RtlGetUnloadEventTraceEx

#ifndef _NTRTL_H
// begin_msdn:"Winternl"
#if (PHNT_VERSION >= PHNT_VISTA)

NTSYSAPI
VOID
NTAPI
RtlGetUnloadEventTraceEx(
    _Out_ PULONG *ElementSize,
    _Out_ PULONG *ElementCount,
    _Out_ PVOID *EventTrace // works across all processes
    );

#endif
// end_msdn
#endif
View code on GitHub