#line 1 "C:\\WINDOWS\\SYSTEM32\\WBEM\\KRNLPROV.MOF" // Copyright (c) 1997-2003 Microsoft Corporation, All Rights Reserved #pragma autorecover #pragma classflags(64) #pragma namespace("\\\\.\\Root\\CIMV2") [Locale(1033) : ToInstance] class Win32_SystemTrace : __ExtrinsicEvent { }; [Locale(1033) : ToInstance] class Win32_ProcessTrace : Win32_SystemTrace { [read : ToSubclass] uint32 ProcessID; [read : ToSubclass] uint32 ParentProcessID; [read : ToSubclass] uint32 SessionID; [read : ToSubclass] uint8 Sid[]; [read : ToSubclass] string ProcessName; }; [Locale(1033) : ToInstance] class Win32_ProcessStartTrace : Win32_ProcessTrace { }; [Locale(1033) : ToInstance] class Win32_ProcessStopTrace : Win32_ProcessTrace { [read : ToSubclass] uint32 ExitStatus; }; [Locale(1033) : ToInstance] class Win32_ThreadTrace : Win32_SystemTrace { [read : ToSubclass] uint32 ThreadID; [read : ToSubclass] uint32 ProcessID; }; [Locale(1033) : ToInstance] class Win32_ThreadStartTrace : Win32_ThreadTrace { [read : ToSubclass] uint64 StackBase; [read : ToSubclass] uint64 StackLimit; [read : ToSubclass] uint64 UserStackBase; [read : ToSubclass] uint64 UserStackLimit; uint64 StartAddr; uint64 Win32StartAddr; uint32 WaitMode; }; [Locale(1033) : ToInstance] class Win32_ThreadStopTrace : Win32_ThreadTrace { }; [Locale(1033) : ToInstance] class Win32_ModuleTrace : Win32_SystemTrace { }; [Locale(1033) : ToInstance] class Win32_ModuleLoadTrace : Win32_ModuleTrace { [read : ToSubclass] uint64 ImageBase; [read : ToSubclass] uint64 ImageSize; [read : ToSubclass] uint32 ProcessID; [read : ToSubclass] string FileName; [read : ToSubclass] uint32 ImageChecksum; [read : ToSubclass] uint32 TimeDateStamp; [read : ToSubclass] uint64 DefaultBase; }; Instance of __Win32Provider as $KTP { Name = "WMI Kernel Trace Event Provider"; Clsid = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}"; HostingModel = "WmiCore"; }; Instance of __EventProviderRegistration { Provider = $KTP; EventQueryList = {"select * from Win32_ProcessStartTrace", "select * from Win32_ProcessStopTrace", "select * from Win32_ThreadStartTrace", "select * from Win32_ThreadStopTrace", "select * from Win32_ModuleLoadTrace"}; }; #pragma autorecover #pragma classflags(64) #pragma namespace("\\\\.\\Root\\CIMV2") instance of __namespace{ name="ms_409";}; #pragma namespace("\\\\.\\Root\\CIMV2\\ms_409") [Description("The SystemTrace class is the base class for all system trace events. System trace events are fired by the kernel logger via the event tracing API.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_SystemTrace : __ExtrinsicEvent { }; [Description("This event is the base event for process events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ProcessTrace : Win32_SystemTrace { [Description("The ProcessID property identifies the process involved in the event.") : Amended ToSubclass] uint32 ProcessID; [Description("The ParentProcessID property identifies of the process that actuallycaused the event to happen.") : Amended ToSubclass] uint32 ParentProcessID; [Description("The SessionID property identifies the session under which the process exists.") : Amended ToSubclass] uint32 SessionID; [Description("The Sid property is the security identifier representing the user context under which the event happened.") : Amended ToSubclass] uint8 Sid[]; [Description("The ProcessName property contains the name of the process.") : Amended ToSubclass] string ProcessName; }; [Description("The ProcessStartTrace event class indicates a new process has started.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ProcessStartTrace : Win32_ProcessTrace { }; [Description("The ProcessStopTrace event class indicates a process has terminated.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ProcessStopTrace : Win32_ProcessTrace { [Description("The ExitStatus property contains the exit status of the stopped process ") : Amended ToSubclass] uint32 ExitStatus; }; [Description("The ThreadTrace event class is the base event for thread events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ThreadTrace : Win32_SystemTrace { [Description("The ThreadID property contains the thread identifier of the thread involved in the event.") : Amended ToSubclass] uint32 ThreadID; [Description("The ProcessID property contains the process identifier of the process to which the thread belongs.") : Amended ToSubclass] uint32 ProcessID; }; [Description("The ThreadStartTrace event class indicates a new thread has started.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ThreadStartTrace : Win32_ThreadTrace { [Description("The StackBase property indicates the base address of the thread's stack.") : Amended ToSubclass] uint64 StackBase; [Description("The StackBase property indicates the limit of the thread's stack.") : Amended ToSubclass] uint64 StackLimit; [Description("The UserStackBase property indicates the base address of the thread's user-mode stack.") : Amended ToSubclass] uint64 UserStackBase; [Description("The UserStackLimit property indicates the limit of the thread's user-mode stack.") : Amended ToSubclass] uint64 UserStackLimit; }; [Description("The ThreadStopTrace event class indicates a thread has terminated.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ThreadStopTrace : Win32_ThreadTrace { }; [Description("The ModuleTrace event class is the base event for module events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ModuleTrace : Win32_SystemTrace { }; [Description("The ModuleLoadTrace event class indicates a process has loaded a new module.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] class Win32_ModuleLoadTrace : Win32_ModuleTrace { [Description("The ImageBase property indicates the base address where the module was loaded into process memory.") : Amended ToSubclass] uint64 ImageBase; [Description("The ImageSize property indicates the size in bytes of the loaded module.") : Amended ToSubclass] uint64 ImageSize; [Description("The ProcessID property indentifies the process that loaded the module.") : Amended ToSubclass] uint32 ProcessID; [Description("The FileName property indicates the filename of the loaded module.") : Amended ToSubclass] string FileName; [Description("NT image checksum (usually set at link time), as listed in the NT image header; it is a hash used to verify the image was not changed or it's the same. Note: This is not a cryptographic hash, therefore it's weak.") : Amended ToSubclass] uint32 ImageChecksum; [Description("NT image timestamp (usually set at link time), as listed in the NT image header; it is a used to identify the binary image along with the original file name and ImageSize, which is also retrieved from the NT image header.") : Amended ToSubclass] uint32 TimeDateStamp; [Description("default load base address, as listed in the NT image header; if the requested address is unavailable the image will be loaded at a different address (ImageBase), causing rebasing.") : Amended ToSubclass] uint64 DefaultBase; };