#ifndef _NTRTL_H

/**
 * The RtlGetUnloadEventTrace routine enables the dump code to get the unloaded module information from Ntdll.dll for storage in the minidump.
 *
 * \return A pointer to an array of unload events.
 * \sa https://learn.microsoft.com/en-us/windows/win32/devnotes/rtlgetunloadeventtrace
 */
NTSYSAPI
PRTL_UNLOAD_EVENT_TRACE
NTAPI
RtlGetUnloadEventTrace(
    VOID
    );

#endif
View code on GitHub

PRTL_UNLOAD_EVENT_TRACE RtlGetUnloadEventTrace(void);
View the official Win32 development documentation

NtDoc

This function is documented in Windows SDK.

Edit description on GitHub

Win32 development documentation (rtlgetunloadeventtrace)

RtlGetUnloadEventTrace function

[This function may be changed or removed from Windows without further notice.]

Enables the dump code to get the unloaded module information from Ntdll.dll for storage in the minidump.

Parameters

This function has no parameters.

Return value

This function returns a pointer to an array. For more information, see Remarks.

Remarks

The RtlpUnloadEventTrace array is defined as follows:

#define RTL_UNLOAD_EVENT_TRACE_NUMBER 64

typedef struct _RTL_UNLOAD_EVENT_TRACE {
    PVOID BaseAddress;   // Base address of dll
    SIZE_T SizeOfImage;  // Size of image
    ULONG Sequence;      // Sequence number for this event
    ULONG TimeDateStamp; // Time and date of image
    ULONG CheckSum;      // Image checksum
    WCHAR ImageName[32]; // Image name
} RTL_UNLOAD_EVENT_TRACE, *PRTL_UNLOAD_EVENT_TRACE;

RTL_UNLOAD_EVENT_TRACE RtlpUnloadEventTrace[RTL_UNLOAD_EVENT_TRACE_NUMBER];

This function has no associated header file. The associated import library, Ntdll.lib, is available in the Windows Driver Kit (WDK). You can also call this function using the LoadLibrary and GetProcAddress functions.

Requirements

Requirement	Value
DLL	Ntdll.dll

View the official Win32 development documentation

Edit description on GitHub