//****************************************** // Guid Definitions // 10/23/98 //****************************************** // The #type statement and the #typev statement may be used to convert // messages into user readable forms. // With #type all parameters are processed as strings and the default string // processing of FormTMessage is used // With #typev wherever possible parameters are processed as their native format // and the %x!x! style of FormatMessage should be used. // // Note Parameter %1 through %9 are predefined // Parameter is #typev // %1 GUID Friendly Name string // %2 GUID SubType Name string // %3 Thread ID ULONG_PTR // %4 System Time String // %5 Kernel Time or User Time String // %6 User Time or NULL String // %7 Sequence Number LONG // %8 Unused String // %9 CPU Number LONG // %10 and above are the user parameters // %255 Is reserved // // Note these parameters are always present, but may not be valid // depending on the source. // // User defined messages always start at message number 10 // Messages 0 through 9 are reserved for system use. // Message number 255 is reserved. // // Available formats for user arguments are - // //Name Description #typev Format //ItemChar CHAR //ItemUChar UCHAR //ItemCharShort USHORT //ItemCharSign SHORT //ItemShort Signed Short SHORT //ItemUShort Unsigned Short USHORT //ItemLong Signed Long, decoded as decimal LONG //ItemULong Unsigned Long, decoded as decimal ULONG //ItemULongX Unsigned Long, seen as hexadecimal ULONG //ItemLongLong Signed 64 Bit value LONGLONG //ItemULongLong Unsigned 64 Bit value ULONGLONG //ItemRString Reduced Ascii String String // (\t, \n, \r, \,, converted to space, trailing sp removed) //ItemWString Unicode String, null terminated String //ItemPString Counted Ascii String String //ItemPWString Counted Unicode String String //ItemMLString Multi-Line Ascii String String //ItemSid Security identifier String //ItemChar4 CHAR4 //ItemIPAddr IP Address String (If needed raw, use ItemUlong) // (string of form xxx.xxx.xxx.xxx) //ItemPort String (If needed raw use ItemUshort) //ItemNWString Non-null terminated Wide Char String String //ItemListByte (element1,element2,....) String // byte index into a list of strings //ItemListShort(element1,element2,....) String // short index into a list of strings //ItemListLong (element1,element2,....) String // Long index into a list of strings //ItemGUID Normal GUID format String //ItemNTerror Translates a ULONG error code to the String // NT Error Text //ItemNTSTATUS Converts NTSTATUS to symbolic name String //ItemWINERROR Converts WINERROR to symbolic name String //ItemNETEVENT Converts NETEVENT to symbolic name String //ItemMerror module.ext String // Translates a ULONG error code using the // module specified. //ItemTimeStamp Treats a LONGLONG as a timestamp String //ItemUnknown String ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp #type Start 1 "TraceDp TID=0x%3 Start" #type End 2 "TraceDp TID=0x%3End" 2cb15d1d-5fc1-11d2-abe1-00a0c911f518 ImageLoad #typev Load 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>ImageLoad of %12!s! (Base=0x%10!X!,size=0x%11!X!)" { Base Address, ItemULongX Module Size, ItemULongX Image Filename, ItemWString } 3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c Process #typev Start 1 "%10!08X!.%3!08X!::%4!s! [%1!s!] <*>Process %13!s! Started for %12" #typev End 2 "%10!08X!.%3!08X!::%4!s! [%1!s!] <*>Process %13!s!(PID=%10!5d!) Completed" #typev DCStart 3 "%10!08X!.%3!08X!::%4!s! [%1!s!DC] <*>Process Data Collection Started of %13!s! for %12!s!" #typev DCEnd 4 "%10!08X!.%3!08X!::%4!s! [%1!s!DC] <*>Process Data Colection Ended for %13!s!" #typev Load 5 "%10!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>Load of %13!s![%12!s! - %11!d!] { Process Id, ItemULongX Parent Id, ItemULongX User SID, ItemSid Image Filename, ItemString } 3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c Thread #typev Start 1 "%11!08X!.%10!08X!::%4!s! [%1!s!] <%9!d!>Started" #typev End 2 "%11!08X!.%10!08X!::%4!s! [%1!s!] <%9!d!>Ended" #typev DCStart 3 "%11!08X!.%10!08X!::%4!s! [%1!s!DC] <%9!d!>Data Collection Started " #typev DCEnd 4 "%11!08X!.%10!08X!::%4!s! [%1!s!DC] <%9!d!>Data Collection Ended" { Thread Id, ItemULongX Process Id, ItemULong } 3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c PageFault #typev TransitionFault 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Transition VA=0x%10!08X!, PC=0x%11!08X!" #typev DemandZeroFault 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault DemandZero VA=0x%10!08X!, PC=0x%11!08X!" #typev CopyOnWrite 12 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault CopyOnWrite VA=0x%10!08X!, PC=0x%11!08X!" #typev GlobalPageFault 13 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault GuardPageFault VA=0x%10!08X!, PC=0x%11!08X!" #typev Hard 14 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Hard VA=0x%10!08X!, PC=0x%11!08X!, in %12!016X!" #typev Notification 15 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Notification VA=0x%10!08X!, PC=0x%11!08X!, in %12!016X!" { Virtual Address,ItemULongX Program Counter,ItemUlongX Byte Offset, ItemLongLong File Object, ItemUlongX Byte Count, ItemUlong HotFile Name, ItemNWString } 3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo #typev Read 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Disk %10!2d! Read of %12!5d! bytes (FileObj=0x%15!08X!)" #typev Write 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Disk %10!2d! Write of %12!5d! bytes (FileObj=0x%15!08X!)" { Disk Number, ItemULong Irp Flags, ItemULongX Transfer Size, ItemULong QueueDepth, ItemULong Byte Offset, ItemLongLong File Object, ItemULongX } AE53722E-C863-11d2-8659-00C04FA321A1 Registry #typev Create 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Create of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev Open 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Open of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev Delete 12 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Delete of Handle = 0x%11!08X! Status = %10!0X!" #typev Query 13 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Query Handle = 0x%11!08X! Status = %10!0X!" #typev SetValue 14 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>SetValue of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev DeleteValue 15 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>DeleteValue of %13!s! Handle = 0x%11!08X! Status = %10!0X! (TID =%3!0X!)" #typev QueryValue 16 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>QueryValue Handle = 0x%11!08X! Status = %10!0X!" #typev EnumerateKey 17 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>EnumerateKey of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev EnumerateValueKey 18 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>EnumerateValueKey of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev QueryMultipleValue 19 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>QueryMultiple of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev SetInformation 20 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>SetInformation of %13!s! Handle = 0x%11!08X! Status = %10!0X!" #typev Flush 21 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Flush of %13!s! Handle = 0x%11!08X! Status = %10!0X!" { Status,ItemUlongX Key Handle, ItemULongX Elapsed Time, ItemLongLong KeyName, ItemWString } 90cbdc39-4a3e-11d1-84f4-0000f80464e3 FileIo #typev All 0 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Filio for %11 (FileObj=0x%10!X!)" { File Object, ItemULongX File Name, ItemWString } 9a280ac0-c8e0-11d1-84e2-00c04fb998a2 TcpIp #typev Send 10 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Send to %10!13s!:%12!05d! from %11!13s!:%13!05d! of %14!5d! bytes" { saddr, ItemIPAddr daddr, ItemIPAddr sport, ItemUShort dport, ItemUShort size, ItemULong PID, ItemULongX } #typev Recv 11 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Receive from %10!13s!:%12!05d! to %11!13s!:%13!05d! of %14!5d! bytes" { saddr, ItemIPAddr daddr, ItemIPAddr sport, ItemUShort dport, ItemUShort size, ItemULong PID, ItemULongX } #typev Connect 12 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Connect to %10:%12!05D! from %11:%13!05D!" #typev Disconnect 13 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Discon From %10:%12!05D! to %11:%13!05D!" { saddr, ItemIPAddr daddr, ItemIPAddr sport, ItemUShort dport, ItemUShort size, ItemULong PID, ItemULongX } bf3a50c5-a9c9-4988-a005-2df0b7c80f80 UdpIp #typev Send 10 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>UDP Send to %11!13s!:%12!05d! from %14!13s!:%15!05d! of %13!5d! bytes (Context= %10!08X!)" #typev Recv 11 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>UDP Receive from %11!13s!:%12!05d! to %14!13s!:%15!05d! of %13!5d! bytes (Context= %10!08X!)" { context, ItemULongX /10 destaddr, ItemIPAddr /11 destport, ItemUShort /12 Bufrsize, ItemUShort /13 srcdaddr, ItemIPAddr /14 srcport, ItemUShort /15 sentsize, ItemUShort /16 } //****************************************** // Test Events // d58c126f-b309-11d1-969e-0000f875a5bc //****************************************** ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp #type Start 1 #type End 2 { UserData, ItemULong } //****************************************** // Test Events // 1bd67283-57cc-11d2-9a03-00c04f72c722 //****************************************** 1bd67283-57cc-11d2-9a03-00c04f72c722 TranProv #type Start 1 #type End 2 { UserData, ItemULong } //****************************************** // DS Events // 1c83b2fc-c04f-11d1-8afc-00c04fc21914 //****************************************** 5b7eb15d-7441-11d2-b711-00c04fb998a2 DsKccGuid #type Start 1 #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Null1, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd000-daeb-11d1-be80-00c04fadfff5 DsDirSearch #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong Caller, ItemDSString Choice, ItemDSString ObjDN, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd001-daeb-11d1-be80-00c04fadfff5 DsDirAddEntry #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong Caller, ItemDSString ObjDn, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd002-daeb-11d1-be80-00c04fadfff5 DsDirMod #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong Caller, ItemDSString ObjDn, ItemDSString Null3, ItemDSString Null4, ItemMLString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemMLString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd005-daeb-11d1-be80-00c04fadfff5 DsDirModDN #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Caller, ItemDSString ObjDn, ItemDSString NewParentDn, ItemDSString NewName, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd003-daeb-11d1-be80-00c04fadfff5 DsDirDel #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong Caller, ItemDSString ObjDn, ItemDSString Null3, ItemDSString Null4, ItemMLString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemMLString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd004-daeb-11d1-be80-00c04fadfff5 DsDirCompare #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong Caller, ItemDSString AssertType, ItemDSString ObjDn, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd006-daeb-11d1-be80-00c04fadfff5 DsDirGtNcChg #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong UuidDest, ItemDSString NcDn, ItemDSString UsnVecFrom, ItemDSString flags, ItemDSString RetCrit, ItemDSString ExtOp, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NumObj, ItemDSString NumBytes, ItemDSString UsnVecTo, ItemDSString ExtRet, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd007-daeb-11d1-be80-00c04fadfff5 DsDirReplSync #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong NcDn, ItemDSString DsaOrUuid, ItemDSString Options, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId, ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd008-daeb-11d1-be80-00c04fadfff5 DsDirFind #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Caller, ItemDSString AttId, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 05acd009-daeb-11d1-be80-00c04fadfff5 DsLdapBind #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Null1, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa22-7f4b-11d2-b389-0000f87a46c8 DsKccTask #type Start 1 #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Null1, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa23-7f4b-11d2-b389-0000f87a46c8 DsDrsReplSync #type Start 1 Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ObjDN, ItemDSString DraSrc, ItemDSString UuidSrc, ItemDSString Options, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa24-7f4b-11d2-b389-0000f87a46c8 DsDrsReplGtChg #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong UuidDest, ItemDSString NcDn, ItemDSString UsnFromHighObj, ItemDSString UsnFromHighProp, ItemDSString Flags, ItemDSString MaxObj, ItemDSString MaxBytes, ItemDSString ExtOp, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong UsnToHighObj, ItemDSString UsnToHighProp, ItemDSString NumObj, ItemDSString NumByte, ItemDSString ExtRet, ItemDSString ErrCode, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa25-7f4b-11d2-b389-0000f87a46c8 DsDrsUpdtRefs #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NcDn, ItemDSString DsaDest, ItemDSString UuidDest, ItemDSString Options, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa26-7f4b-11d2-b389-0000f87a46c8 DsDrsReplAdd #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NcDn, ItemDSString SrcDsaDn, ItemDSString TransDn, ItemDSString DsaSrc, ItemDSString Options, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa27-7f4b-11d2-b389-0000f87a46c8 DsDrsReplMod #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NcDn, ItemDSString UuidSrc, ItemDSString SrcDra, ItemDSString RepFlags, ItemDSString ModFields, ItemDSString Options, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa28-7f4b-11d2-b389-0000f87a46c8 DsDrsReplDel #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NcDn, ItemDSString DsaSrc, ItemDSString Options, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa29-7f4b-11d2-b389-0000f87a46c8 DsDrsVrfyNames #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong cNames, ItemDSString Flags, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2a-7f4b-11d2-b389-0000f87a46c8 DsDrsIntDmMv #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong SrcDsaDn, ItemDSString SrcObjDn, ItemDSString DstNameDn, ItemDSString TargetNcDn, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2b-7f4b-11d2-b389-0000f87a46c8 DsDrsAddEntry #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong cObj, ItemDSString NameDn, ItemDSString NextNameDn, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong cObjAdded, ItemDSString ErrCode, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2c-7f4b-11d2-b389-0000f87a46c8 DsDrsExecKcc #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong TaskId, ItemDSString Flags, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2d-7f4b-11d2-b389-0000f87a46c8 DsDrsGtReplInfo #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong InfoType, ItemDSString ObjDn, ItemDSString UuidSrc, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2e-7f4b-11d2-b389-0000f87a46c8 DsDrsGtNT4ChgLg #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong flags, ItemDSString maxLen, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong NtStatus, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa2f-7f4b-11d2-b389-0000f87a46c8 DsDrsCrackNames #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong cNames, ItemDSString CodePage, ItemDSString LocaleId, ItemDSString FmtOffered, ItemDSString FmtDesired, ItemDSString Flags, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa30-7f4b-11d2-b389-0000f87a46c8 DsDrsWrtSPN #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Account, ItemDSString Op, ItemDSString cSpn, ItemDSString Flags, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa31-7f4b-11d2-b389-0000f87a46c8 DsDrsDCInfo #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Domain, ItemDSString InfoLevel, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 14f8aa32-7f4b-11d2-b389-0000f87a46c8 DsDrsGtMbrshps #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong cDsNames, ItemDSString OpType, ItemDSString LimitDomDn, ItemDSString Flags, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong ErrCode, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } 5b7eb154-7441-11d2-b711-00c04fb998a2 LdapAtqGuid #type Start 1 #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong } b9d4702a-6a98-11d2-b710-00c04fb998a2 LdapRequest #type Start 1 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Choice, ItemDSString Null2, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } #type End 2 { Signature, ItemCharSign Version, ItemCharShort Inserts, ItemCharShort messageId, ItemULong BindId,ItemULong Id, ItemDSString ErrCode, ItemDSString Null3, ItemDSString Null4, ItemDSString Null5, ItemDSString Null6, ItemDSString Null7, ItemDSString Null8, ItemDSString } //****************************************** // KDC Events // 24db8964-e6bc-11d1-916a-0000f8045b04 //****************************************** 50af5304-e6bc-11d1-916a-0000f8045b04 GetASTicket #type Start 1 { KdcOption, ItemULongX } #type End 2 { KerbErr, ItemULongX Client, ItemPWString Server, ItemPWString RequestRealm, ItemPWString } c11cf384-e6bd-11d1-916a-0000f8045b04 TGSRequest #type Start 1 { KdcOption, ItemULongX } #type End 2 { KerbErr, ItemULongX Client, ItemPWString ServerAcct, ItemPWString ClientRealm, ItemPWString } //****************************************** // SAM Events // 8e598056-8993-11d2-819e-0000f875a064 //****************************************** 39511dbe-899b-11d2-819e-0000f875a064 SamUserCreate #type Start 1 #type End 2 abb14b68-899b-11d2-819e-0000f875a064 SamCompCreate #type Start 1 #type End 2 c8eb5e5c-899c-11d2-819e-0000f875a064 SamGrpCreate #type Start 1 #type End 2 f9d2ba6a-899c-11d2-819e-0000f875a064 SamAddMemGrp #type Start 1 #type End 2 250959aa-899d-11d2-819e-0000f875a064 SamDelMemGrp #type Start 1 #type End 2 45fc997e-899d-11d2-819e-0000f875a064 SamPwdChng #type Start 1 #type End 2 62bef71e-899d-11d2-819e-0000f875a064 SamUserPwdSet #type Start 1 #type End 2 880217b8-899d-11d2-819e-0000f875a064 SamCompPwdSet #type Start 1 #type End 2 1f228de8-8a6c-11d2-819e-0000f875a064 SamPwdPushPdc #type Start 1 #type End 2 a41d90bc-899d-11d2-819e-0000f875a064 SamIdByName #type Start 1 #type End 2 25059476-899f-11d2-819e-0000f875a064 SamNameById #type Start 1 #type End 2 //****************************************** // LSA Events // cc85922f-db41-11d2-9244-006008269001 MSLSATrace //****************************************** cc85922e-db41-11d2-9244-006008269001 QuerySecret #type Start 1 #type End 2 2306fe3b-dbf6-11d2-9244-006008269001 Close #type Start 1 #type End 2 2306fe3a-dbf6-11d2-9244-006008269001 OpenPolicy #type Start 1 #type End 2 2306fe39-dbf6-11d2-9244-006008269001 QueryInformationPolicy #type Start 1 #type End 2 2306fe38-dbf6-11d2-9244-006008269001 SetInformationPolicy #type Start 1 #type End 2 2306fe37-dbf6-11d2-9244-006008269001 EnumerateTrustedDomains #type Start 1 #type End 2 2306fe36-dbf6-11d2-9244-006008269001 LookupNames #type Start 1 #type End 2 2306fe35-dbf6-11d2-9244-006008269001 LookupSids #type Start 1 #type End 2 2306fe34-dbf6-11d2-9244-006008269001 OpenTrustedDomain #type Start 1 #type End 2 2306fe33-dbf6-11d2-9244-006008269001 QueryInfoTrustedDomain #type Start 1 #type End 2 2306fe32-dbf6-11d2-9244-006008269001 SetInformationTrustedDomain #type Start 1 #type End 2 2306fe31-dbf6-11d2-9244-006008269001 QueryInformationPolicy2 #type Start 1 #type End 2 2306fe30-dbf6-11d2-9244-006008269001 SetInformationPolicy2 #type Start 1 #type End 2 2306fe2f-dbf6-11d2-9244-006008269001 QueryTrustedDomainInfoByName #type Start 1 #type End 2 2306fe2e-dbf6-11d2-9244-006008269001 SetTrustedDomainInfoByName #type Start 1 #type End 2 2306fe2d-dbf6-11d2-9244-006008269001 EnumerateTrustedDomainsEx #type Start 1 #type End 2 2306fe2c-dbf6-11d2-9244-006008269001 CreateTrustedDomainEx #type Start 1 #type End 2 2306fe2b-dbf6-11d2-9244-006008269001 QueryDomainInformationPolicy #type Start 1 #type End 2 2306fe2a-dbf6-11d2-9244-006008269001 SetDomainInformationPolicy #type Start 1 #type End 2 2306fe29-dbf6-11d2-9244-006008269001 OpenTrustedDomainByName #type Start 1 #type End 2 // Netdevice f404cdf8-6926-11d2-a059-00a0c95b7f08 NetDevice #typev Normal 10 "%11!2d!, %4: %12!s!" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 Message, ItemString // 12 } #type BytesIndicated 11 "%11, %4: NDBothHandleReceiveIndication (%15): Conn[%12], Indicated %13, Available %14" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 ConnIdx, ItemUShort // 12 Indicated, ItemULong // 13 Available, ItemULong // 14 Message, ItemString // 15 } #type BuildReceiveIrpEnter 20 "%11, %4: NDBothBuildReceiveIrp: Entry" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type BuildReceiveIrpInfo 23 "%11, %4: NDBothBuildReceiveIrp as %13: Conn[%12], Phase = %14" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 ConnIdx, ItemUShort // 12 DriverType,ItemString // 13 ConnPhase, ItemString // 14 } #type BuildReceiveIrpCounts 26 "%11, %4: NDBothBuildReceiveIrp as %17: Bytes for Sec %12, Buf %13, Hdr %14, Rcb In = %15, Out = %16" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 SecBytes,ItemULong // 12 BufBytes,ItemULong // 13 HdrBytes,ItemULong // 14 RcbInIdx,ItemUShort // 15 RcbOutIdx,ItemUShort // 16 DriverType,ItemString // 17 } #type BuildReceiveIrpExit 29 "%11, %4: NDBothBuildReceiveIrp: Exit" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type ProcessIncomingBufferEntry 120 "%11, %4: NDBothProcessIncomingBuffer: Entry" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type ProcessIncomingBufferIgnore 126 "%11, %4: NDBothProcessIncomingBuffer: Ignoring Message" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type ProcessIncomingBufferExit 129 "%11, %4: NDBothProcessIncomingBuffer: Exit" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type ProcessNewHeaderEnter 130 "%11, %4: NDBothProcessNewHeader: Entry" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } #type ProcessNewHeaderAnnounce 132 "%11, %4: NDBothProcessNewHeader as %16 for RCB[%12] on Conn[%15] is Rqst Id 0x%13_%14" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 RCB Idx, ItemUShort // 12 Rqst IdH,ItemULongX // 13 Rqst IdL,ItemULongX // 14 Conn Idx,ItemUShort // 15 DriverType,ItemString // 16 } #type ProcessNewHeaderExit 148 "%11, %4: NDBothProcessNewHeader: Exit" { Ordinal, ItemULongX // 10 CPU Num, ItemUShort // 11 } 5eb2d7d2-c2af-11d2-afc3-00c04f8ef2f7 Sample #typev Ascii 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!> Type: %2, Seq: %10!d! Str1: %11!s!" //#typev Ascii 0 "0,%3!08X!,%4!s!,%1!s!,%9!d!,%2,%10!d!,%11!s!" { Sequence, ItemUlong // 10 AsciiStr, ItemString // 11 } //#typev Wchar 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!> Type: %2!s!, Seq: %10!d! Str1: %11!s!" //#typev Wchar 11 "0,%3!08X!,%4!s!,%1!s!,%9!d!,%2,%10!d!,%11!s!" //{ // Sequence,ItemUlong // 10 // UnicodeStr, ItemWString // 11 //}