Windows Dev Center

WNODE_HEADER structure

The WNODE_HEADER structure is a member of the EVENT_TRACE_PROPERTIES structure.


typedef struct _WNODE_HEADER {
  ULONG BufferSize;
  ULONG ProviderId;
  union {
    ULONG64 HistoricalContext;
    struct {
      ULONG Version;
      ULONG Linkage;
  union {
    HANDLE        KernelHandle;
    LARGE_INTEGER TimeStamp;
  GUID  Guid;
  ULONG ClientContext;
  ULONG Flags;



Total size of memory allocated, in bytes, for the event tracing session properties. The size of memory must include the room for the EVENT_TRACE_PROPERTIES structure plus the session name string and log file name string that follow the structure in memory.


Reserved for internal use.


On output, the handle to the event tracing session.


Reserved for internal use.


Reserved for internal use.


Reserved for internal use.


Time at which the information in this structure was updated, in 100-nanosecond intervals since midnight, January 1, 1601.


The GUID that you define for the session.

For an NT Kernel Logger session, set this member to SystemTraceControlGuid.

For a private logger session, set this member to the provider's GUID that you are going to enable for the session.

If you start a session that is not a kernel logger or private logger session, you do not have to specify a session GUID. If you do not specify a GUID, ETW creates one for you. You need to specify a session GUID only if you want to change the default permissions associated with a specific session. For details, see the EventAccessControl function.

You cannot start more than one session with the same session GUID.

Prior to Windows Vista:  You can start more than one session with the same session GUID.


Clock resolution to use when logging the time stamp for each event. The default is Query performance counter (QPC).

Prior to Windows Vista:  The default is system time.

You can specify one of the following values.


Query performance counter (QPC). The QPC counter provides a high-resolution time stamp but is comparatively more resource-intensive to retrieve.

You should use this resolution if you have high event rates or if the consumer merges events from different buffers.

To determine the resolution, use the PerfFreq member of TRACE_LOGFILE_HEADER when consuming the event.

Note that on older computers, the time stamp may not be accurate because the counter sometimes skips forward due to hardware errors.


System time. The system time provides a low-resolution time stamp but is comparatively less resource-intensive to retrieve.

To determine the resolution, use the TimerResolution member of TRACE_LOGFILE_HEADER when consuming the event.

Note that if the volume of events is high, the resolution for system time may not be fine enough to determine the sequence of events. In this case, a set of events will have the same time stamp, but the order in which ETW delivers the events may not be correct.


CPU cycle counter. The CPU counter provides the highest resolution time stamp and is the least resource-intensive to retrieve. However, the CPU counter is unreliable and should not be used in production. For example, on some computers, the timers will change frequency due to thermal and power changes, in addition to stopping in some states.

To determine the resolution, use the CpuSpeedInMHz member of TRACE_LOGFILE_HEADER when consuming the event.

If your hardware does not support this clock type, ETW uses system time.

Windows Server 2003, Windows XP with SP1, and Windows XP:  This value is not supported, it was introduced in Windows Server 2003 with SP1 and Windows XP with SP2.


Windows 2000:  The ClientContext member is not supported.


Must contain WNODE_FLAG_TRACED_GUID to indicate that the structure contains event tracing information.


Be sure to initialize the memory for this structure to zero before setting any members.


Minimum supported client

Windows 2000 Professional [desktop apps | Windows Store apps]

Minimum supported server

Windows 2000 Server [desktop apps | Windows Store apps]



See also




Community Additions

© 2015 Microsoft