You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4829 lines
106 KiB
4829 lines
106 KiB
// Copyright (c) 1997-2001 Microsoft Corporation
// Event Trace Session
// Event Definitions
// Syntax:
// Guid EventName
// #version value
// #level value
// #type name1 value1
// {
// MofFields
// }
// #type name2 value2
// {
// MofFields
// }
// Kernel Events
68fdd900-4a3e-11d1-84f4-0000f80464e3 EventTrace
#type Header 0
BufferSize, ItemULong
Version, ItemULong
BuildNumber, ItemULong
NumProc, ItemULong
EndTime, ItemULongLong
MaxFileSize, ItemULong
LogFileMode, ItemULongX
BuffersWritten, ItemULong
StartBuffers, ItemULong
PointerSize, ItemULong
EventsLost, ItemULong
CPUSpeed, ItemULong
LoggerName, ItemPtr
LogFileName, ItemPtr
TimeZone, ItemCharHidden[176]
BootTime, ItemULongLong
PerfFrequency, ItemULongLong
StartTime, ItemULongLong
ReservedFlags, ItemULongX
BuffersLost, ItemULong
3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c Process
#version 0
#type Start 1
#type End 2
#type DCStart 3
#type DCEnd 4
ProcessId, ItemPtr
ParentId, ItemPtr
UserSID, ItemSid
ImageFileName, ItemString
#version 1
#type Start 1
#type End 2
#type DCStart 3
#type DCEnd 4
PageDirectoryBase, ItemPtr
ProcessId, ItemULongX
ParentId, ItemULongX
SessionId, ItemULong
ExitStatus, ItemULong
UserSID, ItemSid
ImageFileName, ItemString
3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c Thread
#version 0
#type Start 1
#type End 2
#type DCStart 3
#type DCEnd 4
TThreadId, ItemULongX
ProcessId, ItemULongX
#version 1
#type Start 1
#type DCStart 3
ProcessId, ItemULongX
TThreadId, ItemULongX
StackBase, ItemPtr
StackLimit, ItemPtr
UserStackBase, ItemPtr
UserStackLimit, ItemPtr
StartAddr, ItemPtr
Win32StartAddr, ItemPtr
WaitMode, ItemChar
#version 1
#type End 2
#type DCEnd 4
ProcessId, ItemULongX
TThreadId, ItemULongX
#version 1
#type CSwitch 36
NewThreadId, ItemULongX
OldThreadId, ItemULongX
NewThreadPriority, ItemCharShort
OldThreadPriority, ItemCharShort
NewThreadQuantum, ItemCharShort
OldThreadQuantum, ItemCharShort
OldThreadWaitReason, ItemCharShort
OldThreadWaitMode, ItemCharShort
OldThreadState, ItemCharShort
OldThreadWaitIdealProcessor, ItemCharShort
NewThreadWaitTime, ItemULongX
3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo
#type Read 10
#type Write 11
DiskNumber, ItemULong
IrpFlags, ItemULongX
TransferSize, ItemULong
ResponseTime, ItemULong
ByteOffset, ItemULongLong
FileObject, ItemPtr
HighResResponseTime, ItemULongLong
AE53722E-C863-11d2-8659-00C04FA321A1 Registry
#version 0
#type Create 10
#type Open 11
#type Delete 12
#type Query 13
#type SetValue 14
#type DeleteValue 15
#type QueryValue 16
#type EnumerateKey 17
#type EnumerateValueKey 18
#type QueryMultipleValue 19
#type SetInformation 20
#type Flush 21
KeyHandle, ItemPtr
ElapsedTime, ItemLongLong
KeyName, ItemWString
#version 1
#type Create 10
#type Open 11
#type Delete 12
#type Query 13
#type SetValue 14
#type DeleteValue 15
#type QueryValue 16
#type EnumerateKey 17
#type EnumerateValueKey 18
#type QueryMultipleValue 19
#type SetInformation 20
#type Flush 21
#type RunDown 22
KeyHandle, ItemPtr
ElapsedTime, ItemLongLong
Index, ItemULong
KeyName, ItemWString
90cbdc39-4a3e-11d1-84f4-0000f80464e3 FileIo
#version 0
#type Name 0
FileObject, ItemPtr
FileName, ItemWString
#version 1
#type Name 0
#type FileCreate 32
FileObject, ItemPtr
FileName, ItemWString
9a280ac0-c8e0-11d1-84e2-00c04fb998a2 TcpIp
#version 0
#type Send 10
#type Recv 11
#type Connect 12
#type Disconnect 13
#type Retransmit 14
#type Accept 15
daddr, ItemIPAddr
saddr, ItemIPAddr
dport, ItemPort
sport, ItemPort
size, ItemULong
PID, ItemULong
#version 1
#type Send 10
#type Recv 11
#type Connect 12
#type Disconnect 13
#type Retransmit 14
#type Accept 15
#type Reconnect 16
PID, ItemULong
size, ItemULong
daddr, ItemIPAddr
saddr, ItemIPAddr
dport, ItemPort
sport, ItemPort
bf3a50c5-a9c9-4988-a005-2df0b7c80f80 UdpIp
#version 0
#type Send 10
#type Recv 11
context, ItemPtr
saddr, ItemIPAddr
sport, ItemPort
size, ItemUShort
daddr, ItemIPAddr
dport, ItemPort
dsize, ItemUShort
#version 1
#type Send 10
#type Recv 11
PID, ItemULong
size, ItemULong
daddr, ItemIPAddr
saddr, ItemIPAddr
dport, ItemPort
sport, ItemPort
2cb15d1d-5fc1-11d2-abe1-00a0c911f518 Image
#version 0
#type Load 10
BaseAddress, ItemPtr
ModuleSize, ItemULong
ImageFileName, ItemWString
#version 1
#type Load 10
ImageBase, ItemPtr
ImageSize, ItemPtr
ProcessId, ItemULong
FileName, ItemWString
3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c PageFault
#type TransitionFault 10
#type DemandZeroFault 11
#type CopyOnWrite 12
#type GuardPageFault 13
#type HardPageFault 14
Virtual Address, ItemPtr
Program Counter, ItemPtr
01853a65-418f-4f36-aefc-dc0f1d2fd235 SystemConfig
#type CPU 10
MHz, ItemULong
NumberOfProcessors, ItemULong
MemSize, ItemULong
PageSize, ItemULong
AllocationGranularity, ItemULong
ComputerName, ItemWChar[256]
DomainName, ItemWChar[132]
#type PhyDisk 11
DiskNumber, ItemULong
BytesPerSector, ItemULong
SectorsPerTrack, ItemULong
TracksPerCylinder, ItemULong
Cylinders, ItemULongLong
SCSIPort, ItemULong
SCSIPath, ItemULong
SCSITarget, ItemULong
SCSILun, ItemULong
Manufacturer, ItemWChar[256]
PartitionCount, ItemULong
WriteCacheEnabled, ItemBool
BootDriveLetter, ItemWChar[3]
#type LogDisk 12
StartOffset, ItemULongLong
PartitionSize, ItemULongLong
DiskNumber, ItemULong
Size, ItemULong
DriveType, ItemULong
DriveLetterString, ItemWChar[4]
Pad, ItemULong
PartitionNumber, ItemULong
SectorsPerCluster, ItemULong
BytesPerSector, ItemULong
NumberOfFreeClusters, ItemLongLong
TotalNumberOfClusters, ItemLongLong
FileSystem, ItemWChar[16]
VolumeExt, ItemULong
#type NIC 13
NICName, ItemWChar[256]
Index, ItemULong
PhysicalAddrLen, ItemULong
PhysicalAddr, ItemWChar[8]
Size, ItemULong
IpAddress, ItemLong
SubnetMask, ItemLong
DhcpServer, ItemLong
Gateway, ItemLong
PrimaryWinsServer, ItemLong
SecondaryWinsServer, ItemLong
DnsServer1, ItemLong
DnsServer2, ItemLong
DnsServer3, ItemLong
DnsServer4, ItemLong
Data, ItemULong
#type Video 14
MemorySize, ItemULong
XResolution, ItemULong
YResolution, ItemULong
BitsPerPixel, ItemULong
VRefresh, ItemULong
ChipType, ItemWCHAR[256]
DACType, ItemWCHAR[256]
AdapterString, ItemWCHAR[256]
BiosString, ItemWCHAR[256]
DeviceId, ItemWCHAR[256]
StateFlags, ItemULong
#type Services 15
ServiceName, ItemWCHAR[34]
DisplayName, ItemWCHAR[256]
ProcessName, ItemWCHAR[34]
ProcessId, ItemULong
#type Power 16
S1, ItemBool
S2, ItemBool
S3, ItemBool
S4, ItemBool
S5, ItemBool
Pad1, ItemChar
Pad2, ItemChar
Pad3, ItemChar
// Test Events
// d58c126f-b309-11d1-969e-0000f875a5bc
d58c126f-b309-11d1-969e-0000f875a5bc TraceKmp
// Test Events
// d58c126f-b309-11d1-969e-0000f875a5bc
ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp
#type Start 1
#type End 2
UserData, ItemULong
// Test Events
// 1bd67283-57cc-11d2-9a03-00c04f72c722
1bd67283-57cc-11d2-9a03-00c04f72c722 TranProv
#type Start 1
#type End 2
UserData, ItemULong
// DS Events
// 1c83b2fc-c04f-11d1-8afc-00c04fc21914
5b7eb15d-7441-11d2-b711-00c04fb998a2 DsKccGuid
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd000-daeb-11d1-be80-00c04fadfff5 DsDirSearch
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSWString
Choice, ItemDSWString
ObjDN, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Filter, ItemDSWString
Index, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd001-daeb-11d1-be80-00c04fadfff5 DsDirAddEntry
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSWString
ObjDn, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd002-daeb-11d1-be80-00c04fadfff5 DsDirMod
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSWString
ObjDn, ItemDSWString
Null3, ItemDSWString
Null4, ItemMLString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemMLString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd005-daeb-11d1-be80-00c04fadfff5 DsDirModDN
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Caller, ItemDSWString
ObjDn, ItemDSWString
NewParentDn, ItemDSWString
NewName, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd003-daeb-11d1-be80-00c04fadfff5 DsDirDel
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSWString
ObjDn, ItemDSWString
Null3, ItemDSWString
Null4, ItemMLString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemMLString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd004-daeb-11d1-be80-00c04fadfff5 DsDirCompare
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSWString
AssertType, ItemDSWString
ObjDn, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd006-daeb-11d1-be80-00c04fadfff5 DsDirGtNcChg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UuidDest, ItemDSWString
NcDn, ItemDSWString
UsnVecFrom, ItemDSWString
flags, ItemDSWString
RetCrit, ItemDSWString
ExtOp, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NumObj, ItemDSWString
NumBytes, ItemDSWString
UsnVecTo, ItemDSWString
ExtRet, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd007-daeb-11d1-be80-00c04fadfff5 DsDirReplSync
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
NcDn, ItemDSWString
DsaOrUuid, ItemDSWString
Options, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd008-daeb-11d1-be80-00c04fadfff5 DsDirFind
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Caller, ItemDSWString
AttId, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
05acd009-daeb-11d1-be80-00c04fadfff5 DsLdapBind
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa22-7f4b-11d2-b389-0000f87a46c8 DsKccTask
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa23-7f4b-11d2-b389-0000f87a46c8 DsDrsReplSync
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ObjDN, ItemDSWString
DraSrc, ItemDSWString
UuidSrc, ItemDSWString
Options, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa24-7f4b-11d2-b389-0000f87a46c8 DsDrsReplGtChg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UuidDest, ItemDSWString
NcDn, ItemDSWString
UsnFromHighObj, ItemDSWString
UsnFromHighProp, ItemDSWString
Flags, ItemDSWString
MaxObj, ItemDSWString
MaxBytes, ItemDSWString
ExtOp, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UsnToHighObj, ItemDSWString
UsnToHighProp, ItemDSWString
NumObj, ItemDSWString
NumByte, ItemDSWString
ExtRet, ItemDSWString
ErrCode, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa25-7f4b-11d2-b389-0000f87a46c8 DsDrsUpdtRefs
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSWString
DsaDest, ItemDSWString
UuidDest, ItemDSWString
Options, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa26-7f4b-11d2-b389-0000f87a46c8 DsDrsReplAdd
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSWString
SrcDsaDn, ItemDSWString
TransDn, ItemDSWString
DsaSrc, ItemDSWString
Options, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa27-7f4b-11d2-b389-0000f87a46c8 DsDrsReplMod
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSWString
UuidSrc, ItemDSWString
SrcDra, ItemDSWString
RepFlags, ItemDSWString
ModFields, ItemDSWString
Options, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa28-7f4b-11d2-b389-0000f87a46c8 DsDrsReplDel
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSWString
DsaSrc, ItemDSWString
Options, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa29-7f4b-11d2-b389-0000f87a46c8 DsDrsVrfyNames
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cNames, ItemDSWString
Flags, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2a-7f4b-11d2-b389-0000f87a46c8 DsDrsIntDmMv
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
SrcDsaDn, ItemDSWString
SrcObjDn, ItemDSWString
DstNameDn, ItemDSWString
TargetNcDn, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2b-7f4b-11d2-b389-0000f87a46c8 DsDrsAddEntry
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cObj, ItemDSWString
NameDn, ItemDSWString
NextNameDn, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cObjAdded, ItemDSWString
ErrCode, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2c-7f4b-11d2-b389-0000f87a46c8 DsDrsExecKcc
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
TaskId, ItemDSWString
Flags, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2d-7f4b-11d2-b389-0000f87a46c8 DsDrsGtReplInfo
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
InfoType, ItemDSWString
ObjDn, ItemDSWString
UuidSrc, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2e-7f4b-11d2-b389-0000f87a46c8 DsDrsGtNT4ChgLg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
flags, ItemDSWString
maxLen, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NtStatus, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa2f-7f4b-11d2-b389-0000f87a46c8 DsDrsCrackNames
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cNames, ItemDSWString
CodePage, ItemDSWString
LocaleId, ItemDSWString
FmtOffered, ItemDSWString
FmtDesired, ItemDSWString
Flags, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa30-7f4b-11d2-b389-0000f87a46c8 DsDrsWrtSPN
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Account, ItemDSWString
Op, ItemDSWString
cSpn, ItemDSWString
Flags, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa31-7f4b-11d2-b389-0000f87a46c8 DsDrsDCInfo
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Domain, ItemDSWString
InfoLevel, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
14f8aa32-7f4b-11d2-b389-0000f87a46c8 DsDrsGtMbrshps
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cDsNames, ItemDSWString
OpType, ItemDSWString
LimitDomDn, ItemDSWString
Flags, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
5b7eb154-7441-11d2-b711-00c04fb998a2 LdapAtqGuid
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
b9d4702a-6a98-11d2-b710-00c04fb998a2 LdapRequest
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Choice, ItemDSWString
Null2, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Id, ItemDSWString
ErrCode, ItemDSWString
Null3, ItemDSWString
Null4, ItemDSWString
Null5, ItemDSWString
Null6, ItemDSWString
Null7, ItemDSWString
Null8, ItemDSWString
// KDC Events
// 24db8964-e6bc-11d1-916a-0000f8045b04
50af5304-e6bc-11d1-916a-0000f8045b04 GetASTicket
#type Start 1
KdcOption, ItemULongX
#type End 2
KerbErr, ItemULongX
Client, ItemPWString
Server, ItemPWString
RequestRealm, ItemPWString
c11cf384-e6bd-11d1-916a-0000f8045b04 TGSRequest
#type Start 1
KdcOption, ItemULongX
#type End 2
KerbErr, ItemULongX
Client, ItemPWString
ServerAcct, ItemPWString
ClientRealm, ItemPWString
a34d7f52-1dd0-434e-88a1-423e2a199946 KdcChangePass
#type Start 1
#type End 2
KerbErr, ItemULongX
ExtErr, ItemULongX
Klininfo, ItemULongX
ClientRealm, ItemPWString
AccountName, ItemPWString
// Kerberos.dll Events
// bba3add2-c229-4cdb-ae2b-57eb6966b0c4
8a3b8d86-db1e-47a9-9264-146e097b3c64 KerbLogonUser
#type Start 1
#type End 2
Status, ItemULongX
LogonType, ItemPWString
UserName, ItemPWString
LogonDomain, ItemPWString
52e82f1a-7cd4-47ed-b5e5-fde7bf64cea6 KerbInitSecurityContext
#type Start 1
#type End 2
Status, ItemULongX
CredSource, ItemPWString
DomainName, ItemPWString
UserName, ItemPWString
Target, ItemPWString
ExtError, ItemULongX
klininfo, ItemULongX
94acefe3-9e56-49e3-9895-7240a231c371 KerbAcceptSecurityContext
#type Start 1
#type End 2
Status, ItemULongX
CredSource, ItemPWString
DomainName, ItemPWString
UserName, ItemPWString
Target, ItemPWString
94c79108-b23b-4418-9b7f-e6d75a3a0ab2 KerbSetPassword
#type Start 1
#type End 2
Status, ItemULongX
AccountName, ItemPWString
AccountRealm, ItemPWString
ClientName, ItemPWString
ClientRealm, ItemPWString
KdcAddress, ItemPWString
c55e606b-334a-488b-b907-384abaa97b04 KerbChangePassword
#type Start 1
#type End 2
Status, ItemULongX
AccountName, ItemPWString
DomainName, ItemPWString
// SAM Events
// 8e598056-8993-11d2-819e-0000f875a064
39511dbe-899b-11d2-819e-0000f875a064 SamUserCreate
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
abb14b68-899b-11d2-819e-0000f875a064 SamCompCreate
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
c8eb5e5c-899c-11d2-819e-0000f875a064 SamGrpCreate
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
f9d2ba6a-899c-11d2-819e-0000f875a064 SamAddMemGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
250959aa-899d-11d2-819e-0000f875a064 SamDelMemGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
45fc997e-899d-11d2-819e-0000f875a064 SamPwdChng
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
62bef71e-899d-11d2-819e-0000f875a064 SamUserPwdSet
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
880217b8-899d-11d2-819e-0000f875a064 SamCompPwdSet
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
1f228de8-8a6c-11d2-819e-0000f875a064 SamPwdPushPdc
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
a41d90bc-899d-11d2-819e-0000f875a064 SamIdByName
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
25059476-899f-11d2-819e-0000f875a064 SamNameById
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
// *** Active Directory Service Provider: SAM
// W2K SP Specials
8c89045c-3f5d-4289-939a-fb854000cb6b SamConnect
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
dbc0ceab-cff3-4c0f-85f2-0c2107142f36 SamCloseHandle
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
74e10cbb-202e-4a97-871d-8547972b5141 SamSetSecurityObj
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
676347f3-fd20-4e7d-90b1-77e35f84af9a SamQuerySecurityObj
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
f8012701-7e99-49c5-b832-1db8bc4a610d SamShutdownSamSrv
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
a11e5d6b-353d-4bf6-97a8-ede4cba45524 SamLookupDomInSamSrv
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
7c65ceb0-75ba-46b9-884e-67e038c5b003 SamEnumDomInSamSrv
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
6e1f2449-f1f3-4634-b51f-46e2c6625892 SamOpenDomain
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
Sam, ItemWString
L1, ItemULong
Sid, ItemWString
IP, ItemWString
L2, ItemULong
#type End 2
Sam, ItemWString
L1, ItemULong
Sid, ItemWString
IP, ItemWString
L2, ItemULong
89399c21-4aaf-408e-ba39-ab831a1298d5 SamQueryInfoDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
45309ef4-c59e-425e-b95b-19f1c5a3c55a SamSetInfoDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
5d11e02f-0c36-4180-ad07-89062c9df9ec SamEnumGrpsInDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
07ffaa1d-34f6-49cd-b541-2f0d7dff15c4 SamEnumUsersInDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
5e612efd-c05e-4f76-bced-f5607aa3d46e SamCreateAliasInDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
f1fea491-bfa6-436c-a178-a70d03b4fb1a SamEnumAliasesInDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
1cf5fd19-1ac1-4324-84f7-970a634a91ee SamGetAliasMem
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
Sam, ItemWString
L1, ItemULong
Sid, ItemWString
IP, ItemWString
L2, ItemULong
#type End 2
Sam, ItemWString
L1, ItemULong
Sid, ItemWString
IP, ItemWString
L2, ItemULong
b41d7bdf-4249-4651-ac0f-1879be0d5c0c SamOpenGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
632fcc78-6057-48f9-8d5f-4bb0f73d3cd1 SamQueryInfoGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
26106246-4473-4295-841b-4a51c6afc3db SamSetInfoGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
5f7c4ba5-d6a4-4625-900e-48fa7811e06a SamDeleteGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
5954bc51-c5ec-4aaa-831c-6f2c1b2515b6 SamGetMemInGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
0254ba6d-7ff0-4bfe-a3f9-8fd8da667641 SamSetMemAttrsOfGrp
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
ba41c883-592f-4ab9-b2a9-c6263b011fe7 SamOpenAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
419f025a-bf06-4673-af66-d230bec2af02 SamQueryInfoAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
e712d39d-a3a6-4224-a1bd-4717b24e4e8c SamSetInfoAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
fbfe2540-452b-41bb-9219-dfb6fd1a129b SamDeleteAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
3a2e63d1-5dc4-4168-85ea-3e331f88ce83 SamAddMemToAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
6ba1639c-afc4-454e-b3e0-5e8f7fc39af9 SamRemoveMemFromAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
5cec3d52-6eeb-474d-b468-58362888f1b0 SamGetMemInAlias
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
b8d2bc4a-1525-4386-bb1c-6bb2e24eb001 SamOpenUser
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
c2a0e094-a178-4372-b4fe-a33e48c3585c SamDeleteUser
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
e1cb227a-6d55-4282-a5f7-6fa4a5922c0b SamQueryInfoUser
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
bc80e27f-6b74-4da9-abfc-2e4e82b81000 SamSetInfoUser
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
19b30cde-3e41-4cff-83c8-3df2779f840c SamChangePwdComputer
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
0e3913c5-9760-4ced-b133-004a64e8d53c SamGetGrpsForUser
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
eb225178-f5f0-42b7-895b-db89276f647a SamQueryDisplayInfo
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
aceb7864-9a14-4c73-8ed0-94ec53f6651c SamGetDisplayEnumIdx
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
4ff7a7db-43ca-470a-8b64-3003e2d22042 SamGetUserDomPwdInfo
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
8919f267-a053-4669-aa69-2da0d4a20d92 SamRemoveMemFromForeignDom
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
ff0c6ce2-9528-4a91-b9c7-bcf834b6f79a SamGetDomPwdInfo
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
2e991575-c2ed-42a7-97ff-a0d6571f1862 SamSetBootKeyInfo
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
33be4128-d02e-4b6f-949e-ab77cc8164b1 SamGetBootKeyInfo
#type Start 1
Sam, ItemWString
Version, ItemULong
Sid, ItemWString
Client, ItemWString
#type End 2
// LSA Events
// cc85922f-db41-11d2-9244-006008269001 MSLSATrace
cc85922e-db41-11d2-9244-006008269001 QuerySecret
#type Start 1
#type End 2
2306fe3b-dbf6-11d2-9244-006008269001 Close
#type Start 1
#type End 2
2306fe3a-dbf6-11d2-9244-006008269001 OpenPolicy
#type Start 1
#type End 2
2306fe39-dbf6-11d2-9244-006008269001 QueryInfoPolicy
#type Start 1
#type End 2
2306fe38-dbf6-11d2-9244-006008269001 SetInfoPolicy
#type Start 1
#type End 2
2306fe37-dbf6-11d2-9244-006008269001 EnumTrustedDoms
#type Start 1
#type End 2
2306fe36-dbf6-11d2-9244-006008269001 LookupNames
#type Start 1
#type End 2
2306fe35-dbf6-11d2-9244-006008269001 LookupSids
#type Start 1
#type End 2
2306fe34-dbf6-11d2-9244-006008269001 OpenTrustedDomain
#type Start 1
#type End 2
2306fe33-dbf6-11d2-9244-006008269001 QryInfoTrustDom
#type Start 1
#type End 2
2306fe32-dbf6-11d2-9244-006008269001 SetInfoTrustedDom
#type Start 1
#type End 2
2306fe31-dbf6-11d2-9244-006008269001 QueryInfoPolicy2
#type Start 1
#type End 2
2306fe30-dbf6-11d2-9244-006008269001 SetInfoPolicy2
#type Start 1
#type End 2
2306fe2f-dbf6-11d2-9244-006008269001 QryTrstDomByNam
#type Start 1
#type End 2
2306fe2e-dbf6-11d2-9244-006008269001 SetTrstedDomInfoByNam
#type Start 1
#type End 2
2306fe2d-dbf6-11d2-9244-006008269001 EnumTrstedDomEx
#type Start 1
#type End 2
2306fe2c-dbf6-11d2-9244-006008269001 CreateTrustedDomEx
#type Start 1
#type End 2
2306fe2b-dbf6-11d2-9244-006008269001 QueryDomainInfoPolicy
#type Start 1
#type End 2
2306fe2a-dbf6-11d2-9244-006008269001 SetDomainInfoPolicy
#type Start 1
#type End 2
2306fe29-dbf6-11d2-9244-006008269001 OpTrustedDomByName
#type Start 1
#type End 2
393da8c0-dbed-11d2-895b-00c04f79ab69 NlServerAuth
#type Start 1
Client, ItemWString
Account, ItemWString
ChannelType, ItemULongX
NegotiatedFlags, ItemULongX
#type End 2
Client, ItemWString
Account, ItemWString
ChannelType, ItemULongX
NegotiatedFlags, ItemULongX
Status, ItemULongX
63dbb180-dbed-11d2-895b-00c04f79ab69 NlSecChanlSetup
#type Start 1
#type End 2
// SRV events
e09074ae-0a98-4805-9a41-a8940af97086 SrvSmb
#type CreateDirectory 0
#type DeleteDirectory 1
#type Open 2
#type Create 3
#type Close 4
#type Flush 5
#type Delete 6
#type Rename 7
#type QueryInformation 8
#type SetInformation 9
#type Read 10
#type Write 11
#type LockByteRange 12
#type UnlockByteRange 13
#type CreateTemporary 14
#type CheckDirectory 15
#type ProcessExit 16
#type Seek 17
#type LockAndRead 18
#type SetInformation2 19
#type QueryInformation2 20
#type LockingAndX 21
#type Transaction 22
#type TransactionSecondary 23
#type Ioctl 24
#type IoctlSecondary 25
#type Move 26
#type Echo 27
#type OpenAndX 28
#type ReadAndX 29
#type WriteAndX 30
#type FindClose2 31
#type FindNotifyClose 32
#type TreeConnect 33
#type TreeDisconnect 34
#type Negotiate 35
#type SessionSetupAndX 36
#type LogoffAndX 37
#type TreeConnectAndX 38
#type QueryInformationDisk 39
#type Search 40
#type NtTransaction 41
#type NtTransactionSecondary 42
#type NtCreateAndX 43
#type NtCancel 44
#type OpenPrintFile 45
#type ClosePrintFile 46
#type GetPrintQueue 47
#type ReadRaw 48
#type WriteRaw 49
#type ReadMpx 50
#type WriteMpx 51
#type WriteMpxSecondary 52
#type Open2 53
#type FindFirst2 54
#type FindNext2 55
#type QueryFsInformation 56
#type SetFsInformation 57
#type QueryPathInformation 58
#type SetPathInformation 59
#type QueryFileInformation 60
#type SetFileInformation 61
#type Fsctl 62
#type Ioctl2 63
#type FindNotify 64
#type CreateDirectory2 65
#type GetDfsReferrals 66
#type ReportDfsInconsistency 67
#type CreateWirhSdOrEa 68
#type NtIoctl 69
#type SetSecurityDescriptor 70
#type NtNotifyChange 71
#type NtRename 72
#type QuerySecurityDescriptor 73
#type QueryQuota 74
#type SetQuota 75
StartTime, ItemULongLong
ElapseKCPU, ItemCPUTime
ElapseUCPU, ItemCPUTime
ClientAddr, ItemIpAddr
FileObject, ItemULongX
FileName, ItemPWString
// DFS events
e3f1c64a-1a24-494b-8d47-ac37ad623342 DFS
#type TranslatePathStart 50
#type TranslatePathEnd 52
rtnStatus, ItemULongX
SubDirectory, ItemPWString
ParentPathName, ItemPWString
DfsPathName, ItemPWString
#type GetReferralsStart 55
#type GetReferralsEnd 59
rtnStatus, ItemULongX
DfsPathName, ItemPWString
#type FindShareStart 76
#type FindShareEnd 79
rtnStatus, ItemULongX
ShareName, ItemPWString
// NSPI events: Uses DS Control Guid.
D01B04CF-240E-11d3-ACBE-00C04F68A51D NspiUpdateStat
#type Start 1
#type End 2
4D63B05C-2502-11d3-ACC1-00C04F68A51D NspiCompareDNTs
#type Start 1
#type End 2
61569D69-2502-11d3-ACC1-00C04F68A51D NspiQueryRows
#type Start 1
#type End 2
6F370D3C-2502-11d3-ACC1-00C04F68A51D NspiSeekEntries
#type Start 1
#type End 2
6F370D3D-2502-11d3-ACC1-00C04F68A51D NspiGetMatches
#type Start 1
#type End 2
6F370D3E-2502-11d3-ACC1-00C04F68A51D NspiResolveNames
#type Start 1
#type End 2
7842189A-2502-11d3-ACC1-00C04F68A51D NspiDNToEph
#type Start 1
#type End 2
7842189B-2502-11d3-ACC1-00C04F68A51D NspiGetHierInfo
#type Start 1
#type End 2
7842189C-2502-11d3-ACC1-00C04F68A51D NspiResrtRestrct
#type Start 1
#type End 2
80AD666A-2502-11d3-ACC1-00C04F68A51D NspiBind
#type Start 1
#type End 2
873BDDEA-2502-11d3-ACC1-00C04F68A51D NspiGtNamFromIDs
#type Start 1
#type End 2
873BDDEB-2502-11d3-ACC1-00C04F68A51D NspiGtIDsFromNam
#type Start 1
#type End 2
8D8C5846-2502-11d3-ACC1-00C04F68A51D NspiGetPropList
#type Start 1
#type End 2
8D8C5847-2502-11d3-ACC1-00C04F68A51D NspiQueryCol
#type Start 1
#type End 2
8D8C5848-2502-11d3-ACC1-00C04F68A51D NspiGetProps
#type Start 1
#type End 2
96EF9AA6-2502-11d3-ACC1-00C04F68A51D NspiGetTemplInfo
#type Start 1
#type End 2
96EF9AA7-2502-11d3-ACC1-00C04F68A51D NspiModProps
#type Start 1
#type End 2
380D48A4-2506-11d3-ACC1-00C04F68A51D NspiModLinkAtt
#type Start 1
#type End 2
380D48A5-2506-11d3-ACC1-00C04F68A51D NspiDeleteEntries
#type Start 1
#type End 2
E357DC53-B6FC-48e0-8189-C9D2AB2A8F16 DsTaskQueueExecuteGuid
#type Start 1
#type End 2
// SPOOLER Events
// Control guid is 94a984ef-f525-4bf1-be3c-ef374056a592
127eb555-3b06-46ea-a08b-5dc2c3c57cfd PrintJob
#type SpoolJob 1
#type PrintJob 7
#type TrackThread 8
#type EndTrackThread 10
#type PauseJob 12
#type ResumeJob 13
JobId, ItemULong
#type DeleteJob 2
JobId, ItemULong
JobSize, ItemULong
DataType, ItemULong
Pages, ItemULong
PagesPerSide, ItemULong
FilesOpened, ItemShort
1d32b239-92a6-485a-96d2-dc3659fb803e RenderedJob
#type JobRendered 11
JobId, ItemULong
GdiJobSize, ItemULong
ICMMethod, ItemULong
Color, ItemShort
XRes, ItemShort
YRes, ItemShort
Quality, ItemShort
Copies, ItemShort
TTOption, ItemShort
// NTLM Events
// C92CF544-91B3-4dc0-8E11-C580339A0BF8 NtlmControl
94D4C9EB-0D01-41ae-99E8-15B26B593A83 NtlmServerAccept
#type Start 1
StageHint, ItemULong
InContext, ItemPtr
#type End 2
StageHint, ItemULong
InContext, ItemPtr
OutContext, ItemPtr
Status, ItemULong
#type Info 0
StageHint, ItemULong
InContext, ItemPtr
OutContext, ItemPtr
Flags, ItemULong
UserName, ItemPWString
DomainName, ItemPWString
Workstation, ItemPWString
6DF28B22-73BE-45cc-BA80-8B332B35A21D NtlmClientInitialize
#type Start 1
StageHint, ItemULong
InContext, ItemPtr
#type End 2
StageHint, ItemULong
InContext, ItemPtr
OutContext, ItemPtr
Status, ItemULong
19196B33-A302-4c12-9D5A-EAC149E93C46 NtlmLogonUser
#type Start 1
#type End 2
Status, ItemULong
LogonType, ItemULong
UserName, ItemPWString
DomainName, ItemPWString
34D84181-C28A-41d8-BB9E-995190DF83DF NtlmValidateUser
#type Start 1
#type End 2
Success, ItemULong
LogonServer, ItemPWString
LogonDomain, ItemPWString
UserName, ItemPWString
Workstation, ItemPWString
// Com+ Services Events
67F49F8C-01B8-4354-BFFB-7A93E7211C3E ObjPoolCreateObject
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ObjectsCreated, ItemULong
ObjectID, ItemULongLong
C5A3005A-F643-4f09-B146-A47B9165E522 ObjPoolDestroyObject
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ObjectsCreated, ItemULong
ObjectID, ItemULongLong
F1A43E1E-150B-4a8a-8DFF-5E9504819A83 ObjPoolPutObject
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
Reason, ItemLong
AvailableObjects, ItemULong
ObjectID, ItemULongLong
D3B13BA9-E13C-42a5-AB9D-A765EABD8DD7 ObjPoolGetObject
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
AvailableObjects, ItemULong
ObjectID, ItemULongLong
6251827A-9115-41ca-A3B7-2073CD25EB87 ObjPoolRecycleToTx
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
TransactionGuid, ItemGUID
ObjectID, ItemULongLong
3ED9E879-E0CB-432a-B29E-3440BE825B5C ObjPoolGetFromTx
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
TransactionGuid, ItemGUID
ObjectID, ItemULongLong
880F56F9-5B21-4d36-8C8E-95FF4283006F ObjPoolCreateDecision
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ThreadsWaiting, ItemULong
AvailableObjects, ItemULong
CreatedObjects, ItemULong
Minimum, ItemULong
Maximum, ItemULong
664E7E9A-458C-4b84-BF3A-C9877D929D00 ObjPoolTimeout
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ActivityGuid, ItemGUID
Timeout, ItemULong
E68E1870-CB15-4d2d-986E-E9E6D1B2E656 ObjPoolCreatePool
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
Minimum, ItemULong
Maximum, ItemULong
Timeout, ItemULong
B896121F-0C4F-47e1-AD15-C7B0AA4491C4 AppActivation
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
E90FF16B-2AC0-40b0-9F84-CB742C468CB2 AppShutdown
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
1114B062-2702-4b52-92D2-2EB11ABA646E AppForceShutdown
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
DA6C4250-BC95-45f0-AB49-CC4D605ECF41 ThreadStart
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TThreadID, ItemULongLong
SystemThread, ItemULong
ThreadCount, ItemULong
1DAE16A8-E038-46bc-B27A-8609E643099B ThreadTerminate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TThreadID, ItemULongLong
SystemThread, ItemULong
ThreadCount, ItemULong
6818FD0A-C7F3-406f-91F4-7600978CC3C9 ThreadBindToApt
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TThreadID, ItemULongLong
AptID, ItemULongLong
ActivitiesCount, ItemULong
LowCount, ItemULong
440EA498-EB7E-4b70-A1E3-9A91861CD6C3 ThreadUnbind
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TThreadID, ItemULongLong
AptID, ItemULongLong
ActivitiesCount, ItemULong
E9EBBACC-7A92-40f3-80AF-783535CBD118 ThreadAssignApt
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
AptID, ItemULongLong
72502A15-B665-4f5b-A319-E395CCA92393 ThreadUnassignApt
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AptID, ItemULongLong
1E9E83C5-C5C8-4a2d-AB63-8469C296764B CreateInstance
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ContextID, ItemULongLong
ObjectID, ItemULongLong
3A446C03-769E-4dca-8F59-8F5FA7761FAB DestroyInstance
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
3F2E0CEB-6C34-4ae2-9475-A01B086E8C60 TransactionStart
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
Root, ItemBool
DA92FF99-95C0-43d5-9A7D-6C23C15E2FE7 TransactionPrepare
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
VoteYes, ItemBool
BE2B8AA1-1FEF-4ded-907D-CDCE5849008E TransactionAbort
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
C67F7946-4630-4c77-B4F6-88C6ABE65F12 TransactionCommit
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
BAC5C1AE-009D-4e09-9A0A-FD88BB31A1E8 MethodCall
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
MethodIndex, ItemULong
F0B30BEC-DB18-478c-9221-EAA208CBB5AE MethodReturn
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
MethodIndex, ItemULong
HResult, ItemLong
91D068A5-0B98-48f1-A0CF-AB8626CA5147 MethodException
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
MethodIndex, ItemULong
8FE5F194-CF29-4eff-A5AA-A54AD7F4F131 DisableCommit
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
37276016-0EBD-432a-8333-D84821AB3863 EnableCommit
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
AB095D80-3E83-4597-8007-00803D50DF86 SetComplete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
9A39AA4F-63DB-42ec-A59E-DD116F57A247 SetAbort
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
A6D75196-3DDC-4f35-9AB9-3CB121F28BAE Deactivate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
ObjectID, ItemULongLong
B0CE0D5B-05EC-4380-B225-2EEDA3903042 Activate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
ObjectID, ItemULongLong
7649AF3C-3E56-47b7-9596-876FADD36B5D ResourceCreate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ResourceID, ItemULongLong
ResType, ItemWChar[64]
Enlisted, ItemBool
5BA81729-A69D-473e-B656-56C9C393A862 ResourceAllocate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ResourceID, ItemULongLong
ResType, ItemWChar[64]
Enlisted, ItemBool
NumRated, ItemULong
Rating, ItemULong
4F0B170E-9065-4d5a-AD2C-7BFC0DAA0C93 ResourceRecycle
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ResourceID, ItemULongLong
ResType, ItemWChar[64]
58CDFE25-2DC0-485b-981C-7A0B39B96FAB ResourceDestroy
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ResourceID, ItemULongLong
HResult, ItemLong
ResType, ItemWChar[64]
F96DE808-C2D7-43b3-8593-6BC1E772DB9B ResourceTrack
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ResourceID, ItemULongLong
ResType, ItemWChar[64]
Enlisted, ItemBool
CD6D18FC-31F0-4304-A5DF-BA2A15840266 Authenticate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectID, ItemULongLong
MethodIndex, ItemULong
CurrentUserImpersonationInproc, ItemBool
LengthOrigUserSID, ItemULong
LengthCrtUserSID, ItemULong
SIDsBuffer, ItemVariant
03148C79-11DC-4b43-ACA3-65B11682CFF4 AuthenticateFail
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectID, ItemULongLong
MethodIndex, ItemULong
CurrentUserImpersonationInproc, ItemBool
LengthOrigUserSID, ItemULong
LengthCrtUserSID, ItemULong
SIDsBuffer, ItemVariant
9B3359DC-2B4C-46b4-A03A-7339AF71B765 ObjectConstruct
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ObjectID, ItemULongLong
ConstructString, ItemWChar[64]
C49B4FA9-20DF-4f48-82B2-C448DEF02DFC UserEvent
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Buffer, ItemVariant
90B8FED5-7EEF-4107-B791-8CF15B2117F3 ActivityCreate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
EDC039B9-84E7-4f69-937B-A08942719651 ActivityDestroy
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
43B68014-2B7E-47ae-AFC2-E54184CFF71F ActivityEnter
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Current, ItemGUID
Entered, ItemGUID
SystemThread, ItemULong
E7D21C91-3CBE-4340-B605-0EBB0FE32E2F ActivityTimeout
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Current, ItemGUID
Entered, ItemGUID
SystemThread, ItemULong
Timeout, ItemULong
F2013085-1572-490b-93BE-BE3AB406955C ActivityReenter
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Current, ItemGUID
SystemThread, ItemULong
CallDepth, ItemULong
C589CFD4-D3AC-4cdd-B157-22C53234A63A ActivityLeave
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Current, ItemGUID
Left, ItemGUID
53F94E5B-7F22-4d2b-A1CC-510BEF6FA833 ActivityLeaveSame
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Current, ItemGUID
CallDepth, ItemULong
7172CA53-633A-4f56-A947-07567258849E IISRequestInfo
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
ClientIP, ItemWChar[16]
ServerIP, ItemWChar[16]
URL, ItemWChar[128]
4F0960DD-568B-4391-9F72-134C5670E7C8 QCRecord
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
Queue, ItemWChar[60]
Workflow, ItemGUID
MSMQhresult, ItemLong
71925AE2-8133-425d-BF0D-21662BAFF1FC QCQueueOpen
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Queue, ItemWChar[60]
QueueID, ItemULongULong
MSMQhresult, ItemLong
71955D87-4448-4e7b-BA4E-7873C11AABA3 QCReceive
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
QueueID, ItemULongULong
Workflow, ItemGUID
MSMQhresult, ItemLong
A00DC142-ED4F-49b1-8DAD-0241C08DFE1B QCReceiveFail
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
QueueID, ItemULongULong
MSMQhresult, ItemLong
2C0D5D35-ED91-4c05-B7D2-0C833EAC7CF5 QCMoveToRetry
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Workflow, ItemGUID
RetryIndex, ItemULong
C03BB7FF-6A7A-4019-B290-F4D07A873187 QCMoveToDead
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Workflow, ItemGUID
648D7C88-D207-4f90-8DE9-DA3159F25FF8 QCPlayback
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
Workflow, ItemGUID
MSMQhresult, ItemLong
4DFA5983-B413-45b3-AD0D-6493E903A645 ExceptionUser
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Code, ItemULong
Address, ItemULongULong
StackTrace, ItemWChar[512]
57709B60-0EF0-4ea6-B415-CDDA1CDD35A9 CRMRecoveryStart
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
C45B18D3-FD16-4120-B396-58E9D64D59AB CRMRecoveryDone
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
C93490AC-B23F-408f-9C17-809B0EB86631 CRMCheckpoint
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AB8FC323-CBB2-40b7-AFD3-558054E55848 CRMBegin
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
TransactionGuid, ItemGUID
ProgIdCompensator, ItemWChar[64]
Description, ItemWChar[64]
3F50C4A1-D7F2-4e4e-BE35-BE31447D6316 CRMPrepare
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
6461B223-574D-42bc-A5B5-C42BC0A1BB1E CRMCommit
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AA814AA8-2FF1-4e23-8279-3D024C817327 CRMAbort
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
E37629F4-3358-44e4-89C6-C0B7EB82A4B1 CRMInDoubt
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
B7BB1AE1-D8D5-469a-BF49-EF1AC3E73A9A CRMDone
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
7968E4E4-1E00-4e37-9BE4-8553FB661E16 CRMRelease
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
04876E17-C180-47e3-B855-5E0A1255EFA5 CRMAnalyze
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RecordType, ItemULong
RecordSize, ItemULong
A1ECBE0E-FA1F-47d3-91DD-99AB5B92D3A1 CRMWrite
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Variants, ItemBool
RecordSize, ItemULong
EE5D2FF2-811C-4fb1-9861-D44EA6E1E6A7 CRMForget
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
D7428814-30D3-4b7a-8C34-898722FCFA3A CRMForce
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
12DF1221-2D16-41de-B31F-0E03BBEFD448 CRMDeliver
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Variants, ItemBool
RecordSize, ItemULong
39AEDB9B-D2CE-4ffe-A0EC-F95DB80BAD27 AdmAppInstall
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
InstalledAppID, ItemGUID
MSIPath, ItemWChar[256]
DestinationPath, ItemWChar[256]
UserName, ItemWChar[256]
WithUsers, ItemBool
WithSecurity, ItemBool
Queued, ItemBool
HResult, ItemLong
B36E4627-D28D-485f-A35C-29E08C4F4753 AdmAppCreate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
CreatedAppID, ItemGUID
AppName, ItemWChar[512]
HResult, ItemLong
45046ADC-3B2E-4e79-9208-6992EB00C4A5 AdmAppDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
DeletedAppID, ItemGUID
HResult, ItemLong
0A750C63-CD91-4ee6-8091-867B86924E09 AdmAppUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
UpdatedAppID, ItemGUID
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
4EF3D7D1-2A21-4a81-89E1-98B2A5DF4C55 AdmAppPaused
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
PausedAppID, ItemGUID
Paused, ItemBool
HResult, ItemLong
D77C881C-18E1-4165-9D9C-CA02DD4B7A0E AdmCompInstall
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
CompAppID, ItemGUID
DLLPath, ItemWChar[256]
TLBPath, ItemWChar[256]
PSDLLPath, ItemWChar[256]
HResult, ItemLong
4DC56F75-D3AE-4e63-9CE0-3142CF4E4080 AdmCompImport
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
CompAppID, ItemGUID
ProgID, ItemWChar[64]
HResult, ItemLong
7CF60AC4-6C26-495b-934E-47CCAE111BCF AdmCompDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
CompAppID, ItemGUID
HResult, ItemLong
7CD5BF83-CE9C-4a9d-936E-C8A751CAAB4F AdmCompUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
CompAppID, ItemGUID
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
C08BE4A9-79F4-46d4-949F-FBB73311EC13 AdmItfUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ItfAppID, ItemGUID
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
B2CD5095-BCE0-42b5-B550-59E5E1146F54 AdmMetUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
MetAppID, ItemGUID
MethodIndex, ItemULong
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
910BB3FA-E353-4953-A97F-A72E2574922C AdmRoleAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
8A28125E-D216-4d30-88A5-80B442F80216 AdmRoleDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
9B2A3DAD-2AA7-4beb-9EEE-5E7162B2E8EA AdmUserAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
UserSID, ItemVariant
6EBEA049-5AD9-4b2a-AD28-F0375726AA23 AdmUserDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
UserSID, ItemVariant
B6AB05B2-084A-4cfc-9E57-5C95E3A0889F AdmCompRoleAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
7B42E65E-1CAC-418b-B21C-43256A29B008 AdmCompRoleDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
7040B74F-A240-4251-8218-443F1270B971 AdmItfRoleAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
94F8892C-520A-4816-895A-F62A2EA99B7F AdmItfRoleDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
RoleName, ItemWChar[256]
HResult, ItemLong
79677BFD-1AC0-455f-B2C1-A8983DA78AA2 AdmMetRoleAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
MethodIndex, ItemULong
RoleName, ItemWChar[256]
HResult, ItemLong
F5FB4B1F-11FA-44c1-88BD-750F4CC2C8EC AdmMetRoleDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
RoleAppID, ItemGUID
MethodIndex, ItemULong
RoleName, ItemWChar[256]
HResult, ItemLong
780B22BD-5244-4302-86BE-D57962CFD79A AdmMachineAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
MachineName, ItemWChar[512]
HResult, ItemLong
09D87E55-022D-4851-8219-54ED25C4A5C6 AdmMachineDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
MachineName, ItemWChar[512]
HResult, ItemLong
415FF65E-117D-488b-9A81-C6923E3ED8BE AdmMachineUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
MachineName, ItemWChar[512]
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
A8BA53C5-3399-447d-B64F-09D50A9DFEAD AdmPermSubscriberAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscrAppID, ItemGUID
SubscriptionID, ItemGUID
ECclsid, ItemGUID
MethodName, ItemWChar[256]
Enabled, ItemBool
SubscriberCLSID, ItemGUID
HResult, ItemLong
DE05C3C4-ACEE-4fd7-B2C9-9A0764419E9B AdmPermSubscriberDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscrAppID, ItemGUID
SubscriptionID, ItemGUID
HResult, ItemLong
5E47D7F3-6A36-4221-8033-5DF1B66B2A3B AdmPermSubscriberUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscrAppID, ItemGUID
SubscriptionID, ItemGUID
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
C40DFD24-7B49-48eb-A21F-DB3235D1B4F6 AdmTransSubscriberAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscriptionID, ItemGUID
ECclsid, ItemGUID
MethodName, ItemWChar[256]
Enabled, ItemBool
HResult, ItemLong
1E49DDB6-C883-4cb3-9BC4-1332EDDBAE78 AdmTransSubscriberDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscriptionID, ItemGUID
HResult, ItemLong
3E6E2249-A249-4f54-A0D7-A97FB6162EFB AdmTransSubscriberUpdate
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
SubscriptionID, ItemGUID
PropertyName, ItemWChar[64]
NewValue, ItemWChar[1024]
HResult, ItemLong
51B057F9-ACB8-4c8d-BE40-E9ED750EF034 AdmPartitionAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AddPartitionID, ItemGUID
PartitionName, ItemWChar[512]
HResult, ItemLong
8566E9C5-F387-4ecf-AA8D-D065B691732C AdmPartitionDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
DelPartitionID, ItemGUID
HResult, ItemLong
12E58202-E6CD-4e17-B366-5AC3F37C00A8 AdmPartitionSetAdd
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AddPartitionSetID, ItemGUID
PartitionSetName, ItemWChar[512]
HResult, ItemLong
D55F48FD-17C6-4b12-AFD7-DEFC834CC488 AdmPartitionSetDelete
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
DelPartitionSetID, ItemGUID
HResult, ItemLong
DC28009B-DA4E-4efa-9F95-205B21469A13 AppActivation2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
InstanceID, ItemGUID
AE10D5F2-31B7-4a27-9B57-7A81E4BCDF4D AppShutdown2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
4B78B80C-494E-45e6-B7A6-BAFE5D7D9FF1 AppForceShutdown2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
AB4DF7DB-DB12-4139-8898-BD66C7D776DA AppPaused2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
Paused, ItemBool
7D4287E8-23B2-41f5-B7FC-817634218A9E AppRecycle2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
InstanceID, ItemGUID
Reason, ItemLong
E34AA4CB-32C4-4b62-8C05-B4762B217E68 TransactionStart2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
Root, ItemBool
IsolationLevel, ItemLong
F509A56C-5CFF-421f-8AA2-08A94323755C TransactionPrepare2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
VoteYes, ItemBool
C9715D69-6CA8-4da7-9A28-A8E4FDEA5099 TransactionAbort2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
ABB8DCE4-6EAE-4f41-BF53-B70BDA428567 TransactionCommit2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
TransactionGuid, ItemGUID
25D668F5-15A1-4741-B72F-104C25FCB662 ObjPoolPutObject2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
Reason, ItemLong
AvailableObjects, ItemULong
ObjectID, ItemULongLong
E971B116-854E-420b-926E-AF6088AA07D8 ObjPoolGetObject2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
AvailableObjects, ItemULong
ObjectID, ItemULongLong
ForPartitionID, ItemGUID
5BF0E5EE-493F-4808-978D-C8001CAEA1A3 ObjPoolRecycleToTx2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
TransactionGuid, ItemGUID
ObjectID, ItemULongLong
D7454176-0346-40b8-91FE-5923C67CBA42 ObjPoolGetFromTx2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ObjectGuid, ItemGUID
TransactionGuid, ItemGUID
ObjectID, ItemULongLong
ForPartitionID, ItemGUID
8FB0E7B4-97ED-410d-B988-16922032A368 ObjectConstruct2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectGuid, ItemGUID
ObjectID, ItemULongLong
ConstructString, ItemWChar[64]
ForPartitionID, ItemGUID
085121E8-A3F7-4fa9-A9C4-07BC2B2C696F CreateInstance2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ActivityGuid, ItemGUID
ContextID, ItemULongLong
ObjectID, ItemULongLong
ForPartitionID, ItemGUID
773BA00D-0EFD-4a57-A309-86D3B4BEB114 DestroyInstance2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ContextID, ItemULongLong
CE0A98AB-6001-4552-A58E-B88313308A74 MethodCall2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
SystemThread, ItemULong
MethodIndex, ItemULong
BCD15EFB-C30C-4a51-957F-1D89E984763A MethodReturn2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
SystemThread, ItemULong
MethodIndex, ItemULong
HResult, ItemLong
2A56A5E4-962C-4a78-BEFB-CFCD965F7B34 MethodException2
#version 0
#type Event 0
ProcessId, ItemULong
ApplicationID, ItemGUID
PartitionID, ItemGUID
AppInstanceID, ItemGUID
ComputerName, ItemWChar[256]
ObjectID, ItemULongLong
SystemThread, ItemULong
MethodIndex, ItemULong
// PERFLIB, LoadPerf, and PDH events
// 51af3adb-28b1-4ba5-b59a-3aeec16deb3c
// 275a79bb-9980-42ba-bafe-a92ded1192cf
// 51af3adf-28b1-4ba5-b59a-3aeec16deb3c
51af3adb-28b1-4ba5-b59a-3aeec16deb3c PERFLIB
FileLine, ItemULong,
RtnStatus, ItemULongX,
OptArgs, ItemOptArgs
275a79bb-9980-42ba-bafe-a92ded1192cf LoadPerf
FileLine, ItemULong,
RtnStatus, ItemULongX,
OptArgs, ItemOptArgs
51af3adf-28b1-4ba5-b59a-3aeec16deb3c PDH-Debug
FileLine, ItemULong,
RtnStatus, ItemULongX,
OptArgs, ItemOptArgs
// Exchange Events
// 2EACCEDF-8648-453e-9250-27F0069F71D2
31F5A811-6EA0-4321-93D9-CDB9A70D50A1 RPC
#version 0
#type None 0
#type Release 1
#type OpenFolder 2
#type OpenMessage 3
#type GetHierarchyTable 4
#type GetContentsTable 5
#type CreateMessage 6
#type GetPropsSpecific 7
#type GetPropsAll 8
#type GetPropList 9
#type SetProps 10
#type DeleteProps 11
#type SaveChangesMessage 12
#type NukeRecipients 13
#type FlushRecipients 14
#type ReadRecipients 15
#type ReloadCachedInfo 16
#type SetReadFlag 17
#type SetColumns 18
#type SortTable 19
#type Restrict 20
#type QueryRows 21
#type GetStatus 22
#type QueryPosition 23
#type SeekRow 24
#type SeekRowBookmark 25
#type SeekRowApprox 26
#type CreateBookmark 27
#type CreateFolder 28
#type DeleteFolder 29
#type DeleteMessages 30
#type GetMessageStatus 31
#type SetMessageStatus 32
#type GetAttachmentTable 33
#type OpenAttach 34
#type CreateAttach 35
#type DeleteAttach 36
#type SaveChangesAttach 37
#type SetReceiveFolder 38
#type GetReceiveFolder 39
#type SpoolerRules 40
#type RegisterNotification 41
#type Notify 42
#type OpenStream 43
#type ReadStream 44
#type WriteStream 45
#type SeekStream 46
#type SetSizeStream 47
#type SetSearchCriteria 48
#type GetSearchCriteria 49
#type SubmitMessage 50
#type MoveCopyMessages 51
#type AbortSubmit 52
#type MoveFolder 53
#type CopyFolder 54
#type QueryColumnsAll 55
#type Abort 56
#type CopyTo 57
#type CopyToStream 58
#type CloneStream 59
#type RegisterTableNotification 60
#type DeregisterTableNotification 61
#type GetACLTable 62
#type GetRulesTable 63
#type ModifyACL 64
#type ModifyRules 65
#type GetOwningMDBs 66
#type LtidFromId 67
#type IdFromLtid 68
#type FGhosted 69
#type OpenMessageProp 70
#type SetSpooler 71
#type SpoolerLockMsg 72
#type AddressTypes 73
#type TransportSend 74
#type FXSrcCopyMessages 75
#type FXSrcCopyFolder 76
#type FXSrcCopyTo 77
#type FXSrcGetBuffer 78
#type FindRow 79
#type Progress 80
#type XportNewMail 81
#type ValidAttachs 82
#type FXDstCopyConfig 83
#type FXDstPutBuffer 84
#type GetNamesFromIDs 85
#type GetIDsFromNames 86
#type UpdateDAMs 87
#type EmptyFolder 88
#type ExpandRow 89
#type CollapseRow 90
#type LockRegionStream 91
#type UnlockRegionStream 92
#type CommitStream 93
#type GetStreamSize 94
#type QryNamedProps 95
#type GetPerUserLtids 96
#type GetPerUserGuid 97
#type FlushPerUser 98
#type GetPerUser 99
#type SetPerUser 100
#type CacheCcnRead 101
#type SetReadFlags 102
#type CopyProps 103
#type GetReceiveFolderTable 104
#type FXSrcCopyProps 105
#type FXDstCopyProps 106
#type GetCollapseState 107
#type SetCollapseState 108
#type SetXport 109
#type Pending 110
#type OptionsData 111
#type IncrCfg 112
#type IncrState 113
#type ImportMsgChange 114
#type ImportHierChange 115
#type ImportDelete 116
#type UpldStStrmBegin 117
#type UpldStStrmContinue 118
#type UpldStStrmEnd 119
#type ImportMsgMove 120
#type SetPropsNoReplicate 121
#type DeletePropsNoReplicate 122
#type GetStoreState 123
#type GetRights 124
#type GetAllPerUserLtids 125
#type OpenCollect 126
#type GetLrepIds 127
#type ImportReads 128
#type ResetTable 129
#type FXGetIncrState 130
#type OpenAdvisor 131
#type RegICSNotifs 132
#type OpenCStream 133
#type TellVersion 134
#type OpenFolderByName 135
#type SetICSNotifGUID 136
#type FreeBookmark 137
#type DeleteFolderByName 138
#type ConfigNntpNewsfeed 139
#type CheckMsgIds 140
#type BeginNntpArticle 141
#type WriteNntpArticle 142
#type SaveNntpArticle 143
#type WriteCommitStream 144
#type HardDeleteMessages 145
#type HardEmptyFolder 146
#type SetLocalRepMidsetDeleted 147
#type End 200
#type BookmarkReturned 251
#type FidReturned 252
#type HsotReturned 253
#type Logon 254
#type BufferTooSmall 255
BBED5A34-6447-47c3-864A-6ED959545973 TaskQ
#version 0
#type Start 1
#type End 2
#type Dequeue 7
AC0D888F-D1B2-45c1-8CC9-2269FDD0DAA5 EIF
#version 0
#type Start 1
HSOT, ItemULong
UserName, ItemWString
Function, ItemString
#type End 2
Error Code, ItemULongX
#type LogonStart 10
Guid 1, ItemULongLongX
Guid 2, ItemULongLongX
#type LogonEnd 11
HSOT, ItemULong
UserName, ItemWString
Error Code, ItemULongX
#type DoConnect 12
Guid1, ItemULongX
Guid2, ItemULongX
Guid3, ItemULongX
Guid4, ItemULongX
#type OpenFdrStart 14
HSOT, ItemULong
UserName, ItemWString
Function, ItemString
#type OpenFdrEnd 15
Error Code, ItemULongX
HSOT, ItemULong
#type OpenURL 16
HSOT, ItemULong
UserName, ItemWString
Function, ItemString
URL, ItemWString
// PDH counter logfile events
// 933f3bb3-943e-490d-9ced-3cbb14c14479
933f3bb3-943e-490d-9ced-3cbb14c14479 PDH
#type Header 32
#type DataBlock 34
#type Catalog 35
#type Perflib 36
LogFileGuid, ItemGUID
BlockID, ItemULong
BlockCount, ItemULong
// BROWSER Events
// Control guid is 5576F62E-4142-45a8-9516-262A510C13F0
2B992163-736F-4a68-9153-95BC5F34D884 Browse
#type UserInputReturn 10
#type UserInputBack 11
#type UserInputLButtonUp 12
#type UserInputPageDown 13
#type UserInputPageUp 14
#type StartFrame 16
#type LoadedParsed 18
#type LayoutExec 19
#type LayoutBackground 20
#type Paint 21
#type Address 22
Url, ItemWString
// Heap Events
// Control guid is 222962ab-6180-4b88-a825-346b75f2a24a
222962ab-6180-4b88-a825-346b75f2a24a Heap
#type Create 32
#type Alloc 33
Size, ItemSizeT
Address, ItemPtr
Source, ItemULong
#type ReAlloc 34
HeapHandle, ItemPtr
NewAddress, ItemPtr
OldAddress, ItemPtr
NewSize, ItemSizeT
OldSize, ItemSizeT
Source, ItemULong
#type Destroy 35
#type Free 36
HeapHandle, ItemPtr
Address, ItemPtr
Source, ItemULong
#type Expand 37
HeapHandle, ItemPtr
CommittedSize, ItemSizeT
Address, ItemPtr
FreeSpace, ItemSizeT
CommittedSpace, ItemSizeT
ReservedSpace, ItemSizeT
NoOfUCRs, ItemULong
#type SnapShot 38
HeapHandle, ItemPtr
Flags, ItemULong
FreeSpace, ItemSizeT
CommittedSpace, ItemSizeT
ReservedSpace, ItemSizeT
#type Contract 42
HeapHandle, ItemPtr
DeCommitSize, ItemSizeT
DeCommitAddress, ItemPtr
FreeSpace, ItemSizeT
CommittedSpace, ItemSizeT
ReservedSpace, ItemSizeT
NoOfUCRs, ItemULong
#type Lock 43
#type Unlock 44
#type Validate 45
#type Walk 46
// Critical Section Events
// Control guid is 3AC66736-CC59-4cff-8115-8DF50E39816B
3AC66736-CC59-4cff-8115-8DF50E39816B CriticalSection
#type Collision 34
#type Initialize 35
// IIS Universal Listener Events
// Control guid is dd5ef90a-6398-47a4-ad34-4dcecdef795f
3c419e3d-1d18-415b-a91a-9b558938de4b HttpRequest
#type Start 1
RequestObj, ItemPtr
AddressType, ItemTDIAddr
RemoteAddress, ItemUnknown
#type Parse 10
RequestObj, ItemPtr
HttpVerb, ItemULong
Url, ItemWString
#type Deliver 11
RequestObj, ItemPtr
RequestId, ItemULongLong
SiteId, ItemULong
AppPoolName, ItemWString
Url, ItemWString
#type End 2
#type RecvResp 12
#type RecvBody 13
#type CacheAndSend 15
#type FastResp 16
#type FastSend 17
#type ZeroSend 18
#type SendError 19
RequestId, ItemULongLong
HttpStatus, ItemUShort
#type CachedEnd 14
RequestObj, ItemPtr
SiteId, ItemULong
BytesSent, ItemULong
// IIS6 W3Core.dll Events
// Control guid is 3a2a4e84-4c21-4981-ae10-3fda0d9b0f83
d42cf7ef-de92-473e-8b6c-621ea663113a W3Server
#type Start 1
RequestId, ItemULongLong
BytesRecd, ItemULong
#type End 2
#type SendBody 16
#type SendResp 17
#type SendEntity 18
#type SendFilter 19
#type ErrSend 20
#type ErrSendEnt 21
#type ErrSendCtx 22
#type ErrVecSend 23
#type VectorSend 24
RequestId, ItemULongLong
BytesSent, ItemULong
#type FileReq 10
RequestId, ItemULongLong
FileName, ItemWString
#type CGIReq 11
#type ISAPIReq 12
RequestId, ItemULongLong
#type OOPReq 13
RequestId, ItemULongLong
ProcessId, ItemULong
TotalReq, ItemULong
CurrentReq, ItemULong
00237f0d-73eb-4bcf-a232-126693595847 W3Filter
#type Start 1
RequestId, ItemULongLong
FilterName, ItemWString
#type End 2
RequestId, ItemULongLong
e2e55403-0d2e-4609-a470-be0da04013c0 W3Cgi
#type Start 1
#type End 2
RequestId, ItemULongLong
// IIS6 W3Isapi.dll Events
// Control guid is a1c2040e-8840-4c31-ba11-9871031a19ea
2e94e6c7-eda0-4b73-9010-2529edce1c27 W3Isapi
#type Start 1
RequestId, ItemULongLong
connID, ItemPtr
fOop, ItemULong
#type End 2
#type SendHdr 10
#type SendHdrEx 11
#type VectorSend 12
#type ErrorSend 13
#type SsfSend 14
#type SsdError 15
RequestId, ItemULongLong
connID, ItemPtr
// IIS6 strmfil.dll Events
// Control guid is 1fbecc45-c060-4e7c-8a0e-0dbd6116181b
0ecf983b-7115-4b77-a543-95d138ee4400 StrmFilt
#type Start 1
#type End 2
d353dc2d-3e55-4b88-a4ac-183c368362a3 SslHandShake
#type Start 1
#type End 2
// Active Server Pages (ASP) Events
// Control guid is 06b94d9a-b15e-456e-a4ef-37c984a2cb4b
1fc299fa-3fc4-4c37-910d-de5b911d0270 AspReq
#type Start 1
#type End 2
ConnID, ItemPtr
// ASP.NET Events
// Control guid is aff081fe-0247-4275-9c4e-021f3dc1da35
06a01367-79d3-4594-8eb3-c721603c4679 AspNetReq
#type Start 1
#type End 2
ConnID, ItemPtr
// Custom ISAPI extension Events
71bda656-663c-4eae-977a-a749f1fa0fcd CustomIsapiExt
#type Start 1
#type End 2
ConnID, ItemPtr