//********************************************* //*** MSV1_0 SSP: MSV1_0 //********************************************* #pragma classflags("forceupdate") #pragma namespace ("\\\\.\\Root\\WMI") [Dynamic, Description("NTLM Security Protocol") : amended, Guid("{C92CF544-91B3-4dc0-8E11-C580339A0BF8}"), locale("MS\\0x409")] class MSV1_0Trace:EventTrace { }; [Dynamic, Description("NTLM Server Accept") : amended, Guid("{94d4c9eb-0d01-41ae-99e8-15b26b593a83}"), DisplayName("NtlmServerAccept"), locale("MS\\0x409") ] class NtlmServerAccept:MSV1_0Trace { }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmServerAccept_Start:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmServerAccept_End:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Status") : amended, read] uint32 Status; }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(0), EventTypeName("Info"), locale("MS\\0x409") ] class NtlmServerAccept_Info:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Flags") : amended, read] uint32 Flags; [WmiDataId(5), Description("Client User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(6), Description("Client Domain Name") : amended, StringTermination("Counted"), format("w"), read] string DomainName; [WmiDataId(7), Description("Client Workstation") : amended, StringTermination("Counted"), format("w"), read] string Workstation; }; [Dynamic, Description("NTLM Client Initialize") : amended, Guid("{6df28b22-73be-45cc-ba80-8b332b35a21d}"), DisplayName("NtlmClientInitialize"), locale("MS\\0x409") ] class NtlmClientInitialize:MSV1_0Trace { }; [Dynamic, Description("NTLM Client Initialize") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmClientInitialize_Start:NtlmClientInitialize { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; }; [Dynamic, Description("NTLM Client Initialize") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmClientInitialize_End:NtlmClientInitialize { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Status") : amended, read] uint32 Status; }; [Dynamic, Description("NTLM Logon User") : amended, Guid("{19196b33-a302-4c12-9d5a-eac149e93c46}"), DisplayName("NtlmLogonUser"), locale("MS\\0x409") ] class NtlmLogonUser:MSV1_0Trace { }; [Dynamic, Description("NTLM Logon User") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmLogonUser_Start:NtlmLogonUser { }; [Dynamic, Description("NTLM Logon User") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmLogonUser_End:NtlmLogonUser { [WmiDataId(1), Description("Status") : amended, read] uint32 Status; [WmiDataId(2), Description("Logon Type") : amended, read] uint32 LogonType; [WmiDataId(3), Description("User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(4), Description("Domain Name") : amended, StringTermination("Counted"), format("w"), read] string DomainName; }; [Dynamic, Description("NTLM Validate Credentials") : amended, Guid("{34d84181-c28a-41d8-bb9e-995190df83df}"), DisplayName("NtlmValidateUser"), locale("MS\\0x409") ] class NtlmValidateUser:MSV1_0Trace { }; [Dynamic, Description("NTLM Validate Credentials") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmValidateUser_Start:NtlmValidateUser { }; [Dynamic, Description("NTLM Validate Credentials") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmValidateUser_End:NtlmValidateUser { [WmiDataId(1), Description("Success Bitmask") : amended, read] uint32 Success; [WmiDataId(2), Description("Logon Server") : amended, StringTermination("Counted"), format("w"), read] string LogonServer; [WmiDataId(3), Description("Domain Name") : amended, StringTermination("Counted"), format("w"), read] string LogonDomain; [WmiDataId(4), Description("User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(5), Description("Logon Workstation") : amended, StringTermination("Counted"), format("w"), read] string Workstation; };