microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Question: possible inconsistency between schema, schema_key and the MS doc #195

Open daladim opened 2 years ago

daladim commented 2 years ago

Hello. Reading the Microsoft documentation, krabsetw (and its Rust counterpart ferrisetw), I am puzzled about how to distinguish different schemas.

The doc says (emphasis mine):

For manifest-based ETW, the combination Provider.DecodeGuid + Event.Id + Event.Version should uniquely identify an event, i.e. all events with the same DecodeGuid, Id, and Version should have the same set of fields with no changes in field names, field types, or field ordering.

AFAICT, this would mean that a schema_key would only need to contain these 3 fields. However, struct schema_key also contains opcode and level. Is there a reason for it? Is it to support "non-manifest-based ETW"?

Besides, schema_key::operator== consistently compares these 5 fields. But schema::operator== only compares the 3 fields described in the documentation. I am not knowledgeable enough in ETW to tell whether this is an inconsistency, or whether that's fine.

Do you have any ideas on this matter?

(Note: I saw this potential inconsistency in ferrisetw, then I saw that it mirrored what you've written here, so I'm asking at the source of truth :smile: I hope I'll find my answers here)

swannman commented 1 year ago

Nice find @daladim! I think you are correct that opcode and level don't need to be part of the schema cache key, at least for manifest-based providers. I wonder whether we need to maintain these for TraceLogging events?