDED_INFO: The ExtendedData member of the event record contains data.

EVENT_HEADER_FLAG_PRIVATE_SESSION: The event was logged to a private session.

EVENT_HEADER_FLAG_STRING_ONLY: The event data is a null-terminated Unicode string.

EVENT_HEADER_FLAG_TRACE_MESSAGE: The provider used an implementation-specific trace message function to log the event. Typically indicates that the event was written by the Windows software trace preprocessor.

EVENT_HEADER_FLAG_NO_CPUTIME: Indicates that elapsed execution time was not recorded; the ProcessorTime member can be used to determine the elapsed execution time.

EVENT_HEADER_FLAG_32_BIT_HEADER: Indicates that the provider was running on a 32-bit computer or in a WOW64 session.

EVENT_HEADER_FLAG_64_BIT_HEADER: Indicates that the provider was running on a 64-bit computer.

EVENT_HEADER_FLAG_DECODE_GUID: Indicates that the ProviderId member of the event record is a decode GUID rather than a control GUID.<2>

EVENT_HEADER_FLAG_CLASSIC_HEADER: Indicates that the provider used a trace event function to log the event.

EVENT_HEADER_FLAG_PROCESSOR_INDEX: If this flag is set, the identifier for the CPU that logged the event MUST be accessed using the ProcessorIndex member of the BufferContext member of the event record. If this flag is not set, the identifier for the CPU that logged the event MUST be read from the ProcessorNumber member of the BufferContext member of the event record.<3>
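The following is an added example, not part of this specification, showing how a consumer decodes the Flags member and applies the EVENT_HEADER_FLAG_PROCESSOR_INDEX rule above. The numeric bit values are assumed from the Windows SDK header evntcons.h (the page names the flags but not their values), and the 4-byte ETW_BUFFER_CONTEXT layout (ProcessorNumber and Alignment overlaid by ProcessorIndex, followed by LoggerId) is likewise assumed from the SDK.

```python
import struct

# Bit values for EVENT_HEADER.Flags, assumed from the Windows SDK (evntcons.h).
EVENT_HEADER_FLAGS = {
    0x0001: "EVENT_HEADER_FLAG_EXTENDED_INFO",
    0x0002: "EVENT_HEADER_FLAG_PRIVATE_SESSION",
    0x0004: "EVENT_HEADER_FLAG_STRING_ONLY",
    0x0008: "EVENT_HEADER_FLAG_TRACE_MESSAGE",
    0x0010: "EVENT_HEADER_FLAG_NO_CPUTIME",
    0x0020: "EVENT_HEADER_FLAG_32_BIT_HEADER",
    0x0040: "EVENT_HEADER_FLAG_64_BIT_HEADER",
    0x0080: "EVENT_HEADER_FLAG_DECODE_GUID",
    0x0100: "EVENT_HEADER_FLAG_CLASSIC_HEADER",
    0x0200: "EVENT_HEADER_FLAG_PROCESSOR_INDEX",
}
EVENT_HEADER_FLAG_PROCESSOR_INDEX = 0x0200
KNOWN_FLAG_MASK = sum(EVENT_HEADER_FLAGS)


def decode_flags(flags):
    """Return (names of set flags in bit order, bits not defined above).

    A consumer should not silently drop unknown bits: they may indicate a
    header variant the parser does not understand.
    """
    names = [name for bit, name in sorted(EVENT_HEADER_FLAGS.items()) if flags & bit]
    unknown = flags & ~KNOWN_FLAG_MASK
    return names, unknown


def cpu_from_buffer_context(flags, buffer_context):
    """Select the logging CPU identifier from a 4-byte ETW_BUFFER_CONTEXT.

    Assumed layout (Windows SDK), little-endian:
      union { struct { UCHAR ProcessorNumber; UCHAR Alignment; };
              USHORT ProcessorIndex; };
      USHORT LoggerId;
    ProcessorIndex overlays ProcessorNumber and Alignment, so on a system
    with more than 256 logical processors only the 16-bit field is valid.
    """
    if len(buffer_context) != 4:
        raise ValueError("ETW_BUFFER_CONTEXT is exactly 4 bytes")
    if flags & EVENT_HEADER_FLAG_PROCESSOR_INDEX:
        processor_index, _logger_id = struct.unpack("<HH", buffer_context)
        return processor_index
    processor_number, _alignment, _logger_id = struct.unpack("<BBH", buffer_context)
    return processor_number


if __name__ == "__main__":
    # Constructed sample: CPU 300, logger id 7, as an ETW_BUFFER_CONTEXT.
    ctx = struct.pack("<HH", 300, 7)
    print(decode_flags(0x0241))
    print(cpu_from_buffer_context(0x0241, ctx))  # flag set: 300
    print(cpu_from_buffer_context(0x0041, ctx))  # flag clear: low byte only, 44
```

The last two calls show why the rule matters: with the flag clear the consumer is required to read the 8-bit ProcessorNumber, which for CPU 300 holds only the low byte (44).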

EventProperty: Indicates the source to use for parsing the event data.

Value: Meaning

EVENT_HEADER_PROPERTY_XML: Indicates that you need a manifest to parse the event data.

EVENT_HEADER_PROPERTY_FORWARDED_XML: Indicates that the event data contains within itself a fully rendered XML description of the data, so you do not need a manifest to parse the event data.

EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG: Indicates that you need a WMI MOF class to parse the event data.

ThreadId: Identifies the thread that generated the event.

ProcessId: Identifies the process that generated the event.

TimeStamp: Contains the time that the event occurred. The resolution is system time unless the ProcessTraceMode member of EVENT_TRACE_LOGFILE contains the PROCESS_TRACE_MODE_RAW_TIMESTAMP flag, in which case the resolution depends on the value of the Wnode.ClientContext member of EVENT_TRACE_PROPERTIES at the time the controller created the session.

ProviderId: GUID that uniquely identifies the provider that logged the event.

EventDescriptor: Defines information about the event such as the event identifier and severity level.

KernelTime: Elapsed execution time for kernel-mode instructions, in CPU time units. For private sessions, the value in the ProcessorTime member can be used instead.

UserTime: Elapsed execution time for user-mode instructions, in CPU time units. For private sessions, the value in the ProcessorTime member can be used instead.

ProcessorTime: For private sessions, the elapsed execution time for user-mode instructions, in CPU ticks.

ActivityId: Identifier that relates two events.

The KernelTime and UserTime members can be used to determine the CPU cost in units for a set of instructions (the values indicate the CPU usage charged to that thread at the time of logging). For example, if Event A and Event B are consecutively logged by the same thread and they have CPU usage numbers 150 and 175, then the activity that was performed by that thread between events A and B cost 25 CPU time units (175 – 150).
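As an added example (not part of this specification), the following parser unpacks the 80-byte EVENT_HEADER from the start of an event record and then computes the CPU cost between two consecutive events from the same thread, exactly as the paragraph above describes. It honors the union: the same 8 bytes are exposed as KernelTime/UserTime and as ProcessorTime, and ProcessorTime is used when EVENT_HEADER_FLAG_PRIVATE_SESSION or EVENT_HEADER_FLAG_NO_CPUTIME is set. Assumptions: the EVENT_DESCRIPTOR layout (USHORT Id, UCHAR Version, Channel, Level, Opcode, USHORT Task, ULONGLONG Keyword), the two flag values (0x0002 and 0x0010), and little-endian packing with no padding are taken from the Windows SDK; the sample headers are constructed with all-zero placeholder GUIDs.

```python
import struct
import uuid

# Flag values assumed from the Windows SDK (evntcons.h).
EVENT_HEADER_FLAG_PRIVATE_SESSION = 0x0002
EVENT_HEADER_FLAG_NO_CPUTIME = 0x0010

# EVENT_HEADER, little-endian, no padding:
#   4 x USHORT, 2 x ULONG, LARGE_INTEGER, GUID, EVENT_DESCRIPTOR (16 bytes),
#   union { KernelTime, UserTime | ProcessorTime }, GUID  -> 80 bytes.
EVENT_HEADER_FMT = "<HHHHIIq16sHBBBBHQII16s"
EVENT_HEADER_SIZE = struct.calcsize(EVENT_HEADER_FMT)  # 80


def parse_event_header(buf):
    """Parse the EVENT_HEADER at the start of an event record into a dict."""
    if len(buf) < EVENT_HEADER_SIZE:
        raise ValueError("buffer shorter than EVENT_HEADER (%d bytes)" % EVENT_HEADER_SIZE)
    (size, header_type, flags, event_property, thread_id, process_id,
     timestamp, provider_id, ev_id, ev_version, ev_channel, ev_level,
     ev_opcode, ev_task, ev_keyword, kernel_time, user_time,
     activity_id) = struct.unpack_from(EVENT_HEADER_FMT, buf)
    return {
        "Size": size, "HeaderType": header_type, "Flags": flags,
        "EventProperty": event_property, "ThreadId": thread_id,
        "ProcessId": process_id, "TimeStamp": timestamp,
        "ProviderId": uuid.UUID(bytes_le=provider_id),
        "EventDescriptor": {"Id": ev_id, "Version": ev_version,
                            "Channel": ev_channel, "Level": ev_level,
                            "Opcode": ev_opcode, "Task": ev_task,
                            "Keyword": ev_keyword},
        "KernelTime": kernel_time, "UserTime": user_time,
        # The union overlays both ULONGs with one little-endian ULONG64.
        "ProcessorTime": kernel_time | (user_time << 32),
        "ActivityId": uuid.UUID(bytes_le=activity_id),
    }


def cpu_cost_between(a, b):
    """CPU cost charged to the thread between consecutive events a and b.

    KernelTime/UserTime are CPU time units; ProcessorTime is CPU ticks.
    """
    if a["ThreadId"] != b["ThreadId"]:
        raise ValueError("events must be logged by the same thread")
    use_processor_time = EVENT_HEADER_FLAG_PRIVATE_SESSION | EVENT_HEADER_FLAG_NO_CPUTIME
    if (a["Flags"] | b["Flags"]) & use_processor_time:
        delta = b["ProcessorTime"] - a["ProcessorTime"]
        return {"ProcessorTime": delta, "Total": delta}
    kernel = b["KernelTime"] - a["KernelTime"]
    user = b["UserTime"] - a["UserTime"]
    return {"KernelTime": kernel, "UserTime": user, "Total": kernel + user}


def build_event_header(thread_id, flags, kernel_time, user_time, timestamp=0):
    """Construct an 80-byte EVENT_HEADER for illustration (constructed data).

    For a private session the two ULONG arguments become the low and high
    32 bits of ProcessorTime, because the fields share the same union.
    """
    placeholder_guid = uuid.UUID(int=0).bytes_le  # placeholder, not a real provider
    return struct.pack(EVENT_HEADER_FMT, EVENT_HEADER_SIZE, 0, flags, 0,
                       thread_id, 4242, timestamp, placeholder_guid,
                       1, 0, 0, 4, 0, 0, 0, kernel_time, user_time, placeholder_guid)


if __name__ == "__main__":
    # The page's example: CPU usage 150 at event A and 175 at event B.
    a = parse_event_header(build_event_header(0x1234, 0x0040, 100, 50, timestamp=1))
    b = parse_event_header(build_event_header(0x1234, 0x0040, 110, 65, timestamp=2))
    print(cpu_cost_between(a, b))  # Total 25
```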