From 7c1adb8a7391939dfd684f27a37e31f18d303944 Mon Sep 17 00:00:00 2001 From: dmex Date: Thu, 13 Oct 2022 07:14:30 +1100 Subject: [PATCH] Sync latest changes --- ntbcd.h | 76 ++-- ntexapi.h | 991 +++++++++++++++++++++++++++++++++++++++++++++++++-- ntioapi.h | 48 +-- ntldr.h | 16 +- ntmisc.h | 35 +- ntmmapi.h | 18 +- ntobapi.h | 1 + ntpebteb.h | 37 +- ntpoapi.h | 8 +- ntpsapi.h | 71 ++-- ntregapi.h | 4 +- ntrtl.h | 327 ++++++++++++++--- ntsam.h | 2 +- ntwow64.h | 8 + ntzwapi.h | 21 +- phnt.h | 1 + phnt_ntdef.h | 1 + winsta.h | 4 +- 18 files changed, 1427 insertions(+), 242 deletions(-) diff --git a/ntbcd.h b/ntbcd.h index 3ccead1..2815a0e 100644 --- a/ntbcd.h +++ b/ntbcd.h @@ -459,8 +459,8 @@ typedef enum _BCD_ELEMENT_DATATYPE_FORMAT BCD_ELEMENT_DATATYPE_FORMAT_UNKNOWN, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, // 0x01000000 BCD_ELEMENT_DATATYPE_FORMAT_STRING, // 0x02000000 - BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, // 0x03000000 - BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, // 0x04000000 + BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, // 0x03000000 + BCD_ELEMENT_DATATYPE_FORMAT_OBJECTLIST, // 0x04000000 BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, // 0x05000000 BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, // 0x06000000 BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, // 0x07000000 @@ -1067,12 +1067,12 @@ typedef enum _BcdLibraryElementTypes /// 0x1200001D BcdLibraryString_DebuggerNetKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 29), /// - /// + /// /// /// 0x1600001E BcdLibraryBoolean_DebuggerNetVM = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 30), /// - /// + /// /// /// 0x1200001F BcdLibraryString_DebuggerNetHostIpv6 = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 31), 
@@ -1098,7 +1098,7 @@ typedef enum _BcdLibraryElementTypes /// 0x12000030 BcdLibraryString_LoadOptionsString = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 48), /// - /// + /// /// /// 0x16000031 BcdLibraryBoolean_AttemptNonBcdStart = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 49), @@ -1113,7 +1113,7 @@ typedef enum _BcdLibraryElementTypes /// 0x16000041 BcdLibraryBoolean_DisplayOptionsEdit = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 65), /// - /// + /// /// /// 0x15000042 BcdLibraryInteger_FVEKeyRingAddress = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 66), @@ -1133,7 +1133,7 @@ typedef enum _BcdLibraryElementTypes /// 0x16000045 BcdLibraryBoolean_BsdPreserveLog = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 69), /// - /// + /// /// /// 0x16000046 BcdLibraryBoolean_GraphicsModeDisabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 70), @@ -1160,7 +1160,7 @@ typedef enum _BcdLibraryElementTypes /// 0x1200004A BcdLibraryString_FontPath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 74), /// - /// + /// /// /// 0x1500004B BcdLibraryInteger_SiPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 75), @@ -1175,7 +1175,7 @@ typedef enum _BcdLibraryElementTypes /// 0x16000050 BcdLibraryBoolean_ConsoleExtendedInput = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 80), /// - /// + /// /// /// 0x15000051 BcdLibraryInteger_InitialConsoleInput = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 81), 
@@ -1212,7 +1212,7 @@ typedef enum _BcdLibraryElementTypes /// 0x15000065 BcdLibraryInteger_BootUxDisplayMessage = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 101), /// - /// + /// /// /// 0x15000066 BcdLibraryInteger_BootUxDisplayMessageOverride = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 102), @@ -1237,42 +1237,42 @@ typedef enum _BcdLibraryElementTypes /// 0x1600006A BcdLibraryBoolean_BootUxFadeDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 106), /// - /// + /// /// /// 0x1600006B BcdLibraryBoolean_BootUxReservePoolDebug = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 107), /// - /// + /// /// /// 0x1600006C BcdLibraryBoolean_BootUxDisable = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 108), /// - /// + /// /// /// 0x1500006D BcdLibraryInteger_BootUxFadeFrames = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 109), /// - /// + /// /// /// 0x1600006E BcdLibraryBoolean_BootUxDumpStats = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 110), /// - /// + /// /// /// 0x1600006F BcdLibraryBoolean_BootUxShowStats = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 111), /// - /// + /// /// /// 0x16000071 BcdLibraryBoolean_MultiBootSystem = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 113), /// - /// + /// /// /// 0x16000072 BcdLibraryBoolean_ForceNoKeyboard = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 114), /// - /// + /// /// /// 0x15000073 BcdLibraryInteger_AliasWindowsKey = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 115), 
@@ -1282,12 +1282,12 @@ typedef enum _BcdLibraryElementTypes /// 0x16000074 BcdLibraryBoolean_BootShutdownDisabled = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 116), /// - /// + /// /// /// 0x15000075 BcdLibraryInteger_PerformanceFrequency = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 117), /// - /// + /// /// /// 0x15000076 BcdLibraryInteger_SecurebootRawPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 118), @@ -1298,12 +1298,12 @@ typedef enum _BcdLibraryElementTypes /// 0x17000077 BcdLibraryIntegerList_AllowedInMemorySettings = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 119), /// - /// + /// /// /// 0x15000079 BcdLibraryInteger_BootUxBitmapTransitionTime = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 121), /// - /// + /// /// /// 0x1600007A BcdLibraryBoolean_TwoBootImages = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 122), 
@@ -1314,47 +1314,47 @@ typedef enum _BcdLibraryElementTypes /// 0x1600007B BcdLibraryBoolean_ForceFipsCrypto = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 123), /// - /// + /// /// /// 0x1500007D BcdLibraryInteger_BootErrorUx = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 125), /// - /// + /// /// /// 0x1600007E BcdLibraryBoolean_AllowFlightSignatures = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 126), /// - /// + /// /// /// 0x1500007F BcdLibraryInteger_BootMeasurementLogFormat = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 127), /// - /// + /// /// /// 0x15000080 BcdLibraryInteger_DisplayRotation = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 128), /// - /// + /// /// /// 0x15000081 BcdLibraryInteger_LogControl = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 129), /// - /// + /// /// /// 0x16000082 BcdLibraryBoolean_NoFirmwareSync = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 130), /// - /// + /// /// /// 0x11000084 BcdLibraryDevice_WindowsSystemDevice = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_DEVICE, 132), /// - /// + /// /// /// 0x16000087 BcdLibraryBoolean_NumLockOn = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 135), /// - /// + /// /// /// 0x12000088 BcdLibraryString_AdditionalCiPolicy = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_LIBRARY, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 136), 
@@ -1363,32 +1363,32 @@ typedef enum _BcdLibraryElementTypes typedef enum _BcdTemplateElementTypes { /// - /// + /// /// /// 0x45000001 BcdSetupInteger_DeviceType = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_INTEGER, 1), /// - /// + /// /// /// 0x42000002 BcdSetupString_ApplicationRelativePath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 2), /// - /// + /// /// /// 0x42000003 BcdSetupString_RamdiskDeviceRelativePath = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_STRING, 3), /// - /// + /// /// /// 0x46000004 BcdSetupBoolean_OmitOsLoaderElements = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 4), /// - /// + /// /// /// 0x47000006 BcdSetupIntegerList_ElementsToMigrateList = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_INTEGERLIST, 6), /// - /// + /// /// /// 0x46000010 BcdSetupBoolean_RecoveryOs = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_SETUPTEMPLATE, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 16), @@ -1491,7 +1491,7 @@ typedef enum _BcdOSLoaderElementTypes /// 0x23000003 BcdOSLoaderObject_AssociatedResumeObject = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_OBJECT, 3), /// - /// + /// /// /// 0x26000004 BcdOSLoaderBoolean_StampDisks = MAKE_BCDE_DATA_TYPE(BCD_ELEMENT_DATATYPE_CLASS_APPLICATION, BCD_ELEMENT_DATATYPE_FORMAT_BOOLEAN, 4), diff --git a/ntexapi.h b/ntexapi.h index 9bfad99..8123613 100644 --- a/ntexapi.h +++ b/ntexapi.h @@ -60,7 +60,7 @@ NTSTATUS NTAPI NtQuerySystemEnvironmentValueEx( _In_ PUNICODE_STRING VariableName, - _In_ LPGUID VendorGuid, + _In_ PGUID VendorGuid, _Out_writes_bytes_opt_(*ValueLength) PVOID Value, _Inout_ PULONG ValueLength, _Out_opt_ PULONG Attributes // EFI_VARIABLE_* 
@@ -71,17 +71,42 @@ NTSTATUS
 NTAPI
 NtSetSystemEnvironmentValueEx(
     _In_ PUNICODE_STRING VariableName,
-    _In_ LPGUID VendorGuid,
+    _In_ PGUID VendorGuid,
     _In_reads_bytes_opt_(ValueLength) PVOID Value,
     _In_ ULONG ValueLength, // 0 = delete variable
     _In_ ULONG Attributes // EFI_VARIABLE_*
     );
 
+typedef enum _SYSTEM_ENVIRONMENT_INFORMATION_CLASS
+{
+    SystemEnvironmentNameInformation = 1, // q: VARIABLE_NAME
+    SystemEnvironmentValueInformation = 2, // q: VARIABLE_NAME_AND_VALUE
+    MaxSystemEnvironmentInfoClass
+} SYSTEM_ENVIRONMENT_INFORMATION_CLASS;
+
+typedef struct _VARIABLE_NAME
+{
+    ULONG NextEntryOffset;
+    GUID VendorGuid;
+    WCHAR Name[ANYSIZE_ARRAY];
+} VARIABLE_NAME, *PVARIABLE_NAME;
+
+typedef struct _VARIABLE_NAME_AND_VALUE
+{
+    ULONG NextEntryOffset;
+    ULONG ValueOffset;
+    ULONG ValueLength;
+    ULONG Attributes;
+    GUID VendorGuid;
+    WCHAR Name[ANYSIZE_ARRAY];
+    //BYTE Value[ANYSIZE_ARRAY];
+} VARIABLE_NAME_AND_VALUE, *PVARIABLE_NAME_AND_VALUE;
+
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
 NtEnumerateSystemEnvironmentValuesEx(
-    _In_ ULONG InformationClass,
+    _In_ ULONG InformationClass, // SYSTEM_ENVIRONMENT_INFORMATION_CLASS
     _Out_ PVOID Buffer,
     _Inout_ PULONG BufferLength
     );
@@ -1205,7 +1230,7 @@ NtWaitForWorkViaWorkerFactory(
     _Out_writes_to_(Count, *PacketsReturned) struct _FILE_IO_COMPLETION_INFORMATION *MiniPackets,
     _In_ ULONG Count,
     _Out_ PULONG PacketsReturned,
-    _In_ PWORKER_FACTORY_DEFERRED_WORK DeferredWork
+    _In_ struct _WORKER_FACTORY_DEFERRED_WORK* DeferredWork
     );
 
 #else
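Review bot: The new VARIABLE_NAME_AND_VALUE record introduces ValueOffset and ValueLength without saying what the offset is measured from, and the commented-out `//BYTE Value[ANYSIZE_ARRAY]` after the flexible Name array is easy to misread as a real second trailing member. I would turn that line into the traversal rule, hedged until checked against the kernel: `// Value bytes presumably start at (PUCHAR)Entry + ValueOffset (TODO confirm); NextEntryOffset == 0 ends the list`. The buffer is filled by NtEnumerateSystemEnvironmentValuesEx from firmware variable storage (the neighbouring prototypes annotate Attributes as EFI_VARIABLE_*), so the struct should also carry `// Callers must validate NextEntryOffset and ValueOffset + ValueLength against the returned *BufferLength before dereferencing`, since nothing else here tells a consumer the offsets are untrusted. The prototype could express the byte-count contract for analysers as well, `_Out_writes_bytes_to_(*BufferLength, *BufferLength) PVOID Buffer,` in place of the bare `_Out_ PVOID Buffer,`.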
@@ -1435,7 +1460,7 @@ typedef enum _SYSTEM_INFORMATION_CLASS
     SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
     SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
     SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
-    SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
+    SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION
     SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
     SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION
     SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
@@ -2044,6 +2069,57 @@ typedef struct _EVENT_TRACE_VERSION_INFORMATION
     ULONG EventTraceKernelVersion;
 } EVENT_TRACE_VERSION_INFORMATION, *PEVENT_TRACE_VERSION_INFORMATION;
 
+typedef struct _TRACE_ENABLE_FLAG_EXTENSION
+{
+    USHORT Offset; // Offset to the flag array in structure
+    UCHAR Length; // Length of flag array in ULONGs
+    UCHAR Flag; // Must be set to EVENT_TRACE_FLAG_EXTENSION
+} TRACE_ENABLE_FLAG_EXTENSION, *PTRACE_ENABLE_FLAG_EXTENSION;
+
+typedef struct _TRACE_ENABLE_FLAG_EXT_HEADER
+{
+    USHORT Length; // Length in ULONGs
+    USHORT Items; // # of items
+} TRACE_ENABLE_FLAG_EXT_HEADER, *PTRACE_ENABLE_FLAG_EXT_HEADER;
+
+typedef struct _TRACE_ENABLE_FLAG_EXT_ITEM
+{
+    USHORT Offset; // Offset to the next block
+    USHORT Type; // Extension type
+} TRACE_ENABLE_FLAG_EXT_ITEM, *PTRACE_ENABLE_FLAG_EXT_ITEM;
+
+#define EVENT_TRACE_FLAG_EXT_ITEMS 0x80FF0000 // New extension structure
+#define EVENT_TRACE_FLAG_EXT_LEN_NEW_STRUCT 0xFF // Pseudo length to denote new struct format
+
+#define ETW_MINIMUM_CACHED_STACK_LENGTH 4
+#define ETW_SW_ARRAY_SIZE 256 // Frame Count allocated in lookaside list
+#define ETW_STACK_SW_ARRAY_SIZE 192 // Frame Count allocated in stack
+#define ETW_MAX_STACKWALK_FILTER 256 // Max number of HookId's
+#define ETW_MAX_TAG_FILTER 4
+#define ETW_MAX_POOLTAG_FILTER ETW_MAX_TAG_FILTER
+
+#define ETW_EXT_ENABLE_FLAGS 0x0001
+#define ETW_EXT_PIDS 0x0002
+#define ETW_EXT_STACKWALK_FILTER 0x0003
+#define ETW_EXT_POOLTAG_FILTER 0x0004
+#define ETW_EXT_STACK_CACHING 0x0005
+
+// Extended item for configuring stack caching.
+typedef struct _ETW_STACK_CACHING_CONFIG
+{
+    ULONG CacheSize;
+    ULONG BucketCount;
+} ETW_STACK_CACHING_CONFIG, *PETW_STACK_CACHING_CONFIG;
+
+// The second bit is set if the trace is used by PM & CP (fixed headers)
+// If not, the data block is used by for finer data for performance analysis
+//
+#define TRACE_HEADER_EVENT_TRACE 0x40000000
+//
+// If set, the data block is SYSTEM_TRACE_HEADER
+//
+#define TRACE_HEADER_ENUM_MASK 0x00FF0000
+
 #define PERF_MASK_INDEX (0xe0000000)
 #define PERF_MASK_GROUP (~PERF_MASK_INDEX)
 #define PERF_NUM_MASKS 8
@@ -2109,6 +2185,9 @@ typedef struct _EVENT_TRACE_VERSION_INFORMATION
 #define PERF_INTERRUPT_STEER 0x22000000
 #define PERF_SHOULD_YIELD 0x24000000
 #define PERF_WS 0x28000000
+//#define PERF_POOLTRACE (PERF_MEMORY | PERF_POOL)
+//#define PERF_PROFILING (PERF_PROFILE | PERF_PMC_PROFILE)
+//#define PERF_SPININSTR (PERF_SPINLOCK | PERF_SPINLOCK_CNTRS)
 
 // Masks[2]
 #define PERF_ANTI_STARVATION 0x40000001
@@ -2143,18 +2222,23 @@ typedef struct _EVENT_TRACE_VERSION_INFORMATION
 // Masks[4]
 #define PERF_OPTICAL_IO 0x80000001
 #define PERF_OPTICAL_IO_INIT 0x80000002
+// Reserved 0x80000004
 #define PERF_DLL_INFO 0x80000008
 #define PERF_DLL_FLUSH_WS 0x80000010
+// Reserved 0x80000020
 #define PERF_OB_HANDLE 0x80000040
 #define PERF_OB_OBJECT 0x80000080
+// Reserved 0x80000100
 #define PERF_WAKE_DROP 0x80000200
 #define PERF_WAKE_EVENT 0x80000400
 #define PERF_DEBUGGER 0x80000800
 #define PERF_PROC_ATTACH 0x80001000
 #define PERF_WAKE_COUNTER 0x80002000
+// Reserved 0x80004000
 #define PERF_POWER 0x80008000
 #define PERF_SOFT_TRIM 0x80010000
 #define PERF_CC 0x80020000
+// Reserved 0x80040000
 #define PERF_FLT_IO_INIT 0x80080000
 #define PERF_FLT_IO 0x80100000
 #define PERF_FLT_FASTIO 0x80200000
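Review bot: The three TRACE_ENABLE_FLAG_* typedefs, EVENT_TRACE_FLAG_EXT_ITEMS/EVENT_TRACE_FLAG_EXT_LEN_NEW_STRUCT and the ETW_EXT_* constants look like the definitions the Windows SDK's evntrace.h publishes under the same struct tags and macro names; I have not checked the SDK text from here, but if they match, a translation unit that includes both headers will fail on struct-tag redefinition. Wrapping the duplicated block in `#ifndef EVENT_TRACE_FLAG_EXT_ITEMS` … `#endif`, or adding a comment stating the intended include order relative to evntrace.h, would prevent that. Separately, `USHORT Offset; // Offset to the flag array in structure` does not say whether the offset is in bytes or ULONGs while the adjacent Length fields are explicitly in ULONGs; as these blocks are presumably decoded out of a controller-supplied EnableFlags buffer, the unit should be stated and a consumer reminded to range-check Offset and Length against the enclosing structure before indexing.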
@@ -2181,6 +2265,830 @@ typedef struct _EVENT_TRACE_VERSION_INFORMATION
 #define PERF_CLUSTER_OFF 0xE0000001
 #define PERF_MEMORY_CONTROL 0xE0000002
 
+
+// The predefined event groups or families for NT subsystems
+#define EVENT_TRACE_GROUP_HEADER 0x0000
+#define EVENT_TRACE_GROUP_IO 0x0100
+#define EVENT_TRACE_GROUP_MEMORY 0x0200
+#define EVENT_TRACE_GROUP_PROCESS 0x0300
+#define EVENT_TRACE_GROUP_FILE 0x0400
+#define EVENT_TRACE_GROUP_THREAD 0x0500
+#define EVENT_TRACE_GROUP_TCPIP 0x0600
+#define EVENT_TRACE_GROUP_JOB 0x0700
+#define EVENT_TRACE_GROUP_UDPIP 0x0800
+#define EVENT_TRACE_GROUP_REGISTRY 0x0900
+#define EVENT_TRACE_GROUP_DBGPRINT 0x0A00
+#define EVENT_TRACE_GROUP_CONFIG 0x0B00
+#define EVENT_TRACE_GROUP_SPARE1 0x0C00 // Spare1
+#define EVENT_TRACE_GROUP_WNF 0x0D00
+#define EVENT_TRACE_GROUP_POOL 0x0E00
+#define EVENT_TRACE_GROUP_PERFINFO 0x0F00
+#define EVENT_TRACE_GROUP_HEAP 0x1000
+#define EVENT_TRACE_GROUP_OBJECT 0x1100
+#define EVENT_TRACE_GROUP_POWER 0x1200
+#define EVENT_TRACE_GROUP_MODBOUND 0x1300
+#define EVENT_TRACE_GROUP_IMAGE 0x1400
+#define EVENT_TRACE_GROUP_DPC 0x1500
+#define EVENT_TRACE_GROUP_CC 0x1600
+#define EVENT_TRACE_GROUP_CRITSEC 0x1700
+#define EVENT_TRACE_GROUP_STACKWALK 0x1800
+#define EVENT_TRACE_GROUP_UMS 0x1900
+#define EVENT_TRACE_GROUP_ALPC 0x1A00
+#define EVENT_TRACE_GROUP_SPLITIO 0x1B00
+#define EVENT_TRACE_GROUP_THREAD_POOL 0x1C00
+#define EVENT_TRACE_GROUP_HYPERVISOR 0x1D00
+#define EVENT_TRACE_GROUP_HYPERVISORX 0x1E00
+
+//
+// Event for header
+//
+#define WMI_LOG_TYPE_HEADER (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_INFO)
+#define WMI_LOG_TYPE_HEADER_EXTENSION (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_EXTENSION)
+#define WMI_LOG_TYPE_RUNDOWN_COMPLETE (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_CHECKPOINT)
+#define WMI_LOG_TYPE_GROUP_MASKS_END (EVENT_TRACE_GROUP_HEADER | 0x20)
+#define WMI_LOG_TYPE_RUNDOWN_BEGIN (EVENT_TRACE_GROUP_HEADER | 0x30)
+#define WMI_LOG_TYPE_RUNDOWN_END (EVENT_TRACE_GROUP_HEADER | 0x31)
+#define WMI_LOG_TYPE_DBGID_RSDS (EVENT_TRACE_GROUP_HEADER | EVENT_TRACE_TYPE_DBGID_RSDS) +#define WMI_LOG_TYPE_DBGID_NB10 (EVENT_TRACE_GROUP_HEADER | 0x41) +#define WMI_LOG_TYPE_BUILD_LAB (EVENT_TRACE_GROUP_HEADER | 0x42) +#define WMI_LOG_TYPE_BINARY_PATH (EVENT_TRACE_GROUP_HEADER | 0x43) + +// +// Event for system config +// +#define WMI_LOG_TYPE_CONFIG_CPU (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_CPU) +#define WMI_LOG_TYPE_CONFIG_PHYSICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PHYSICALDISK) +#define WMI_LOG_TYPE_CONFIG_LOGICALDISK (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_LOGICALDISK) +#define WMI_LOG_TYPE_CONFIG_OPTICALMEDIA (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_OPTICALMEDIA) +#define WMI_LOG_TYPE_CONFIG_NIC (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_NIC) +#define WMI_LOG_TYPE_CONFIG_VIDEO (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_VIDEO) +#define WMI_LOG_TYPE_CONFIG_SERVICES (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SERVICES) +#define WMI_LOG_TYPE_CONFIG_POWER (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_POWER) +#define WMI_LOG_TYPE_CONFIG_OSVERSION (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_OSVERSION) +#define WMI_LOG_TYPE_CONFIG_VISUALTHEME (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_VISUALTHEME) +#define WMI_LOG_TYPE_CONFIG_SYSTEMRANGE (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SYSTEMRANGE) +#define WMI_LOG_TYPE_CONFIG_SYSDLLINFO (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_SYSDLLINFO) +#define WMI_LOG_TYPE_CONFIG_IRQ (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_IRQ) +#define WMI_LOG_TYPE_CONFIG_PNP (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PNP) +#define WMI_LOG_TYPE_CONFIG_IDECHANNEL (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_IDECHANNEL) +#define WMI_LOG_TYPE_CONFIG_NUMANODE (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_NUMANODE) +#define WMI_LOG_TYPE_CONFIG_PLATFORM (EVENT_TRACE_GROUP_CONFIG | 
EVENT_TRACE_TYPE_CONFIG_PLATFORM) +#define WMI_LOG_TYPE_CONFIG_PROCESSORGROUP (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PROCESSORGROUP) +#define WMI_LOG_TYPE_CONFIG_PROCESSORNUMBER (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_PROCESSORNUMBER) +#define WMI_LOG_TYPE_CONFIG_DPI (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_DPI) +#define WMI_LOG_TYPE_CONFIG_CODEINTEGRITY (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_CI_INFO) +#define WMI_LOG_TYPE_CONFIG_MACHINEID (EVENT_TRACE_GROUP_CONFIG | EVENT_TRACE_TYPE_CONFIG_MACHINEID) + +// +// Event for Image and File Name +// +#define PERFINFO_LOG_TYPE_FILENAME (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_INFO) +#define PERFINFO_LOG_TYPE_FILENAME_CREATE (EVENT_TRACE_GROUP_FILE | 0x20) +#define PERFINFO_LOG_TYPE_FILENAME_SAME (EVENT_TRACE_GROUP_FILE | 0x21) +#define PERFINFO_LOG_TYPE_FILENAME_NULL (EVENT_TRACE_GROUP_FILE | 0x22) +#define PERFINFO_LOG_TYPE_FILENAME_DELETE (EVENT_TRACE_GROUP_FILE | 0x23) +#define PERFINFO_LOG_TYPE_FILENAME_RUNDOWN (EVENT_TRACE_GROUP_FILE | 0x24) + +#define PERFINFO_LOG_TYPE_MAPFILE (EVENT_TRACE_GROUP_FILE | 0x25) +#define PERFINFO_LOG_TYPE_UNMAPFILE (EVENT_TRACE_GROUP_FILE | 0x26) +#define PERFINFO_LOG_TYPE_MAPFILE_DC_START (EVENT_TRACE_GROUP_FILE | 0x27) +#define PERFINFO_LOG_TYPE_MAPFILE_DC_END (EVENT_TRACE_GROUP_FILE | 0x28) + +#define PERFINFO_LOG_TYPE_FILE_IO_CREATE (EVENT_TRACE_GROUP_FILE | 0x40) +#define PERFINFO_LOG_TYPE_FILE_IO_CLEANUP (EVENT_TRACE_GROUP_FILE | 0x41) +#define PERFINFO_LOG_TYPE_FILE_IO_CLOSE (EVENT_TRACE_GROUP_FILE | 0x42) +#define PERFINFO_LOG_TYPE_FILE_IO_READ (EVENT_TRACE_GROUP_FILE | 0x43) +#define PERFINFO_LOG_TYPE_FILE_IO_WRITE (EVENT_TRACE_GROUP_FILE | 0x44) +#define PERFINFO_LOG_TYPE_FILE_IO_SET_INFORMATION (EVENT_TRACE_GROUP_FILE | 0x45) +#define PERFINFO_LOG_TYPE_FILE_IO_DELETE (EVENT_TRACE_GROUP_FILE | 0x46) +#define PERFINFO_LOG_TYPE_FILE_IO_RENAME (EVENT_TRACE_GROUP_FILE | 0x47) +#define PERFINFO_LOG_TYPE_FILE_IO_DIRENUM 
(EVENT_TRACE_GROUP_FILE | 0x48) +#define PERFINFO_LOG_TYPE_FILE_IO_FLUSH (EVENT_TRACE_GROUP_FILE | 0x49) +#define PERFINFO_LOG_TYPE_FILE_IO_QUERY_INFORMATION (EVENT_TRACE_GROUP_FILE | 0x4A) +#define PERFINFO_LOG_TYPE_FILE_IO_FS_CONTROL (EVENT_TRACE_GROUP_FILE | 0x4B) +#define PERFINFO_LOG_TYPE_FILE_IO_OPERATION_END (EVENT_TRACE_GROUP_FILE | 0x4C) +#define PERFINFO_LOG_TYPE_FILE_IO_DIRNOTIFY (EVENT_TRACE_GROUP_FILE | 0x4D) +#define PERFINFO_LOG_TYPE_FILE_IO_CREATE_NEW (EVENT_TRACE_GROUP_FILE | 0x4E) +#define PERFINFO_LOG_TYPE_FILE_IO_DELETE_PATH (EVENT_TRACE_GROUP_FILE | 0x4F) +#define PERFINFO_LOG_TYPE_FILE_IO_RENAME_PATH (EVENT_TRACE_GROUP_FILE | 0x50) +#define PERFINFO_LOG_TYPE_FILE_IO_SETLINK_PATH (EVENT_TRACE_GROUP_FILE | 0x51) +#define PERFINFO_LOG_TYPE_FILE_IO_SETLINK (EVENT_TRACE_GROUP_FILE | 0x52) + +// +// Event types for minifilter callbacks +// + +#define PERFINFO_LOG_TYPE_FLT_PREOP_INIT (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_INIT) +#define PERFINFO_LOG_TYPE_FLT_POSTOP_INIT (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_INIT) +#define PERFINFO_LOG_TYPE_FLT_PREOP_COMPLETION (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_COMPLETION) +#define PERFINFO_LOG_TYPE_FLT_POSTOP_COMPLETION (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_COMPLETION) +#define PERFINFO_LOG_TYPE_FLT_PREOP_FAILURE (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_PREOP_FAILURE) +#define PERFINFO_LOG_TYPE_FLT_POSTOP_FAILURE (EVENT_TRACE_GROUP_FILE | EVENT_TRACE_TYPE_FLT_POSTOP_FAILURE) + +// +// Event types for Job +// + +#define WMI_LOG_TYPE_JOB_CREATE (EVENT_TRACE_GROUP_JOB | 0x20) +#define WMI_LOG_TYPE_JOB_TERMINATE (EVENT_TRACE_GROUP_JOB | 0x21) +#define WMI_LOG_TYPE_JOB_OPEN (EVENT_TRACE_GROUP_JOB | 0x22) +#define WMI_LOG_TYPE_JOB_ASSIGN_PROCESS (EVENT_TRACE_GROUP_JOB | 0x23) +#define WMI_LOG_TYPE_JOB_REMOVE_PROCESS (EVENT_TRACE_GROUP_JOB | 0x24) +#define WMI_LOG_TYPE_JOB_SET (EVENT_TRACE_GROUP_JOB | 0x25) +#define WMI_LOG_TYPE_JOB_QUERY 
(EVENT_TRACE_GROUP_JOB | 0x26) +#define WMI_LOG_TYPE_JOB_SET_FAILED (EVENT_TRACE_GROUP_JOB | 0x27) +#define WMI_LOG_TYPE_JOB_QUERY_FAILED (EVENT_TRACE_GROUP_JOB | 0x28) +#define WMI_LOG_TYPE_JOB_SET_NOTIFICATION (EVENT_TRACE_GROUP_JOB | 0x29) +#define WMI_LOG_TYPE_JOB_SEND_NOTIFICATION (EVENT_TRACE_GROUP_JOB | 0x2A) +#define WMI_LOG_TYPE_JOB_QUERY_VIOLATION (EVENT_TRACE_GROUP_JOB | 0x2B) +#define WMI_LOG_TYPE_JOB_SET_CPU_RATE (EVENT_TRACE_GROUP_JOB | 0x2C) +#define WMI_LOG_TYPE_JOB_SET_NET_RATE (EVENT_TRACE_GROUP_JOB | 0x2D) + +// +// Event types for Process +// + +#define WMI_LOG_TYPE_PROCESS_CREATE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_START) +#define WMI_LOG_TYPE_PROCESS_DELETE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_END) +#define WMI_LOG_TYPE_PROCESS_DC_START (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_START) +#define WMI_LOG_TYPE_PROCESS_DC_END (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_DC_END) +#define WMI_LOG_TYPE_PROCESS_LOAD_IMAGE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_LOAD) +#define WMI_LOG_TYPE_PROCESS_TERMINATE (EVENT_TRACE_GROUP_PROCESS | EVENT_TRACE_TYPE_TERMINATE) + +#define PERFINFO_LOG_TYPE_PROCESS_PERFCTR_END (EVENT_TRACE_GROUP_PROCESS | 0x20) +#define PERFINFO_LOG_TYPE_PROCESS_PERFCTR_RD (EVENT_TRACE_GROUP_PROCESS | 0x21) +// Reserved (EVENT_TRACE_GROUP_PROCESS | 0x22) +#define PERFINFO_LOG_TYPE_INSWAPPROCESS (EVENT_TRACE_GROUP_PROCESS | 0x23) +#define PERFINFO_LOG_TYPE_PROCESS_FREEZE (EVENT_TRACE_GROUP_PROCESS | 0x24) +#define PERFINFO_LOG_TYPE_PROCESS_THAW (EVENT_TRACE_GROUP_PROCESS | 0x25) +#define PERFINFO_LOG_TYPE_BOOT_PHASE_START (EVENT_TRACE_GROUP_PROCESS | 0x26) +#define PERFINFO_LOG_TYPE_ZOMBIE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x27) +#define PERFINFO_LOG_TYPE_PROCESS_SET_AFFINITY (EVENT_TRACE_GROUP_PROCESS | 0x28) + +#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_USER (EVENT_TRACE_GROUP_PROCESS | 0x30) +#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x31) +#define 
PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x32) +#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x33) +#define PERFINFO_LOG_TYPE_CHARGE_WAKE_COUNTER_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x34) + +#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_USER (EVENT_TRACE_GROUP_PROCESS | 0x40) +#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x41) +#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x42) +#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x43) +#define PERFINFO_LOG_TYPE_RELEASE_WAKE_COUNTER_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x44) + +#define PERFINFO_LOG_TYPE_WAKE_DROP_USER (EVENT_TRACE_GROUP_PROCESS | 0x50) +#define PERFINFO_LOG_TYPE_WAKE_DROP_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x51) +#define PERFINFO_LOG_TYPE_WAKE_DROP_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x52) +#define PERFINFO_LOG_TYPE_WAKE_DROP_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x53) +#define PERFINFO_LOG_TYPE_WAKE_DROP_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x54) + +#define PERFINFO_LOG_TYPE_WAKE_EVENT_USER (EVENT_TRACE_GROUP_PROCESS | 0x60) +#define PERFINFO_LOG_TYPE_WAKE_EVENT_EXECUTION (EVENT_TRACE_GROUP_PROCESS | 0x61) +#define PERFINFO_LOG_TYPE_WAKE_EVENT_KERNEL (EVENT_TRACE_GROUP_PROCESS | 0x62) +#define PERFINFO_LOG_TYPE_WAKE_EVENT_INSTRUMENTATION (EVENT_TRACE_GROUP_PROCESS | 0x63) +#define PERFINFO_LOG_TYPE_WAKE_EVENT_PRESERVE_PROCESS (EVENT_TRACE_GROUP_PROCESS | 0x64) + +#define PERFINFO_LOG_TYPE_DEBUG_EVENT (EVENT_TRACE_GROUP_PROCESS | 0x70) + +// +// Event types for Image and Library Loader +// + +#define WMI_LOG_TYPE_IMAGE_LOAD (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_START) // reserved for future +#define WMI_LOG_TYPE_IMAGE_UNLOAD (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_END) +#define WMI_LOG_TYPE_IMAGE_DC_START (EVENT_TRACE_GROUP_IMAGE | 
EVENT_TRACE_TYPE_DC_START) +#define WMI_LOG_TYPE_IMAGE_DC_END (EVENT_TRACE_GROUP_IMAGE | EVENT_TRACE_TYPE_DC_END) +#define WMI_LOG_TYPE_IMAGE_RELOCATION (EVENT_TRACE_GROUP_IMAGE | 0x20) +#define WMI_LOG_TYPE_IMAGE_KERNEL_BASE (EVENT_TRACE_GROUP_IMAGE | 0x21) +#define WMI_LOG_TYPE_IMAGE_HYPERCALL_PAGE (EVENT_TRACE_GROUP_IMAGE | 0x22) + +#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_ATTEMPT (EVENT_TRACE_GROUP_IMAGE | 0x80) // 128 +#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_SUCCESS (EVENT_TRACE_GROUP_IMAGE | 0x81) +#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_FAIL (EVENT_TRACE_GROUP_IMAGE | 0x82) +#define PERFINFO_LOG_TYPE_LDR_LOCK_ACQUIRE_WAIT (EVENT_TRACE_GROUP_IMAGE | 0x83) +#define PERFINFO_LOG_TYPE_LDR_PROC_INIT_DONE (EVENT_TRACE_GROUP_IMAGE | 0x84) // 132 +#define PERFINFO_LOG_TYPE_LDR_CREATE_SECTION (EVENT_TRACE_GROUP_IMAGE | 0x85) +#define PERFINFO_LOG_TYPE_LDR_SECTION_CREATED (EVENT_TRACE_GROUP_IMAGE | 0x86) +#define PERFINFO_LOG_TYPE_LDR_MAP_VIEW (EVENT_TRACE_GROUP_IMAGE | 0x87) + +#define PERFINFO_LOG_TYPE_LDR_RELOCATE_IMAGE (EVENT_TRACE_GROUP_IMAGE | 0x90) // 144 +#define PERFINFO_LOG_TYPE_LDR_IMAGE_RELOCATED (EVENT_TRACE_GROUP_IMAGE | 0x91) +#define PERFINFO_LOG_TYPE_LDR_HANDLE_OLD_DESCRIPTORS (EVENT_TRACE_GROUP_IMAGE | 0x92) +#define PERFINFO_LOG_TYPE_LDR_OLD_DESCRIPTORS_HANDLED (EVENT_TRACE_GROUP_IMAGE | 0x93) +#define PERFINFO_LOG_TYPE_LDR_HANDLE_NEW_DESCRIPTORS (EVENT_TRACE_GROUP_IMAGE | 0x94) // 148 +#define PERFINFO_LOG_TYPE_LDR_NEW_DESCRIPTORS_HANDLED (EVENT_TRACE_GROUP_IMAGE | 0x95) +#define PERFINFO_LOG_TYPE_LDR_DLLMAIN_EXIT (EVENT_TRACE_GROUP_IMAGE | 0x96) + +#define PERFINFO_LOG_TYPE_LDR_FIND_DLL (EVENT_TRACE_GROUP_IMAGE | 0xA0) // 160 +#define PERFINFO_LOG_TYPE_LDR_VIEW_MAPPED (EVENT_TRACE_GROUP_IMAGE | 0xA1) +#define PERFINFO_LOG_TYPE_LDR_LOCK_RELEASE (EVENT_TRACE_GROUP_IMAGE | 0xA2) +#define PERFINFO_LOG_TYPE_LDR_DLLMAIN_ENTER (EVENT_TRACE_GROUP_IMAGE | 0xA3) +#define PERFINFO_LOG_TYPE_LDR_ERROR (EVENT_TRACE_GROUP_IMAGE | 0xA4) // 164 + +#define 
PERFINFO_LOG_TYPE_LDR_VIEW_MAPPING (EVENT_TRACE_GROUP_IMAGE | 0xA5) // 165 +#define PERFINFO_LOG_TYPE_LDR_SNAPPING (EVENT_TRACE_GROUP_IMAGE | 0xA6) +#define PERFINFO_LOG_TYPE_LDR_SNAPPED (EVENT_TRACE_GROUP_IMAGE | 0xA7) +#define PERFINFO_LOG_TYPE_LDR_LOADING (EVENT_TRACE_GROUP_IMAGE | 0xA8) +#define PERFINFO_LOG_TYPE_LDR_LOADED (EVENT_TRACE_GROUP_IMAGE | 0xA9) +#define PERFINFO_LOG_TYPE_LDR_FOUND_KNOWN_DLL (EVENT_TRACE_GROUP_IMAGE | 0xAA) // 170 +#define PERFINFO_LOG_TYPE_LDR_ABNORMAL (EVENT_TRACE_GROUP_IMAGE | 0xAB) +#define PERFINFO_LOG_TYPE_LDR_PLACEHOLDER (EVENT_TRACE_GROUP_IMAGE | 0xAC) +#define PERFINFO_LOG_TYPE_LDR_RDY_TO_INIT (EVENT_TRACE_GROUP_IMAGE | 0xAD) +#define PERFINFO_LOG_TYPE_LDR_RDY_TO_RUN (EVENT_TRACE_GROUP_IMAGE | 0xAE) // 174 + + +#define PERFINFO_LOG_TYPE_LDR_NEW_DLL_LOAD (EVENT_TRACE_GROUP_IMAGE | 0xB0) // 176 +#define PERFINFO_LOG_TYPE_LDR_NEW_DLL_AS_DATA (EVENT_TRACE_GROUP_IMAGE | 0xB1) // 177 + +#define PERFINFO_LOG_TYPE_LDR_EXTERNAL_PATH (EVENT_TRACE_GROUP_IMAGE | 0xC0) // 192 +#define PERFINFO_LOG_TYPE_LDR_GENERATED_PATH (EVENT_TRACE_GROUP_IMAGE | 0xC1) + +#define PERFINFO_LOG_TYPE_LDR_APISET_RESOLVING (EVENT_TRACE_GROUP_IMAGE | 0xD0) // 208 +#define PERFINFO_LOG_TYPE_LDR_APISET_HOSTED (EVENT_TRACE_GROUP_IMAGE | 0xD1) // 209 +#define PERFINFO_LOG_TYPE_LDR_APISET_UNHOSTED (EVENT_TRACE_GROUP_IMAGE | 0xD2) // 210 +#define PERFINFO_LOG_TYPE_LDR_APISET_UNRESOLVED (EVENT_TRACE_GROUP_IMAGE | 0xD3) // 211 + +#define PERFINFO_LOG_TYPE_LDR_SEARCH_SECURITY (EVENT_TRACE_GROUP_IMAGE | 0xD4) // 212 +#define PERFINFO_LOG_TYPE_LDR_SEARCH_PATH_SECURITY (EVENT_TRACE_GROUP_IMAGE | 0xD5) // 213 + +// +// Event types for Thread +// + +#define WMI_LOG_TYPE_THREAD_CREATE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_START) +#define WMI_LOG_TYPE_THREAD_DELETE (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_END) +#define WMI_LOG_TYPE_THREAD_DC_START (EVENT_TRACE_GROUP_THREAD | EVENT_TRACE_TYPE_DC_START) +#define WMI_LOG_TYPE_THREAD_DC_END (EVENT_TRACE_GROUP_THREAD | 
EVENT_TRACE_TYPE_DC_END) + +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x20) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x21) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x22) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x23) +#define PERFINFO_LOG_TYPE_CONTEXTSWAP (EVENT_TRACE_GROUP_THREAD | 0x24) +#define PERFINFO_LOG_TYPE_CONTEXTSWAP_BATCH (EVENT_TRACE_GROUP_THREAD | 0x25) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x26) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x27) +// Reserved (EVENT_TRACE_GROUP_THREAD | 0x28) +#define PERFINFO_LOG_TYPE_SPINLOCK (EVENT_TRACE_GROUP_THREAD | 0x29) +#define PERFINFO_LOG_TYPE_QUEUE (EVENT_TRACE_GROUP_THREAD | 0x2A) +#define PERFINFO_LOG_TYPE_RESOURCE (EVENT_TRACE_GROUP_THREAD | 0x2B) +#define PERFINFO_LOG_TYPE_PUSHLOCK (EVENT_TRACE_GROUP_THREAD | 0x2C) +#define PERFINFO_LOG_TYPE_WAIT_SINGLE (EVENT_TRACE_GROUP_THREAD | 0x2D) +#define PERFINFO_LOG_TYPE_WAIT_MULTIPLE (EVENT_TRACE_GROUP_THREAD | 0x2E) +#define PERFINFO_LOG_TYPE_DELAY_EXECUTION (EVENT_TRACE_GROUP_THREAD | 0x2F) +#define PERFINFO_LOG_TYPE_THREAD_SET_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x30) +#define PERFINFO_LOT_TYPE_THREAD_SET_BASE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x31) +#define PERFINFO_LOG_TYPE_THREAD_SET_BASE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x31) +#define PERFINFO_LOG_TYPE_READY_THREAD (EVENT_TRACE_GROUP_THREAD | 0x32) +#define PERFINFO_LOG_TYPE_THREAD_SET_PAGE_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x33) +#define PERFINFO_LOG_TYPE_THREAD_SET_IO_PRIORITY (EVENT_TRACE_GROUP_THREAD | 0x34) +#define PERFINFO_LOG_TYPE_THREAD_SET_AFFINITY (EVENT_TRACE_GROUP_THREAD | 0x35) +#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM (EVENT_TRACE_GROUP_THREAD | 0x39) +#define PERFINFO_LOG_TYPE_DFSS_START_NEW_INTERVAL (EVENT_TRACE_GROUP_THREAD | 0x3A) +#define PERFINFO_LOG_TYPE_DFSS_PROCESS_IDLE_ONLY_QUEUE (EVENT_TRACE_GROUP_THREAD | 0x3B) +#define PERFINFO_LOG_TYPE_ANTI_STARVATION_BOOST (EVENT_TRACE_GROUP_THREAD | 0x3C) +#define PERFINFO_LOG_TYPE_THREAD_MIGRATION (EVENT_TRACE_GROUP_THREAD | 
0x3D)
+#define PERFINFO_LOG_TYPE_KQUEUE_ENQUEUE (EVENT_TRACE_GROUP_THREAD | 0x3E)
+#define PERFINFO_LOG_TYPE_KQUEUE_DEQUEUE (EVENT_TRACE_GROUP_THREAD | 0x3F)
+#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_START (EVENT_TRACE_GROUP_THREAD | 0x40)
+#define PERFINFO_LOG_TYPE_WORKER_THREAD_ITEM_END (EVENT_TRACE_GROUP_THREAD | 0x41)
+#define PERFINFO_LOG_TYPE_AUTO_BOOST_SET_FLOOR (EVENT_TRACE_GROUP_THREAD | 0x42)
+#define PERFINFO_LOG_TYPE_AUTO_BOOST_CLEAR_FLOOR (EVENT_TRACE_GROUP_THREAD | 0x43)
+#define PERFINFO_LOG_TYPE_AUTO_BOOST_NO_ENTRIES (EVENT_TRACE_GROUP_THREAD | 0x44)
+#define PERFINFO_LOG_TYPE_THREAD_SUBPROCESSTAG_CHANGED (EVENT_TRACE_GROUP_THREAD | 0x45)
+
+//
+// Event types for Network subsystem (TCPIP/UDPIP)
+//
+
+#define WMI_LOG_TYPE_TCPIP_SEND (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_SEND)
+#define WMI_LOG_TYPE_TCPIP_RECEIVE (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RECEIVE)
+#define WMI_LOG_TYPE_TCPIP_CONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_CONNECT)
+#define WMI_LOG_TYPE_TCPIP_DISCONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_DISCONNECT)
+#define WMI_LOG_TYPE_TCPIP_RETRANSMIT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RETRANSMIT)
+#define WMI_LOG_TYPE_TCPIP_ACCEPT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACCEPT)
+#define WMI_LOG_TYPE_TCPIP_RECONNECT (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_RECONNECT)
+#define WMI_LOG_TYPE_TCPIP_FAIL (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_CONNFAIL)
+#define WMI_LOG_TYPE_TCPIP_TCPCOPY (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_COPY_TCP)
+#define WMI_LOG_TYPE_TCPIP_ARPCOPY (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_COPY_ARP)
+#define WMI_LOG_TYPE_TCPIP_FULLACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKFULL)
+#define WMI_LOG_TYPE_TCPIP_PARTACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKPART)
+#define WMI_LOG_TYPE_TCPIP_DUPACK (EVENT_TRACE_GROUP_TCPIP | EVENT_TRACE_TYPE_ACKDUP)
+
+#define WMI_LOG_TYPE_UDP_SEND (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_SEND)
+#define 
WMI_LOG_TYPE_UDP_RECEIVE (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_RECEIVE)
+#define WMI_LOG_TYPE_UDP_FAIL (EVENT_TRACE_GROUP_UDPIP | EVENT_TRACE_TYPE_CONNFAIL)
+
+//
+// Netowrk events with IPV6
+//
+#define WMI_LOG_TYPE_TCPIP_SEND_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1A)
+#define WMI_LOG_TYPE_TCPIP_RECEIVE_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1B)
+#define WMI_LOG_TYPE_TCPIP_CONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1C)
+#define WMI_LOG_TYPE_TCPIP_DISCONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1D)
+#define WMI_LOG_TYPE_TCPIP_RETRANSMIT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1E)
+#define WMI_LOG_TYPE_TCPIP_ACCEPT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x1F)
+#define WMI_LOG_TYPE_TCPIP_RECONNECT_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x20)
+#define WMI_LOG_TYPE_TCPIP_FAIL_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x21)
+#define WMI_LOG_TYPE_TCPIP_TCPCOPY_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x22)
+#define WMI_LOG_TYPE_TCPIP_ARPCOPY_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x23)
+#define WMI_LOG_TYPE_TCPIP_FULLACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x24)
+#define WMI_LOG_TYPE_TCPIP_PARTACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x25)
+#define WMI_LOG_TYPE_TCPIP_DUPACK_IPV6 (EVENT_TRACE_GROUP_TCPIP | 0x26)
+
+#define WMI_LOG_TYPE_UDP_SEND_IPV6 (EVENT_TRACE_GROUP_UDPIP | 0x1A)
+#define WMI_LOG_TYPE_UDP_RECEIVE_IPV6 (EVENT_TRACE_GROUP_UDPIP | 0x1B)
+
+//
+// Event types for IO subsystem
+//
+
+#define WMI_LOG_TYPE_IO_READ (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_READ)
+#define WMI_LOG_TYPE_IO_WRITE (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_WRITE)
+#define WMI_LOG_TYPE_IO_READ_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_READ_INIT)
+#define WMI_LOG_TYPE_IO_WRITE_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_WRITE_INIT)
+#define WMI_LOG_TYPE_IO_FLUSH (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_FLUSH)
+#define WMI_LOG_TYPE_IO_FLUSH_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_FLUSH_INIT)
+#define WMI_LOG_TYPE_IO_REDIRECTED_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_IO_REDIRECTED_INIT)
+
+#define 
PERFINFO_LOG_TYPE_DRIVER_INIT (EVENT_TRACE_GROUP_IO | 0x20)
+#define PERFINFO_LOG_TYPE_DRIVER_INIT_COMPLETE (EVENT_TRACE_GROUP_IO | 0x21)
+#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_CALL (EVENT_TRACE_GROUP_IO | 0x22)
+#define PERFINFO_LOG_TYPE_DRIVER_MAJORFUNCTION_RETURN (EVENT_TRACE_GROUP_IO | 0x23)
+#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_CALL (EVENT_TRACE_GROUP_IO | 0x24)
+#define PERFINFO_LOG_TYPE_DRIVER_COMPLETIONROUTINE_RETURN (EVENT_TRACE_GROUP_IO | 0x25)
+#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_CALL (EVENT_TRACE_GROUP_IO | 0x26)
+#define PERFINFO_LOG_TYPE_DRIVER_ADD_DEVICE_RETURN (EVENT_TRACE_GROUP_IO | 0x27)
+#define PERFINFO_LOG_TYPE_DRIVER_STARTIO_CALL (EVENT_TRACE_GROUP_IO | 0x28)
+#define PERFINFO_LOG_TYPE_DRIVER_STARTIO_RETURN (EVENT_TRACE_GROUP_IO | 0x29)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2a)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2b)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2c)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2d)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2e)
+// Reserved (EVENT_TRACE_GROUP_IO | 0x2f)
+#define PERFINFO_LOG_TYPE_PREFETCH_ACTION (EVENT_TRACE_GROUP_IO | 0x30)
+#define PERFINFO_LOG_TYPE_PREFETCH_REQUEST (EVENT_TRACE_GROUP_IO | 0x31)
+#define PERFINFO_LOG_TYPE_PREFETCH_READLIST (EVENT_TRACE_GROUP_IO | 0x32)
+#define PERFINFO_LOG_TYPE_PREFETCH_READ (EVENT_TRACE_GROUP_IO | 0x33)
+#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST (EVENT_TRACE_GROUP_IO | 0x34)
+#define PERFINFO_LOG_TYPE_DRIVER_COMPLETE_REQUEST_RETURN (EVENT_TRACE_GROUP_IO | 0x35)
+#define PERFINFO_LOG_TYPE_BOOT_PREFETCH_INFORMATION (EVENT_TRACE_GROUP_IO | 0x36)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_READ (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_READ)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_WRITE)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_READ_INIT (EVENT_TRACE_GROUP_IO | 
EVENT_TRACE_TYPE_OPTICAL_IO_READ_INIT)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_WRITE_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_WRITE_INIT)
+#define PERFINFO_LOG_TYPE_OPTICAL_IO_FLUSH_INIT (EVENT_TRACE_GROUP_IO | EVENT_TRACE_TYPE_OPTICAL_IO_FLUSH_INIT)
+
+//
+// Event types for Memory subsystem
+//
+#define WMI_LOG_TYPE_PAGE_FAULT_TRANSITION (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_TF)
+#define WMI_LOG_TYPE_PAGE_FAULT_DEMAND_ZERO (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_DZF)
+#define WMI_LOG_TYPE_PAGE_FAULT_COPY_ON_WRITE (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_COW)
+#define WMI_LOG_TYPE_PAGE_FAULT_GUARD_PAGE (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_GPF)
+#define WMI_LOG_TYPE_PAGE_FAULT_HARD_PAGE_FAULT (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_HPF)
+#define WMI_LOG_TYPE_PAGE_FAULT_ACCESS_VIOLATION (EVENT_TRACE_GROUP_MEMORY | EVENT_TRACE_TYPE_MM_AV)
+
+#define PERFINFO_LOG_TYPE_HARDFAULT (EVENT_TRACE_GROUP_MEMORY | 0x20)
+#define PERFINFO_LOG_TYPE_REMOVEPAGEBYCOLOR (EVENT_TRACE_GROUP_MEMORY | 0x21)
+#define PERFINFO_LOG_TYPE_REMOVEPAGEFROMLIST (EVENT_TRACE_GROUP_MEMORY | 0x22)
+#define PERFINFO_LOG_TYPE_PAGEINMEMORY (EVENT_TRACE_GROUP_MEMORY | 0x23)
+#define PERFINFO_LOG_TYPE_INSERTINFREELIST (EVENT_TRACE_GROUP_MEMORY | 0x24)
+#define PERFINFO_LOG_TYPE_INSERTINMODIFIEDLIST (EVENT_TRACE_GROUP_MEMORY | 0x25)
+#define PERFINFO_LOG_TYPE_INSERTINLIST (EVENT_TRACE_GROUP_MEMORY | 0x26)
+#define PERFINFO_LOG_TYPE_INSERTATFRONT (EVENT_TRACE_GROUP_MEMORY | 0x28)
+#define PERFINFO_LOG_TYPE_UNLINKFROMSTANDBY (EVENT_TRACE_GROUP_MEMORY | 0x29)
+#define PERFINFO_LOG_TYPE_UNLINKFFREEORZERO (EVENT_TRACE_GROUP_MEMORY | 0x2a)
+#define PERFINFO_LOG_TYPE_WORKINGSETMANAGER (EVENT_TRACE_GROUP_MEMORY | 0x2b)
+#define PERFINFO_LOG_TYPE_TRIMPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x2c)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x2d)
+#define PERFINFO_LOG_TYPE_ZEROSHARECOUNT (EVENT_TRACE_GROUP_MEMORY | 0x2e)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 
0x2f)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x30)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x31)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x32)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x33)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x34)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x35)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x36)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x37)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x38)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x39)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3a)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3b)
+#define PERFINFO_LOG_TYPE_WSINFOPROCESS (EVENT_TRACE_GROUP_MEMORY | 0x3c)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3d)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3e)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x3f)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x40)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x41)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x42)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x43)
+// Reserved (EVENT_TRACE_GROUP_MEMORY | 0x44)
+#define PERFINFO_LOG_TYPE_FAULTADDR_WITH_IP (EVENT_TRACE_GROUP_MEMORY | 0x45)
+#define PERFINFO_LOG_TYPE_TRIMSESSION (EVENT_TRACE_GROUP_MEMORY | 0x46)
+#define PERFINFO_LOG_TYPE_MEMORYSNAPLITE (EVENT_TRACE_GROUP_MEMORY | 0x47)
+#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x48)
+#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x49)
+#define PERFINFO_LOG_TYPE_WSINFOSESSION (EVENT_TRACE_GROUP_MEMORY | 0x4a)
+#define PERFINFO_LOG_TYPE_CREATE_SESSION (EVENT_TRACE_GROUP_MEMORY | 0x4b)
+#define PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_END (EVENT_TRACE_GROUP_MEMORY | 0x4c)
+#define PERFINFO_LOG_TYPE_SESSION_RUNDOWN_DC_START (EVENT_TRACE_GROUP_MEMORY | 0x4d)
+#define PERFINFO_LOG_TYPE_SESSION_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x4e)
+#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x4f)
+
+#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC (EVENT_TRACE_GROUP_MEMORY | 0x62)
+#define 
PERFINFO_LOG_TYPE_VIRTUAL_FREE (EVENT_TRACE_GROUP_MEMORY | 0x63)
+#define PERFINFO_LOG_TYPE_HEAP_RANGE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x64)
+#define PERFINFO_LOG_TYPE_HEAP_RANGE_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x65)
+#define PERFINFO_LOG_TYPE_HEAP_RANGE_RESERVE (EVENT_TRACE_GROUP_MEMORY | 0x66)
+#define PERFINFO_LOG_TYPE_HEAP_RANGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x67)
+#define PERFINFO_LOG_TYPE_HEAP_RANGE_DESTROY (EVENT_TRACE_GROUP_MEMORY | 0x68)
+
+#define PERFINFO_LOG_TYPE_PAGEFILE_BACK (EVENT_TRACE_GROUP_MEMORY | 0x69)
+#define PERFINFO_LOG_TYPE_MEMINFO (EVENT_TRACE_GROUP_MEMORY | 0x70)
+#define PERFINFO_LOG_TYPE_CONTMEM_GENERATE (EVENT_TRACE_GROUP_MEMORY | 0x71)
+#define PERFINFO_LOG_TYPE_FILE_STORE_FAULT (EVENT_TRACE_GROUP_MEMORY | 0x72)
+#define PERFINFO_LOG_TYPE_INMEMORY_STORE_FAULT (EVENT_TRACE_GROUP_MEMORY | 0x73)
+#define PERFINFO_LOG_TYPE_COMPRESSED_PAGE (EVENT_TRACE_GROUP_MEMORY | 0x74)
+#define PERFINFO_LOG_TYPE_PAGEINMEMORY_ACTIVE (EVENT_TRACE_GROUP_MEMORY | 0x75)
+#define PERFINFO_LOG_TYPE_PAGE_ACCESS (EVENT_TRACE_GROUP_MEMORY | 0x76)
+#define PERFINFO_LOG_TYPE_PAGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x77)
+#define PERFINFO_LOG_TYPE_PAGE_RANGE_ACCESS (EVENT_TRACE_GROUP_MEMORY | 0x78)
+#define PERFINFO_LOG_TYPE_PAGE_RANGE_RELEASE (EVENT_TRACE_GROUP_MEMORY | 0x79)
+#define PERFINFO_LOG_TYPE_PAGE_COMBINE (EVENT_TRACE_GROUP_MEMORY | 0x7a)
+#define PERFINFO_LOG_TYPE_KERNEL_MEMUSAGE (EVENT_TRACE_GROUP_MEMORY | 0x7b)
+#define PERFINFO_LOG_TYPE_MM_STATS (EVENT_TRACE_GROUP_MEMORY | 0x7c)
+#define PERFINFO_LOG_TYPE_MEMINFOEX_WS (EVENT_TRACE_GROUP_MEMORY | 0x7d)
+#define PERFINFO_LOG_TYPE_MEMINFOEX_SESSIONWS (EVENT_TRACE_GROUP_MEMORY | 0x7e)
+
+#define PERFINFO_LOG_TYPE_VIRTUAL_ROTATE (EVENT_TRACE_GROUP_MEMORY | 0x7f)
+#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_START (EVENT_TRACE_GROUP_MEMORY | 0x80)
+#define PERFINFO_LOG_TYPE_VIRTUAL_ALLOC_DC_END (EVENT_TRACE_GROUP_MEMORY | 0x81)
+
+#define PERFINFO_LOG_TYPE_PAGE_ACCESS_EX 
(EVENT_TRACE_GROUP_MEMORY | 0x82)
+#define PERFINFO_LOG_TYPE_REMOVEFROMWS (EVENT_TRACE_GROUP_MEMORY | 0x83)
+#define PERFINFO_LOG_TYPE_WSSHAREABLE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x84)
+#define PERFINFO_LOG_TYPE_INMEMORYACTIVE_RUNDOWN (EVENT_TRACE_GROUP_MEMORY | 0x85)
+
+#define PERFINFO_LOG_TYPE_MEM_RESET_INFO (EVENT_TRACE_GROUP_MEMORY | 0x86)
+#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_CREATE (EVENT_TRACE_GROUP_MEMORY | 0x87)
+#define PERFINFO_LOG_TYPE_PFMAPPED_SECTION_OBJECT_DELETE (EVENT_TRACE_GROUP_MEMORY | 0x88)
+
+//
+//
+// Event types for Registry subsystem
+//
+#define WMI_LOG_TYPE_REG_RUNDOWNBEGIN (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGKCBRUNDOWNBEGIN)
+#define WMI_LOG_TYPE_REG_RUNDOWNEND (EVENT_TRACE_GROUP_REGISTRY | EVENT_TRACE_TYPE_REGKCBRUNDOWNEND)
+
+#define PERFINFO_LOG_TYPE_CMCELLREFERRED (EVENT_TRACE_GROUP_REGISTRY | 0x20)
+#define PERFINFO_LOG_TYPE_REG_SET_VALUE (EVENT_TRACE_GROUP_REGISTRY | 0x21)
+#define PERFINFO_LOG_TYPE_REG_COUNTERS (EVENT_TRACE_GROUP_REGISTRY | 0x22)
+#define PERFINFO_LOG_TYPE_REG_CONFIG (EVENT_TRACE_GROUP_REGISTRY | 0x23)
+#define PERFINFO_LOG_TYPE_REG_HIVE_INITIALIZE (EVENT_TRACE_GROUP_REGISTRY | 0x24)
+#define PERFINFO_LOG_TYPE_REG_HIVE_DESTROY (EVENT_TRACE_GROUP_REGISTRY | 0x25)
+#define PERFINFO_LOG_TYPE_REG_HIVE_LINK (EVENT_TRACE_GROUP_REGISTRY | 0x26)
+#define PERFINFO_LOG_TYPE_REG_HIVE_RUNDOWN_DC_END (EVENT_TRACE_GROUP_REGISTRY | 0x27)
+#define PERFINFO_LOG_TYPE_REG_HIVE_DIRTY (EVENT_TRACE_GROUP_REGISTRY | 0x28)
+// Reserved
+#define PERFINFO_LOG_TYPE_REG_NOTIF_REGISTER (EVENT_TRACE_GROUP_REGISTRY | 0x30)
+#define PERFINFO_LOG_TYPE_REG_NOTIF_DELIVER (EVENT_TRACE_GROUP_REGISTRY | 0x31)
+
+//
+// Event types for PERF tracing specific subsystem
+//
+#define PERFINFO_LOG_TYPE_RUNDOWN_CHECKPOINT (EVENT_TRACE_GROUP_PERFINFO | 0x20)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x21)
+#define PERFINFO_LOG_TYPE_MARK (EVENT_TRACE_GROUP_PERFINFO | 0x22)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x23)
+#define PERFINFO_LOG_TYPE_ASYNCMARK (EVENT_TRACE_GROUP_PERFINFO | 0x24)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x25)
+#define PERFINFO_LOG_TYPE_IMAGENAME (EVENT_TRACE_GROUP_PERFINFO | 0x26)
+#define PERFINFO_LOG_TYPE_DELAYS_CC_CAN_I_WRITE (EVENT_TRACE_GROUP_PERFINFO | 0x27)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x28)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x29)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2a)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2b)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2c)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x2d)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE (EVENT_TRACE_GROUP_PERFINFO | 0x2e)
+#define PERFINFO_LOG_TYPE_PMC_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x2f)
+#define PERFINFO_LOG_TYPE_PMC_CONFIG (EVENT_TRACE_GROUP_PERFINFO | 0x30)
+// Reserved (EVENT_TRACE_GROUP_PERFINFO | 0x31)
+#define PERFINFO_LOG_TYPE_MSI_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x32)
+#define PERFINFO_LOG_TYPE_SYSCALL_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x33)
+#define PERFINFO_LOG_TYPE_SYSCALL_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x34)
+#define PERFINFO_LOG_TYPE_BACKTRACE (EVENT_TRACE_GROUP_PERFINFO | 0x35)
+#define PERFINFO_LOG_TYPE_BACKTRACE_USERSTACK (EVENT_TRACE_GROUP_PERFINFO | 0x36)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_CACHE (EVENT_TRACE_GROUP_PERFINFO | 0x37)
+#define PERFINFO_LOG_TYPE_EXCEPTION_STACK (EVENT_TRACE_GROUP_PERFINFO | 0x38)
+#define PERFINFO_LOG_TYPE_BRANCH_TRACE (EVENT_TRACE_GROUP_PERFINFO | 0x39)
+#define PERFINFO_LOG_TYPE_DEBUGGER_ENABLED (EVENT_TRACE_GROUP_PERFINFO | 0x3a)
+#define PERFINFO_LOG_TYPE_DEBUGGER_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x3b)
+#define PERFINFO_LOG_TYPE_BRANCH_TRACE_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x40)
+#define PERFINFO_LOG_TYPE_BRANCH_ADDRESS_DEBUG (EVENT_TRACE_GROUP_PERFINFO | 0x41)
+#define PERFINFO_LOG_TYPE_THREADED_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x42)
+#define PERFINFO_LOG_TYPE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x43)
+#define PERFINFO_LOG_TYPE_DPC 
(EVENT_TRACE_GROUP_PERFINFO | 0x44)
+#define PERFINFO_LOG_TYPE_TIMERDPC (EVENT_TRACE_GROUP_PERFINFO | 0x45)
+#define PERFINFO_LOG_TYPE_IOTIMER_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x46)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_NMI (EVENT_TRACE_GROUP_PERFINFO | 0x47)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_SET_INTERVAL (EVENT_TRACE_GROUP_PERFINFO | 0x48)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x49)
+#define PERFINFO_LOG_TYPE_SAMPLED_PROFILE_DC_END (EVENT_TRACE_GROUP_PERFINFO | 0x4a)
+#define PERFINFO_LOG_TYPE_SPINLOCK_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x4b)
+#define PERFINFO_LOG_TYPE_SPINLOCK_DC_END (EVENT_TRACE_GROUP_PERFINFO | 0x4c)
+#define PERFINFO_LOG_TYPE_ERESOURCE_DC_START (EVENT_TRACE_GROUP_PERFINFO | 0x4d)
+#define PERFINFO_LOG_TYPE_ERESOURCE_DC_END (EVENT_TRACE_GROUP_PERFINFO | 0x4e)
+#define PERFINFO_LOG_TYPE_CLOCK_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x4f)
+#define PERFINFO_LOG_TYPE_TIMER_EXPIRATION_START (EVENT_TRACE_GROUP_PERFINFO | 0x50)
+#define PERFINFO_LOG_TYPE_TIMER_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x51)
+#define PERFINFO_LOG_TYPE_TIMER_SET_PERIODIC (EVENT_TRACE_GROUP_PERFINFO | 0x52)
+#define PERFINFO_LOG_TYPE_TIMER_SET_ONE_SHOT (EVENT_TRACE_GROUP_PERFINFO | 0x53)
+#define PERFINFO_LOG_TYPE_TIMER_SET_THREAD (EVENT_TRACE_GROUP_PERFINFO | 0x54)
+#define PERFINFO_LOG_TYPE_TIMER_CANCEL (EVENT_TRACE_GROUP_PERFINFO | 0x55)
+#define PERFINFO_LOG_TYPE_TIME_ADJUSTMENT (EVENT_TRACE_GROUP_PERFINFO | 0x56)
+#define PERFINFO_LOG_TYPE_CLOCK_MODE_SWITCH (EVENT_TRACE_GROUP_PERFINFO | 0x57)
+#define PERFINFO_LOG_TYPE_CLOCK_TIME_UPDATE (EVENT_TRACE_GROUP_PERFINFO | 0x58)
+#define PERFINFO_LOG_TYPE_CLOCK_DYNAMIC_TICK_VETO (EVENT_TRACE_GROUP_PERFINFO | 0x59)
+#define PERFINFO_LOG_TYPE_CLOCK_CONFIGURATION (EVENT_TRACE_GROUP_PERFINFO | 0x5a)
+#define PERFINFO_LOG_TYPE_IPI (EVENT_TRACE_GROUP_PERFINFO | 0x5b)
+#define PERFINFO_LOG_TYPE_UNEXPECTED_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x5c)
+#define 
PERFINFO_LOG_TYPE_IOTIMER_START (EVENT_TRACE_GROUP_PERFINFO | 0x5d)
+#define PERFINFO_LOG_TYPE_IOTIMER_STOP (EVENT_TRACE_GROUP_PERFINFO | 0x5e)
+#define PERFINFO_LOG_TYPE_PASSIVE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x5f)
+#define PERFINFO_LOG_TYPE_WDF_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x60)
+#define PERFINFO_LOG_TYPE_WDF_PASSIVE_INTERRUPT (EVENT_TRACE_GROUP_PERFINFO | 0x61)
+#define PERFINFO_LOG_TYPE_WDF_DPC (EVENT_TRACE_GROUP_PERFINFO | 0x62)
+#define PERFINFO_LOG_TYPE_CPU_CACHE_FLUSH (EVENT_TRACE_GROUP_PERFINFO | 0x63)
+#define PERFINFO_LOG_TYPE_DPC_ENQUEUE (EVENT_TRACE_GROUP_PERFINFO | 0x64)
+#define PERFINFO_LOG_TYPE_DPC_EXECUTION (EVENT_TRACE_GROUP_PERFINFO | 0x65)
+#define PERFINFO_LOG_TYPE_INTERRUPT_STEERING (EVENT_TRACE_GROUP_PERFINFO | 0x66)
+#define PERFINFO_LOG_TYPE_WDF_WORK_ITEM (EVENT_TRACE_GROUP_PERFINFO | 0x67)
+#define PERFINFO_LOG_TYPE_KTIMER2_SET (EVENT_TRACE_GROUP_PERFINFO | 0x68)
+#define PERFINFO_LOG_TYPE_KTIMER2_EXPIRATION (EVENT_TRACE_GROUP_PERFINFO | 0x69)
+#define PERFINFO_LOG_TYPE_KTIMER2_CANCEL (EVENT_TRACE_GROUP_PERFINFO | 0x6a)
+#define PERFINFO_LOG_TYPE_KTIMER2_DISABLE (EVENT_TRACE_GROUP_PERFINFO | 0x6b)
+#define PERFINFO_LOG_TYPE_KTIMER2_FINALIZATION (EVENT_TRACE_GROUP_PERFINFO | 0x6c)
+#define PERFINFO_LOG_TYPE_SHOULD_YIELD_PROCESSOR (EVENT_TRACE_GROUP_PERFINFO | 0x6d)
+
+//
+// Event types for ICE. 
+//
+
+#define PERFINFO_LOG_TYPE_FUNCTION_CALL (EVENT_TRACE_GROUP_PERFINFO | 0x80)
+#define PERFINFO_LOG_TYPE_FUNCTION_RETURN (EVENT_TRACE_GROUP_PERFINFO | 0x81)
+#define PERFINFO_LOG_TYPE_FUNCTION_ENTER (EVENT_TRACE_GROUP_PERFINFO | 0x82)
+#define PERFINFO_LOG_TYPE_FUNCTION_EXIT (EVENT_TRACE_GROUP_PERFINFO | 0x83)
+#define PERFINFO_LOG_TYPE_TAILCALL (EVENT_TRACE_GROUP_PERFINFO | 0x84)
+#define PERFINFO_LOG_TYPE_TRAP (EVENT_TRACE_GROUP_PERFINFO | 0x85)
+#define PERFINFO_LOG_TYPE_SPINLOCK_ACQUIRE (EVENT_TRACE_GROUP_PERFINFO | 0x86)
+#define PERFINFO_LOG_TYPE_SPINLOCK_RELEASE (EVENT_TRACE_GROUP_PERFINFO | 0x87)
+#define PERFINFO_LOG_TYPE_CAP_COMMENT (EVENT_TRACE_GROUP_PERFINFO | 0x88)
+#define PERFINFO_LOG_TYPE_CAP_RUNDOWN (EVENT_TRACE_GROUP_PERFINFO | 0x89)
+
+//
+// Event types for Debugger subsystem.
+//
+
+#define PERFINFO_LOG_TYPE_DEBUG_PRINT (EVENT_TRACE_GROUP_DBGPRINT | 0x20)
+
+//
+// Event types for WNF facility
+//
+
+#define PERFINFO_LOG_TYPE_WNF_SUBSCRIBE (EVENT_TRACE_GROUP_WNF | 0x20)
+#define PERFINFO_LOG_TYPE_WNF_UNSUBSCRIBE (EVENT_TRACE_GROUP_WNF | 0x21)
+#define PERFINFO_LOG_TYPE_WNF_CALLBACK (EVENT_TRACE_GROUP_WNF | 0x22)
+#define PERFINFO_LOG_TYPE_WNF_PUBLISH (EVENT_TRACE_GROUP_WNF | 0x23)
+#define PERFINFO_LOG_TYPE_WNF_NAME_SUB_RUNDOWN (EVENT_TRACE_GROUP_WNF | 0x24)
+
+//
+// Event types for Pool subsystem. 
+//
+
+#define PERFINFO_LOG_TYPE_ALLOCATEPOOL (EVENT_TRACE_GROUP_POOL | 0x20)
+#define PERFINFO_LOG_TYPE_ALLOCATEPOOL_SESSION (EVENT_TRACE_GROUP_POOL | 0x21)
+#define PERFINFO_LOG_TYPE_FREEPOOL (EVENT_TRACE_GROUP_POOL | 0x22)
+#define PERFINFO_LOG_TYPE_FREEPOOL_SESSION (EVENT_TRACE_GROUP_POOL | 0x23)
+#define PERFINFO_LOG_TYPE_ADDPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x24)
+#define PERFINFO_LOG_TYPE_ADDPOOLPAGE_SESSION (EVENT_TRACE_GROUP_POOL | 0x25)
+#define PERFINFO_LOG_TYPE_BIGPOOLPAGE (EVENT_TRACE_GROUP_POOL | 0x26)
+#define PERFINFO_LOG_TYPE_BIGPOOLPAGE_SESSION (EVENT_TRACE_GROUP_POOL | 0x27)
+#define PERFINFO_LOG_TYPE_POOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x28)
+#define PERFINFO_LOG_TYPE_POOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x29)
+#define PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x2a)
+#define PERFINFO_LOG_TYPE_BIGPOOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x2b)
+#define PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_START (EVENT_TRACE_GROUP_POOL | 0x2c)
+#define PERFINFO_LOG_TYPE_POOLSNAP_SESSION_DC_END (EVENT_TRACE_GROUP_POOL | 0x2d)
+#define PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_START (EVENT_TRACE_GROUP_POOL | 0x2e)
+#define PERFINFO_LOG_TYPE_SESSIONBIGPOOLSNAP_DC_END (EVENT_TRACE_GROUP_POOL | 0x2f)
+
+//
+// Event types for Heap subsystem
+//
+#define PERFINFO_LOG_TYPE_HEAP_CREATE (EVENT_TRACE_GROUP_HEAP | 0x20)
+#define PERFINFO_LOG_TYPE_HEAP_ALLOC (EVENT_TRACE_GROUP_HEAP | 0x21)
+#define PERFINFO_LOG_TYPE_HEAP_REALLOC (EVENT_TRACE_GROUP_HEAP | 0x22)
+#define PERFINFO_LOG_TYPE_HEAP_DESTROY (EVENT_TRACE_GROUP_HEAP | 0x23)
+#define PERFINFO_LOG_TYPE_HEAP_FREE (EVENT_TRACE_GROUP_HEAP | 0x24)
+#define PERFINFO_LOG_TYPE_HEAP_EXTEND (EVENT_TRACE_GROUP_HEAP | 0x25)
+#define PERFINFO_LOG_TYPE_HEAP_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x26)
+#define PERFINFO_LOG_TYPE_HEAP_CREATE_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x27)
+#define PERFINFO_LOG_TYPE_HEAP_DESTROY_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x28)
+#define 
PERFINFO_LOG_TYPE_HEAP_EXTEND_SNAPSHOT (EVENT_TRACE_GROUP_HEAP | 0x29)
+#define PERFINFO_LOG_TYPE_HEAP_CONTRACT (EVENT_TRACE_GROUP_HEAP | 0x2a)
+#define PERFINFO_LOG_TYPE_HEAP_LOCK (EVENT_TRACE_GROUP_HEAP | 0x2b)
+#define PERFINFO_LOG_TYPE_HEAP_UNLOCK (EVENT_TRACE_GROUP_HEAP | 0x2c)
+#define PERFINFO_LOG_TYPE_HEAP_VALIDATE (EVENT_TRACE_GROUP_HEAP | 0x2d)
+#define PERFINFO_LOG_TYPE_HEAP_WALK (EVENT_TRACE_GROUP_HEAP | 0x2e)
+
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC (EVENT_TRACE_GROUP_HEAP | 0x2f)
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE (EVENT_TRACE_GROUP_HEAP | 0x30)
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ALLOC_CACHE (EVENT_TRACE_GROUP_HEAP | 0x31)
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_FREE_CACHE (EVENT_TRACE_GROUP_HEAP | 0x32)
+#define PERFINFO_LOG_TYPE_HEAP_COMMIT (EVENT_TRACE_GROUP_HEAP | 0x33)
+#define PERFINFO_LOG_TYPE_HEAP_DECOMMIT (EVENT_TRACE_GROUP_HEAP | 0x34)
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_INIT (EVENT_TRACE_GROUP_HEAP | 0x35)
+#define PERFINFO_LOG_TYPE_HEAP_AFFINITY_ENABLE (EVENT_TRACE_GROUP_HEAP | 0x36)
+//Reserved (EVENT_TRACE_GROUP_HEAP | 0x37)
+#define PERFINFO_LOG_TYPE_HEAP_SUBSEGMENT_ACTIVATED (EVENT_TRACE_GROUP_HEAP | 0x38)
+#define PERFINFO_LOG_TYPE_HEAP_AFFINITY_ASSIGN (EVENT_TRACE_GROUP_HEAP | 0x39)
+#define PERFINFO_LOG_TYPE_HEAP_REUSE_THRESHOLD_ACTIVATED (EVENT_TRACE_GROUP_HEAP | 0x3a)
+
+//
+// Event Types for Critical Section Subsystem
+//
+
+#define PERFINFO_LOG_TYPE_CRITSEC_ENTER (EVENT_TRACE_GROUP_CRITSEC | 0x20)
+#define PERFINFO_LOG_TYPE_CRITSEC_LEAVE (EVENT_TRACE_GROUP_CRITSEC | 0x21)
+#define PERFINFO_LOG_TYPE_CRITSEC_COLLISION (EVENT_TRACE_GROUP_CRITSEC | 0x22)
+#define PERFINFO_LOG_TYPE_CRITSEC_INITIALIZE (EVENT_TRACE_GROUP_CRITSEC | 0x23)
+
+//
+// Event types for Stackwalk subsystem
+//
+
+#define PERFINFO_LOG_TYPE_STACKWALK (EVENT_TRACE_GROUP_STACKWALK | 0x20)
+//Reserved (EVENT_TRACE_GROUP_STACKWALK | 0x21)
+#define PERFINFO_LOG_TYPE_STACKTRACE_CREATE (EVENT_TRACE_GROUP_STACKWALK | 0x22)
+#define PERFINFO_LOG_TYPE_STACKTRACE_DELETE (EVENT_TRACE_GROUP_STACKWALK | 0x23)
+#define PERFINFO_LOG_TYPE_STACKTRACE_RUNDOWN (EVENT_TRACE_GROUP_STACKWALK | 0x24)
+#define PERFINFO_LOG_TYPE_STACKTRACE_KEY_KERNEL (EVENT_TRACE_GROUP_STACKWALK | 0x25)
+#define PERFINFO_LOG_TYPE_STACKTRACE_KEY_USER (EVENT_TRACE_GROUP_STACKWALK | 0x26)
+
+//
+// Event types for ALPC
+//
+
+#define WMI_LOG_TYPE_ALPC_SEND_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x21)
+#define WMI_LOG_TYPE_ALPC_RECEIVE_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x22)
+#define WMI_LOG_TYPE_ALPC_WAIT_FOR_REPLY (EVENT_TRACE_GROUP_ALPC | 0x23)
+#define WMI_LOG_TYPE_ALPC_WAIT_FOR_NEW_MESSAGE (EVENT_TRACE_GROUP_ALPC | 0x24)
+#define WMI_LOG_TYPE_ALPC_UNWAIT (EVENT_TRACE_GROUP_ALPC | 0x25)
+#define WMI_LOG_TYPE_ALPC_CONNECT_REQUEST (EVENT_TRACE_GROUP_ALPC | 0x26)
+#define WMI_LOG_TYPE_ALPC_CONNECT_SUCCESS (EVENT_TRACE_GROUP_ALPC | 0x27)
+#define WMI_LOG_TYPE_ALPC_CONNECT_FAIL (EVENT_TRACE_GROUP_ALPC | 0x28)
+#define WMI_LOG_TYPE_ALPC_CLOSE_PORT (EVENT_TRACE_GROUP_ALPC | 0x29)
+
+
+//
+// Event types for Object Manager subsystem
+//
+
+#define PERFINFO_LOG_TYPE_CREATE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x20)
+#define PERFINFO_LOG_TYPE_CLOSE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x21)
+#define PERFINFO_LOG_TYPE_DUPLICATE_HANDLE (EVENT_TRACE_GROUP_OBJECT | 0x22)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x23)
+#define PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_START (EVENT_TRACE_GROUP_OBJECT | 0x24)
+#define PERFINFO_LOG_TYPE_OBJECT_TYPE_DC_END (EVENT_TRACE_GROUP_OBJECT | 0x25)
+#define PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_START (EVENT_TRACE_GROUP_OBJECT | 0x26)
+#define PERFINFO_LOG_TYPE_OBJECT_HANDLE_DC_END (EVENT_TRACE_GROUP_OBJECT | 0x27)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x28)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x29)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2a)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2b)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2c)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2d)
+//Reserved 
(EVENT_TRACE_GROUP_OBJECT | 0x2e)
+//Reserved (EVENT_TRACE_GROUP_OBJECT | 0x2f)
+#define PERFINFO_LOG_TYPE_CREATE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x30)
+#define PERFINFO_LOG_TYPE_DELETE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x31)
+#define PERFINFO_LOG_TYPE_REFERENCE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x32)
+#define PERFINFO_LOG_TYPE_DEREFERENCE_OBJECT (EVENT_TRACE_GROUP_OBJECT | 0x33)
+
+//
+// Event types for Power subsystem
+//
+
+#define PERFINFO_LOG_TYPE_BATTERY_LIFE_INFO (EVENT_TRACE_GROUP_POWER | 0x20)
+#define PERFINFO_LOG_TYPE_IDLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x21)
+#define PERFINFO_LOG_TYPE_SET_POWER_ACTION (EVENT_TRACE_GROUP_POWER | 0x22)
+#define PERFINFO_LOG_TYPE_SET_POWER_ACTION_RET (EVENT_TRACE_GROUP_POWER | 0x23)
+#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE (EVENT_TRACE_GROUP_POWER | 0x24)
+#define PERFINFO_LOG_TYPE_SET_DEVICES_STATE_RET (EVENT_TRACE_GROUP_POWER | 0x25)
+#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE (EVENT_TRACE_GROUP_POWER | 0x26)
+#define PERFINFO_LOG_TYPE_PO_NOTIFY_DEVICE_COMPLETE (EVENT_TRACE_GROUP_POWER | 0x27)
+#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT (EVENT_TRACE_GROUP_POWER | 0x28)
+#define PERFINFO_LOG_TYPE_PO_SESSION_CALLOUT_RET (EVENT_TRACE_GROUP_POWER | 0x29)
+#define PERFINFO_LOG_TYPE_PO_PRESLEEP (EVENT_TRACE_GROUP_POWER | 0x30)
+#define PERFINFO_LOG_TYPE_PO_POSTSLEEP (EVENT_TRACE_GROUP_POWER | 0x31)
+#define PERFINFO_LOG_TYPE_PO_CALIBRATED_PERFCOUNTER (EVENT_TRACE_GROUP_POWER | 0x32)
+#define PERFINFO_LOG_TYPE_PPM_PERF_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x33)
+#define PERFINFO_LOG_TYPE_PPM_THROTTLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x34)
+#define PERFINFO_LOG_TYPE_PPM_IDLE_STATE_CHANGE (EVENT_TRACE_GROUP_POWER | 0x35)
+#define PERFINFO_LOG_TYPE_PPM_THERMAL_CONSTRAINT (EVENT_TRACE_GROUP_POWER | 0x36)
+#define PERFINFO_LOG_TYPE_PO_SIGNAL_RESUME_UI (EVENT_TRACE_GROUP_POWER | 0x37)
+#define PERFINFO_LOG_TYPE_PO_SIGNAL_VIDEO_ON (EVENT_TRACE_GROUP_POWER | 0x38)
+#define 
PERFINFO_LOG_TYPE_PPM_IDLE_STATE_ENTER (EVENT_TRACE_GROUP_POWER | 0x39)
+#define PERFINFO_LOG_TYPE_PPM_IDLE_STATE_EXIT (EVENT_TRACE_GROUP_POWER | 0x3a)
+#define PERFINFO_LOG_TYPE_PPM_PLATFORM_IDLE_STATE_ENTER (EVENT_TRACE_GROUP_POWER | 0x3b)
+#define PERFINFO_LOG_TYPE_PPM_IDLE_EXIT_LATENCY (EVENT_TRACE_GROUP_POWER | 0x3c)
+#define PERFINFO_LOG_TYPE_PPM_IDLE_PROCESSOR_SELECTION (EVENT_TRACE_GROUP_POWER | 0x3d)
+#define PERFINFO_LOG_TYPE_PPM_IDLE_PLATFORM_SELECTION (EVENT_TRACE_GROUP_POWER | 0x3e)
+#define PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_ENTER (EVENT_TRACE_GROUP_POWER | 0x3f)
+#define PERFINFO_LOG_TYPE_PPM_COORDINATED_IDLE_EXIT (EVENT_TRACE_GROUP_POWER | 0x40)
+
+//
+// Event types for MODBound subsystem
+//
+#define PERFINFO_LOG_TYPE_COWHEADER (EVENT_TRACE_GROUP_MODBOUND | 0x18)
+#define PERFINFO_LOG_TYPE_COWBLOB (EVENT_TRACE_GROUP_MODBOUND | 0x19)
+#define PERFINFO_LOG_TYPE_COWBLOB_CLOSED (EVENT_TRACE_GROUP_MODBOUND | 0x1a)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_ENT (EVENT_TRACE_GROUP_MODBOUND | 0x20)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_JUMP (EVENT_TRACE_GROUP_MODBOUND | 0x21)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_RET (EVENT_TRACE_GROUP_MODBOUND | 0x22)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_CALL (EVENT_TRACE_GROUP_MODBOUND | 0x23)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_CALLRET (EVENT_TRACE_GROUP_MODBOUND | 0x24)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2E (EVENT_TRACE_GROUP_MODBOUND | 0x25)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_INT2B (EVENT_TRACE_GROUP_MODBOUND | 0x26)
+#define PERFINFO_LOG_TYPE_MODULEBOUND_FULLTRACE (EVENT_TRACE_GROUP_MODBOUND | 0x27)
+
+//
+// Event types for the thread class scheduler
+//
+// TODO: Because MMCSS is a DLL it doesn't need to use UMGL. 
+//
+#define PERFINFO_LOG_TYPE_MMCSS_START (0x20)
+#define PERFINFO_LOG_TYPE_MMCSS_STOP (0x21)
+#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_EVENT (0x22)
+#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_WAKEUP (0x23)
+#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_SLEEP (0x24)
+#define PERFINFO_LOG_TYPE_MMCSS_SCHEDULER_SLEEP_RESP (0x25)
+
+
+//
+// Event types for SplitIo
+//
+
+#define PERFINFO_LOG_TYPE_SPLITIO_VOLMGR (EVENT_TRACE_GROUP_SPLITIO | 0x20)
+
+// Event types for ThreadPool
+#define PERFINFO_LOG_TYPE_TP_CALLBACK_ENQUEUE (EVENT_TRACE_GROUP_THREAD_POOL | 0x20)
+#define PERFINFO_LOG_TYPE_TP_CALLBACK_DEQUEUE (EVENT_TRACE_GROUP_THREAD_POOL | 0x21)
+#define PERFINFO_LOG_TYPE_TP_CALLBACK_START (EVENT_TRACE_GROUP_THREAD_POOL | 0x22)
+#define PERFINFO_LOG_TYPE_TP_CALLBACK_STOP (EVENT_TRACE_GROUP_THREAD_POOL | 0x23)
+#define PERFINFO_LOG_TYPE_TP_CALLBACK_CANCEL (EVENT_TRACE_GROUP_THREAD_POOL | 0x24)
+#define PERFINFO_LOG_TYPE_TP_POOL_CREATE (EVENT_TRACE_GROUP_THREAD_POOL | 0x25)
+#define PERFINFO_LOG_TYPE_TP_POOL_CLOSE (EVENT_TRACE_GROUP_THREAD_POOL | 0x26)
+#define PERFINFO_LOG_TYPE_TP_POOL_TH_MIN_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x27)
+#define PERFINFO_LOG_TYPE_TP_POOL_TH_MAX_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x28)
+#define PERFINFO_LOG_TYPE_TP_WORKER_NUMANODE_SWITCH (EVENT_TRACE_GROUP_THREAD_POOL | 0x29)
+#define PERFINFO_LOG_TYPE_TP_TIMER_SET (EVENT_TRACE_GROUP_THREAD_POOL | 0x2a)
+#define PERFINFO_LOG_TYPE_TP_TIMER_CANCELLED (EVENT_TRACE_GROUP_THREAD_POOL | 0x2b)
+#define PERFINFO_LOG_TYPE_TP_TIMER_SET_NTTIMER (EVENT_TRACE_GROUP_THREAD_POOL | 0x2c)
+#define PERFINFO_LOG_TYPE_TP_TIMER_CANCEL_NTTIMER (EVENT_TRACE_GROUP_THREAD_POOL | 0x2d)
+#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_BEGIN (EVENT_TRACE_GROUP_THREAD_POOL | 0x2e)
+#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION_END (EVENT_TRACE_GROUP_THREAD_POOL | 0x2f)
+#define PERFINFO_LOG_TYPE_TP_TIMER_EXPIRATION (EVENT_TRACE_GROUP_THREAD_POOL | 0x30)
+
+// Event types for UMS
+#define 
PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_START (EVENT_TRACE_GROUP_UMS | 0x20)
+#define PERFINFO_LOG_TYPE_UMS_DIRECTED_SWITCH_END (EVENT_TRACE_GROUP_UMS | 0x21)
+#define PERFINFO_LOG_TYPE_UMS_PARK (EVENT_TRACE_GROUP_UMS | 0x22)
+#define PERFINFO_LOG_TYPE_UMS_DISASSOCIATE (EVENT_TRACE_GROUP_UMS | 0x23)
+#define PERFINFO_LOG_TYPE_UMS_CONTEXT_SWITCH (EVENT_TRACE_GROUP_UMS | 0x24)
+
+// Event types for Cache manager
+#define PERFINFO_LOG_TYPE_CC_WORKITEM_ENQUEUE (EVENT_TRACE_GROUP_CC | 0x00)
+#define PERFINFO_LOG_TYPE_CC_WORKITEM_DEQUEUE (EVENT_TRACE_GROUP_CC | 0x01)
+#define PERFINFO_LOG_TYPE_CC_WORKITEM_COMPLETE (EVENT_TRACE_GROUP_CC | 0x02)
+#define PERFINFO_LOG_TYPE_CC_READ_AHEAD (EVENT_TRACE_GROUP_CC | 0x03)
+#define PERFINFO_LOG_TYPE_CC_WRITE_BEHIND (EVENT_TRACE_GROUP_CC | 0x04)
+#define PERFINFO_LOG_TYPE_CC_LAZY_WRITE_SCAN (EVENT_TRACE_GROUP_CC | 0x05)
+#define PERFINFO_LOG_TYPE_CC_CAN_I_WRITE_FAIL (EVENT_TRACE_GROUP_CC | 0x06)
+//#define PERFINFO_LOG_TYPE_CC_MAP_VIEW (EVENT_TRACE_GROUP_CC | 0x07)
+//#define PERFINFO_LOG_TYPE_CC_UNMAP_VIEW (EVENT_TRACE_GROUP_CC | 0x08)
+#define PERFINFO_LOG_TYPE_CC_FLUSH_CACHE (EVENT_TRACE_GROUP_CC | 0x09)
+#define PERFINFO_LOG_TYPE_CC_FLUSH_SECTION (EVENT_TRACE_GROUP_CC | 0x0a)
+#define PERFINFO_LOG_TYPE_CC_READ_AHEAD_PREFETCH (EVENT_TRACE_GROUP_CC | 0x0b)
+#define PERFINFO_LOG_TYPE_CC_SCHEDULE_READ_AHEAD (EVENT_TRACE_GROUP_CC | 0x0c)
+#define PERFINFO_LOG_TYPE_CC_LOGGED_STREAM_INFO (EVENT_TRACE_GROUP_CC | 0x0d)
+#define PERFINFO_LOG_TYPE_CC_EXTRA_WRITEBEHIND_THREAD (EVENT_TRACE_GROUP_CC | 0x0e)
+
 typedef ULONG PERFINFO_MASK;
 typedef struct _PERFINFO_GROUPMASK
@@ -2242,7 +3150,7 @@ typedef struct _EVENT_TRACE_EXECUTIVE_RESOURCE_INFORMATION
 typedef struct _EVENT_TRACE_HEAP_TRACING_INFORMATION
 {
 EVENT_TRACE_INFORMATION_CLASS EventTraceInformationClass;
- ULONG ProcessId;
+ ULONG ProcessId[1];
 } EVENT_TRACE_HEAP_TRACING_INFORMATION, *PEVENT_TRACE_HEAP_TRACING_INFORMATION;
 typedef struct _EVENT_TRACE_TAG_FILTER_INFORMATION 
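Review bot: `ULONG ProcessId[1];` on the new side of `@@ -2242,7 +3150,7 @@` turns a scalar member into a one-element array, which is a source-breaking change for any existing caller that wrote `info.ProcessId = pid`, and nothing in the hunk says how many entries the kernel honours or how a caller is expected to size the buffer. If the `[1]` is the usual variable-length-trailing-array idiom, say so on the member rather than leaving readers to infer it, e.g. `ULONG ProcessId[1]; // variable-length list; entry count implied by the information length passed by the caller - confirm against the kernel`, or use `ANYSIZE_ARRAY` if this header already relies on it elsewhere. Whether the kernel actually reads more than the first element is not visible here, so the comment should carry that as an assumption until checked. The struct fits entirely within the hunk.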
@@ -2492,6 +3400,7 @@ typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION PVOID Buffer; } SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; +#if (PHNT_MODE != PHNT_MODE_KERNEL) // private typedef struct _SYSTEM_GDI_DRIVER_INFORMATION { @@ -2502,6 +3411,7 @@ typedef struct _SYSTEM_GDI_DRIVER_INFORMATION struct _IMAGE_EXPORT_DIRECTORY* ExportSectionPointer; ULONG ImageLength; } SYSTEM_GDI_DRIVER_INFORMATION, *PSYSTEM_GDI_DRIVER_INFORMATION; +#endif // geoffchappell #ifdef _WIN64 @@ -2629,7 +3539,7 @@ typedef struct _SYSTEM_SESSION_MAPPED_VIEW_INFORMATION SIZE_T NumberOfBytesAvailableContiguous; } SYSTEM_SESSION_MAPPED_VIEW_INFORMATION, *PSYSTEM_SESSION_MAPPED_VIEW_INFORMATION; -typedef enum _WATCHDOG_HANDLER_ACTION +typedef enum _WATCHDOG_HANDLER_ACTION { WdActionSetTimeoutValue, WdActionQueryTimeoutValue, @@ -2644,7 +3554,7 @@ typedef enum _WATCHDOG_HANDLER_ACTION typedef NTSTATUS (*PSYSTEM_WATCHDOG_HANDLER)(_In_ WATCHDOG_HANDLER_ACTION Action, _In_ PVOID Context, _Inout_ PULONG DataValue, _In_ BOOLEAN NoLocks); // private -typedef struct _SYSTEM_WATCHDOG_HANDLER_INFORMATION +typedef struct _SYSTEM_WATCHDOG_HANDLER_INFORMATION { PSYSTEM_WATCHDOG_HANDLER WdHandler; PVOID Context; @@ -4517,7 +5427,7 @@ typedef struct _SYSTEM_SHADOW_STACK_INFORMATION ULONG ReservedForUserCet : 6; ULONG KernelCetEnabled : 1; ULONG KernelCetAuditModeEnabled : 1; - ULONG ReservedForKernelCet : 6; // since Windows 10 build 21387 + ULONG ReservedForKernelCet : 6; // since Windows 10 build 21387 ULONG Reserved : 16; }; }; @@ -4611,7 +5521,7 @@ typedef struct _SYSTEM_HYPERVISOR_MINROOT_INFORMATION USHORT RootProcNumaNodes[64]; ULONG RootProcPerCore; ULONG RootProcPerNode; - ULONG RootProcNumaNodesLpsSpecified; + ULONG RootProcNumaNodesLpsSpecified; HV_MINROOT_NUMA_LPS RootProcNumaNodeLps[64]; } SYSTEM_HYPERVISOR_MINROOT_INFORMATION, *PSYSTEM_HYPERVISOR_MINROOT_INFORMATION; 
@@ -4820,12 +5730,14 @@ typedef union _SYSDBG_LIVEDUMP_CONTROL_ADDPAGES struct { ULONG HypervisorPages : 1; - ULONG NonEssentialHypervisorPages : 1; // WIN11 + ULONG NonEssentialHypervisorPages : 1; // since WIN11 ULONG Reserved : 30; }; ULONG AsUlong; } SYSDBG_LIVEDUMP_CONTROL_ADDPAGES, *PSYSDBG_LIVEDUMP_CONTROL_ADDPAGES; +#define SYSDBG_LIVEDUMP_SELECTIVE_CONTROL_VERSION 1 + // rev typedef struct _SYSDBG_LIVEDUMP_SELECTIVE_CONTROL { @@ -4859,9 +5771,12 @@ typedef struct _SYSDBG_LIVEDUMP_CONTROL HANDLE CancelEventHandle; SYSDBG_LIVEDUMP_CONTROL_FLAGS Flags; SYSDBG_LIVEDUMP_CONTROL_ADDPAGES AddPagesControl; - PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL SelectiveControl; // WIN11 + PSYSDBG_LIVEDUMP_SELECTIVE_CONTROL SelectiveControl; // since WIN11 } SYSDBG_LIVEDUMP_CONTROL, *PSYSDBG_LIVEDUMP_CONTROL; +#define SYSDBG_LIVEDUMP_CONTROL_SIZE RTL_SIZEOF_THROUGH_FIELD(SYSDBG_LIVEDUMP_CONTROL, AddPagesControl) +#define SYSDBG_LIVEDUMP_CONTROL_SIZE_WIN11 sizeof(SYSDBG_LIVEDUMP_CONTROL) + // private typedef struct _SYSDBG_KD_PULL_REMOTE_FILE { @@ -5018,7 +5933,20 @@ typedef struct _KUSER_SHARED_DATA ULONG NumberOfPhysicalPages; BOOLEAN SafeBootMode; - UCHAR VirtualizationFlags; + + union + { + UCHAR VirtualizationFlags; +#if defined(_ARM64_) + struct + { + UCHAR ArchStartedInEl2 : 1; + UCHAR QcSlIsSupported : 1; + UCHAR : 6; + }; +#endif + }; + UCHAR Reserved12[2]; union 
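Review bot: The two size macros added after SYSDBG_LIVEDUMP_CONTROL carry no comment saying when each one applies, although their names and definitions suggest they are the input lengths for the layout that ends at AddPagesControl and for the layout that includes the trailing `SelectiveControl` pointer marked `// since WIN11`. A one-line comment on each would make that explicit, e.g. `#define SYSDBG_LIVEDUMP_CONTROL_SIZE RTL_SIZEOF_THROUGH_FIELD(SYSDBG_LIVEDUMP_CONTROL, AddPagesControl) // input length for builds before WIN11`. The same applies to `SYSDBG_LIVEDUMP_SELECTIVE_CONTROL_VERSION 1` in the preceding hunk, which does not say which structure member is expected to carry the value or where the constant was observed.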
@@ -5115,34 +6043,31 @@ typedef struct _KUSER_SHARED_DATA XSTATE_CONFIGURATION XState; KSYSTEM_TIME FeatureConfigurationChangeStamp; ULONG Spare; + ULONG64 UserPointerAuthMask; } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA; #include C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountMultiplier) == 0x4); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, InterruptTime) == 0x8); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SystemTime) == 0x14); +C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TimeZoneBias) == 0x20); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtSystemRoot) == 0x30); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, LargePageMinimum) == 0x244); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtProductType) == 0x264); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMajorVersion) == 0x26c); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NtMinorVersion) == 0x270); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ProcessorFeatures) == 0x274); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, KdDebuggerEnabled) == 0x2d4); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveConsoleId) == 0x2d8); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, NumberOfPhysicalPages) == 0x2e8); -C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, SafeBootMode) == 0x2ec); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCount) == 0x320); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, TickCountQuad) == 0x320); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveProcessorCount) == 0x3c0); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, ActiveGroupCount) == 0x3c4); C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, XState) == 0x3d8); -//C_ASSERT(sizeof(KUSER_SHARED_DATA) == 0x70C); // VS2019 has some weird issue with this. #define USER_SHARED_DATA ((KUSER_SHARED_DATA * const)0x7ffe0000) #if (PHNT_VERSION >= PHNT_WS03) -FORCEINLINE ULONGLONG NtGetTickCount64() +FORCEINLINE +ULONGLONG +NtGetTickCount64( + VOID + ) { ULARGE_INTEGER tickCount; 
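Review bot: This hunk deletes the offset C_ASSERTs for NumberOfPhysicalPages (0x2e8) and SafeBootMode (0x2ec), the two checks that bracket the VirtualizationFlags member reworked into a union in the previous hunk, together with those for LargePageMinimum, NtProductType, NtMajorVersion, NtMinorVersion, KdDebuggerEnabled and ActiveConsoleId. Nothing on the new side replaces them, and with the `sizeof(KUSER_SHARED_DATA)` check still commented out the new trailing `ULONG64 UserPointerAuthMask` is not pinned either. Unless these assertions were actually failing, keep them and add one for the new member, e.g. `C_ASSERT(FIELD_OFFSET(KUSER_SHARED_DATA, UserPointerAuthMask) == <expected offset>);` with the placeholder filled from the reference layout.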
@@ -5169,7 +6094,11 @@ FORCEINLINE ULONGLONG NtGetTickCount64() (UInt32x32To64(tickCount.HighPart, USER_SHARED_DATA->TickCountMultiplier) << 8); } -FORCEINLINE ULONG NtGetTickCount() +FORCEINLINE +ULONG +NtGetTickCount( + VOID + ) { #ifdef _WIN64 @@ -5198,12 +6127,20 @@ FORCEINLINE ULONG NtGetTickCount() #else -FORCEINLINE ULONGLONG NtGetTickCount64() +FORCEINLINE +ULONGLONG +NtGetTickCount64( + VOID + ) { - return GetTickCount(); // pre PHNT_WS03 (dmex) + return GetTickCount(); // pre PHNT_WS03 support (dmex) } -FORCEINLINE ULONG NtGetTickCount() +FORCEINLINE +ULONG +NtGetTickCount( + VOID + ) { return GetTickCount(); } diff --git a/ntioapi.h b/ntioapi.h index e127597..23c70f9 100644 --- a/ntioapi.h +++ b/ntioapi.h @@ -158,7 +158,7 @@ #define FILE_PIPE_SERVER_END 0x00000001 // Win32 pipe instance limit (0xff) -#define FILE_PIPE_UNLIMITED_INSTANCES 0xffffffff +#define FILE_PIPE_UNLIMITED_INSTANCES 0xffffffff // Mailslot values @@ -398,7 +398,7 @@ typedef struct _FILE_END_OF_FILE_INFORMATION #define FLAGS_DELAY_REASONS_LOG_FILE_FULL 0x00000001 #define FLAGS_DELAY_REASONS_BITMAP_SCANNED 0x00000002 -typedef struct _FILE_END_OF_FILE_INFORMATION_EX +typedef struct _FILE_END_OF_FILE_INFORMATION_EX { LARGE_INTEGER EndOfFile; LARGE_INTEGER PagingFileSizeInMM; @@ -412,8 +412,7 @@ typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION LARGE_INTEGER ValidDataLength; } FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION; -#if (PHNT_VERSION >= PHNT_REDSTONE5) -#define FILE_LINK_REPLACE_IF_EXISTS 0x00000001 +#define FILE_LINK_REPLACE_IF_EXISTS 0x00000001 // since RS5 #define FILE_LINK_POSIX_SEMANTICS 0x00000002 #define FILE_LINK_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 
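Review bot: In the `#else` branch NtGetTickCount64 returns `GetTickCount()`, a 32-bit value that wraps roughly every 49.7 days, so on pre-PHNT_WS03 builds the 64-bit function does not behave like the primary path that combines TickCountQuad with the multiplier, and the comment touched here (`// pre PHNT_WS03 support (dmex)`) does not warn about that. Say so on the line so callers do not rely on the value being monotonic, e.g. `return GetTickCount(); // pre PHNT_WS03 support (dmex): 32-bit, wraps every ~49.7 days`.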
@@ -421,25 +420,13 @@ typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION #define FILE_LINK_NO_DECREASE_AVAILABLE_SPACE 0x00000020 #define FILE_LINK_PRESERVE_AVAILABLE_SPACE 0x00000030 #define FILE_LINK_IGNORE_READONLY_ATTRIBUTE 0x00000040 -#endif - -#if (PHNT_VERSION >= PHNT_19H1) -#define FILE_LINK_FORCE_RESIZE_TARGET_SR 0x00000080 +#define FILE_LINK_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 #define FILE_LINK_FORCE_RESIZE_SOURCE_SR 0x00000100 #define FILE_LINK_FORCE_RESIZE_SR 0x00000180 -#endif typedef struct _FILE_LINK_INFORMATION { -#if (PHNT_VERSION >= PHNT_REDSTONE5) - union - { - BOOLEAN ReplaceIfExists; // FileLinkInformation - ULONG Flags; // FileLinkInformationEx - }; -#else BOOLEAN ReplaceIfExists; -#endif HANDLE RootDirectory; ULONG FileNameLength; WCHAR FileName[1]; 
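Review bot: Removing the union leaves FILE_LINK_INFORMATION with only `BOOLEAN ReplaceIfExists;`, so any consumer built with PHNT_VERSION >= PHNT_REDSTONE5 that set `.Flags` for FileLinkInformationEx no longer compiles, and the FILE_LINK_* constants kept just above (FILE_LINK_POSIX_SEMANTICS, the FORCE_RESIZE_* values) have no ULONG field in this struct to be written into. If a separate FILE_LINK_INFORMATION_EX now carries the `Flags` member, as FILE_RENAME_INFORMATION_EX does for rename in the next hunk, a pointer to it on the remaining line would avoid the confusion: `BOOLEAN ReplaceIfExists; // FileLinkInformation; FileLinkInformationEx uses FILE_LINK_INFORMATION_EX`. If no such struct exists, the union should stay.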
@@ -469,28 +456,17 @@ typedef struct _FILE_RENAME_INFORMATION WCHAR FileName[1]; } FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION; -#if (PHNT_VERSION >= PHNT_REDSTONE) -#define FILE_RENAME_REPLACE_IF_EXISTS 0x00000001 +#define FILE_RENAME_REPLACE_IF_EXISTS 0x00000001 // since REDSTONE #define FILE_RENAME_POSIX_SEMANTICS 0x00000002 -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE3) -#define FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE 0x00000004 -#endif - -#if (PHNT_VERSION >= PHNT_REDSTONE5) -#define FILE_RENAME_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 +#define FILE_RENAME_SUPPRESS_PIN_STATE_INHERITANCE 0x00000004 // since REDSTONE3 +#define FILE_RENAME_SUPPRESS_STORAGE_RESERVE_INHERITANCE 0x00000008 // since REDSTONE5 #define FILE_RENAME_NO_INCREASE_AVAILABLE_SPACE 0x00000010 #define FILE_RENAME_NO_DECREASE_AVAILABLE_SPACE 0x00000020 #define FILE_RENAME_PRESERVE_AVAILABLE_SPACE 0x00000030 #define FILE_RENAME_IGNORE_READONLY_ATTRIBUTE 0x00000040 -#endif - -#if (PHNT_VERSION >= PHNT_19H1) -#define FILE_RENAME_FORCE_RESIZE_TARGET_SR 0x00000080 +#define FILE_RENAME_FORCE_RESIZE_TARGET_SR 0x00000080 // since 19H1 #define FILE_RENAME_FORCE_RESIZE_SOURCE_SR 0x00000100 #define FILE_RENAME_FORCE_RESIZE_SR 0x00000180 -#endif typedef struct _FILE_RENAME_INFORMATION_EX { @@ -776,7 +752,7 @@ typedef struct _FILE_LINK_ENTRY_FULL_ID_INFORMATION WCHAR FileName[1]; } FILE_LINK_ENTRY_FULL_ID_INFORMATION, *PFILE_LINK_ENTRY_FULL_ID_INFORMATION; -typedef struct _FILE_LINKS_FULL_ID_INFORMATION +typedef struct _FILE_LINKS_FULL_ID_INFORMATION { ULONG BytesNeeded; ULONG EntriesReturned; @@ -1710,7 +1686,7 @@ NtUnloadDriver( #endif #ifndef IO_COMPLETION_ALL_ACCESS -#define IO_COMPLETION_ALL_ACCESS (IO_COMPLETION_QUERY_STATE|IO_COMPLETION_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) +#define IO_COMPLETION_ALL_ACCESS (IO_COMPLETION_QUERY_STATE|IO_COMPLETION_MODIFY_STATE|STANDARD_RIGHTS_REQUIRED|SYNCHRONIZE) #endif typedef enum _IO_COMPLETION_INFORMATION_CLASS 
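Review bot: The version annotations added here are spelled `// since REDSTONE`, `// since REDSTONE3` and `// since REDSTONE5`, while the FILE_LINK_* hunk earlier in this file writes `// since RS5`, and the guards they replace used the PHNT_REDSTONE* names. Pick one spelling for both groups, e.g. `#define FILE_LINK_REPLACE_IF_EXISTS 0x00000001 // since REDSTONE5`. Now that the `#if (PHNT_VERSION >= ...)` guards are gone these comments are the only record of the minimum OS for each flag, so they should at least be consistent.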
@@ -2097,7 +2073,7 @@ typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER // Control structure for FSCTL_PIPE_QUERY_CLIENT_PROCESS_V2 -typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_V2 +typedef struct _FILE_PIPE_CLIENT_PROCESS_BUFFER_V2 { ULONGLONG ClientSession; #if !defined(BUILD_WOW6432) @@ -2231,7 +2207,7 @@ typedef struct _MOUNTMGR_MOUNT_POINT ULONG DeviceNameOffset; USHORT DeviceNameLength; USHORT Reserved3; -} MOUNTMGR_MOUNT_POINT, * PMOUNTMGR_MOUNT_POINT; +} MOUNTMGR_MOUNT_POINT, *PMOUNTMGR_MOUNT_POINT; // Output structure for IOCTL_MOUNTMGR_DELETE_POINTS, IOCTL_MOUNTMGR_QUERY_POINTS, and IOCTL_MOUNTMGR_DELETE_POINTS_DBONLY. typedef struct _MOUNTMGR_MOUNT_POINTS diff --git a/ntldr.h b/ntldr.h index afb3612..6892883 100644 --- a/ntldr.h +++ b/ntldr.h @@ -12,8 +12,6 @@ #ifndef _NTLDR_H #define _NTLDR_H -#if (PHNT_MODE != PHNT_MODE_KERNEL) - // DLLs typedef BOOLEAN (NTAPI *PLDR_INIT_ROUTINE)( @@ -228,6 +226,8 @@ typedef struct _LDR_DATA_TABLE_ENTRY #define LDR_IMAGEMAPPING_TO_MAPPEDVIEW(DllHandle) ((PVOID)(((ULONG_PTR)(DllHandle)) & ~(ULONG_PTR)2)) #define LDR_IS_RESOURCE(DllHandle) (LDR_IS_IMAGEMAPPING(DllHandle) || LDR_IS_DATAFILE(DllHandle)) +#if (PHNT_MODE != PHNT_MODE_KERNEL) + NTSYSAPI NTSTATUS NTAPI @@ -676,12 +676,12 @@ LdrGetFileNameFromLoadAsDataTable( #endif NTSYSAPI -NTSTATUS -NTAPI +NTSTATUS +NTAPI LdrDisableThreadCalloutsForDll( _In_ PVOID DllImageBase ); - + // Resources NTSYSAPI @@ -737,7 +737,7 @@ LdrFindResourceDirectory_U( _Out_ PIMAGE_RESOURCE_DIRECTORY *ResourceDirectory ); -// private +// private typedef struct _LDR_ENUM_RESOURCE_ENTRY { union @@ -846,8 +846,8 @@ LdrQueryProcessModuleInformation( ); typedef VOID (NTAPI *PLDR_ENUM_CALLBACK)( - _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, - _In_ PVOID Parameter, + _In_ PLDR_DATA_TABLE_ENTRY ModuleInformation, + _In_ PVOID Parameter, _Out_ BOOLEAN *Stop ); diff --git a/ntmisc.h b/ntmisc.h index 568298c..b321b1f 100644 --- a/ntmisc.h +++ b/ntmisc.h 
@@ -61,29 +61,30 @@ NtTraceEvent( typedef enum _TRACE_CONTROL_INFORMATION_CLASS { - TraceControlStartLogger = 1, - TraceControlStopLogger = 2, - TraceControlQueryLogger = 3, - TraceControlUpdateLogger = 4, - TraceControlFlushLogger = 5, - TraceControlIncrementLoggerFile = 6, - + TraceControlStartLogger = 1, // inout WMI_LOGGER_INFORMATION + TraceControlStopLogger = 2, // inout WMI_LOGGER_INFORMATION + TraceControlQueryLogger = 3, // inout WMI_LOGGER_INFORMATION + TraceControlUpdateLogger = 4, // inout WMI_LOGGER_INFORMATION + TraceControlFlushLogger = 5, // inout WMI_LOGGER_INFORMATION + TraceControlIncrementLoggerFile = 6, // inout WMI_LOGGER_INFORMATION + TraceControlUnknown = 7, + // unused TraceControlRealtimeConnect = 11, TraceControlActivityIdCreate = 12, TraceControlWdiDispatchControl = 13, - TraceControlRealtimeDisconnectConsumerByHandle = 14, + TraceControlRealtimeDisconnectConsumerByHandle = 14, // in HANDLE TraceControlRegisterGuidsCode = 15, TraceControlReceiveNotification = 16, - TraceControlSendDataBlock = 17, // EnableGuid + TraceControlSendDataBlock = 17, // ETW_ENABLE_NOTIFICATION_PACKET TraceControlSendReplyDataBlock = 18, TraceControlReceiveReplyDataBlock = 19, TraceControlWdiUpdateSem = 20, - TraceControlEnumTraceGuidList = 21, - TraceControlGetTraceGuidInfo = 22, + TraceControlEnumTraceGuidList = 21, // out GUID[] + TraceControlGetTraceGuidInfo = 22, // in GUID, out TRACE_GUID_INFO TraceControlEnumerateTraceGuids = 23, TraceControlRegisterSecurityProv = 24, TraceControlQueryReferenceTime = 25, - TraceControlTrackProviderBinary = 26, + TraceControlTrackProviderBinary = 26, // in HANDLE TraceControlAddNotificationEvent = 27, TraceControlUpdateDisallowList = 28, TraceControlSetEnableAllKeywordsCode = 29, 
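Review bot: `TraceControlUnknown = 7,` adds a named enumerator whose purpose is not documented, which differs from how this enum marks gaps (the `// unused` comment before TraceControlRealtimeConnect) and turns a placeholder into a public name. Either record what is known about it, e.g. `TraceControlUnknown = 7, // rev; purpose not identified`, or leave the value unnamed like the other gaps.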
@@ -91,16 +92,18 @@ typedef enum _TRACE_CONTROL_INFORMATION_CLASS TraceControlUseDescriptorTypeCode = 31, TraceControlEnumTraceGroupList = 32, TraceControlGetTraceGroupInfo = 33, - TraceControlTraceSetDisallowList= 34, + TraceControlTraceSetDisallowList = 34, TraceControlSetCompressionSettings = 35, - TraceControlGetCompressionSettings= 36, + TraceControlGetCompressionSettings = 36, TraceControlUpdatePeriodicCaptureState = 37, TraceControlGetPrivateSessionTraceHandle = 38, TraceControlRegisterPrivateSession = 39, TraceControlQuerySessionDemuxObject = 40, TraceControlSetProviderBinaryTracking = 41, - TraceControlMaxLoggers = 42, - TraceControlMaxPmcCounter = 43 + TraceControlMaxLoggers = 42, // out ULONG + TraceControlMaxPmcCounter = 43, // out ULONG + TraceControlQueryUsedProcessorCount = 44, // ULONG // since WIN11 + TraceControlGetPmcOwnership = 45, } TRACE_CONTROL_INFORMATION_CLASS; #if (PHNT_VERSION >= PHNT_VISTA) diff --git a/ntmmapi.h b/ntmmapi.h index 7388484..6823e4b 100644 --- a/ntmmapi.h +++ b/ntmmapi.h @@ -30,11 +30,11 @@ #define PAGE_ENCLAVE_THREAD_CONTROL 0x80000000 #define PAGE_TARGETS_NO_UPDATE 0x40000000 #define PAGE_TARGETS_INVALID 0x40000000 -#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 +#define PAGE_ENCLAVE_UNVALIDATED 0x20000000 #define PAGE_ENCLAVE_NO_CHANGE 0x20000000 -#define PAGE_ENCLAVE_MASK 0x10000000 -#define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) -#define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) +#define PAGE_ENCLAVE_MASK 0x10000000 +#define PAGE_ENCLAVE_DECOMMIT (PAGE_ENCLAVE_MASK | 0) +#define PAGE_ENCLAVE_SS_FIRST (PAGE_ENCLAVE_MASK | 1) #define PAGE_ENCLAVE_SS_REST (PAGE_ENCLAVE_MASK | 2) // Region and section constants 
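Review bot: `TraceControlGetPmcOwnership = 45,` ends the enum with a trailing comma and, unlike 42 and 43 beside it, has no in/out buffer annotation; the previous last member (`TraceControlMaxPmcCounter = 43`) had no trailing comma. Suggest `TraceControlGetPmcOwnership = 45 // since WIN11` with the buffer type filled in once known, and note that `= 44` says `// ULONG` without stating whether that is an input or an output.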
@@ -64,8 +64,8 @@ #define MEM_REPLACE_PLACEHOLDER 0x00004000 #define MEM_RESERVE_PLACEHOLDER 0x00040000 -#define SEC_HUGE_PAGES 0x00020000 -#define SEC_PARTITION_OWNER_HANDLE 0x00040000 +#define SEC_HUGE_PAGES 0x00020000 +#define SEC_PARTITION_OWNER_HANDLE 0x00040000 #define SEC_64K_PAGES 0x00080000 #define SEC_BASED 0x00200000 #define SEC_NO_CHANGE 0x00400000 @@ -171,7 +171,7 @@ typedef struct _MEMORY_REGION_INFORMATION ULONG_PTR NodePreference; // 20H1 } MEMORY_REGION_INFORMATION, *PMEMORY_REGION_INFORMATION; -// private +// private typedef enum _MEMORY_WORKING_SET_EX_LOCATION { MemoryLocationInvalid, @@ -955,7 +955,7 @@ typedef struct _MEMORY_PARTITION_INITIAL_ADD_INFORMATION typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION { union - { + { struct { ULONG CommitEvents : 1; @@ -963,7 +963,7 @@ typedef struct _MEMORY_PARTITION_MEMORY_EVENTS_INFORMATION }; ULONG AllFlags; } Flags; - + ULONG HandleAttributes; ULONG DesiredAccess; HANDLE LowCommitCondition; // \KernelObjects\LowCommitCondition diff --git a/ntobapi.h b/ntobapi.h index 76143f8..f4c8cd7 100644 --- a/ntobapi.h +++ b/ntobapi.h @@ -57,6 +57,7 @@ typedef enum _OBJECT_INFORMATION_CLASS #else #define ObjectBasicInformation 0 #define ObjectNameInformation 1 +#define ObjectTypeInformation 2 #define ObjectTypesInformation 3 #define ObjectHandleFlagInformation 4 #define ObjectSessionInformation 5 diff --git a/ntpebteb.h b/ntpebteb.h index 188037f..44ff6fe 100644 --- a/ntpebteb.h +++ b/ntpebteb.h @@ -56,7 +56,7 @@ typedef struct _API_SET_NAMESPACE_ENTRY } API_SET_NAMESPACE_ENTRY, *PAPI_SET_NAMESPACE_ENTRY; // private -typedef struct _API_SET_VALUE_ENTRY +typedef struct _API_SET_VALUE_ENTRY { ULONG Flags; ULONG NameOffset; 
@@ -125,11 +125,11 @@ typedef struct _PEB ULONG TlsExpansionCounter; PVOID TlsBitmap; ULONG TlsBitmapBits[2]; - - PVOID ReadOnlySharedMemoryBase; + + PVOID ReadOnlySharedMemoryBase; PVOID SharedData; // HotpatchInformation PVOID *ReadOnlyStaticServerData; - + PVOID AnsiCodePageData; // PCPTABLEINFO PVOID OemCodePageData; // PCPTABLEINFO PVOID UnicodeCaseTableData; // PNLSTABLEINFO @@ -184,13 +184,17 @@ typedef struct _PEB SIZE_T MinimumStackCommit; - PVOID SparePointers[4]; // 19H1 (previously FlsCallback to FlsHighIndex) - ULONG SpareUlongs[5]; // 19H1 - //PVOID* FlsCallback; - //LIST_ENTRY FlsListHead; - //PVOID FlsBitmap; - //ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)]; - //ULONG FlsHighIndex; + PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex) + PVOID PatchLoaderData; + PVOID ChpeV2ProcessInfo; // _CHPEV2_PROCESS_INFO + + ULONG AppModelFeatureState; + ULONG SpareUlongs[2]; + + USHORT ActiveCodePage; + USHORT OemCodePage; + USHORT UseCaseMapping; + USHORT UnusedNlsField; PVOID WerRegistrationData; PVOID WerShipAssertPtr; @@ -234,18 +238,21 @@ typedef struct _PEB }; }; ULONG NtGlobalFlag2; + ULONGLONG ExtendedFeatureDisableMask; // since WIN11 } PEB, *PPEB; #ifdef _WIN64 C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x2C0); //C_ASSERT(sizeof(PEB) == 0x7B0); // REDSTONE3 //C_ASSERT(sizeof(PEB) == 0x7B8); // REDSTONE4 -C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 +//C_ASSERT(sizeof(PEB) == 0x7C8); // REDSTONE5 // 19H1 +C_ASSERT(sizeof(PEB) == 0x7d0); // WIN11 #else C_ASSERT(FIELD_OFFSET(PEB, SessionId) == 0x1D4); //C_ASSERT(sizeof(PEB) == 0x468); // REDSTONE3 //C_ASSERT(sizeof(PEB) == 0x470); // REDSTONE4 -C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 +//C_ASSERT(sizeof(PEB) == 0x480); // REDSTONE5 // 19H1 +C_ASSERT(sizeof(PEB) == 0x488); // WIN11 #endif #define GDI_BATCH_BUFFER_SIZE 310 
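Review bot: The members that replace `SparePointers[4]` and `SpareUlongs[5]` carry no version annotations, although the surrounding PEB fields do (`// 19H1`, and `// since WIN11` on the new ExtendedFeatureDisableMask), so a reader cannot tell from this hunk which release introduced PatchLoaderData, ChpeV2ProcessInfo, AppModelFeatureState and the four USHORT code-page fields. The replacement does keep the size, two pointers plus two pointers, and 4 + 8 + 8 bytes in place of five ULONGs, so WerRegistrationData and later offsets are unchanged; that is worth stating, since the updated `C_ASSERT(sizeof(PEB))` values in the following hunk are the only checks. E.g. `PVOID SparePointers[2]; // 19H1 (previously FlsCallback to FlsHighIndex); fields through UnusedNlsField replace SparePointers[4]/SpareUlongs[5] at the same size // since <release>`.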
@@ -295,14 +302,14 @@ typedef struct _TEB #else PVOID SystemReserved1[26]; #endif - + CHAR PlaceholderCompatibilityMode; BOOLEAN PlaceholderHydrationAlwaysExplicit; CHAR PlaceholderReserved[10]; ULONG ProxiedProcessId; ACTIVATION_CONTEXT_STACK ActivationStack; - + UCHAR WorkingOnBehalfTicket[8]; NTSTATUS ExceptionCode; diff --git a/ntpoapi.h b/ntpoapi.h index abce30a..3e04b6e 100644 --- a/ntpoapi.h +++ b/ntpoapi.h @@ -63,14 +63,14 @@ #define GetPowerRequestList 45 // out: POWER_REQUEST_LIST #define ProcessorInformationEx 46 // in: USHORT ProcessorGroup, out: PROCESSOR_POWER_INFORMATION #define NotifyUserModeLegacyPowerEvent 47 // (kernel-mode only) -#define GroupPark 48 // (debug-mode boot only) +#define GroupPark 48 // (debug-mode boot only) #define ProcessorIdleDomains 49 // (kernel-mode only) #define WakeTimerList 50 // powercfg.exe /waketimers #define SystemHiberFileSize 51 // ULONG #define ProcessorIdleStatesHv 52 // (kernel-mode only) #define ProcessorPerfStatesHv 53 // (kernel-mode only) #define ProcessorPerfCapHv 54 // (kernel-mode only) -#define ProcessorSetIdle 55 // (debug-mode boot only) +#define ProcessorSetIdle 55 // (debug-mode boot only) #define LogicalProcessorIdling 56 // (kernel-mode only) #define UserPresence 57 // POWER_USER_PRESENCE // not implemented #define PowerSettingNotificationName 58 @@ -104,7 +104,7 @@ #define BatteryDeviceState 86 #define PowerInformationInternal 87 // POWER_INFORMATION_LEVEL_INTERNAL // PopPowerInformationInternal #define ThermalStandby 88 // NULL // shutdown with thermal standby as reason. -#define SystemHiberFileType 89 // ULONG // zero ? reduced : full // powercfg.exe /h /type +#define SystemHiberFileType 89 // ULONG // zero ? reduced : full // powercfg.exe /h /type #define PhysicalPowerButtonPress 90 // BOOLEAN #define QueryPotentialDripsConstraint 91 // (kernel-mode only) #define EnergyTrackerCreate 92 
@@ -252,7 +252,7 @@ typedef struct _DIAGNOSTIC_BUFFER ULONG_PTR DeviceDescriptionOffset; // PWSTR ULONG_PTR DevicePathOffset; // PWSTR }; - }; + }; ULONG_PTR ReasonOffset; // PCOUNTED_REASON_CONTEXT_RELATIVE } DIAGNOSTIC_BUFFER, *PDIAGNOSTIC_BUFFER; diff --git a/ntpsapi.h b/ntpsapi.h index 3d84e59..3ee9162 100644 --- a/ntpsapi.h +++ b/ntpsapi.h @@ -19,6 +19,7 @@ #define PROCESS_VM_OPERATION 0x0008 #define PROCESS_VM_READ 0x0010 #define PROCESS_VM_WRITE 0x0020 +//#define PROCESS_DUP_HANDLE 0x0040 #define PROCESS_CREATE_PROCESS 0x0080 #define PROCESS_SET_QUOTA 0x0100 #define PROCESS_SET_INFORMATION 0x0200 @@ -121,7 +122,7 @@ typedef enum _PROCESSINFOCLASS ProcessBasePriority, // s: KPRIORITY ProcessRaisePriority, // s: ULONG ProcessDebugPort, // q: HANDLE - ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT + ProcessExceptionPort, // s: PROCESS_EXCEPTION_PORT (requires SeTcbPrivilege) ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN ProcessLdtInformation, // qs: PROCESS_LDT_INFORMATION // 10 ProcessLdtSize, // s: PROCESS_LDT_SIZE @@ -134,7 +135,7 @@ typedef enum _PROCESSINFOCLASS ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS ProcessWx86Information, // qs: ULONG (requires SeTcbPrivilege) (VdmAllowed) ProcessHandleCount, // q: ULONG, PROCESS_HANDLE_INFORMATION // 20 - ProcessAffinityMask, // qs: KAFFINITY, qs: GROUP_AFFINITY + ProcessAffinityMask, // (q >WIN7)s: KAFFINITY, qs: GROUP_AFFINITY ProcessPriorityBoost, // qs: ULONG ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION 
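Review bot: `//#define PROCESS_DUP_HANDLE 0x0040` adds a commented-out definition with no explanation, which reads as dead code in a list where every other access right is live. If the line is there to document the 0x0040 slot because the SDK's winnt.h already defines PROCESS_DUP_HANDLE, say so: `//#define PROCESS_DUP_HANDLE 0x0040 // defined in winnt.h`; otherwise define it under an `#ifndef PROCESS_DUP_HANDLE` guard like a real definition.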
@@ -148,11 +149,11 @@ typedef enum _PROCESSINFOCLASS ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables ProcessIoPriority, // qs: IO_PRIORITY_HINT ProcessExecuteFlags, // qs: ULONG - ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement + ProcessTlsInformation, // PROCESS_TLS_INFORMATION // ProcessResourceManagement ProcessCookie, // q: ULONG ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION // since VISTA - ProcessPagePriority, // q: PAGE_PRIORITY_INFORMATION + ProcessPagePriority, // qs: PAGE_PRIORITY_INFORMATION ProcessInstrumentationCallback, // s: PVOID or PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION // 40 ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[] @@ -221,10 +222,10 @@ typedef enum _PROCESSINFOCLASS ProcessEnableOptionalXStateFeatures, ProcessAltPrefetchParam, // since 22H1 ProcessAssignCpuPartitions, - ProcessPriorityClassEx, + ProcessPriorityClassEx, // s: PROCESS_PRIORITY_CLASS_EX ProcessMembershipInformation, - ProcessEffectiveIoPriority, - ProcessEffectivePagePriority, + ProcessEffectiveIoPriority, // q: IO_PRIORITY_HINT + ProcessEffectivePagePriority, // q: ULONG MaxProcessInfoClass } PROCESSINFOCLASS; #endif @@ -247,7 +248,7 @@ typedef enum _THREADINFOCLASS ThreadAmILastThread, // q: ULONG ThreadIdealProcessor, // s: ULONG ThreadPriorityBoost, // qs: ULONG - ThreadSetTlsArrayAddress, // s: ULONG_PTR + ThreadSetTlsArrayAddress, // s: ULONG_PTR ThreadIsIoPending, // q: ULONG ThreadHideFromDebugger, // q: BOOLEAN; s: void ThreadBreakOnTermination, // qs: ULONG 
@@ -256,7 +257,7 @@ typedef enum _THREADINFOCLASS
 ThreadLastSystemCall, // q: THREAD_LAST_SYSCALL_INFORMATION
 ThreadIoPriority, // qs: IO_PRIORITY_HINT (requires SeIncreaseBasePriorityPrivilege)
 ThreadCycleTime, // q: THREAD_CYCLE_TIME_INFORMATION
- ThreadPagePriority, // q: ULONG
+ ThreadPagePriority, // qs: PAGE_PRIORITY_INFORMATION
 ThreadActualBasePriority, // s: LONG (requires SeIncreaseBasePriorityPrivilege)
 ThreadTebInformation, // q: THREAD_TEB_INFORMATION (requires THREAD_GET_CONTEXT + THREAD_SET_CONTEXT)
 ThreadCSwitchMon,
@@ -286,8 +287,8 @@ typedef enum _THREADINFOCLASS
 ThreadCreateStateChange, // since WIN11
 ThreadApplyStateChange,
 ThreadStrongerBadHandleChecks, // since 22H1
- ThreadEffectiveIoPriority,
- ThreadEffectivePagePriority,
+ ThreadEffectiveIoPriority, // q: IO_PRIORITY_HINT
+ ThreadEffectivePagePriority, // q: ULONG
 MaxThreadInfoClass
 } THREADINFOCLASS;
 #endif
@@ -400,7 +401,7 @@ typedef struct _POOLED_USAGE_AND_LIMITS
 #define PROCESS_EXCEPTION_PORT_ALL_STATE_BITS 0x00000003
 #define PROCESS_EXCEPTION_PORT_ALL_STATE_FLAGS ((ULONG_PTR)((1UL << PROCESS_EXCEPTION_PORT_ALL_STATE_BITS) - 1))
-typedef struct _PROCESS_EXCEPTION_PORT
+typedef struct _PROCESS_EXCEPTION_PORT
 {
 _In_ HANDLE ExceptionPortHandle; // Handle to the exception port. No particular access required.
 _Inout_ ULONG StateFlags; // Miscellaneous state flags to be cached along with the exception port in the kernel.
@@ -454,6 +455,21 @@ typedef struct _PROCESS_PRIORITY_CLASS
 UCHAR PriorityClass;
 } PROCESS_PRIORITY_CLASS, *PPROCESS_PRIORITY_CLASS;
+typedef struct _PROCESS_PRIORITY_CLASS_EX
+{
+ union
+ {
+ struct
+ {
+ USHORT ForegroundValid : 1;
+ USHORT PriorityClassValid : 1;
+ };
+ USHORT AllFlags;
+ };
+ UCHAR PriorityClass;
+ BOOLEAN Foreground;
+} PROCESS_PRIORITY_CLASS_EX, *PPROCESS_PRIORITY_CLASS_EX;
+
 typedef struct _PROCESS_FOREGROUND_BACKGROUND
 {
 BOOLEAN Foreground;
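Review bot: PROCESS_PRIORITY_CLASS_EX has no `// private` or `// rev` marker and no version comment, while the ProcessPriorityClassEx class it backs sits under `// since 22H1` in the PROCESSINFOCLASS hunk and the neighbouring structs in this file carry such markers. Add one line above the typedef, e.g. `// private // since 22H1`, and a short note on the `ForegroundValid`/`PriorityClassValid` bits: if they select which of PriorityClass and Foreground a set operation applies, which the hunk does not show, that is the one thing a caller needs to know.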
@@ -663,7 +679,7 @@ typedef struct _PROCESS_HANDLE_SNAPSHOT_INFORMATION #if (PHNT_MODE != PHNT_MODE_KERNEL) -#if !defined(NTDDI_WIN10_CO) || (NTDDI_VERSION < NTDDI_WIN10_CO) +#if !defined(NTDDI_WIN10_FE) || (NTDDI_VERSION < NTDDI_WIN10_FE) typedef struct _PROCESS_MITIGATION_REDIRECTION_TRUST_POLICY { union { @@ -843,7 +859,8 @@ typedef struct _PROCESS_CHILD_PROCESS_INFORMATION #define POWER_THROTTLING_PROCESS_CURRENT_VERSION 1 #define POWER_THROTTLING_PROCESS_EXECUTION_SPEED 0x1 #define POWER_THROTTLING_PROCESS_DELAYTIMERS 0x2 -#define POWER_THROTTLING_PROCESS_VALID_FLAGS ((POWER_THROTTLING_PROCESS_EXECUTION_SPEED | POWER_THROTTLING_PROCESS_DELAYTIMERS)) +#define POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION 0x4 // since WIN11 +#define POWER_THROTTLING_PROCESS_VALID_FLAGS ((POWER_THROTTLING_PROCESS_EXECUTION_SPEED | POWER_THROTTLING_PROCESS_DELAYTIMERS | POWER_THROTTLING_PROCESS_IGNORE_TIMER_RESOLUTION)) typedef struct _POWER_THROTTLING_PROCESS_STATE { @@ -928,7 +945,7 @@ typedef struct _PROCESS_UPTIME_INFORMATION ULONG HangCount : 4; ULONG GhostCount : 4; ULONG Crashed : 1; - ULONG Terminated : 1; + ULONG Terminated : 1; }; } PROCESS_UPTIME_INFORMATION, *PPROCESS_UPTIME_INFORMATION; @@ -1177,7 +1194,7 @@ typedef struct _RTL_WORK_ON_BEHALF_TICKET_EX #if (PHNT_MODE != PHNT_MODE_KERNEL) // private -typedef enum _SUBSYSTEM_INFORMATION_TYPE +typedef enum _SUBSYSTEM_INFORMATION_TYPE { SubsystemInformationTypeWin32, SubsystemInformationTypeWSL, @@ -1576,7 +1593,7 @@ NtSetLdtEntries( _In_ ULONG Entry1Hi ); -typedef VOID (*PPS_APC_ROUTINE)( +typedef VOID (NTAPI* PPS_APC_ROUTINE)( _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 @@ -1632,7 +1649,7 @@ NTAPI NtQueueApcThreadEx2( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject - _In_ QUEUE_USER_APC_FLAGS ApcFlags, + _In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, 
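Review bot: `typedef VOID (NTAPI* PPS_APC_ROUTINE)(` puts the `*` against `NTAPI`, whereas the other callback typedefs touched by this commit write `(NTAPI *PNAME)` (PLDR_ENUM_CALLBACK in ntldr.h, PRTL_HEAP_COMMIT_ROUTINE in ntrtl.h). Use `typedef VOID (NTAPI *PPS_APC_ROUTINE)(` for consistency. The `_In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS` change in the NtQueueApcThreadEx2 hunk gives up the enum's type checking for a plain ULONG; the ABI is the same, but a word on why the enum was dropped would help the next reader.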
@@ -1698,6 +1715,7 @@ NtWaitForAlertByThreadId(
 #define ProcThreadAttributeComponentFilter 26 // in ULONG
 #define ProcThreadAttributeEnableOptionalXStateFeatures 27 // in ULONG64 // since WIN11
 #define ProcThreadAttributeCreateStore 28 // ULONG // rev (diversenok)
+#define ProcThreadAttributeTrustedApp 29
 #ifndef PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS
 #define PROC_THREAD_ATTRIBUTE_EXTENDED_FLAGS \
@@ -1733,21 +1751,23 @@ NtWaitForAlertByThreadId(
 #endif
 // private
-typedef struct _PROC_THREAD_ATTRIBUTE {
+typedef struct _PROC_THREAD_ATTRIBUTE
+{
 ULONG_PTR Attribute;
 SIZE_T Size;
 ULONG_PTR Value;
 } PROC_THREAD_ATTRIBUTE, *PPROC_THREAD_ATTRIBUTE;
 // private
-typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
+typedef struct _PROC_THREAD_ATTRIBUTE_LIST
+{
 ULONG PresentFlags;
 ULONG AttributeCount;
 ULONG LastAttribute;
 ULONG SpareUlong0;
 PPROC_THREAD_ATTRIBUTE ExtendedFlagsAttribute;
 PROC_THREAD_ATTRIBUTE Attributes[1];
-} PROC_THREAD_ATTRIBUTE_LIST;
+} PROC_THREAD_ATTRIBUTE_LIST, *PPROC_THREAD_ATTRIBUTE_LIST;
 // private
 #define EXTENDED_PROCESS_CREATION_FLAG_ELEVATION_HANDLED 0x00000001
@@ -1765,7 +1785,8 @@ typedef struct _PROC_THREAD_ATTRIBUTE_LIST {
 #define PROTECTION_LEVEL_AUTHENTICODE 0x00000007
 // private
-typedef enum _SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS {
+typedef enum _SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS
+{
 SeSafeOpenExperienceNone = 0x00,
 SeSafeOpenExperienceCalled = 0x01,
 SeSafeOpenExperienceAppRepCalled = 0x02,
@@ -1778,7 +1799,8 @@ typedef enum _SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS {
 } SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS;
 // private
-typedef struct _SE_SAFE_OPEN_PROMPT_RESULTS {
+typedef struct _SE_SAFE_OPEN_PROMPT_RESULTS
+{
 SE_SAFE_OPEN_PROMPT_EXPERIENCE_RESULTS Results;
 WCHAR Path[MAX_PATH];
 } SE_SAFE_OPEN_PROMPT_RESULTS, *PSE_SAFE_OPEN_PROMPT_RESULTS;
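Review bot: `#define ProcThreadAttributeTrustedApp 29` has neither the value-type annotation nor the provenance that the neighbouring entries carry (`// in ULONG`, `// since WIN11`, `// rev (diversenok)`), so a caller cannot tell what to pass or on which release it is accepted. Record what is known, e.g. `#define ProcThreadAttributeTrustedApp 29 // rev // since <release>`, leaving the release as a placeholder until it is confirmed.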
@@ -1790,7 +1812,8 @@ typedef struct _PROC_THREAD_BNOISOLATION_ATTRIBUTE } PROC_THREAD_BNOISOLATION_ATTRIBUTE, *PPROC_THREAD_BNOISOLATION_ATTRIBUTE; // private -typedef struct _ISOLATION_MANIFEST_PROPERTIES { +typedef struct _ISOLATION_MANIFEST_PROPERTIES +{ UNICODE_STRING InstancePath; UNICODE_STRING FriendlyName; UNICODE_STRING Description; diff --git a/ntregapi.h b/ntregapi.h index cddea44..2a16fe2 100644 --- a/ntregapi.h +++ b/ntregapi.h @@ -524,7 +524,7 @@ NtLoadKeyEx( _Out_opt_ PHANDLE RootHandle, _Reserved_ PVOID Reserved // previously PIO_STATUS_BLOCK ); - + // rev by tyranid #if (PHNT_VERSION >= PHNT_20H1) NTSYSCALLAPI @@ -715,7 +715,7 @@ NTSTATUS NtCreateRegistryTransaction( _In_ ACCESS_MASK DesiredAccess, _In_opt_ POBJECT_ATTRIBUTES ObjAttributes, _Reserved_ ULONG CreateOptions - ); + ); #endif #if (PHNT_VERSION >= PHNT_REDSTONE) diff --git a/ntrtl.h b/ntrtl.h index 469b65d..c020f5c 100644 --- a/ntrtl.h +++ b/ntrtl.h @@ -1496,12 +1496,24 @@ RtlCreateUnicodeStringFromAsciiz( _In_ PCSTR SourceString ); +#ifdef PHNT_INLINE_FREE_UNICODE_STRING +FORCEINLINE +VOID +NTAPI +RtlFreeUnicodeString( + _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString + ) +{ + HeapFree(NtCurrentPeb()->ProcessHeap, 0, UnicodeString->Buffer); +} +#else NTSYSAPI VOID NTAPI RtlFreeUnicodeString( _Inout_ _At_(UnicodeString->Buffer, _Frees_ptr_opt_) PUNICODE_STRING UnicodeString ); +#endif #define RTL_DUPLICATE_UNICODE_STRING_NULL_TERMINATE (0x00000001) #define RTL_DUPLICATE_UNICODE_STRING_ALLOCATE_NULL_STRING (0x00000002) @@ -2849,6 +2861,8 @@ typedef struct _RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION CLIENT_ID ReflectionClientId; } RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION, *PRTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION; +typedef RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION PROCESS_REFLECTION_INFORMATION, *PPROCESS_REFLECTION_INFORMATION; + #if (PHNT_VERSION >= PHNT_WIN7) // rev NTSYSAPI 
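Review bot: The inline RtlFreeUnicodeString under PHNT_INLINE_FREE_UNICODE_STRING frees the buffer but leaves `UnicodeString->Buffer`, `Length` and `MaximumLength` untouched, so the descriptor keeps a dangling pointer and a second call on the same string double-frees; to my knowledge the ntdll export it stands in for resets the string after freeing, and callers written against that behaviour will see the difference only in the inline build. The `_Frees_ptr_opt_` annotation also admits a NULL Buffer, which the body passes straight to HeapFree; guarding it costs nothing and matches the contract the annotation states. Reset the descriptor after the free and skip the call for a NULL buffer, as below.
```c
{
    if (UnicodeString->Buffer)
    {
        HeapFree(NtCurrentPeb()->ProcessHeap, 0, UnicodeString->Buffer);
    }

    UnicodeString->Buffer = NULL;
    UnicodeString->Length = 0;
    UnicodeString->MaximumLength = 0;
}
```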
@@ -3002,13 +3016,13 @@ RtlFreeUserStack( // Extended thread context -typedef struct _CONTEXT_CHUNK +typedef struct _CONTEXT_CHUNK { LONG Offset; // Offset may be negative. ULONG Length; } CONTEXT_CHUNK, *PCONTEXT_CHUNK; -typedef struct _CONTEXT_EX +typedef struct _CONTEXT_EX { CONTEXT_CHUNK All; CONTEXT_CHUNK Legacy; @@ -3355,8 +3369,8 @@ NTSYSAPI NTSTATUS NTAPI RtlGuardCheckLongJumpTarget( - _In_ PVOID PcValue, - _In_ BOOL IsFastFail, + _In_ PVOID PcValue, + _In_ BOOL IsFastFail, _Out_ PBOOL IsLongJumpTarget ); @@ -3621,13 +3635,6 @@ RtlDetermineDosPathNameType_U( _In_ PCWSTR DosFileName ); -NTSYSAPI -RTL_PATH_TYPE -NTAPI -RtlDetermineDosPathNameType_Ustr( - _In_ PCUNICODE_STRING DosFileName - ); - NTSYSAPI ULONG NTAPI @@ -3635,13 +3642,6 @@ RtlIsDosDeviceName_U( _In_ PCWSTR DosFileName ); -NTSYSAPI -ULONG -NTAPI -RtlIsDosDeviceName_Ustr( - _In_ PUNICODE_STRING DosFileName - ); - NTSYSAPI ULONG NTAPI @@ -3923,6 +3923,18 @@ RtlReplaceSystemDirectoryInPath( ); #endif +#if (PHNT_VERSION >= PHNT_21H2) +// rev +NTSYSAPI +NTSTATUS +NTAPI +RtlWow64GetProcessMachines( + _In_ HANDLE ProcessHandle, + _Out_ PUSHORT ProcessMachine, + _Out_ PUSHORT NativeMachine + ); +#endif + #if (PHNT_VERSION >= PHNT_REDSTONE2) // private @@ -3999,7 +4011,8 @@ typedef struct _RTL_HEAP_TAG WCHAR TagName[24]; } RTL_HEAP_TAG, *PRTL_HEAP_TAG; -typedef struct _RTL_HEAP_INFORMATION +// Windows 7/8/10 +typedef struct _RTL_HEAP_INFORMATION_V1 { PVOID BaseAddress; ULONG Flags; 
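Review bot: Renaming RTL_HEAP_INFORMATION to RTL_HEAP_INFORMATION_V1 here (and RTL_PROCESS_HEAPS to RTL_PROCESS_HEAPS_V1 in the following hunk) drops the old names without a compatibility typedef, so every consumer that spells these types stops compiling, while the same commit does add an alias for RTLP_PROCESS_REFLECTION_REFLECTION_INFORMATION. Unless the break is intended, keep the old names as aliases of the pre-Windows 11 layout: `typedef RTL_HEAP_INFORMATION_V1 RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION;` and `typedef RTL_PROCESS_HEAPS_V1 RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS;`. The renamed struct's body continues past the end of this hunk.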
@@ -4014,17 +4027,41 @@ typedef struct _RTL_HEAP_INFORMATION ULONG Reserved[5]; PRTL_HEAP_TAG Tags; PRTL_HEAP_ENTRY Entries; - ULONG64 HeapTag; // Windows 11 > 22000 -} RTL_HEAP_INFORMATION, *PRTL_HEAP_INFORMATION; +} RTL_HEAP_INFORMATION_V1, *PRTL_HEAP_INFORMATION_V1; + +// Windows 11 > 22000 +typedef struct _RTL_HEAP_INFORMATION_V2 +{ + PVOID BaseAddress; + ULONG Flags; + USHORT EntryOverhead; + USHORT CreatorBackTraceIndex; + SIZE_T BytesAllocated; + SIZE_T BytesCommitted; + ULONG NumberOfTags; + ULONG NumberOfEntries; + ULONG NumberOfPseudoTags; + ULONG PseudoTagGranularity; + ULONG Reserved[5]; + PRTL_HEAP_TAG Tags; + PRTL_HEAP_ENTRY Entries; + ULONG64 HeapTag; +} RTL_HEAP_INFORMATION_V2, *PRTL_HEAP_INFORMATION_V2; #define RTL_HEAP_SIGNATURE 0xFFEEFFEEUL #define RTL_HEAP_SEGMENT_SIGNATURE 0xDDEEDDEEUL -typedef struct _RTL_PROCESS_HEAPS +typedef struct _RTL_PROCESS_HEAPS_V1 { ULONG NumberOfHeaps; - RTL_HEAP_INFORMATION Heaps[1]; -} RTL_PROCESS_HEAPS, *PRTL_PROCESS_HEAPS; + RTL_HEAP_INFORMATION_V1 Heaps[1]; +} RTL_PROCESS_HEAPS_V1, *PRTL_PROCESS_HEAPS_V1; + +typedef struct _RTL_PROCESS_HEAPS_V2 +{ + ULONG NumberOfHeaps; + RTL_HEAP_INFORMATION_V2 Heaps[1]; +} RTL_PROCESS_HEAPS_V2, *PRTL_PROCESS_HEAPS_V2; typedef NTSTATUS (NTAPI *PRTL_HEAP_COMMIT_ROUTINE)( _In_ PVOID Base, 
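Review bot: `// Windows 11 > 22000` above RTL_HEAP_INFORMATION_V2 does not say whether build 22000 itself already carries the trailing HeapTag field, and because RTL_PROCESS_HEAPS_V1/_V2 are walked through `Heaps[1]` by element stride, choosing the wrong variant on that one build misreads every entry after the first and, with V2 over a V1 buffer, reads past the end of the last one. Please state the exact boundary the layout was observed on, e.g. `// Windows 11 (build 22000 and later): adds HeapTag` if that is the case, so consumers can pair the choice with the matching PHNT_WIN11 constant. A C_ASSERT on the two structure sizes (ntwow64.h already uses C_ASSERT for this purpose) would additionally catch a later field change that silently alters the stride.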
@@ -4358,10 +4395,11 @@ RtlWalkHeap(
 #define HeapCompatibilityInformation 0x0 // q; s: ULONG
 #define HeapEnableTerminationOnCorruption 0x1 // q; s: NULL
 #define HeapExtendedInformation 0x2 // q; s: HEAP_EXTENDED_INFORMATION
-#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION
+#define HeapOptimizeResources 0x3 // q; s: HEAP_OPTIMIZE_RESOURCES_INFORMATION
 #define HeapTaggingInformation 0x4
-#define HeapStackDatabase 0x5
-#define HeapMemoryLimit 0x6 // 19H2
+#define HeapStackDatabase 0x5 // q: RTL_HEAP_STACK_QUERY; s: RTL_HEAP_STACK_CONTROL
+#define HeapMemoryLimit 0x6 // since 19H2
+#define HeapTag 0x7 // since 20H1
 #define HeapDetailedFailureInformation 0x80000001
 #define HeapSetDebuggingInformation 0x80000002 // q; s: HEAP_DEBUGGING_INFORMATION
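Review bot: `#define HeapTag 0x7` is an object-like macro, and RTL_HEAP_INFORMATION_V2 in the earlier ntrtl.h hunk has a member named HeapTag; the struct definition survives only because it precedes this line, but any consumer expression such as `heap->HeapTag` written after the include expands to `heap->0x7` and fails to compile. Either the macro or the field needs a distinct name — e.g. `#define HeapTagInformation 0x7 // since 20H1` (name constructed here; check the symbol for the real HEAP_INFORMATION_CLASS name), which would also follow the `...Information` pattern of the neighbouring values.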
@@ -4372,30 +4410,137 @@ typedef enum _HEAP_COMPATIBILITY_MODE HEAP_COMPATIBILITY_LFH = 2UL, } HEAP_COMPATIBILITY_MODE; +typedef struct _RTLP_TAG_INFO +{ + GUID Id; + ULONG_PTR CurrentAllocatedBytes; +} RTLP_TAG_INFO, *PRTLP_TAG_INFO; + +typedef struct _RTLP_HEAP_TAGGING_INFO +{ + USHORT Version; + USHORT Flags; + PVOID ProcessHandle; + ULONG_PTR EntriesCount; + RTLP_TAG_INFO Entries[1]; +} RTLP_HEAP_TAGGING_INFO, *PRTLP_HEAP_TAGGING_INFO; + typedef struct _PROCESS_HEAP_INFORMATION { - ULONG_PTR ReserveSize; - ULONG_PTR CommitSize; + SIZE_T ReserveSize; + SIZE_T CommitSize; ULONG NumberOfHeaps; ULONG_PTR FirstHeapInformationOffset; } PROCESS_HEAP_INFORMATION, *PPROCESS_HEAP_INFORMATION; +typedef struct _HEAP_REGION_INFORMATION +{ + PVOID Address; + SIZE_T ReserveSize; + SIZE_T CommitSize; + ULONG_PTR FirstRangeInformationOffset; + ULONG_PTR NextRegionInformationOffset; +} HEAP_REGION_INFORMATION, *PHEAP_REGION_INFORMATION; + +typedef struct _HEAP_RANGE_INFORMATION +{ + PVOID Address; + SIZE_T Size; + ULONG Type; + ULONG Protection; + ULONG_PTR FirstBlockInformationOffset; + ULONG_PTR NextRangeInformationOffset; +} HEAP_RANGE_INFORMATION, *PHEAP_RANGE_INFORMATION; + +typedef struct _HEAP_BLOCK_INFORMATION +{ + PVOID Address; + ULONG Flags; + SIZE_T DataSize; + ULONG_PTR OverheadSize; + ULONG_PTR NextBlockInformationOffset; +} HEAP_BLOCK_INFORMATION, *PHEAP_BLOCK_INFORMATION; + typedef struct _HEAP_INFORMATION { - ULONG_PTR Address; + PVOID Address; ULONG Mode; - ULONG_PTR ReserveSize; - ULONG_PTR CommitSize; + SIZE_T ReserveSize; + SIZE_T CommitSize; ULONG_PTR FirstRegionInformationOffset; ULONG_PTR NextHeapInformationOffset; } HEAP_INFORMATION, *PHEAP_INFORMATION; +typedef struct _SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION +{ + SIZE_T SegmentReserveSize; + SIZE_T SegmentCommitSize; + ULONG_PTR SegmentCount; + SIZE_T AllocatedSize; + SIZE_T LargeAllocReserveSize; + SIZE_T LargeAllocCommitSize; +} SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION, 
*PSEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION; + +#define HeapPerformanceCountersInformationStandardHeapVersion 0x1 +#define HeapPerformanceCountersInformationSegmentHeapVersion 0x2 + +typedef struct _HEAP_PERFORMANCE_COUNTERS_INFORMATION +{ + ULONG Size; + ULONG Version; + ULONG HeapIndex; + ULONG LastHeapIndex; + PVOID BaseAddress; + SIZE_T ReserveSize; + SIZE_T CommitSize; + ULONG SegmentCount; + SIZE_T LargeUCRMemory; + ULONG UCRLength; + SIZE_T AllocatedSpace; + SIZE_T FreeSpace; + ULONG FreeListLength; + ULONG Contention; + ULONG VirtualBlocks; + ULONG CommitRate; + ULONG DecommitRate; + SEGMENT_HEAP_PERFORMANCE_COUNTER_INFORMATION SegmentHeapPerfInformation; // since WIN8 +} HEAP_PERFORMANCE_COUNTERS_INFORMATION, *PHEAP_PERFORMANCE_COUNTERS_INFORMATION; + +typedef struct _HEAP_INFORMATION_ITEM +{ + ULONG Level; + SIZE_T Size; + union + { + PROCESS_HEAP_INFORMATION ProcessHeapInformation; + HEAP_INFORMATION HeapInformation; + HEAP_REGION_INFORMATION HeapRegionInformation; + HEAP_RANGE_INFORMATION HeapRangeInformation; + HEAP_BLOCK_INFORMATION HeapBlockInformation; + HEAP_PERFORMANCE_COUNTERS_INFORMATION HeapPerfInformation; + ULONG_PTR DynamicStart; + }; +} HEAP_INFORMATION_ITEM, *PHEAP_INFORMATION_ITEM; + +typedef NTSTATUS (NTAPI *PRTL_HEAP_EXTENDED_ENUMERATION_ROUTINE)( + _In_ PHEAP_INFORMATION_ITEM Information, + _In_ PVOID Context + ); + +// HEAP_EXTENDED_INFORMATION Level +#define HeapExtendedProcessHeapInformationLevel 0x1 +#define HeapExtendedHeapInformationLevel 0x2 +#define HeapExtendedHeapRegionInformationLevel 0x3 +#define HeapExtendedHeapRangeInformationLevel 0x4 +#define HeapExtendedHeapBlockInformationLevel 0x5 +#define HeapExtendedHeapHeapPerfInformationLevel 0x80000000 + typedef struct _HEAP_EXTENDED_INFORMATION { - HANDLE Process; - ULONG_PTR Heap; + HANDLE ProcessHandle; + PVOID HeapHandle; ULONG Level; - PVOID CallbackRoutine; + PRTL_HEAP_EXTENDED_ENUMERATION_ROUTINE CallbackRoutine; PVOID CallbackContext; union { 
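Review bot: RTLP_HEAP_TAGGING_INFO declares `PVOID ProcessHandle;` while HEAP_EXTENDED_INFORMATION in the same hunk and RTL_HEAP_STACK_QUERY in the next one use `HANDLE ProcessHandle;`; the two are layout-identical, but the mismatch forces a cast at call sites, so `HANDLE ProcessHandle;` would keep the new structures consistent. HEAP_PERFORMANCE_COUNTERS_INFORMATION carries `Size` and `Version` fields plus two HeapPerformanceCountersInformation...Version constants, yet nothing says which fields are present at which version; the `// since WIN8` tag on SegmentHeapPerfInformation suggests that field is only populated for the segment-heap version, and if so a comment such as `// valid only when Version == HeapPerformanceCountersInformationSegmentHeapVersion (confirm)` would stop readers consuming it unconditionally.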
@@ -4404,6 +4549,76 @@ typedef struct _HEAP_EXTENDED_INFORMATION }; } HEAP_EXTENDED_INFORMATION, *PHEAP_EXTENDED_INFORMATION; +// rev +typedef NTSTATUS (NTAPI *RTL_HEAP_STACK_WRITE_ROUTINE)( + _In_ PVOID Information, // TODO: 3 missing structures (dmex) + _In_ ULONG Size, + _In_ PVOID Context + ); + +// rev +typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT +{ + ULONG Count; + ULONG Total; + ULONG Flags; +} RTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_INIT; + +// rev +typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER +{ + USHORT Version; + USHORT PointerSize; + PVOID Heap; + SIZE_T TotalCommit; + SIZE_T TotalReserve; +} RTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_HEADER; + +// rev +typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION +{ + PVOID Address; + ULONG Flags; + SIZE_T DataSize; +} RTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_ALLOCATION; + +// rev +typedef struct _RTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME +{ + PVOID StackFrame[8]; +} RTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME, *PRTLP_HEAP_STACK_TRACE_SERIALIZATION_STACKFRAME; + +#define HEAP_STACK_QUERY_VERSION 0x2 + +typedef struct _RTL_HEAP_STACK_QUERY +{ + ULONG Version; + HANDLE ProcessHandle; + RTL_HEAP_STACK_WRITE_ROUTINE WriteRoutine; + PVOID SerializationContext; + UCHAR QueryLevel; + UCHAR Flags; +} RTL_HEAP_STACK_QUERY, *PRTL_HEAP_STACK_QUERY; + +#define HEAP_STACK_CONTROL_VERSION 0x1 +#define HEAP_STACK_CONTROL_FLAGS_STACKTRACE_ENABLE 0x1 +#define HEAP_STACK_CONTROL_FLAGS_STACKTRACE_DISABLE 0x2 + +typedef struct _RTL_HEAP_STACK_CONTROL +{ + USHORT Version; + USHORT Flags; + HANDLE ProcessHandle; +} RTL_HEAP_STACK_CONTROL, *PRTL_HEAP_STACK_CONTROL; + +// rev +typedef NTSTATUS (NTAPI *PRTL_HEAP_DEBUGGING_INTERCEPTOR_ROUTINE)( + _In_ PVOID HeapHandle, + _In_ ULONG Action, + _In_ ULONG StackFramesToCapture, + _In_ PVOID *StackTrace + ); + // rev typedef 
NTSTATUS (NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( _In_ LONG Reserved, @@ -4417,7 +4632,7 @@ typedef NTSTATUS (NTAPI *PRTL_HEAP_LEAK_ENUMERATION_ROUTINE)( // symbols typedef struct _HEAP_DEBUGGING_INFORMATION { - PVOID InterceptorFunction; + PRTL_HEAP_DEBUGGING_INTERCEPTOR_ROUTINE InterceptorFunction; USHORT InterceptorValue; ULONG ExtendedOptions; ULONG StackTraceDepth; @@ -4430,7 +4645,7 @@ NTSYSAPI NTSTATUS NTAPI RtlQueryHeapInformation( - _In_ PVOID HeapHandle, + _In_opt_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _Out_opt_ PVOID HeapInformation, _In_opt_ SIZE_T HeapInformationLength, @@ -4441,7 +4656,7 @@ NTSYSAPI NTSTATUS NTAPI RtlSetHeapInformation( - _In_ PVOID HeapHandle, + _In_opt_ PVOID HeapHandle, _In_ HEAP_INFORMATION_CLASS HeapInformationClass, _In_opt_ PVOID HeapInformation, _In_opt_ SIZE_T HeapInformationLength @@ -4774,7 +4989,7 @@ typedef struct _RTL_DEBUG_INFORMATION struct _RTL_PROCESS_MODULE_INFORMATION_EX *ModulesEx; }; struct _RTL_PROCESS_BACKTRACES *BackTraces; - struct _RTL_PROCESS_HEAPS *Heaps; + PVOID Heaps; struct _RTL_PROCESS_LOCKS *Locks; PVOID SpecificHeap; HANDLE TargetProcessHandle; @@ -7752,7 +7967,7 @@ typedef struct _RTL_UNLOAD_EVENT_TRACE ULONG Version[2]; } RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE; -typedef struct _RTL_UNLOAD_EVENT_TRACE32 +typedef struct _RTL_UNLOAD_EVENT_TRACE32 { ULONG BaseAddress; ULONG SizeOfImage; @@ -7997,7 +8212,7 @@ RtlSetImageMitigationPolicy( #endif -// session +// session // rev NTSYSAPI @@ -8033,8 +8248,8 @@ NTSYSAPI NTSTATUS NTAPI RtlGetTokenNamedObjectPath( - _In_ HANDLE Token, - _In_opt_ PSID Sid, + _In_ HANDLE Token, + _In_opt_ PSID Sid, _Out_ PUNICODE_STRING ObjectPath // RtlFreeUnicodeString ); #endif @@ -8058,7 +8273,7 @@ NTSYSAPI NTSTATUS NTAPI RtlGetAppContainerParent( - _In_ PSID AppContainerSid, + _In_ PSID AppContainerSid, _Out_ PSID* AppContainerSidParent // RtlFreeSid ); #endif 
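Review bot: RTL_HEAP_STACK_WRITE_ROUTINE, introduced in the hunk that begins at `@@ -4404,6 +4549,76 @@`, is a pointer-to-function typedef but lacks the `P` prefix used by PRTL_HEAP_EXTENDED_ENUMERATION_ROUTINE, PRTL_HEAP_DEBUGGING_INTERCEPTOR_ROUTINE and PRTL_HEAP_LEAK_ENUMERATION_ROUTINE; `typedef NTSTATUS (NTAPI *PRTL_HEAP_STACK_WRITE_ROUTINE)(` together with the matching field type in RTL_HEAP_STACK_QUERY would keep the file's convention. Its `Information` parameter is a bare PVOID, and the `// TODO: 3 missing structures` comment does not tell a consumer how to recognise which RTLP_HEAP_STACK_TRACE_SERIALIZATION_* record it received; if the discriminator is `Size` or a fixed record order, a one-line comment stating that would make the callback usable without re-deriving it. The PRTL_HEAP_LEAK_ENUMERATION_ROUTINE typedef at the end of that hunk continues outside it.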
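Review bot: Changing HeapHandle to `_In_opt_` in RtlQueryHeapInformation (and likewise in the RtlSetHeapInformation hunk that follows) says NULL is accepted but not for which classes; the classes this commit adds carry their own target inside the information structure (HEAP_EXTENDED_INFORMATION.ProcessHandle, RTL_HEAP_STACK_QUERY.ProcessHandle), which suggests NULL is meaningful only for those and not for the per-heap ones. A comment on the parameter, e.g. `_In_opt_ PVOID HeapHandle, // NULL for process-wide classes (HeapExtendedInformation, HeapStackDatabase) — confirm`, would record that rule instead of leaving callers to find out which classes reject a NULL handle.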
@@ -8225,7 +8440,25 @@ RtlFlsFree( _In_ ULONG FlsIndex ); -typedef enum _STATE_LOCATION_TYPE +#if (PHNT_VERSION >= PHNT_20H1) +NTSYSAPI +NTSTATUS +WINAPI +RtlFlsGetValue( + _In_ ULONG FlsIndex, + _Out_ PVOID* FlsData + ); + +NTSYSAPI +NTSTATUS +WINAPI +RtlFlsSetValue( + _In_ ULONG FlsIndex, + _In_ PVOID FlsData + ); +#endif + +typedef enum _STATE_LOCATION_TYPE { LocationTypeRegistry, LocationTypeFileSystem, @@ -8348,7 +8581,7 @@ NTSYSAPI NTSTATUS NTAPI RtlAppxIsFileOwnedByTrustedInstaller( - _In_ HANDLE FileHandle, + _In_ HANDLE FileHandle, _Out_ PBOOLEAN IsFileOwnedByTrustedInstaller ); #endif @@ -8555,7 +8788,7 @@ NTSYSAPI NTSTATUS NTAPI RtlCheckBootStatusIntegrity( - _In_ HANDLE FileHandle, + _In_ HANDLE FileHandle, _Out_ PBOOLEAN Verified ); diff --git a/ntsam.h b/ntsam.h index 9a12827..4b6d21b 100644 --- a/ntsam.h +++ b/ntsam.h @@ -1425,7 +1425,7 @@ typedef struct _USER_ALLOWED_TO_DELEGATE_TO_LIST ULONG Size; ULONG NumSPNs; UNICODE_STRING SPNList[ANYSIZE_ARRAY]; -} USER_ALLOWED_TO_DELEGATE_TO_LIST, *PUSER_ALLOWED_TO_DELEGATE_TO_LIST; +} USER_ALLOWED_TO_DELEGATE_TO_LIST, *PUSER_ALLOWED_TO_DELEGATE_TO_LIST; #define USER_EXTENDED_FIELD_UPN 0x00000001L #define USER_EXTENDED_FIELD_A2D2 0x00000002L diff --git a/ntwow64.h b/ntwow64.h index aa8ebda..63b80f1 100644 --- a/ntwow64.h +++ b/ntwow64.h @@ -397,6 +397,9 @@ C_ASSERT(FIELD_OFFSET(PEB32, WaitOnAddressHashTable) == 0x25c); //C_ASSERT(sizeof(PEB32) == 0x460); // REDSTONE3 C_ASSERT(sizeof(PEB32) == 0x470); +// Note: Use PhGetProcessPeb32 instead. (dmex) +//#define WOW64_GET_PEB32(peb64) ((PPEB32)PTR_ADD_OFFSET((peb64), ALIGN_UP_BY(sizeof(PEB), PAGE_SIZE))) + #define GDI_BATCH_BUFFER_SIZE 310 typedef struct _GDI_TEB_BATCH32 
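Review bot: RtlFlsGetValue and RtlFlsSetValue are declared with `WINAPI` while every other Rtl prototype in ntrtl.h, including RtlFlsFree directly above the hunk, uses `NTAPI`; both expand to the same calling convention today, but `WINAPI` comes from the Win32 headers rather than this header set, and the inconsistency stands out in a file that is otherwise uniform. `NTAPI` on both declarations keeps the convention.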
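Review bot: The ntwow64.h hunk adds a commented-out `//#define WOW64_GET_PEB32(peb64) ...` with a note to use PhGetProcessPeb32, which appears to be a Process Hacker helper rather than anything this header declares, and the reason the macro is disabled is not stated; commented-out code tends to be resurrected. Either drop the macro entirely or replace it with a comment stating why the fixed-offset computation is not valid for the PEB (if that is the reason), since the live WOW64_GET_TEB32 macro in the next hunk uses the same technique and a reader will wonder why one is acceptable and the other is not.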
@@ -568,6 +571,11 @@ C_ASSERT(FIELD_OFFSET(TEB32, ReservedForCrt) == 0xfe8); C_ASSERT(FIELD_OFFSET(TEB32, EffectiveContainerId) == 0xff0); C_ASSERT(sizeof(TEB32) == 0x1000); +// Get the 32-bit TEB without doing a memory reference +// modified from public SDK /10.0.10240.0/um/minwin/wow64t.h (dmex) +#define WOW64_GET_TEB32(teb64) ((PTEB32)PTR_ADD_OFFSET((teb64), ALIGN_UP_BY(sizeof(TEB), PAGE_SIZE))) +#define WOW64_TEB32_POINTER_ADDRESS(teb64) (PVOID)&((teb64)->NtTib.ExceptionList) + // Conversion FORCEINLINE VOID UStr32ToUStr( diff --git a/ntzwapi.h b/ntzwapi.h index 3cdddf0..34d1049 100644 --- a/ntzwapi.h +++ b/ntzwapi.h @@ -1084,7 +1084,6 @@ ZwCreatePort( _In_opt_ ULONG MaxPoolUsage ); -#if (PHNT_VERSION >= PHNT_VISTA) NTSYSCALLAPI NTSTATUS NTAPI @@ -1094,7 +1093,6 @@ ZwCreatePrivateNamespace( _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor ); -#endif NTSYSCALLAPI NTSTATUS @@ -1497,14 +1495,12 @@ ZwDeleteObjectAuditAlarm( _In_ BOOLEAN GenerateOnClose ); -#if (PHNT_VERSION >= PHNT_VISTA) NTSYSCALLAPI NTSTATUS NTAPI ZwDeletePrivateNamespace( _In_ HANDLE NamespaceHandle ); -#endif NTSYSCALLAPI NTSTATUS @@ -1630,7 +1626,7 @@ NTSYSCALLAPI NTSTATUS NTAPI ZwEnumerateSystemEnvironmentValuesEx( - _In_ ULONG InformationClass, + _In_ ULONG InformationClass, // SYSTEM_ENVIRONMENT_INFORMATION_CLASS _Out_ PVOID Buffer, _Inout_ PULONG BufferLength ); @@ -2484,7 +2480,6 @@ ZwOpenPartition( _In_ POBJECT_ATTRIBUTES ObjectAttributes ); -#if (PHNT_VERSION >= PHNT_VISTA) NTSYSCALLAPI NTSTATUS NTAPI @@ -2494,7 +2489,6 @@ ZwOpenPrivateNamespace( _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ POBJECT_BOUNDARY_DESCRIPTOR BoundaryDescriptor ); -#endif NTSYSCALLAPI NTSTATUS 
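Review bot: `WOW64_TEB32_POINTER_ADDRESS(teb64)` expands to `(PVOID)&((teb64)->NtTib.ExceptionList)` without outer parentheses, so the cast binds loosely when the macro is embedded in a larger expression; `#define WOW64_TEB32_POINTER_ADDRESS(teb64) ((PVOID)&((teb64)->NtTib.ExceptionList))` is the safe form. The comment on WOW64_GET_TEB32 should also state its precondition: the result is presumably only a TEB32 when teb64 belongs to a thread of a WOW64 process, and the offset is computed from phnt's own `sizeof(TEB)` rounded to PAGE_SIZE, so a native thread or a TEB definition that drifts from the running OS yields a pointer into unrelated memory with no way for the caller to detect it.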
@@ -3227,7 +3221,7 @@ NTSTATUS NTAPI ZwQuerySystemEnvironmentValueEx( _In_ PUNICODE_STRING VariableName, - _In_ LPGUID VendorGuid, + _In_ PGUID VendorGuid, _Out_writes_bytes_opt_(*ValueLength) PVOID Value, _Inout_ PULONG ValueLength, _Out_opt_ PULONG Attributes // EFI_VARIABLE_* @@ -3363,20 +3357,18 @@ ZwQueueApcThreadEx( _In_opt_ PVOID ApcArgument3 ); -#if (PHNT_VERSION >= PHNT_WIN11) NTSYSCALLAPI NTSTATUS NTAPI ZwQueueApcThreadEx2( _In_ HANDLE ThreadHandle, _In_opt_ HANDLE ReserveHandle, // NtAllocateReserveObject - _In_ QUEUE_USER_APC_FLAGS ApcFlags, + _In_ ULONG ApcFlags, // QUEUE_USER_APC_FLAGS _In_ PPS_APC_ROUTINE ApcRoutine, _In_opt_ PVOID ApcArgument1, _In_opt_ PVOID ApcArgument2, _In_opt_ PVOID ApcArgument3 ); -#endif NTSYSCALLAPI NTSTATUS @@ -4159,7 +4151,7 @@ NTSTATUS NTAPI ZwSetSystemEnvironmentValueEx( _In_ PUNICODE_STRING VariableName, - _In_ LPGUID VendorGuid, + _In_ PGUID VendorGuid, _In_reads_bytes_opt_(ValueLength) PVOID Value, _In_ ULONG ValueLength, // 0 = delete variable _In_ ULONG Attributes // EFI_VARIABLE_* @@ -4614,7 +4606,10 @@ NTSTATUS NTAPI ZwWaitForWorkViaWorkerFactory( _In_ HANDLE WorkerFactoryHandle, - _Out_ struct _FILE_IO_COMPLETION_INFORMATION *MiniPacket + _Out_writes_to_(Count, *PacketsReturned) struct _FILE_IO_COMPLETION_INFORMATION *MiniPackets, + _In_ ULONG Count, + _Out_ PULONG PacketsReturned, + _In_ struct _WORKER_FACTORY_DEFERRED_WORK* DeferredWork ); NTSYSCALLAPI diff --git a/phnt.h b/phnt.h index 52b91ff..05dc6ad 100644 --- a/phnt.h +++ b/phnt.h @@ -56,6 +56,7 @@ #define PHNT_21H1 111 #define PHNT_21H2 112 #define PHNT_WIN11 113 +#define PHNT_WIN11_22H2 114 #ifndef PHNT_MODE #define PHNT_MODE PHNT_MODE_USER diff --git a/phnt_ntdef.h b/phnt_ntdef.h index 223e7fd..21e236d 100644 --- a/phnt_ntdef.h +++ b/phnt_ntdef.h 
@@ -235,6 +235,7 @@ typedef const OBJECT_ATTRIBUTES *PCOBJECT_ATTRIBUTES; #define RTL_INIT_OBJECT_ATTRIBUTES(n, a) RTL_CONSTANT_OBJECT_ATTRIBUTES(n, a) #define OBJ_NAME_PATH_SEPARATOR ((WCHAR)L'\\') +#define OBJ_NAME_ALTPATH_SEPARATOR ((WCHAR)L'/') // Portability diff --git a/winsta.h b/winsta.h index 2e2bef3..45abc91 100644 --- a/winsta.h +++ b/winsta.h @@ -160,7 +160,7 @@ typedef enum _WINSTATIONINFOCLASS WinStationReconnectedFromId, // ULONG WinStationEffectsPolicy, // ULONG WinStationType, // ULONG - WinStationInformationEx, // WINSTATIONINFORMATIONEX + WinStationInformationEx, // WINSTATIONINFORMATIONEX WinStationValidationInfo } WINSTATIONINFOCLASS; @@ -566,7 +566,7 @@ typedef struct _WINSTATIONVIDEODATA typedef enum _CDCLASS { - CdNone, // No connection driver. + CdNone, // No connection driver. CdModem, // Connection driver is a modem. CdClass_Maximum, } CDCLASS;
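Review bot: `OBJ_NAME_ALTPATH_SEPARATOR` sits next to OBJ_NAME_PATH_SEPARATOR in the object-attributes section, which implies `/` is a separator in NT object names; as far as I know the object manager splits names on `\` only, and `/` is honoured by the DOS-to-NT path conversion routines that translate it to `\`. A caller that canonicalises or compares NT object paths on both characters would treat `a/b` as two components where the kernel sees one, so a comment stating the intended scope, e.g. `// honoured by the Win32/DOS path conversion routines, not by the object manager`, would prevent that mismatch.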