//********************************************* //*** MSV1_0 SSP: MSV1_0 //********************************************* #pragma autorecover #pragma classflags("forceupdate") #pragma namespace ("\\\\.\\Root\\WMI") [Dynamic, Description("Security: NTLM Authentication") : amended, Guid("{5BBB6C18-AA45-49b1-A15F-085F7ED0AA90}"), locale("MS\\0x409")] class MSV1_0DebugTrace : EventTrace { [ Description ("Enable Flags") : amended, ValueDescriptions{ "Error Flag", "Warning Flag", "Init Flag", "Misc Flag", "Logon Session Flag", "Leak Track Flag", "Lpc Flag", "Lpc More Flag", "Api Flag", "Api More Flag", "Session Keys Flag", "Negotiate Flag", "Updates Flag", "NTLM V2 Flag", "Credentials Flag", "Protocol Version Flag", "Target Flag"} : amended, Values{"Error", "Warning", "Init", "Misc", "LogonSess", "Leak", "Lpc", "LpcMore", "Api", "ApiMore", "SKey", "Nego", "Updates", "NtLmV2", "Cred", "Version", "Target"}, ValueMap{"0x00000001", "0x00000002", "0x00000004", "0x00000008", "0x00000010", "0x00000020", "0x00000040", "0x00000080", "0x00000100", "0x00000200", "0x00000400", "0x00000800", "0x00001000", "0x00002000", "0x00004000", "0x00008000", "0x00010000"} : amended ] uint32 Flags; }; [Dynamic, Description("NTLM Security Protocol") : amended, Guid("{C92CF544-91B3-4dc0-8E11-C580339A0BF8}"), locale("MS\\0x409")] class MSV1_0Trace:EventTrace { }; [Dynamic, Description("NTLM Server Accept") : amended, Guid("{94d4c9eb-0d01-41ae-99e8-15b26b593a83}"), DisplayName("NtlmServerAccept"), locale("MS\\0x409") ] class NtlmServerAccept:MSV1_0Trace { }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmServerAccept_Start:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmServerAccept_End:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Status") : amended, read] uint32 Status; }; [Dynamic, Description("NTLM Server Accept") : amended, EventType(0), EventTypeName("Info"), locale("MS\\0x409") ] class NtlmServerAccept_Info:NtlmServerAccept { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Flags") : amended, read] uint32 Flags; [WmiDataId(5), Description("Client User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(6), Description("Client Domain Name") : amended, StringTermination("Counted"), format("w"), read] string DomainName; [WmiDataId(7), Description("Client Workstation") : amended, StringTermination("Counted"), format("w"), read] string Workstation; }; [Dynamic, Description("NTLM Client Initialize") : amended, Guid("{6df28b22-73be-45cc-ba80-8b332b35a21d}"), DisplayName("NtlmClientInitialize"), locale("MS\\0x409") ] class NtlmClientInitialize:MSV1_0Trace { }; [Dynamic, Description("NTLM Client Initialize") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmClientInitialize_Start:NtlmClientInitialize { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; }; [Dynamic, Description("NTLM Client Initialize") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmClientInitialize_End:NtlmClientInitialize { [WmiDataId(1), Description("Stage Hint") : amended, read] uint32 StageHint; [WmiDataId(2), Description("In-Context") : amended, pointer, read] uint32 InContext; [WmiDataId(3), Description("Out-Context") : amended, pointer, read] uint32 OutContext; [WmiDataId(4), Description("Status") : amended, read] uint32 Status; }; [Dynamic, Description("NTLM Logon User") : amended, Guid("{19196b33-a302-4c12-9d5a-eac149e93c46}"), DisplayName("NtlmLogonUser"), locale("MS\\0x409") ] class NtlmLogonUser:MSV1_0Trace { }; [Dynamic, Description("NTLM Logon User") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmLogonUser_Start:NtlmLogonUser { }; [Dynamic, Description("NTLM Logon User") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmLogonUser_End:NtlmLogonUser { [WmiDataId(1), Description("Status") : amended, read] uint32 Status; [WmiDataId(2), Description("Logon Type") : amended, read] uint32 LogonType; [WmiDataId(3), Description("User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(4), Description("Domain Name") : amended, StringTermination("Counted"), format("w"), read] string DomainName; }; [Dynamic, Description("NTLM Validate Credentials") : amended, Guid("{34d84181-c28a-41d8-bb9e-995190df83df}"), DisplayName("NtlmValidateUser"), locale("MS\\0x409") ] class NtlmValidateUser:MSV1_0Trace { }; [Dynamic, Description("NTLM Validate Credentials") : amended, EventType(1), EventTypeName("Start"), locale("MS\\0x409") ] class NtlmValidateUser_Start:NtlmValidateUser { }; [Dynamic, Description("NTLM Validate Credentials") : amended, EventType(2), EventTypeName("End"), locale("MS\\0x409") ] class NtlmValidateUser_End:NtlmValidateUser { [WmiDataId(1), Description("Success Bitmask") : amended, read] uint32 Success; [WmiDataId(2), Description("Logon Server") : amended, StringTermination("Counted"), format("w"), read] string LogonServer; [WmiDataId(3), Description("Domain Name") : amended, StringTermination("Counted"), format("w"), read] string LogonDomain; [WmiDataId(4), Description("User Name") : amended, StringTermination("Counted"), format("w"), read] string UserName; [WmiDataId(5), Description("Logon Workstation") : amended, StringTermination("Counted"), format("w"), read] string Workstation; };