mirror of https://github.com/tongzx/nt5src
1466 lines
34 KiB
// Guid Definitions
// 10/23/98
// The #type statement and the #typev statement may be used to convert
// messages into user readable forms.
// With #type all parameters are processed as strings and the default string
// processing of FormatMessage is used
// With #typev wherever possible parameters are processed as their native format
// and the %x!x! style of FormatMessage should be used.
// Note Parameter %1 through %9 are predefined
// Parameter is #typev
// %1 GUID Friendly Name string
// %2 GUID SubType Name string
// %3 Thread ID ULONG_PTR
// %4 System Time String
// %5 Kernel Time or User Time String
// %6 User Time or NULL String
// %7 Sequence Number LONG
// %8 Unused String
// %9 CPU Number LONG
// %10 and above are the user parameters
// %255 Is reserved
// Note these parameters are always present, but may not be valid
// depending on the source.
// User defined messages always start at message number 10
// Messages 0 through 9 are reserved for system use.
// Message number 255 is reserved.
// Available formats for user arguments are -
//Name            Description                             #typev Format
//ItemChar                                                CHAR
//ItemUChar                                               UCHAR
//ItemCharShort                                           USHORT
//ItemCharSign                                            SHORT
//ItemShort       Signed Short                            SHORT
//ItemUShort      Unsigned Short                          USHORT
//ItemLong        Signed Long, decoded as decimal         LONG
//ItemULong       Unsigned Long, decoded as decimal       ULONG
//ItemULongX      Unsigned Long, seen as hexadecimal      ULONG
//ItemLongLong    Signed 64 Bit value                     LONGLONG
//ItemULongLong   Unsigned 64 Bit value                   ULONGLONG
//ItemRString     Reduced Ascii String                    String
//                (\t, \n, \r, \,, converted to space, trailing sp removed)
//ItemWString     Unicode String, null terminated         String
//ItemPString     Counted Ascii String                    String
//ItemPWString    Counted Unicode String                  String
//ItemMLString    Multi-Line Ascii String                 String
//ItemSid         Security identifier                     String
//ItemChar4                                               CHAR4
//ItemIPAddr      IP Address                              String (If needed raw, use ItemUlong)
//                (string of form xxx.xxx.xxx.xxx)
//ItemPort                                                String (If needed raw use ItemUshort)
//ItemNWString    Non-null terminated Wide Char String    String
//ItemListByte (element1,element2,....)                   String
//                byte index into a list of strings
//ItemListShort(element1,element2,....)                   String
//                short index into a list of strings
//ItemListLong (element1,element2,....)                   String
//                Long index into a list of strings
//ItemGUID        Normal GUID format                      String
//ItemNTerror     Translates a ULONG error code to the    String
//                NT Error Text
//ItemNTSTATUS    Converts NTSTATUS to symbolic name      String
//ItemWINERROR    Converts WINERROR to symbolic name      String
//ItemNETEVENT    Converts NETEVENT to symbolic name      String
//ItemMerror module.ext                                   String
//                Translates a ULONG error code using the
//                module specified.
//ItemTimeStamp   Treats a LONGLONG as a timestamp        String
//ItemUnknown                                             String
ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp
#type Start 1 "TraceDp TID=0x%3 Start"
#type End 2 "TraceDp TID=0x%3End"
2cb15d1d-5fc1-11d2-abe1-00a0c911f518 ImageLoad
#typev Load 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>ImageLoad of %12!s! (Base=0x%10!X!,size=0x%11!X!)"
Base Address, ItemULongX
Module Size, ItemULongX
Image Filename, ItemWString
3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c Process
#typev Start 1 "%10!08X!.%3!08X!::%4!s! [%1!s!] <*>Process %13!s! Started for %12"
#typev End 2 "%10!08X!.%3!08X!::%4!s! [%1!s!] <*>Process %13!s!(PID=%10!5d!) Completed"
#typev DCStart 3 "%10!08X!.%3!08X!::%4!s! [%1!s!DC] <*>Process Data Collection Started of %13!s! for %12!s!"
#typev DCEnd 4 "%10!08X!.%3!08X!::%4!s! [%1!s!DC] <*>Process Data Colection Ended for %13!s!"
#typev Load 5 "%10!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>Load of %13!s![%12!s! - %11!d!]"
Process Id, ItemULongX
Parent Id, ItemULongX
User SID, ItemSid
Image Filename, ItemString
3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c Thread
#typev Start 1 "%11!08X!.%10!08X!::%4!s! [%1!s!] <%9!d!>Started"
#typev End 2 "%11!08X!.%10!08X!::%4!s! [%1!s!] <%9!d!>Ended"
#typev DCStart 3 "%11!08X!.%10!08X!::%4!s! [%1!s!DC] <%9!d!>Data Collection Started "
#typev DCEnd 4 "%11!08X!.%10!08X!::%4!s! [%1!s!DC] <%9!d!>Data Collection Ended"
Thread Id, ItemULongX
Process Id, ItemULong
3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c PageFault
#typev TransitionFault 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Transition VA=0x%10!08X!, PC=0x%11!08X!"
#typev DemandZeroFault 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault DemandZero VA=0x%10!08X!, PC=0x%11!08X!"
#typev CopyOnWrite 12 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault CopyOnWrite VA=0x%10!08X!, PC=0x%11!08X!"
#typev GlobalPageFault 13 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault GuardPageFault VA=0x%10!08X!, PC=0x%11!08X!"
#typev Hard 14 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Hard VA=0x%10!08X!, PC=0x%11!08X!, in %12!016X!"
#typev Notification 15 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Pagefault Notification VA=0x%10!08X!, PC=0x%11!08X!, in %12!016X!"
Virtual Address,ItemULongX
Program Counter,ItemUlongX
Byte Offset, ItemLongLong
File Object, ItemUlongX
Byte Count, ItemUlong
HotFile Name, ItemNWString
3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo
#typev Read 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Disk %10!2d! Read of %12!5d! bytes (FileObj=0x%15!08X!)"
#typev Write 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Disk %10!2d! Write of %12!5d! bytes (FileObj=0x%15!08X!)"
Disk Number, ItemULong
Irp Flags, ItemULongX
Transfer Size, ItemULong
QueueDepth, ItemULong
Byte Offset, ItemLongLong
File Object, ItemULongX
AE53722E-C863-11d2-8659-00C04FA321A1 Registry
#typev Create 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Create of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Open 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Open of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Delete 12 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Delete of Handle = 0x%11!08X! Status = %10!0X!"
#typev Query 13 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Query Handle = 0x%11!08X! Status = %10!0X!"
#typev SetValue 14 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>SetValue of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev DeleteValue 15 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>DeleteValue of %13!s! Handle = 0x%11!08X! Status = %10!0X! (TID =%3!0X!)"
#typev QueryValue 16 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>QueryValue Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateKey 17 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>EnumerateKey of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateValueKey 18 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>EnumerateValueKey of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev QueryMultipleValue 19 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>QueryMultiple of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev SetInformation 20 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>SetInformation of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Flush 21 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Flush of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
Key Handle, ItemULongX
Elapsed Time, ItemLongLong
KeyName, ItemWString
90cbdc39-4a3e-11d1-84f4-0000f80464e3 FileIo
#typev All 0 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Filio for %11 (FileObj=0x%10!X!)"
File Object, ItemULongX
File Name, ItemWString
9a280ac0-c8e0-11d1-84e2-00c04fb998a2 TcpIp
#typev Send 10 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Send to %10!13s!:%12!05d! from %11!13s!:%13!05d! of %14!5d! bytes"
saddr, ItemIPAddr
daddr, ItemIPAddr
sport, ItemUShort
dport, ItemUShort
size, ItemULong
PID, ItemULongX
#typev Recv 11 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Receive from %10!13s!:%12!05d! to %11!13s!:%13!05d! of %14!5d! bytes"
saddr, ItemIPAddr
daddr, ItemIPAddr
sport, ItemUShort
dport, ItemUShort
size, ItemULong
PID, ItemULongX
#typev Connect 12 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Connect to %10:%12!05D! from %11:%13!05D!"
#typev Disconnect 13 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>TCPIP Discon From %10:%12!05D! to %11:%13!05D!"
saddr, ItemIPAddr
daddr, ItemIPAddr
sport, ItemUShort
dport, ItemUShort
size, ItemULong
PID, ItemULongX
bf3a50c5-a9c9-4988-a005-2df0b7c80f80 UdpIp
#typev Send 10 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>UDP Send to %11!13s!:%12!05d! from %14!13s!:%15!05d! of %13!5d! bytes (Context= %10!08X!)"
#typev Recv 11 "%15!08X!.%3!08X!::%4!s! [%1!s!] <%9!d!>UDP Receive from %11!13s!:%12!05d! to %14!13s!:%15!05d! of %13!5d! bytes (Context= %10!08X!)"
context, ItemULongX /10
destaddr, ItemIPAddr /11
destport, ItemUShort /12
Bufrsize, ItemUShort /13
srcdaddr, ItemIPAddr /14
srcport, ItemUShort /15
sentsize, ItemUShort /16
// Test Events
// d58c126f-b309-11d1-969e-0000f875a5bc
ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp
#type Start 1
#type End 2
UserData, ItemULong
// Test Events
// 1bd67283-57cc-11d2-9a03-00c04f72c722
1bd67283-57cc-11d2-9a03-00c04f72c722 TranProv
#type Start 1
#type End 2
UserData, ItemULong
// DS Events
// 1c83b2fc-c04f-11d1-8afc-00c04fc21914
5b7eb15d-7441-11d2-b711-00c04fb998a2 DsKccGuid
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd000-daeb-11d1-be80-00c04fadfff5 DsDirSearch
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSString
Choice, ItemDSString
ObjDN, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd001-daeb-11d1-be80-00c04fadfff5 DsDirAddEntry
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSString
ObjDn, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd002-daeb-11d1-be80-00c04fadfff5 DsDirMod
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSString
ObjDn, ItemDSString
Null3, ItemDSString
Null4, ItemMLString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemMLString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd005-daeb-11d1-be80-00c04fadfff5 DsDirModDN
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Caller, ItemDSString
ObjDn, ItemDSString
NewParentDn, ItemDSString
NewName, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd003-daeb-11d1-be80-00c04fadfff5 DsDirDel
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSString
ObjDn, ItemDSString
Null3, ItemDSString
Null4, ItemMLString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemMLString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd004-daeb-11d1-be80-00c04fadfff5 DsDirCompare
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
Caller, ItemDSString
AssertType, ItemDSString
ObjDn, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd006-daeb-11d1-be80-00c04fadfff5 DsDirGtNcChg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UuidDest, ItemDSString
NcDn, ItemDSString
UsnVecFrom, ItemDSString
flags, ItemDSString
RetCrit, ItemDSString
ExtOp, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NumObj, ItemDSString
NumBytes, ItemDSString
UsnVecTo, ItemDSString
ExtRet, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd007-daeb-11d1-be80-00c04fadfff5 DsDirReplSync
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
NcDn, ItemDSString
DsaOrUuid, ItemDSString
Options, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
BindId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd008-daeb-11d1-be80-00c04fadfff5 DsDirFind
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Caller, ItemDSString
AttId, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
05acd009-daeb-11d1-be80-00c04fadfff5 DsLdapBind
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa22-7f4b-11d2-b389-0000f87a46c8 DsKccTask
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Null1, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa23-7f4b-11d2-b389-0000f87a46c8 DsDrsReplSync
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ObjDN, ItemDSString
DraSrc, ItemDSString
UuidSrc, ItemDSString
Options, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa24-7f4b-11d2-b389-0000f87a46c8 DsDrsReplGtChg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UuidDest, ItemDSString
NcDn, ItemDSString
UsnFromHighObj, ItemDSString
UsnFromHighProp, ItemDSString
Flags, ItemDSString
MaxObj, ItemDSString
MaxBytes, ItemDSString
ExtOp, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
UsnToHighObj, ItemDSString
UsnToHighProp, ItemDSString
NumObj, ItemDSString
NumByte, ItemDSString
ExtRet, ItemDSString
ErrCode, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa25-7f4b-11d2-b389-0000f87a46c8 DsDrsUpdtRefs
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSString
DsaDest, ItemDSString
UuidDest, ItemDSString
Options, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa26-7f4b-11d2-b389-0000f87a46c8 DsDrsReplAdd
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSString
SrcDsaDn, ItemDSString
TransDn, ItemDSString
DsaSrc, ItemDSString
Options, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa27-7f4b-11d2-b389-0000f87a46c8 DsDrsReplMod
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSString
UuidSrc, ItemDSString
SrcDra, ItemDSString
RepFlags, ItemDSString
ModFields, ItemDSString
Options, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa28-7f4b-11d2-b389-0000f87a46c8 DsDrsReplDel
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NcDn, ItemDSString
DsaSrc, ItemDSString
Options, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa29-7f4b-11d2-b389-0000f87a46c8 DsDrsVrfyNames
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cNames, ItemDSString
Flags, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2a-7f4b-11d2-b389-0000f87a46c8 DsDrsIntDmMv
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
SrcDsaDn, ItemDSString
SrcObjDn, ItemDSString
DstNameDn, ItemDSString
TargetNcDn, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2b-7f4b-11d2-b389-0000f87a46c8 DsDrsAddEntry
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cObj, ItemDSString
NameDn, ItemDSString
NextNameDn, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cObjAdded, ItemDSString
ErrCode, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2c-7f4b-11d2-b389-0000f87a46c8 DsDrsExecKcc
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
TaskId, ItemDSString
Flags, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2d-7f4b-11d2-b389-0000f87a46c8 DsDrsGtReplInfo
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
InfoType, ItemDSString
ObjDn, ItemDSString
UuidSrc, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2e-7f4b-11d2-b389-0000f87a46c8 DsDrsGtNT4ChgLg
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
flags, ItemDSString
maxLen, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
NtStatus, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa2f-7f4b-11d2-b389-0000f87a46c8 DsDrsCrackNames
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cNames, ItemDSString
CodePage, ItemDSString
LocaleId, ItemDSString
FmtOffered, ItemDSString
FmtDesired, ItemDSString
Flags, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa30-7f4b-11d2-b389-0000f87a46c8 DsDrsWrtSPN
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Account, ItemDSString
Op, ItemDSString
cSpn, ItemDSString
Flags, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa31-7f4b-11d2-b389-0000f87a46c8 DsDrsDCInfo
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Domain, ItemDSString
InfoLevel, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
14f8aa32-7f4b-11d2-b389-0000f87a46c8 DsDrsGtMbrshps
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
cDsNames, ItemDSString
OpType, ItemDSString
LimitDomDn, ItemDSString
Flags, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
ErrCode, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
5b7eb154-7441-11d2-b711-00c04fb998a2 LdapAtqGuid
#type Start 1
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
b9d4702a-6a98-11d2-b710-00c04fb998a2 LdapRequest
#type Start 1
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Choice, ItemDSString
Null2, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
#type End 2
Signature, ItemCharSign
Version, ItemCharShort
Inserts, ItemCharShort
messageId, ItemULong
Id, ItemDSString
ErrCode, ItemDSString
Null3, ItemDSString
Null4, ItemDSString
Null5, ItemDSString
Null6, ItemDSString
Null7, ItemDSString
Null8, ItemDSString
// KDC Events
// 24db8964-e6bc-11d1-916a-0000f8045b04
50af5304-e6bc-11d1-916a-0000f8045b04 GetASTicket
#type Start 1
KdcOption, ItemULongX
#type End 2
KerbErr, ItemULongX
Client, ItemPWString
Server, ItemPWString
RequestRealm, ItemPWString
c11cf384-e6bd-11d1-916a-0000f8045b04 TGSRequest
#type Start 1
KdcOption, ItemULongX
#type End 2
KerbErr, ItemULongX
Client, ItemPWString
ServerAcct, ItemPWString
ClientRealm, ItemPWString
// SAM Events
// 8e598056-8993-11d2-819e-0000f875a064
39511dbe-899b-11d2-819e-0000f875a064 SamUserCreate
#type Start 1
#type End 2
abb14b68-899b-11d2-819e-0000f875a064 SamCompCreate
#type Start 1
#type End 2
c8eb5e5c-899c-11d2-819e-0000f875a064 SamGrpCreate
#type Start 1
#type End 2
f9d2ba6a-899c-11d2-819e-0000f875a064 SamAddMemGrp
#type Start 1
#type End 2
250959aa-899d-11d2-819e-0000f875a064 SamDelMemGrp
#type Start 1
#type End 2
45fc997e-899d-11d2-819e-0000f875a064 SamPwdChng
#type Start 1
#type End 2
62bef71e-899d-11d2-819e-0000f875a064 SamUserPwdSet
#type Start 1
#type End 2
880217b8-899d-11d2-819e-0000f875a064 SamCompPwdSet
#type Start 1
#type End 2
1f228de8-8a6c-11d2-819e-0000f875a064 SamPwdPushPdc
#type Start 1
#type End 2
a41d90bc-899d-11d2-819e-0000f875a064 SamIdByName
#type Start 1
#type End 2
25059476-899f-11d2-819e-0000f875a064 SamNameById
#type Start 1
#type End 2
// LSA Events
// cc85922f-db41-11d2-9244-006008269001 MSLSATrace
cc85922e-db41-11d2-9244-006008269001 QuerySecret
#type Start 1
#type End 2
2306fe3b-dbf6-11d2-9244-006008269001 Close
#type Start 1
#type End 2
2306fe3a-dbf6-11d2-9244-006008269001 OpenPolicy
#type Start 1
#type End 2
2306fe39-dbf6-11d2-9244-006008269001 QueryInformationPolicy
#type Start 1
#type End 2
2306fe38-dbf6-11d2-9244-006008269001 SetInformationPolicy
#type Start 1
#type End 2
2306fe37-dbf6-11d2-9244-006008269001 EnumerateTrustedDomains
#type Start 1
#type End 2
2306fe36-dbf6-11d2-9244-006008269001 LookupNames
#type Start 1
#type End 2
2306fe35-dbf6-11d2-9244-006008269001 LookupSids
#type Start 1
#type End 2
2306fe34-dbf6-11d2-9244-006008269001 OpenTrustedDomain
#type Start 1
#type End 2
2306fe33-dbf6-11d2-9244-006008269001 QueryInfoTrustedDomain
#type Start 1
#type End 2
2306fe32-dbf6-11d2-9244-006008269001 SetInformationTrustedDomain
#type Start 1
#type End 2
2306fe31-dbf6-11d2-9244-006008269001 QueryInformationPolicy2
#type Start 1
#type End 2
2306fe30-dbf6-11d2-9244-006008269001 SetInformationPolicy2
#type Start 1
#type End 2
2306fe2f-dbf6-11d2-9244-006008269001 QueryTrustedDomainInfoByName
#type Start 1
#type End 2
2306fe2e-dbf6-11d2-9244-006008269001 SetTrustedDomainInfoByName
#type Start 1
#type End 2
2306fe2d-dbf6-11d2-9244-006008269001 EnumerateTrustedDomainsEx
#type Start 1
#type End 2
2306fe2c-dbf6-11d2-9244-006008269001 CreateTrustedDomainEx
#type Start 1
#type End 2
2306fe2b-dbf6-11d2-9244-006008269001 QueryDomainInformationPolicy
#type Start 1
#type End 2
2306fe2a-dbf6-11d2-9244-006008269001 SetDomainInformationPolicy
#type Start 1
#type End 2
2306fe29-dbf6-11d2-9244-006008269001 OpenTrustedDomainByName
#type Start 1
#type End 2
// Netdevice
f404cdf8-6926-11d2-a059-00a0c95b7f08 NetDevice
#typev Normal 10 "%11!2d!, %4: %12!s!"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
Message, ItemString // 12
#type BytesIndicated 11 "%11, %4: NDBothHandleReceiveIndication (%15): Conn[%12], Indicated %13, Available %14"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
ConnIdx, ItemUShort // 12
Indicated, ItemULong // 13
Available, ItemULong // 14
Message, ItemString // 15
#type BuildReceiveIrpEnter 20 "%11, %4: NDBothBuildReceiveIrp: Entry"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type BuildReceiveIrpInfo 23 "%11, %4: NDBothBuildReceiveIrp as %13: Conn[%12], Phase = %14"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
ConnIdx, ItemUShort // 12
DriverType,ItemString // 13
ConnPhase, ItemString // 14
#type BuildReceiveIrpCounts 26 "%11, %4: NDBothBuildReceiveIrp as %17: Bytes for Sec %12, Buf %13, Hdr %14, Rcb In = %15, Out = %16"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
SecBytes,ItemULong // 12
BufBytes,ItemULong // 13
HdrBytes,ItemULong // 14
RcbInIdx,ItemUShort // 15
RcbOutIdx,ItemUShort // 16
DriverType,ItemString // 17
#type BuildReceiveIrpExit 29 "%11, %4: NDBothBuildReceiveIrp: Exit"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type ProcessIncomingBufferEntry 120 "%11, %4: NDBothProcessIncomingBuffer: Entry"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type ProcessIncomingBufferIgnore 126 "%11, %4: NDBothProcessIncomingBuffer: Ignoring Message"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type ProcessIncomingBufferExit 129 "%11, %4: NDBothProcessIncomingBuffer: Exit"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type ProcessNewHeaderEnter 130 "%11, %4: NDBothProcessNewHeader: Entry"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
#type ProcessNewHeaderAnnounce 132 "%11, %4: NDBothProcessNewHeader as %16 for RCB[%12] on Conn[%15] is Rqst Id 0x%13_%14"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
RCB Idx, ItemUShort // 12
Rqst IdH,ItemULongX // 13
Rqst IdL,ItemULongX // 14
Conn Idx,ItemUShort // 15
DriverType,ItemString // 16
#type ProcessNewHeaderExit 148 "%11, %4: NDBothProcessNewHeader: Exit"
Ordinal, ItemULongX // 10
CPU Num, ItemUShort // 11
5eb2d7d2-c2af-11d2-afc3-00c04f8ef2f7 Sample
#typev Ascii 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!> Type: %2, Seq: %10!d! Str1: %11!s!"
//#typev Ascii 0 "0,%3!08X!,%4!s!,%1!s!,%9!d!,%2,%10!d!,%11!s!"
Sequence, ItemUlong // 10
AsciiStr, ItemString // 11
//#typev Wchar 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!> Type: %2!s!, Seq: %10!d! Str1: %11!s!"
//#typev Wchar 11 "0,%3!08X!,%4!s!,%1!s!,%9!d!,%2,%10!d!,%11!s!"
// Sequence,ItemUlong // 10
// UnicodeStr, ItemWString // 11
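
An added example, not part of the original file or of the project's tooling: a small Python reader for the definition layout described in the header comments, which renders a `#typev` message and flags format strings that reference user parameters no field line declares. It assumes, from the layout of this listing, that field lines apply to every `#type`/`#typev` line in the run directly above them and are numbered from %10 in order; the function names and the event values in the usage are hypothetical.

```python
import re

# Constructed sample: three definitions copied from the listing above.
SAMPLE = r'''
// comment lines are skipped
2cb15d1d-5fc1-11d2-abe1-00a0c911f518 ImageLoad
#typev Load 10 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>ImageLoad of %12!s! (Base=0x%10!X!,size=0x%11!X!)"
Base Address, ItemULongX
Module Size, ItemULongX
Image Filename, ItemWString
ce5b1020-8ea9-11d0-a4ec-00a0c9062910 TraceDp
#type Start 1
#type End 2
UserData, ItemULong
AE53722E-C863-11d2-8659-00C04FA321A1 Registry
#typev Open 11 "00000000.%3!08X!::%4!s! [%1!s!] <%9!d!>Open of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
Key Handle, ItemULongX
Elapsed Time, ItemLongLong
KeyName, ItemWString
'''

GUID_RE = re.compile(r"^([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\s+(\S+)$")
TYPE_RE = re.compile(r'^#(typev?)\s+(\S+)\s+(\d+)(?:\s+"(.*?)"?)?$')
FIELD_RE = re.compile(r"^([^,]+),\s*(Item\w+)")
INSERT_RE = re.compile(r"%(\d+)(?:!([^!]*)!)?")   # %N or %N!printf-spec!


def parse_definitions(text):
    """Return {guid: {"name": ..., "events": [...]}} for a definition listing."""
    providers, current = {}, None
    group, group_closed = [], False   # events still waiting for their field list
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = GUID_RE.match(line)
        if m:
            current = providers.setdefault(
                m.group(1).lower(), {"name": m.group(2), "events": []})
            group, group_closed = [], False
            continue
        if current is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            if group_closed:              # a #type line after fields starts a new group
                group, group_closed = [], False
            event = {"kind": m.group(1), "name": m.group(2), "id": int(m.group(3)),
                     "format": m.group(4), "fields": []}
            current["events"].append(event)
            group.append(event)
            continue
        m = FIELD_RE.match(line)
        if m and group:                   # assumption: fields belong to the whole group
            for event in group:
                event["fields"].append((m.group(1).strip(), m.group(2)))
            group_closed = True
    return providers


def find_event(providers, guid, name):
    return next(e for e in providers[guid.lower()]["events"] if e["name"] == name)


def render(event, system, user):
    """Expand the inserts; system maps 1..9 to values, user lists %10, %11, ..."""
    params = dict(system)
    params.update({10 + i: v for i, v in enumerate(user)})

    def expand(m):
        number, spec = int(m.group(1)), m.group(2) or "s"
        if number not in params:
            return m.group(0)             # keep unresolved inserts visible
        try:
            return ("%" + spec) % params[number]
        except (TypeError, ValueError):   # spec Python cannot apply: fall back to text
            return str(params[number])

    return INSERT_RE.sub(expand, event["format"] or "")


def undeclared_inserts(event):
    """User parameter numbers the format references but no field line declares."""
    declared = {10 + i for i in range(len(event["fields"]))}
    used = {int(n) for n, _ in INSERT_RE.findall(event["format"] or "")}
    return sorted(n for n in used if n >= 10 and n not in declared)


if __name__ == "__main__":
    defs = parse_definitions(SAMPLE)
    load = find_event(defs, "2cb15d1d-5fc1-11d2-abe1-00a0c911f518", "Load")
    # Constructed event values, for illustration only.
    print(render(load, {1: "ImageLoad", 3: 0x1A4, 4: "12:00:00.000", 9: 0},
                 [0x400000, 0x12000, r"\Windows\system32\example.dll"]))
    reg_open = find_event(defs, "AE53722E-C863-11d2-8659-00C04FA321A1", "Open")
    print("undeclared in Registry/Open:", undeclared_inserts(reg_open))
```

Running the check over a whole definition file before using it to decode a trace shows which messages will come out with unresolved inserts.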