EVENT_HEADER structure
Defines information about the event.
Syntax
typedef struct _EVENT_HEADER { USHORT Size; USHORT HeaderType; USHORT Flags; USHORT EventProperty; ULONG ThreadId; ULONG ProcessId; LARGE_INTEGER TimeStamp; GUID ProviderId; EVENT_DESCRIPTOR EventDescriptor; union { struct { ULONG KernelTime; ULONG UserTime; }; ULONG64 ProcessorTime; }; GUID ActivityId; } EVENT_HEADER, *PEVENT_HEADER;
Members
- Size
-
Size of the event record, in bytes.
- HeaderType
-
Reserved.
- Flags
-
Flags that provide information about the event such as the type of session it was logged to and if the event contains extended data. This member can contain one or more of the following flags.
Value Meaning - EVENT_HEADER_FLAG_EXTENDED_INFO
The ExtendedData member of EVENT_RECORD contains data.
- EVENT_HEADER_FLAG_PRIVATE_SESSION
The event was logged to a private session. Use ProcessorTime for elapsed execution time.
- EVENT_HEADER_FLAG_STRING_ONLY
The event data is a null-terminated Unicode string. You do not need a manifest to parse the UserData member of EVENT_RECORD.
- EVENT_HEADER_FLAG_TRACE_MESSAGE
The provider used TraceMessage or TraceMessageVa to log the event. Most providers do not use these functions to write events, so this flag typically indicates that the event was written by Windows Software Trace Preprocessor (WPP).
- EVENT_HEADER_FLAG_NO_CPUTIME
Use ProcessorTime for elapsed execution time.
- EVENT_HEADER_FLAG_32_BIT_HEADER
Indicates that the provider was running on a 32-bit computer or in a WOW64 session.
- EVENT_HEADER_FLAG_64_BIT_HEADER
Indicates that the provider was running on a 64-bit computer.
- EVENT_HEADER_FLAG_CLASSIC_HEADER
Indicates that provider used TraceEvent to log the event.
- EventProperty
-
Indicates the source to use for parsing the event data.
- ThreadId
-
Identifies the thread that generated the event.
- ProcessId
-
Identifies the process that generated the event.
- TimeStamp
-
Contains the time that the event occurred. The resolution is system time unless the ProcessTraceMode member of EVENT_TRACE_LOGFILE contains the PROCESS_TRACE_MODE_RAW_TIMESTAMP flag, in which case the resolution depends on the value of the Wnode.ClientContext member of EVENT_TRACE_PROPERTIES at the time the controller created the session.
- ProviderId
-
GUID that uniquely identifies the provider that logged the event.
- EventDescriptor
-
Defines the information about the event such as the event identifier and severity level. For details, see EVENT_DESCRIPTOR.
- KernelTime
-
Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using a private session, use the value in the ProcessorTime member instead. For more information, see Remarks.
- UserTime
-
Elapsed execution time for user-mode instructions, in CPU time units. If you are using a private session, use the value in the ProcessorTime member instead. For more information, see Remarks.
- ProcessorTime
-
For private sessions, the elapsed execution time for user-mode instructions, in CPU ticks.
- ActivityId
-
Identifier that relates two events. For details, see EventWriteTransfer.
Remarks
You can use the KernelTime and UserTime members to determine the CPU cost in units for a set of instructions (the values indicate the CPU usage charged to that thread at the time of logging). For example, if Event A and Event B are consecutively logged by the same thread and they have CPU usage numbers 150 and 175, then the activity that was performed by that thread between events A and B cost 25 CPU time units (175 – 150).
The TimerResolution of the TRACE_LOGFILE_HEADER structure contains the resolution of the CPU usage timer in 100-nanosecond units. You can use the timer resolution with the kernel time and user time values to determine the amount of CPU time that the set of instructions used. For example, if the timer resolution is 156,250, then 25 CPU time units is 0.39 seconds (156,250 * 25 * 100 / 1,000,000,000). This is the amount of CPU time (not elapsed wall clock time) used by the set of instructions between events A and B.
Requirements
|
Minimum supported client |
Windows Vista [desktop apps only] |
|---|---|
|
Minimum supported server |
Windows Server 2008 [desktop apps only] |
|
Header |
|
See also