fltmgr.GLOBALS!PerfTraceRoutines

In windows 8 in fltmgr was introduced feature for filter operation Etw logging - structure WMI_FLTIO_NOTIFY_ROUTINES in GLOBALS:
 void  (TimeStampRoutine*)(struct _ETW_KERNEL_TRACE_TIMESTAMP*, unsigned long);
 void  (FailureNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short);
 void  (InitiationNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short);
 void  (CompletionNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*);

 void  (FastCompletionNotifyRoutine*)(void*, unsigned long, unsigned long, unsigned short, struct _ETW_KERNEL_TRACE_TIMESTAMP*);

in windows 10 new entry was added:
void  (IoRedirectionNotifyRoutine*)(struct _IRP*, struct _FILE_OBJECT*);

This structure initialized in DriverEntry - PerfTraceRoutines assigned address of GLOBALS.DummyPerfTraceRoutines and then called function WmiQueryTraceInformation with class FltIoNotifyRoutinesClass (where this structure filled with content of EtwpFltIoNotifyRoutines)
So patching this functions pointers you can have real-time info about operations in file filters (or perhaps disable Etw logging for them)

On freshly installed system only two pfns are initialized:

W32pServiceTable from windows 10 build 19577 64bit

W32pServiceLimit .eq. 0x5AD
Btw what does prefix NtModerncore mean?

PiPnpRtlCtx

since w8 Microsoft introduced for PnP devices management new structure with lots of function pointers - PiPnpRtlCtx

It`s called from lots of exported functions, but I think most comfortable for RE are IoOpenDeviceRegistryKey & IoOpenDeviceInterfaceRegistryKey. You can gather address of PiPnpRtlCtx with one pass of disassembling - it will be first loaded address in .data section after call to ExAcquireResourceExclusiveLite

This structure allocating and partially initializing in function PnpCtxOpenMachine. There are at least 3 version with different size:

• 0xac for 32 bit/0x158 for x64 - used in w8, w8.1 and in w10 up to est.build 14279
• 0xb0 for 32 bit/0x160 for x64 - used in w10 up to est. build 16299
• 0x10c for 32 bit/0x210 for x64 - used in w10 since est. build 17134

This struct has lots of pointer to functions (see also PiPnpRtlInit):