//0x540 bytes (sizeof)
struct _WMI_LOGGER_CONTEXT
{
ULONG LoggerId; //0x0
ULONG BufferSize; //0x4
ULONG MaximumEventSize; //0x8
ULONG LoggerMode; //0xc
LONG AcceptNewEvents; //0x10
ULONGLONG GetCpuClock; //0x18
struct _ETHREAD* LoggerThread; //0x20
LONG LoggerStatus; //0x28
ULONG FailureReason; //0x2c
struct _ETW_BUFFER_QUEUE BufferQueue; //0x30
struct _ETW_BUFFER_QUEUE OverflowQueue; //0x40
struct _LIST_ENTRY GlobalList; //0x50
struct _LIST_ENTRY DebugIdTrackingList; //0x60
struct _ETW_DECODE_CONTROL_ENTRY* DecodeControlList; //0x70
ULONG DecodeControlCount; //0x78
union
{
struct _WMI_BUFFER_HEADER* BatchedBufferList; //0x80
struct _EX_FAST_REF CurrentBuffer; //0x80
};
struct _UNICODE_STRING LoggerName; //0x88
struct _UNICODE_STRING LogFileName; //0x98
struct _UNICODE_STRING LogFilePattern; //0xa8
struct _UNICODE_STRING NewLogFileName; //0xb8
ULONG ClockType; //0xc8
ULONG LastFlushedBuffer; //0xcc
ULONG FlushTimer; //0xd0
ULONG FlushThreshold; //0xd4
union _LARGE_INTEGER ByteOffset; //0xd8
ULONG MinimumBuffers; //0xe0
volatile LONG BuffersAvailable; //0xe4
volatile LONG NumberOfBuffers; //0xe8
ULONG MaximumBuffers; //0xec
volatile ULONG EventsLost; //0xf0
volatile LONG PeakBuffersCount; //0xf4
ULONG BuffersWritten; //0xf8
ULONG LogBuffersLost; //0xfc
ULONG RealTimeBuffersDelivered; //0x100
ULONG RealTimeBuffersLost; //0x104
LONG* SequencePtr; //0x108
ULONG LocalSequence; //0x110
struct _GUID InstanceGuid; //0x114
ULONG MaximumFileSize; //0x124
LONG FileCounter; //0x128
enum _POOL_TYPE PoolType; //0x12c
struct _ETW_REF_CLOCK ReferenceTime; //0x130
LONG CollectionOn; //0x140
ULONG ProviderInfoSize; //0x144
struct _LIST_ENTRY Consumers; //0x148
ULONG NumConsumers; //0x158
struct _ETW_REALTIME_CONSUMER* TransitionConsumer; //0x160
VOID* RealtimeLogfileHandle; //0x168
struct _UNICODE_STRING RealtimeLogfileName; //0x170
union _LARGE_INTEGER RealtimeWriteOffset; //0x180
union _LARGE_INTEGER RealtimeReadOffset; //0x188
union _LARGE_INTEGER RealtimeLogfileSize; //0x190
ULONGLONG RealtimeLogfileUsage; //0x198
ULONGLONG RealtimeMaximumFileSize; //0x1a0
ULONG RealtimeBuffersSaved; //0x1a8
struct _ETW_REF_CLOCK RealtimeReferenceTime; //0x1b0
enum _ETW_RT_EVENT_LOSS NewRTEventsLost; //0x1c0
struct _KEVENT LoggerEvent; //0x1c8
struct _KEVENT FlushEvent; //0x1e0
struct _KTIMER FlushTimeOutTimer; //0x1f8
struct _KDPC LoggerDpc; //0x238
struct _KMUTANT LoggerMutex; //0x278
struct _EX_PUSH_LOCK LoggerLock; //0x2b0
union
{
ULONGLONG BufferListSpinLock; //0x2b8
struct _EX_PUSH_LOCK BufferListPushLock; //0x2b8
};
struct _SECURITY_CLIENT_CONTEXT ClientSecurityContext; //0x2c0
struct _TOKEN_ACCESS_INFORMATION* TokenAccessInformation; //0x308
struct _EX_FAST_REF SecurityDescriptor; //0x310
union _LARGE_INTEGER StartTime; //0x318
VOID* LogFileHandle; //0x320
LONGLONG BufferSequenceNumber; //0x328
union
{
ULONG Flags; //0x330
struct
{
ULONG Persistent:1; //0x330
ULONG AutoLogger:1; //0x330
ULONG FsReady:1; //0x330
ULONG RealTime:1; //0x330
ULONG Wow:1; //0x330
ULONG KernelTrace:1; //0x330
ULONG NoMoreEnable:1; //0x330
ULONG StackTracing:1; //0x330
ULONG ErrorLogged:1; //0x330
ULONG RealtimeLoggerContextFreed:1; //0x330
ULONG PebsTracing:1; //0x330
ULONG PmcCounters:1; //0x330
ULONG PageAlignBuffers:1; //0x330
ULONG StackLookasideListAllocated:1; //0x330
ULONG SecurityTrace:1; //0x330
ULONG LastBranchTracing:1; //0x330
ULONG SystemLoggerIndex:8; //0x330
ULONG StackCaching:1; //0x330
ULONG ProviderTracking:1; //0x330
ULONG ProcessorTrace:1; //0x330
ULONG QpcDeltaTracking:1; //0x330
ULONG MarkerBufferSaved:1; //0x330
ULONG LargeMdlPages:1; //0x330
ULONG ExcludeKernelStack:1; //0x330
ULONG BootLogger:1; //0x330
};
};
union
{
ULONG Flags2; //0x334
ULONG UnifiedStackCaching:1; //0x334
};
union
{
volatile ULONG RequestFlag; //0x338
struct
{
ULONG DbgRequestNewFile:1; //0x338
ULONG DbgRequestUpdateFile:1; //0x338
ULONG DbgRequestFlush:1; //0x338
ULONG DbgRequestDisableRealtime:1; //0x338
ULONG DbgRequestDisconnectConsumer:1; //0x338
ULONG DbgRequestConnectConsumer:1; //0x338
ULONG DbgRequestNotifyConsumer:1; //0x338
ULONG DbgRequestUpdateHeader:1; //0x338
ULONG DbgRequestDeferredFlush:1; //0x338
ULONG DbgRequestDeferredFlushTimer:1; //0x338
ULONG DbgRequestFlushTimer:1; //0x338
ULONG DbgRequestUpdateDebugger:1; //0x338
ULONG DbgSpareRequestFlags:20; //0x338
};
};
struct _ETW_STACK_TRACE_BLOCK StackTraceBlock; //0x340
struct _RTL_BITMAP HookIdMap; //0x3e0
struct _ETW_STACK_CACHE* StackCache; //0x3f0
struct _ETW_PMC_SUPPORT* PmcData; //0x3f8
struct _ETW_LBR_SUPPORT* LbrData; //0x400
struct _ETW_IPT_SUPPORT* IptData; //0x408
struct _LIST_ENTRY BinaryTrackingList; //0x410
struct _WMI_BUFFER_HEADER** ScratchArray; //0x420
struct _DISALLOWED_GUIDS DisallowedGuids; //0x428
struct PERIODIC_CAPTURE_STATE_CONTEXT* PeriodicCaptureStateContext; //0x438
struct _ETW_SOFT_RESTART_CONTEXT* SoftRestartContext; //0x440
struct _ETW_SILODRIVERSTATE* SiloState; //0x448
struct _WORK_QUEUE_ITEM CompressionWorkItem; //0x450
LONG CompressionWorkItemState; //0x470
struct _EX_PUSH_LOCK CompressionLock; //0x478
struct _WMI_BUFFER_HEADER* CompressionTarget; //0x480
VOID* CompressionWorkspace; //0x488
LONG CompressionOn; //0x490
ULONG CompressionRatioGuess; //0x494
ULONG PartialBufferCompressionLevel; //0x498
enum ETW_COMPRESSION_RESUMPTION_MODE CompressionResumptionMode; //0x49c
struct _SINGLE_LIST_ENTRY PlaceholderList; //0x4a0
struct _KDPC CompressionDpc; //0x4a8
union _LARGE_INTEGER LastBufferSwitchTime; //0x4e8
union _LARGE_INTEGER BufferWriteDuration; //0x4f0
union _LARGE_INTEGER BufferCompressDuration; //0x4f8
LONGLONG ReferenceQpcDelta; //0x500
struct _ETW_EVENT_CALLBACK_CONTEXT* CallbackContext; //0x508
union _LARGE_INTEGER* LastDroppedTime; //0x510
union _LARGE_INTEGER* FlushingLastDroppedTime; //0x518
LONGLONG FlushingSequenceNumber; //0x520
struct _ETW_PARTITION_CONTEXT PartitionContext; //0x528
struct _MDL* BufferMdl; //0x530
};