EtwWriteTransfer

Hello.

Quick question: is EtwWriteTransfer, or any other API that participates in sending data through ETW in kernel mode, copying the data passed to it so that it can be used at the proper moment, or is that on the caller's side?
My guess is that the data should be copied, as ETW is async and it would therefore not be possible to hold such buffers on the caller's side, but I just need to confirm it.

Thanks.

Looking at the signature of EtwWriteTransfer

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-etwwritetransfer

there is no possible way that the API could signal the caller that it is finished with the parameters if it does not completely consume them synchronously. And the documentation of EVENT_DATA_DESCRIPTOR explicitly lists a maximum size

https://docs.microsoft.com/en-us/windows/win32/api/evntprov/ns-evntprov-event_data_descriptor

so it seems highly unlikely that the pointers are used in any way after the call completes. You could disassemble the function to be sure, but I expect that it essentially does a memcpy and returns.