You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
229 lines
6.5 KiB
229 lines
6.5 KiB
|
|
|
|
|
|
|
|
// (c) 1998-1999 Microsoft Corporation. All rights reserved.
|
|
|
|
#pragma autorecover
|
|
#pragma classflags("forceupdate")
|
|
|
|
Qualifier Description : ToSubClass Amended;
|
|
Qualifier Values : ToSubClass Amended;
|
|
Qualifier DisplayName : Amended;
|
|
Qualifier BitValues:ToSubClass Amended ;
|
|
|
|
Qualifier Aggregate : ToSubClass ;
|
|
Qualifier ValueMap : ToSubClass ;
|
|
Qualifier Aggregation : ToSubClass ;
|
|
Qualifier ArrayType : ToSubClass ;
|
|
Qualifier Association : ToInstance ToSubClass DisableOverride ;
|
|
Qualifier BitMap : ToSubClass ;
|
|
Qualifier CIM_Key : ToSubClass ;
|
|
Qualifier CIMTYPE : ToSubClass ;
|
|
Qualifier Deprecated : ToSubClass ;
|
|
Qualifier Enumeration : ToSubClass ;
|
|
Qualifier EnumPrivileges : ToSubClass ;
|
|
Qualifier ImplementationSource : ToSubClass ;
|
|
Qualifier Key : ToInstance ToSubClass DisableOverride ;
|
|
Qualifier Locale : ToInstance ;
|
|
Qualifier MappingStrings : ToSubClass ;
|
|
Qualifier Max : ToSubClass ;
|
|
Qualifier MaxLen : ToSubClass ;
|
|
Qualifier Min : ToSubClass ;
|
|
Qualifier ModelCorrespondence : ToSubClass ;
|
|
Qualifier Not_Null : ToSubClass ;
|
|
Qualifier Override : Restricted ;
|
|
Qualifier Privileges : ToSubClass ;
|
|
Qualifier Propagated : ToSubClass ;
|
|
Qualifier provider : ToInstance ;
|
|
Qualifier Range : ToSubClass ;
|
|
Qualifier Read : ToSubClass ;
|
|
Qualifier Schema : ToInstance ;
|
|
Qualifier Singleton : ToSubClass ToInstance ;
|
|
Qualifier SUBTYPE : ToSubClass ;
|
|
Qualifier Units : ToSubClass ;
|
|
Qualifier UUID : ToInstance ;
|
|
Qualifier Volatile : ToSubClass ;
|
|
Qualifier Weak : ToSubClass ;
|
|
Qualifier Write : ToSubClass ;
|
|
Qualifier WritePrivileges : ToSubClass ;
|
|
|
|
|
|
#pragma namespace ("\\\\.\\Root\\CIMV2")
|
|
|
|
|
|
|
|
|
|
|
|
[Description(
|
|
"The SystemTrace class is the base class for all system trace events. "
|
|
"System trace events are fired by the kernel logger via the event "
|
|
"tracing API." ), Locale (0x409)]
|
|
class Win32_SystemTrace : __ExtrinsicEvent
|
|
{
|
|
|
|
};
|
|
|
|
|
|
[Description(
|
|
"This event is the base event for process events."), Locale (0x409)]
|
|
class Win32_ProcessTrace : Win32_SystemTrace
|
|
{
|
|
[read, Description(
|
|
"The ProcessID property identifies the process involved in the event.")]
|
|
uint32 ProcessID;
|
|
|
|
[read, Description(
|
|
"The ParentProcessID property identifies of the process that actually"
|
|
"caused the event to happen.")]
|
|
uint32 ParentProcessID;
|
|
|
|
[read, Description(
|
|
"The SessionID property identifies the session under which the process "
|
|
"exists.")]
|
|
uint32 SessionID;
|
|
|
|
[read, Description(
|
|
"The Sid property is the security identifier representing the user "
|
|
"context under which the event happened.")]
|
|
uint8 Sid[];
|
|
|
|
[read, Description(
|
|
"The ProcessName property contains the name of the process.")]
|
|
string ProcessName;
|
|
|
|
[read, Description(
|
|
"The PageDirectoryBase property identifies the process' page directory base.")]
|
|
uint64 PageDirectoryBase;
|
|
};
|
|
|
|
[Description(
|
|
"The ProcessStartTrace event class indicates a new process has started."),
|
|
Locale (0x409)]
|
|
class Win32_ProcessStartTrace : Win32_ProcessTrace
|
|
{
|
|
};
|
|
|
|
[Description(
|
|
"The ProcessStopTrace event class indicates a process has terminated."),
|
|
Locale (0x409)]
|
|
class Win32_ProcessStopTrace : Win32_ProcessTrace
|
|
{
|
|
[read, Description(
|
|
"The ExitStatus property contains the exit status of the stopped process ")]
|
|
uint32 ExitStatus;
|
|
};
|
|
|
|
[Description(
|
|
"The ThreadTrace event class is the base event for thread events."),
|
|
Locale (0x409)]
|
|
class Win32_ThreadTrace : Win32_SystemTrace
|
|
{
|
|
|
|
[read, Description(
|
|
"The ThreadID property contains the thread identifier of "
|
|
"the thread involved in the event.")]
|
|
uint32 ThreadID;
|
|
|
|
[read, Description(
|
|
"The ProcessID property contains the process identifier of "
|
|
"the process to which the thread belongs.")]
|
|
uint32 ProcessID;
|
|
};
|
|
|
|
[Description(
|
|
"The ThreadStartTrace event class indicates a new thread has started."),
|
|
Locale (0x409)]
|
|
class Win32_ThreadStartTrace : Win32_ThreadTrace
|
|
{
|
|
[read, Description(
|
|
"The StackBase property indicates the base address of the thread's stack.")]
|
|
uint64 StackBase;
|
|
|
|
[read, Description(
|
|
"The StackBase property indicates the limit of the thread's stack.")]
|
|
uint64 StackLimit;
|
|
|
|
[read, Description(
|
|
"The UserStackBase property indicates the base address of the thread's "
|
|
"user-mode stack.")]
|
|
uint64 UserStackBase;
|
|
|
|
[read, Description(
|
|
"The UserStackLimit property indicates the limit of the thread's "
|
|
"user-mode stack.")]
|
|
uint64 UserStackLimit;
|
|
|
|
uint64 StartAddr;
|
|
uint64 Win32StartAddr;
|
|
uint32 WaitMode;
|
|
};
|
|
|
|
[Description(
|
|
"The ThreadStopTrace event class indicates a thread has terminated."),
|
|
Locale (0x409)]
|
|
class Win32_ThreadStopTrace : Win32_ThreadTrace
|
|
{
|
|
};
|
|
|
|
[Description(
|
|
"The ModuleTrace event class is the base event for module events."),
|
|
Locale (0x409)]
|
|
class Win32_ModuleTrace : Win32_SystemTrace
|
|
{
|
|
};
|
|
|
|
[Description(
|
|
"The ModuleLoadTrace event class indicates a process has loaded a new module."),
|
|
Locale (0x409)]
|
|
class Win32_ModuleLoadTrace : Win32_ModuleTrace
|
|
{
|
|
[read, Description(
|
|
"The ImageBase property indicates the base address where the module "
|
|
"was loaded into process memory.")]
|
|
uint64 ImageBase;
|
|
|
|
[read, Description(
|
|
"The ImageSize property indicates the size in bytes of the loaded module.")]
|
|
uint32 ImageSize;
|
|
|
|
[read, Description(
|
|
"The ProcessID property indentifies the process that loaded the module.")]
|
|
uint32 ProcessID;
|
|
|
|
[read, Description(
|
|
"The FileName property indicates the filename of the loaded module.")]
|
|
string FileName;
|
|
};
|
|
|
|
instance of __Win32Provider as $KTP
|
|
{
|
|
Name = "WMI Kernel Trace Event Provider";
|
|
Clsid = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}";
|
|
HostingModel = "WmiCore";
|
|
};
|
|
|
|
instance of __EventProviderRegistration
|
|
{
|
|
Provider = $KTP;
|
|
EventQueryList =
|
|
{
|
|
/////////////////////////////////////////////////////////////////////
|
|
// Process queries
|
|
"select * from Win32_ProcessStartTrace",
|
|
"select * from Win32_ProcessStopTrace",
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
// Thread queries
|
|
"select * from Win32_ThreadStartTrace",
|
|
"select * from Win32_ThreadStopTrace",
|
|
|
|
|
|
/////////////////////////////////////////////////////////////////////
|
|
// Module queries
|
|
"select * from Win32_ModuleLoadTrace"
|
|
};
|
|
};
|
|
|
|
|