|
|
// (c) 1998-1999 Microsoft Corporation. All rights reserved.
#pragma autorecover#pragma classflags("forceupdate")
Qualifier Description : ToSubClass Amended;Qualifier Values : ToSubClass Amended;Qualifier DisplayName : Amended;Qualifier BitValues:ToSubClass Amended ;
Qualifier Aggregate : ToSubClass ;Qualifier ValueMap : ToSubClass ;Qualifier Aggregation : ToSubClass ; Qualifier ArrayType : ToSubClass ;Qualifier Association : ToInstance ToSubClass DisableOverride ; Qualifier BitMap : ToSubClass ;Qualifier CIM_Key : ToSubClass ;Qualifier CIMTYPE : ToSubClass ;Qualifier Deprecated : ToSubClass ;Qualifier Enumeration : ToSubClass ;Qualifier EnumPrivileges : ToSubClass ;Qualifier ImplementationSource : ToSubClass ;Qualifier Key : ToInstance ToSubClass DisableOverride ;Qualifier Locale : ToInstance ;Qualifier MappingStrings : ToSubClass ;Qualifier Max : ToSubClass ;Qualifier MaxLen : ToSubClass ;Qualifier Min : ToSubClass ;Qualifier ModelCorrespondence : ToSubClass ;Qualifier Not_Null : ToSubClass ;Qualifier Override : Restricted ;Qualifier Privileges : ToSubClass ; Qualifier Propagated : ToSubClass ;Qualifier provider : ToInstance ;Qualifier Range : ToSubClass ;Qualifier Read : ToSubClass ;Qualifier Schema : ToInstance ;Qualifier Singleton : ToSubClass ToInstance ;Qualifier SUBTYPE : ToSubClass ;Qualifier Units : ToSubClass ;Qualifier UUID : ToInstance ;Qualifier Volatile : ToSubClass ; Qualifier Weak : ToSubClass ;Qualifier Write : ToSubClass ;Qualifier WritePrivileges : ToSubClass ;
#pragma namespace ("\\\\.\\Root\\CIMV2")
[Description( "The SystemTrace class is the base class for all system trace events. " "System trace events are fired by the kernel logger via the event " "tracing API." ), Locale (0x409)]class Win32_SystemTrace : __ExtrinsicEvent { };
[Description( "This event is the base event for process events."), Locale (0x409)]class Win32_ProcessTrace : Win32_SystemTrace{ [read, Description( "The ProcessID property identifies the process involved in the event.")] uint32 ProcessID; [read, Description( "The ParentProcessID property identifies of the process that actually" "caused the event to happen.")] uint32 ParentProcessID; [read, Description( "The SessionID property identifies the session under which the process " "exists.")] uint32 SessionID; [read, Description( "The Sid property is the security identifier representing the user " "context under which the event happened.")] uint8 Sid[];
[read, Description( "The ProcessName property contains the name of the process.")] string ProcessName;
[read, Description( "The PageDirectoryBase property identifies the process' page directory base.")] uint64 PageDirectoryBase;};
[Description( "The ProcessStartTrace event class indicates a new process has started."), Locale (0x409)]class Win32_ProcessStartTrace : Win32_ProcessTrace{};
[Description( "The ProcessStopTrace event class indicates a process has terminated."), Locale (0x409)]class Win32_ProcessStopTrace : Win32_ProcessTrace{ [read, Description( "The ExitStatus property contains the exit status of the stopped process ")] uint32 ExitStatus;};
[Description( "The ThreadTrace event class is the base event for thread events."), Locale (0x409)]class Win32_ThreadTrace : Win32_SystemTrace{
[read, Description( "The ThreadID property contains the thread identifier of " "the thread involved in the event.")] uint32 ThreadID;
[read, Description( "The ProcessID property contains the process identifier of " "the process to which the thread belongs.")] uint32 ProcessID;};
[Description( "The ThreadStartTrace event class indicates a new thread has started."), Locale (0x409)]class Win32_ThreadStartTrace : Win32_ThreadTrace{ [read, Description( "The StackBase property indicates the base address of the thread's stack.")] uint64 StackBase;
[read, Description( "The StackBase property indicates the limit of the thread's stack.")] uint64 StackLimit;
[read, Description( "The UserStackBase property indicates the base address of the thread's " "user-mode stack.")] uint64 UserStackBase;
[read, Description( "The UserStackLimit property indicates the limit of the thread's " "user-mode stack.")] uint64 UserStackLimit;
uint64 StartAddr; uint64 Win32StartAddr; uint32 WaitMode;};
[Description( "The ThreadStopTrace event class indicates a thread has terminated."), Locale (0x409)]class Win32_ThreadStopTrace : Win32_ThreadTrace{};
[Description( "The ModuleTrace event class is the base event for module events."), Locale (0x409)]class Win32_ModuleTrace : Win32_SystemTrace{};
[Description( "The ModuleLoadTrace event class indicates a process has loaded a new module."), Locale (0x409)]class Win32_ModuleLoadTrace : Win32_ModuleTrace{ [read, Description( "The ImageBase property indicates the base address where the module " "was loaded into process memory.")] uint64 ImageBase;
[read, Description( "The ImageSize property indicates the size in bytes of the loaded module.")] uint32 ImageSize;
[read, Description( "The ProcessID property indentifies the process that loaded the module.")] uint32 ProcessID;
[read, Description( "The FileName property indicates the filename of the loaded module.")] string FileName;};
instance of __Win32Provider as $KTP{ Name = "WMI Kernel Trace Event Provider"; Clsid = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}"; HostingModel = "WmiCore";};
instance of __EventProviderRegistration{ Provider = $KTP; EventQueryList = { ///////////////////////////////////////////////////////////////////// // Process queries "select * from Win32_ProcessStartTrace", "select * from Win32_ProcessStopTrace",
///////////////////////////////////////////////////////////////////// // Thread queries "select * from Win32_ThreadStartTrace", "select * from Win32_ThreadStopTrace",
///////////////////////////////////////////////////////////////////// // Module queries "select * from Win32_ModuleLoadTrace" };};
|
