/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

    Wmistr.h

Abstract:

    WMI structure definitions

--*/
#ifndef _WMISTR_
#define _WMISTR_
#pragma warning(disable: 4200) // nonstandard extension used : zero-sized array in struct/union
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union
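//
// WNODE definition
//
// Common header: every WNODE_* structure in this file embeds it as its
// first member (WnodeHeader). The two unions are anonymous, so their members
// are accessed directly on the header (nameless struct/union extension).
//
// NOTE(review): BufferSize is filled in by whoever built the buffer. A
// consumer that receives a WNODE from another component should check it
// against the length of the buffer it was actually handed before relying on
// any offset or size field in the structures that follow.
//
typedef struct _WNODE_HEADER
{
    ULONG BufferSize;        // Size of entire buffer inclusive of this ULONG
    ULONG ProviderId;        // Provider Id of driver returning this buffer
    union
    {
        ULONG64 HistoricalContext;  // Logger use
        struct
        {
            ULONG Version;   // Reserved
            ULONG Linkage;   // Linkage field reserved for WMI
        };
    };

    union
    {
        ULONG CountLost;         // Reserved
        HANDLE KernelHandle;     // Kernel handle for data block
        LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
                                 // since 1/1/1601
    };
    GUID Guid;               // Guid for data block returned with results
    ULONG ClientContext;
    ULONG Flags;             // Flags, see the WNODE_FLAG_* values below
} WNODE_HEADER, *PWNODE_HEADER;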
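//
// WNODE_HEADER flags are defined as follows
//
// Bit values for WNODE_HEADER.Flags.
//
#define WNODE_FLAG_ALL_DATA        0x00000001 // set for WNODE_ALL_DATA
#define WNODE_FLAG_SINGLE_INSTANCE 0x00000002 // set for WNODE_SINGLE_INSTANCE
#define WNODE_FLAG_SINGLE_ITEM     0x00000004 // set for WNODE_SINGLE_ITEM
#define WNODE_FLAG_EVENT_ITEM      0x00000008 // set for WNODE_EVENT_ITEM

                                              // Set if data block size is
                                              // identical for all instances
                                              // (used with WNODE_ALL_DATA
                                              // only)
#define WNODE_FLAG_FIXED_INSTANCE_SIZE 0x00000010

#define WNODE_FLAG_TOO_SMALL           0x00000020 // set for WNODE_TOO_SMALL

                                 // Set when a data provider returns a
                                 // WNODE_ALL_DATA in which the number of
                                 // instances and their names returned
                                 // are identical to those returned from the
                                 // previous WNODE_ALL_DATA query. Only data
                                 // blocks registered with dynamic instance
                                 // names should use this flag.
#define WNODE_FLAG_INSTANCES_SAME  0x00000040

                                 // Instance names are not specified in
                                 // WNODE_ALL_DATA; values specified at
                                 // registration are used instead. Always
                                 // set for guids registered with static
                                 // instance names
#define WNODE_FLAG_STATIC_INSTANCE_NAMES 0x00000080

#define WNODE_FLAG_INTERNAL      0x00000100  // Used internally by WMI

                                 // timestamp should not be modified by
                                 // a historical logger
#define WNODE_FLAG_USE_TIMESTAMP 0x00000200
#define WNODE_FLAG_PERSIST_EVENT 0x00000400

// Set for events that are WNODE_EVENT_REFERENCE
#define WNODE_FLAG_EVENT_REFERENCE 0x00002000

// Set if Instance names are ansi. Only set when returning from
// WMIQuerySingleInstanceA and WMIQueryAllDataA
#define WNODE_FLAG_ANSI_INSTANCENAMES 0x00004000

// Set if WNODE is a method call
#define WNODE_FLAG_METHOD_ITEM     0x00008000

// Set if instance names originated from a PDO
#define WNODE_FLAG_PDO_INSTANCE_NAMES  0x00010000

// In the 0x00ff0000 byte, every bit except the lowest (0x00010000, above)
// is used exclusively for tracing
#define WNODE_FLAG_TRACED_GUID   0x00020000 // denotes a trace

#define WNODE_FLAG_LOG_WNODE     0x00040000 // request to log Wnode

// NOTE(review): the next two flags change how embedded fields are
// interpreted (as pointers rather than inline data). A consumer should only
// honour them on buffers from a producer it trusts; confirm where the trace
// code enforces this.
#define WNODE_FLAG_USE_GUID_PTR  0x00080000 // Guid is actually a pointer

#define WNODE_FLAG_USE_MOF_PTR   0x00100000 // MOF data are dereferenced

#define WNODE_FLAG_NO_HEADER     0x00200000 // Trace without header

// Mask for event severity level. Level 0xff is the most severe type of event
#define WNODE_FLAG_SEVERITY_MASK 0xff000000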
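//
// This structure is used within the WNODE_ALL_DATA when the data blocks
// for the different instances are different lengths. If the data blocks
// for the different instances are identical lengths then
// WNODE_FLAG_FIXED_INSTANCE_SIZE should be set and FixedInstanceSize
// set to the common data block size.
//
// NOTE(review): both fields come from the producer of the WNODE. Before
// reading an instance, a consumer should verify that
// OffsetInstanceData + LengthInstanceData does not wrap and stays within
// WnodeHeader.BufferSize.
//
typedef struct
{
    ULONG OffsetInstanceData;   // Offset from beginning of WNODE_ALL_DATA
                                // to Data block for instance
    ULONG LengthInstanceData;   // Length of data block for instance
} OFFSETINSTANCEDATAANDLENGTH, *POFFSETINSTANCEDATAANDLENGTH;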
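//
// WNODE carrying the data blocks of all instances of a guid
// (WNODE_FLAG_ALL_DATA is set in WnodeHeader.Flags for this layout).
//
// NOTE(review): InstanceCount and every offset here are producer-supplied.
// A consumer should bound InstanceCount so that the
// OffsetInstanceDataAndLength[] array and the instance-name offset array
// both fit inside WnodeHeader.BufferSize, and range-check each offset
// before following it.
//
typedef struct tagWNODE_ALL_DATA
{
    struct _WNODE_HEADER WnodeHeader;

    ULONG DataBlockOffset;  // Offset from begin of WNODE to first data block

    ULONG InstanceCount;    // Count of instances whose data follows.

                            // Offset to an array of offsets to the instance names
    ULONG OffsetInstanceNameOffsets;

    // If WNODE_FLAG_FIXED_INSTANCE_SIZE is set in Flags then
    // FixedInstanceSize specifies the size of each data block. In this case
    // there is one ULONG followed by the data blocks.
    // If WNODE_FLAG_FIXED_INSTANCE_SIZE is not set
    // then OffsetInstanceDataAndLength
    // is an array of OFFSETINSTANCEDATAANDLENGTH that specifies the
    // offsets and lengths of the data blocks for each instance.
    union
    {
        ULONG FixedInstanceSize;
        OFFSETINSTANCEDATAANDLENGTH OffsetInstanceDataAndLength[];
                                    /* [InstanceCount] */
    };

    // padding so that first data block begins on a 8 byte boundary

    // data blocks and instance names for all instances

} WNODE_ALL_DATA, *PWNODE_ALL_DATA;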
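//
// WNODE carrying the data block of one instance
// (WNODE_FLAG_SINGLE_INSTANCE is set in WnodeHeader.Flags for this layout).
//
// NOTE(review): OffsetInstanceName, DataBlockOffset and SizeDataBlock are
// producer-supplied; a consumer should check that each referenced range lies
// inside WnodeHeader.BufferSize (without integer wrap) before reading
// VariableData through them.
//
typedef struct tagWNODE_SINGLE_INSTANCE
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of WNODE_SINGLE_INSTANCE
                            // to instance name. Use when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is reset
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is set
    ULONG InstanceIndex;    // (Static Instance Names)

    ULONG DataBlockOffset;  // offset from beginning of WNODE to data block
    ULONG SizeDataBlock;    // Size of data block for instance

    UCHAR VariableData[];
    // instance names and padding so data block begins on 8 byte boundary

    // data block
} WNODE_SINGLE_INSTANCE, *PWNODE_SINGLE_INSTANCE;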
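//
// WNODE carrying the value of one data item of one instance
// (WNODE_FLAG_SINGLE_ITEM is set in WnodeHeader.Flags for this layout).
//
// NOTE(review): OffsetInstanceName, DataBlockOffset and SizeDataItem are
// producer-supplied; a consumer should check that each referenced range lies
// inside WnodeHeader.BufferSize (without integer wrap) before reading
// VariableData through them.
//
typedef struct tagWNODE_SINGLE_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of WNODE_SINGLE_ITEM
                            // to instance name. Examine when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is reset
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES
    ULONG InstanceIndex;    //  set (Static Instance Names)

    ULONG ItemId;           // Item Id for data item being set

    ULONG DataBlockOffset;  // offset from WNODE begin to data item value
    ULONG SizeDataItem;     // Size of data item

    UCHAR VariableData[];
    // instance names and padding so data value begins on 8 byte boundary

    // data item value
} WNODE_SINGLE_ITEM, *PWNODE_SINGLE_ITEM;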
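//
// WNODE describing a method call (WNODE_FLAG_METHOD_ITEM is set in
// WnodeHeader.Flags for this layout). DataBlockOffset and SizeDataBlock are
// used in both directions: input on entry, output on return.
//
// NOTE(review): because the same fields are rewritten on return, the party
// that reads the result should re-validate DataBlockOffset and SizeDataBlock
// against WnodeHeader.BufferSize rather than reuse the values it checked on
// entry.
//
typedef struct tagWNODE_METHOD_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of WNODE_METHOD_ITEM
                            // to instance name. Examine when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is reset
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES
    ULONG InstanceIndex;    //  set (Static Instance Names)

    ULONG MethodId;         // Method id of method being called

    ULONG DataBlockOffset;  // On Entry: offset from WNODE to input data
                            // On Return: offset from WNODE to input and
                            //            output data blocks
    ULONG SizeDataBlock;    // On Entry: Size of input data, 0 if no input
                            //           data
                            // On Return: Size of output data, 0 if no output
                            //            data

    UCHAR VariableData[];
    // instance names and padding so data value begins on 8 byte boundary

    // data item value
} WNODE_METHOD_ITEM, *PWNODE_METHOD_ITEM;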
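//
// WNODE for an event. Only the common header is declared; the payload that
// follows it is one of the other WNODE layouts, selected by
// WnodeHeader.Flags as described inside the structure.
//
typedef struct tagWNODE_EVENT_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

    // Different data could be here depending upon the flags set in the
    // WNODE_HEADER above. If the WNODE_FLAG_ALL_DATA flag is set then the
    // contents of a WNODE_ALL_DATA  (excluding WNODE_HEADER) is here. If the
    // WNODE_FLAG_SINGLE_INSTANCE flag is set then a WNODE_SINGLE_INSTANCE
    // (excluding WNODE_HEADER) is here. Lastly if the WNODE_FLAG_SINGLE_ITEM
    // flag is set then a WNODE_SINGLE_ITEM (excluding WNODE_HEADER) is here.
} WNODE_EVENT_ITEM, *PWNODE_EVENT_ITEM;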
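//
// If a KM data provider needs to fire an event that is larger than the
// maximum size that WMI allows then it should fire a WNODE_EVENT_REFERENCE
// that specifies which guid and instance name to query for the actual data
// that should be part of the event.
//
// The target instance is given either by index or by name; the two share
// storage in the trailing anonymous union.
//
// NOTE(review): TargetInstanceName has no length field of its own in this
// structure; presumably it is bounded by WnodeHeader.BufferSize and selected
// by the static-instance-name flag. Confirm against the consumer before
// reading it as a string.
//
typedef struct tagWNODE_EVENT_REFERENCE
{
    struct _WNODE_HEADER WnodeHeader;
    GUID TargetGuid;
    ULONG TargetDataBlockSize;
    union
    {
        ULONG TargetInstanceIndex;
        WCHAR TargetInstanceName[];
    };
} WNODE_EVENT_REFERENCE, *PWNODE_EVENT_REFERENCE;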
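//
// WNODE returned when the supplied buffer cannot hold the result
// (WNODE_FLAG_TOO_SMALL is set in WnodeHeader.Flags for this layout).
//
// NOTE(review): SizeNeeded is producer-supplied; a caller that allocates a
// retry buffer from it should apply its own upper bound first.
//
typedef struct tagWNODE_TOO_SMALL
{
    struct _WNODE_HEADER WnodeHeader;
    ULONG SizeNeeded;       // Size needed to build WNODE result
} WNODE_TOO_SMALL, *PWNODE_TOO_SMALL;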
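//
// Describes one guid (data block) being registered or updated. WMIREGINFOW
// carries an array of these in its WmiRegGuid[] member.
//
// The anonymous union holds the instance-name information; which member is
// meaningful is selected by the WMIREG_FLAG_INSTANCE_* bit named in each
// member's comment (presumably tested in Flags; confirm against callers).
//
// NOTE(review): the union overlays 32-bit offsets with pointer-sized values
// (Pdo, InstanceInfo). A consumer should decide from Flags which member is
// valid before using it, and range-check the offset members against
// WMIREGINFO.BufferSize.
//
typedef struct
{
    GUID Guid;              // Guid of data block being registered or updated
    ULONG Flags;            // Flags

    ULONG InstanceCount;    // Count of static instances names for the guid

    union
    {
                            // If WMIREG_FLAG_INSTANCE_LIST then this has the offset
                            // to a list of InstanceCount counted UNICODE
                            // strings placed end to end.
        ULONG InstanceNameList;

                            // If WMIREG_FLAG_INSTANCE_BASENAME then this has the
                            // offset to a single counted UNICODE string that
                            // has the basename for the instance names.

        ULONG BaseNameOffset;

                            // If WMIREG_FLAG_INSTANCE_PDO is set then InstanceInfo
                            // has the PDO whose device instance path will
                            // become the instance name
        ULONG_PTR Pdo;

                            // If WMIREG_FLAG_INSTANCE_REFERENCE then this points to
                            // a WMIREGINSTANCEREF structure.
                            // (Neither WMIREG_FLAG_INSTANCE_REFERENCE nor
                            // WMIREGINSTANCEREF is defined in this header.)

        ULONG_PTR InstanceInfo; // Offset from beginning of the WMIREGINFO structure to
                                // (the original comment is truncated here)
    };

} WMIREGGUIDW, *PWMIREGGUIDW;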
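// Unsuffixed aliases for the W (wide-character) registration structure; no
// other variant is declared in this header.
typedef WMIREGGUIDW WMIREGGUID;
typedef PWMIREGGUIDW PWMIREGGUID;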
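//
// WMIREG_FLAG_* values. The instance-name flags below are the ones the
// WMIREGGUIDW union comments refer to.
//

// Set if collection must be enabled for the guid before the data provider
// can be queried for data.
#define WMIREG_FLAG_EXPENSIVE          0x00000001

// Set if instance names for this guid are specified in a static list within
// the WMIREGINFO
#define WMIREG_FLAG_INSTANCE_LIST      0x00000004

// Set if instance names are to be static and generated by WMI using a
// base name in the WMIREGINFO and an index
#define WMIREG_FLAG_INSTANCE_BASENAME  0x00000008

// Set if WMI should do automatic mapping of a PDO to device instance name
// as the instance name for the guid. This flag should only be used by
// kernel mode data providers.
#define WMIREG_FLAG_INSTANCE_PDO       0x00000020

// Note the flags WMIREG_FLAG_INSTANCE_LIST, WMIREG_FLAG_INSTANCE_BASENAME,
// WMIREG_FLAG_INSTANCE_REFERENCE and WMIREG_FLAG_INSTANCE_PDO are mutually
// exclusive.
// (WMIREG_FLAG_INSTANCE_REFERENCE is named here but not defined in this
// header.)

//
// These flags are only valid in a response to WMI_GUID_REGUPDATE
#define WMIREG_FLAG_REMOVE_GUID        0x00010000 // Remove support for guid
#define WMIREG_FLAG_RESERVED1          0x00020000 // Reserved by WMI
#define WMIREG_FLAG_RESERVED2          0x00040000 // Reserved by WMI

// Set if guid is one that is written to trace log.
// This guid cannot be queried directly via WMI, but must be read using
// logger apis.
#define WMIREG_FLAG_TRACED_GUID        0x00080000

//
// Only those Trace Guids that have this bit set can receive
// Enable/Disable Notifications.
//
#define WMIREG_FLAG_TRACE_CONTROL_GUID 0x00001000

//
// Set if the guid is only used for firing events. Guids that can be queried
// and that fire events should not have this bit set.
#define WMIREG_FLAG_EVENT_ONLY_GUID    0x00000040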
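//
// Registration information returned by a data provider: a fixed part, then
// GuidCount WMIREGGUIDW entries, then variable-length data such as instance
// names. All offsets are relative to the start of this structure, except
// NextWmiRegInfo, whose base the original comment does not state.
//
// NOTE(review): BufferSize, NextWmiRegInfo, RegistryPath, MofResourceName and
// GuidCount are all supplied by the provider. A consumer should confirm that
// GuidCount entries fit within BufferSize, that each offset (plus the counted
// string it leads to) stays inside the buffer, and that a chain followed via
// NextWmiRegInfo cannot run past the end of the buffer or loop.
//
typedef struct
{
    // Size of entire WMIREGINFO structure including this ULONG
    // and any static instance names that follow
    ULONG BufferSize;

    ULONG NextWmiRegInfo;       // Offset to next WMIREGINFO structure

    ULONG RegistryPath; // Offset from beginning of WMIREGINFO structure to a
                        // counted Unicode string containing
                        // the driver registry path (under HKLM\CCS\Services)
                        // This must be filled only by kernel mode data
                        // providers

    // Offset from beginning of WMIREGINFO structure to a
    // counted Unicode string containing
    // the name of resource in driver file containing MOF info
    ULONG MofResourceName;

    // Count of WMIREGGUID structures immediately following
    ULONG GuidCount;
    WMIREGGUIDW WmiRegGuid[];  // array of GuidCount WMIREGGUID structures
    // Variable length data including :
    //     Instance Names
} WMIREGINFOW, *PWMIREGINFOW;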
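// Unsuffixed aliases for the W (wide-character) registration structure; no
// other variant is declared in this header.
typedef WMIREGINFOW WMIREGINFO;
typedef PWMIREGINFOW PWMIREGINFO;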
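//
// WMI request codes
//
// The enumerators are compiled only when _WMIKM_ is not defined. With
// _WMIKM_ defined the enumerator list is empty, which ISO C does not allow;
// NOTE(review): presumably the kernel-mode headers rely on the compiler
// accepting this and supply the request codes another way. Confirm before
// building with a different toolchain.
//
typedef enum
{
#ifndef _WMIKM_
    WMI_GET_ALL_DATA = 0,
    WMI_GET_SINGLE_INSTANCE = 1,
    WMI_SET_SINGLE_INSTANCE = 2,
    WMI_SET_SINGLE_ITEM = 3,
    WMI_ENABLE_EVENTS = 4,
    WMI_DISABLE_EVENTS = 5,
    WMI_ENABLE_COLLECTION = 6,
    WMI_DISABLE_COLLECTION = 7,
    WMI_REGINFO = 8,
    WMI_EXECUTE_METHOD = 9
#endif
} WMIDPREQUESTCODE;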
#if defined(_WINNT_) || defined(WINNT)
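//
// WMI guid objects have the following rights
// WMIGUID_QUERY
// WMIGUID_SET
// WMIGUID_NOTIFICATION
// WMIGUID_READ_DESCRIPTION
// WMIGUID_EXECUTE
// TRACELOG_CREATE_REALTIME
// TRACELOG_CREATE_ONDISK
// TRACELOG_GUID_ENABLE
// TRACELOG_ACCESS_KERNEL_LOGGER
// TRACELOG_CREATE_INPROC
// TRACELOG_ACCESS_REALTIME
// TRACELOG_REGISTER_GUIDS

//
// GuidTypes
//
//#ifndef _WMIKM_
#define WMI_GUIDTYPE_TRACECONTROL 0
#define WMI_GUIDTYPE_TRACE        1
#define WMI_GUIDTYPE_DATA         2
#define WMI_GUIDTYPE_EVENT        3
//#endif

//
// Specific rights for WMI guid objects. These are available from 0x0001 to
// 0xffff (ie up to 16 rights)
//
// Twelve of the sixteen bits are assigned below (0x0001 through 0x0800).
//
#define WMIGUID_QUERY                 0x0001
#define WMIGUID_SET                   0x0002
#define WMIGUID_NOTIFICATION          0x0004
#define WMIGUID_READ_DESCRIPTION      0x0008
#define WMIGUID_EXECUTE               0x0010
#define TRACELOG_CREATE_REALTIME      0x0020
#define TRACELOG_CREATE_ONDISK        0x0040
#define TRACELOG_GUID_ENABLE          0x0080
#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100
#define TRACELOG_CREATE_INPROC        0x0200
#define TRACELOG_ACCESS_REALTIME      0x0400
#define TRACELOG_REGISTER_GUIDS       0x0800

//
// Every specific right above, plus STANDARD_RIGHTS_READ and SYNCHRONIZE
// (both defined outside this header). The standard-rights part is
// STANDARD_RIGHTS_READ, not STANDARD_RIGHTS_ALL, so the mask does not carry
// the standard rights to delete the object or rewrite its DACL or owner.
//
// NOTE(review): the mask bundles query, set, execute and every trace-logger
// right. When building a security descriptor for a guid, granting only the
// individual rights a principal needs keeps the ACL least-privilege.
//
#define WMIGUID_ALL_ACCESS (STANDARD_RIGHTS_READ |     \
                            SYNCHRONIZE | \
                            WMIGUID_QUERY |                \
                            WMIGUID_SET |                  \
                            WMIGUID_NOTIFICATION |         \
                            WMIGUID_READ_DESCRIPTION |     \
                            WMIGUID_EXECUTE |              \
                            TRACELOG_CREATE_REALTIME |     \
                            TRACELOG_CREATE_ONDISK |       \
                            TRACELOG_GUID_ENABLE |         \
                            TRACELOG_ACCESS_KERNEL_LOGGER |\
                            TRACELOG_CREATE_INPROC | \
                            TRACELOG_ACCESS_REALTIME | \
                            TRACELOG_REGISTER_GUIDS )

#define WMI_GLOBAL_LOGGER_ID          0x0001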
#endif
#endif