// (c) 1998-1999 Microsoft Corporation. All rights reserved. #pragma autorecover #pragma classflags("forceupdate") Qualifier Description : ToSubClass Amended; Qualifier Values : ToSubClass Amended; Qualifier DisplayName : Amended; Qualifier BitValues:ToSubClass Amended ; Qualifier Aggregate : ToSubClass ; Qualifier ValueMap : ToSubClass ; Qualifier Aggregation : ToSubClass ; Qualifier ArrayType : ToSubClass ; Qualifier Association : ToInstance ToSubClass DisableOverride ; Qualifier BitMap : ToSubClass ; Qualifier CIM_Key : ToSubClass ; Qualifier CIMTYPE : ToSubClass ; Qualifier Deprecated : ToSubClass ; Qualifier Enumeration : ToSubClass ; Qualifier EnumPrivileges : ToSubClass ; Qualifier ImplementationSource : ToSubClass ; Qualifier Key : ToInstance ToSubClass DisableOverride ; Qualifier Locale : ToInstance ; Qualifier MappingStrings : ToSubClass ; Qualifier Max : ToSubClass ; Qualifier MaxLen : ToSubClass ; Qualifier Min : ToSubClass ; Qualifier ModelCorrespondence : ToSubClass ; Qualifier Not_Null : ToSubClass ; Qualifier Override : Restricted ; Qualifier Privileges : ToSubClass ; Qualifier Propagated : ToSubClass ; Qualifier provider : ToInstance ; Qualifier Range : ToSubClass ; Qualifier Read : ToSubClass ; Qualifier Schema : ToInstance ; Qualifier Singleton : ToSubClass ToInstance ; Qualifier SUBTYPE : ToSubClass ; Qualifier Units : ToSubClass ; Qualifier UUID : ToInstance ; Qualifier Volatile : ToSubClass ; Qualifier Weak : ToSubClass ; Qualifier Write : ToSubClass ; Qualifier WritePrivileges : ToSubClass ; #pragma namespace ("\\\\.\\Root\\CIMV2") [Description( "The SystemTrace class is the base class for all system trace events. " "System trace events are fired by the kernel logger via the event " "tracing API." ), Locale (0x409)] class Win32_SystemTrace : __ExtrinsicEvent { }; [Description( "This event is the base event for process events."), Locale (0x409)] class Win32_ProcessTrace : Win32_SystemTrace { [read, Description( "The ProcessID property identifies the process involved in the event.")] uint32 ProcessID; [read, Description( "The ParentProcessID property identifies of the process that actually" "caused the event to happen.")] uint32 ParentProcessID; [read, Description( "The SessionID property identifies the session under which the process " "exists.")] uint32 SessionID; [read, Description( "The Sid property is the security identifier representing the user " "context under which the event happened.")] uint8 Sid[]; [read, Description( "The ProcessName property contains the name of the process.")] string ProcessName; [read, Description( "The PageDirectoryBase property identifies the process' page directory base.")] uint64 PageDirectoryBase; }; [Description( "The ProcessStartTrace event class indicates a new process has started."), Locale (0x409)] class Win32_ProcessStartTrace : Win32_ProcessTrace { }; [Description( "The ProcessStopTrace event class indicates a process has terminated."), Locale (0x409)] class Win32_ProcessStopTrace : Win32_ProcessTrace { [read, Description( "The ExitStatus property contains the exit status of the stopped process ")] uint32 ExitStatus; }; [Description( "The ThreadTrace event class is the base event for thread events."), Locale (0x409)] class Win32_ThreadTrace : Win32_SystemTrace { [read, Description( "The ThreadID property contains the thread identifier of " "the thread involved in the event.")] uint32 ThreadID; [read, Description( "The ProcessID property contains the process identifier of " "the process to which the thread belongs.")] uint32 ProcessID; }; [Description( "The ThreadStartTrace event class indicates a new thread has started."), Locale (0x409)] class Win32_ThreadStartTrace : Win32_ThreadTrace { [read, Description( "The StackBase property indicates the base address of the thread's stack.")] uint64 StackBase; [read, Description( "The StackBase property indicates the limit of the thread's stack.")] uint64 StackLimit; [read, Description( "The UserStackBase property indicates the base address of the thread's " "user-mode stack.")] uint64 UserStackBase; [read, Description( "The UserStackLimit property indicates the limit of the thread's " "user-mode stack.")] uint64 UserStackLimit; uint64 StartAddr; uint64 Win32StartAddr; uint32 WaitMode; }; [Description( "The ThreadStopTrace event class indicates a thread has terminated."), Locale (0x409)] class Win32_ThreadStopTrace : Win32_ThreadTrace { }; [Description( "The ModuleTrace event class is the base event for module events."), Locale (0x409)] class Win32_ModuleTrace : Win32_SystemTrace { }; [Description( "The ModuleLoadTrace event class indicates a process has loaded a new module."), Locale (0x409)] class Win32_ModuleLoadTrace : Win32_ModuleTrace { [read, Description( "The ImageBase property indicates the base address where the module " "was loaded into process memory.")] uint64 ImageBase; [read, Description( "The ImageSize property indicates the size in bytes of the loaded module.")] uint32 ImageSize; [read, Description( "The ProcessID property indentifies the process that loaded the module.")] uint32 ProcessID; [read, Description( "The FileName property indicates the filename of the loaded module.")] string FileName; }; instance of __Win32Provider as $KTP { Name = "WMI Kernel Trace Event Provider"; Clsid = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}"; HostingModel = "WmiCore"; }; instance of __EventProviderRegistration { Provider = $KTP; EventQueryList = { ///////////////////////////////////////////////////////////////////// // Process queries "select * from Win32_ProcessStartTrace", "select * from Win32_ProcessStopTrace", ///////////////////////////////////////////////////////////////////// // Thread queries "select * from Win32_ThreadStartTrace", "select * from Win32_ThreadStopTrace", ///////////////////////////////////////////////////////////////////// // Module queries "select * from Win32_ModuleLoadTrace" }; };