/*
 * WMI_LOGGER_CONTEXT: state record for one logger.
 *
 * The member names (ETW_*, WMI_BUFFER_HEADER, LogFileName, Consumers, ...)
 * indicate this belongs to the Windows WMI/ETW trace-logging subsystem.
 * The code that reads and writes the record is not part of this listing, so
 * the notes below state only what the declarations show; anything inferred
 * from a name is marked as such.
 *
 * Member order and types define the in-memory layout. Do not reorder,
 * retype or rename members.
 *
 * Uses Microsoft-specific `__int64` and anonymous unions/structs, so it needs
 * a compiler that accepts those.
 */
typedef struct _WMI_LOGGER_CONTEXT {
    unsigned long LoggerId;
    unsigned long BufferSize;
    unsigned long MaximumEventSize;
    long CollectionOn;
    unsigned long LoggerMode;
    long AcceptNewEvents;
    /*
     * NOTE(review): function pointer stored in the data structure itself.
     * Its value decides which code runs wherever it is called (call sites not
     * visible here), so treat it as integrity-sensitive when auditing or
     * monitoring this structure. Presumably the timestamp source, going by
     * the name - confirm against the callers.
     */
    __int64 (*GetCpuClock)(void);
    LARGE_INTEGER StartTime;
    void *LogFileHandle;
    ETHREAD *LoggerThread;
    long LoggerStatus;
    void *NBQHead;
    void *OverflowNBQHead;
    SLIST_HEADER QueueBlockFreeList;
    LIST_ENTRY GlobalList;
    /* Anonymous union: the two members share the same storage. */
    union {
        WMI_BUFFER_HEADER *BatchedBufferList;
        EX_FAST_REF CurrentBuffer;
    };
    UNICODE_STRING LoggerName;
    UNICODE_STRING LogFileName;
    UNICODE_STRING LogFilePattern;
    UNICODE_STRING NewLogFileName;
    unsigned long ClockType;
    unsigned long MaximumFileSize;
    unsigned long LastFlushedBuffer;
    unsigned long FlushTimer;
    unsigned long FlushThreshold;
    LARGE_INTEGER ByteOffset;
    unsigned long MinimumBuffers;
    /* Some of the counters below are declared volatile; the rest are not. */
    volatile long BuffersAvailable;
    volatile long NumberOfBuffers;
    unsigned long MaximumBuffers;
    /*
     * The *Lost counters presumably record dropped events/buffers (inferred
     * from the names). If so they matter when judging whether a trace is
     * complete - confirm how they are updated.
     */
    volatile unsigned long EventsLost;
    unsigned long BuffersWritten;
    unsigned long LogBuffersLost;
    unsigned long RealTimeBuffersDelivered;
    unsigned long RealTimeBuffersLost;
    long *SequencePtr;
    unsigned long LocalSequence;
    GUID InstanceGuid;
    long FileCounter;
    /*
     * NOTE(review): second function pointer held in the structure; takes a
     * buffer header and an untyped context pointer. The same
     * integrity-sensitivity applies as for GetCpuClock.
     */
    void (*BufferCallback)(WMI_BUFFER_HEADER *, void *);
    POOL_TYPE PoolType;
    ETW_REF_CLOCK ReferenceTime;
    LIST_ENTRY Consumers;
    unsigned long NumConsumers;
    ETW_REALTIME_CONSUMER *TransitionConsumer;
    void *RealtimeLogfileHandle;
    UNICODE_STRING RealtimeLogfileName;
    LARGE_INTEGER RealtimeWriteOffset;
    LARGE_INTEGER RealtimeReadOffset;
    LARGE_INTEGER RealtimeLogfileSize;
    unsigned __int64 RealtimeLogfileUsage;
    unsigned __int64 RealtimeMaximumFileSize;
    unsigned long RealtimeBuffersSaved;
    ETW_REF_CLOCK RealtimeReferenceTime;
    ETW_RT_EVENT_LOSS NewRTEventsLost;
    /* Kernel dispatcher objects and locks embedded by value, not by pointer. */
    KEVENT LoggerEvent;
    KEVENT FlushEvent;
    KTIMER FlushTimeOutTimer;
    KDPC FlushDpc;
    KMUTANT LoggerMutex;
    EX_PUSH_LOCK LoggerLock;
    /*
     * Anonymous union: a 64-bit spin-lock word and a push lock overlay the
     * same storage. What selects between them is not visible here.
     */
    union {
        unsigned __int64 BufferListSpinLock;
        EX_PUSH_LOCK BufferListPushLock;
    };
    /*
     * Presumably the access-control state for this logger (inferred from the
     * names); the checks that consume these members are not shown.
     */
    SECURITY_CLIENT_CONTEXT ClientSecurityContext;
    EX_FAST_REF SecurityDescriptor;
    __int64 BufferSequenceNumber;
    /*
     * Flags can be read as one 32-bit-style word or through ten named
     * one-bit fields overlaying it. The remaining bits have no name here.
     * Bit-field placement within the word is compiler-defined.
     */
    union {
        unsigned long Flags;
        struct {
            unsigned long Persistent : 1;
            unsigned long AutoLogger : 1;
            unsigned long FsReady : 1;
            unsigned long RealTime : 1;
            unsigned long Wow : 1;
            unsigned long KernelTrace : 1;
            unsigned long NoMoreEnable : 1;
            unsigned long StackTracing : 1;
            unsigned long ErrorLogged : 1;
            unsigned long RealtimeLoggerContextFreed : 1;
        };
    };
    /* RequestFlag has the same overlay pattern, with six named one-bit fields. */
    union {
        unsigned long RequestFlag;
        struct {
            /*
             * Spelled "Fie" in this listing; presumably "File". Kept as is,
             * because the identifier is part of the type's interface.
             */
            unsigned long RequestNewFie : 1;
            unsigned long RequestUpdateFile : 1;
            unsigned long RequestFlush : 1;
            unsigned long RequestDisableRealtime : 1;
            unsigned long RequestDisconnectConsumer : 1;
            unsigned long RequestConnectConsumer : 1;
        };
    };
    RTL_BITMAP HookIdMap;
} WMI_LOGGER_CONTEXT, *PWMI_LOGGER_CONTEXT;