Current Path : C:/Users/All Users/Microsoft/Windows Defender/Platform/4.18.25030.2-0/ |
Current File : C:/Users/All Users/Microsoft/Windows Defender/Platform/4.18.25030.2-0/Microsoft-Antimalware-RTP.man |
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
<!--
  Instrumentation (ETW) manifest for the provider "Microsoft-Antimalware-RTP".

  Layout: value maps, then tasks, then payload templates, then events, then the
  en-US string table that the $(string.*) references resolve against.

  Notes for anyone building collection or detection on this provider:
    * Every event below is declared level="win:Informational", so level filtering
      cannot separate state changes (for example RTPDisabledEvent or
      RTPFilterUnloadEvent) from routine start/stop noise. Select by event value
      or task instead.
    * No event declares a channel or a message attribute. As far as this manifest
      shows, the events are consumed through a trace session keyed on the provider
      GUID and decoded from the field names in the templates.
    * The DC* templates carry user, machine, device serial and file path strings.
      Treat collected traces as sensitive data and restrict who can read them.
-->
<assembly
    xmlns="urn:schemas-microsoft-com:asm.v3"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    manifestVersion="1.0">

  <!-- The $(build.*) values are still unexpanded build placeholders in this copy. -->
  <assemblyIdentity
      buildType="$(build.buildType)"
      language="neutral"
      name="Windows-Defender-Service-MpRtpEtw"
      processorArchitecture="$(build.arch)"
      publicKeyToken="$(Build.WindowsPublicKeyToken)"
      version="$(build.version)"
      versionScope="nonSxS"/>

  <instrumentation>
    <events
        xmlns="http://schemas.microsoft.com/win/2004/08/events"
        xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">

      <!--
        Provider identity. The guid and name are what a trace session subscribes to.
        messageFileName and resourceFileName both point at MpRtp.dll under
        %programfiles%; string decoding depends on that path resolving on the host.
      -->
      <provider
          guid="{8e92deef-5e17-413b-b927-59b2f06a3cfc}"
          message="$(string.Microsoft-Antimalware-RTP.provider.name)"
          messageFileName="%programfiles%\Windows Defender\MpRtp.dll"
          name="Microsoft-Antimalware-RTP"
          resourceFileName="%programfiles%\Windows Defender\MpRtp.dll"
          symbol="Microsoft_Antimalware_RTP">

        <!-- Numeric-to-name maps used only by the DlpPerfOperationData template. -->
        <maps>
          <valueMap name="DlpOperationType">
            <map message="$(string.OperationType.DlpEngineInitialize)" value="0"/>
            <map message="$(string.OperationType.DlpEngineEnable)" value="1"/>
            <map message="$(string.OperationType.DlpEngineDisable)" value="2"/>
            <map message="$(string.OperationType.DlpAtomicCheckAccessForFileAndOperation)" value="3"/>
            <map message="$(string.OperationType.DlpCheckAccessForFile)" value="4"/>
            <map message="$(string.OperationType.DlpCheckAccessForOperation)" value="5"/>
          </valueMap>

          <!-- "None" is the 0xffffffff sentinel, not 0; value 0 is CopyToRemovableMedia. -->
          <valueMap name="DlpSubOperationType">
            <map message="$(string.SubOperationType.None)" value="0xffffffff"/>
            <map message="$(string.SubOperationType.DlpSubOperationCopyToRemovableMedia)" value="0"/>
            <map message="$(string.SubOperationType.DlpSubOperationCopyToNetworkShare)" value="1"/>
            <map message="$(string.SubOperationType.DlpSubOperationCopyToClipboard)" value="2"/>
            <map message="$(string.SubOperationType.DlpSubOperationPrint)" value="3"/>
            <map message="$(string.SubOperationType.DlpSubOperationPrintToFile)" value="4"/>
            <map message="$(string.SubOperationType.DlpSubOperationScreenClip)" value="5"/>
          </valueMap>

          <valueMap name="DlpAccessCheckType">
            <map message="$(string.AccessCheckType.DlpFileAccessCheckTypeNone)" value="0"/>
            <map message="$(string.AccessCheckType.DlpFileAccessCheckTypeOpen)" value="1"/>
            <map message="$(string.AccessCheckType.DlpFileAccessCheckTypeSectionCreateSensitive)" value="2"/>
            <map message="$(string.AccessCheckType.DlpFileAccessCheckTypeRead)" value="3"/>
            <map message="$(string.AccessCheckType.DlpFileAccessCheckTypeCandidate)" value="4"/>
          </valueMap>
        </maps>

        <!--
          Tasks group events by activity. Tasks 1 to 20 and 23 are RTP* tasks,
          21 is the DLP performance task, and 22 (DCEvent) is shared by all four DC_* events.
        -->
        <tasks>
          <task eventGUID="{a80e2681-19cb-45fd-8e5e-bdf31a925630}" name="RTPPassthrough" value="1"/>
          <task eventGUID="{6cba00b0-a598-439a-8fa1-7d21480668f1}" name="RTPPlugin" value="2"/>
          <task eventGUID="{70730ef0-c8e8-4dee-9c6f-f3f5d4672b2f}" name="RTPFilterLoad" value="3"/>
          <task eventGUID="{8b08b292-7590-408b-9e30-f32e8d377154}" name="RTPFilterUnload" value="4"/>
          <task eventGUID="{55d09f73-ed05-44f3-aed6-52b21651635f}" name="RTPSetEngine" value="5"/>
          <task eventGUID="{a1f54bbb-bb7f-443e-9d07-6ed9e0f09c9e}" name="RTPFlushCache" value="6"/>
          <task eventGUID="{1bc458bd-fd33-4a34-82d7-109f29d5e311}" name="RTPScanTimeout" value="7"/>
          <task eventGUID="{2c701812-2240-4305-8f52-c4aaf62dbc12}" name="RTPEnabled" value="8"/>
          <task eventGUID="{1392f20c-c750-4952-9855-accee25df368}" name="RTPDisabled" value="9"/>
          <task eventGUID="{f2c5c1c1-f290-47f1-9405-22b98db13de2}" name="RTPConfigUpdate" value="10"/>
          <task eventGUID="{926814c0-7ee2-4a84-aa9e-208221870147}" name="RTPSetRegistryMonitoring" value="11"/>
          <task eventGUID="{e4ae46f6-c4ee-416f-a29f-db6e0ab7cd89}" name="RTPThreatDetection" value="12"/>
          <task eventGUID="{1a13f1ca-358d-4a02-b703-b6c14eddf4b4}" name="RTPSampleDetection" value="13"/>
          <task eventGUID="{40fe7b57-3925-41b0-9a0a-1460a7289da0}" name="RTPLofiDetection" value="14"/>
          <task eventGUID="{68718f43-8b6d-412a-9c15-cffe62238473}" name="RTPExpensiveDetection" value="15"/>
          <task eventGUID="{cf299f11-a0a2-45bf-b7fe-cfe4b7ae2fcc}" name="RTPBMDetection" value="16"/>
          <task eventGUID="{472583bf-e1b7-4016-99f1-00e6f2a253de}" name="RTPSeqRead" value="17"/>
          <task eventGUID="{cbd702de-22de-4d60-9c36-1a61a7ab0b15}" name="RTPSuspend" value="18"/>
          <task eventGUID="{69fc1e84-5067-4903-bf16-8223ab6a0c49}" name="RTPResume" value="19"/>
          <task eventGUID="{b7db7974-6da8-42d5-b4d4-0d8cae5bf803}" name="RTPPriority" value="20"/>
          <task eventGUID="{107A2BE9-5C4C-433C-B97F-B9100AE83F5F}" name="DlpPerfOperation" value="21"/>
          <task eventGUID="{4510012B-AECF-4DB6-B0BF-E9347FA5B94C}" name="DCEvent" value="22"/>
          <task eventGUID="{eb4232ea-6379-422b-aa7a-94cac90148ac}" name="RTPFileScanResult" value="23"/>
        </tasks>

        <!-- Payload layouts. Field order here is the order of the fields in the event data. -->
        <templates>
          <!-- Single string field; used by four of the five *Detection events. -->
          <template tid="StringPayload">
            <data inType="win:UnicodeString" name="File"/>
          </template>

          <template tid="PriorityPayload">
            <data inType="win:UnicodeString" name="Description"/>
            <data inType="win:UInt32" name="PreviousValue"/>
            <data inType="win:UInt32" name="IntendedValueOrHResult"/>
            <data inType="win:UInt32" name="LatestValue"/>
          </template>

          <!-- The only template whose fields are decoded through the value maps above. -->
          <template tid="DlpPerfOperationData">
            <data inType="win:UInt32" map="DlpOperationType" name="Operation"/>
            <data inType="win:UInt32" map="DlpSubOperationType" name="SubOperation"/>
            <data inType="win:UInt32" map="DlpAccessCheckType" name="AccessCheck"/>
          </template>

          <!-- Timestamp is a raw UInt64 with no outType; its epoch and unit are not stated here. -->
          <template tid="DCHealthReportEvent">
            <data inType="win:UInt64" name="Timestamp"/>
            <data inType="win:UnicodeString" name="State"/>
          </template>

          <!--
            Device and network context for a device presence record. Fields such as
            DomainAuthenticatedNetworkPresent are strings, not booleans; parse them as text.
          -->
          <template tid="DCDevicePresenceEvent">
            <data inType="win:UInt64" name="Timestamp"/>
            <data inType="win:UnicodeString" name="CurrentGrantedAccess"/>
            <data inType="win:UnicodeString" name="MaximumPossibleGrantedAccess"/>
            <data inType="win:UnicodeString" name="CurrentDeniedAccess"/>
            <data inType="win:UnicodeString" name="MinimumGuaranteedDeniedAccess"/>
            <data inType="win:UnicodeString" name="MachineName"/>
            <data inType="win:UnicodeString" name="UserName"/>
            <data inType="win:UnicodeString" name="ClassName"/>
            <data inType="win:UnicodeString" name="MediaName"/>
            <data inType="win:UnicodeString" name="BusType"/>
            <data inType="win:UnicodeString" name="DeviceId"/>
            <data inType="win:UnicodeString" name="InstanceId"/>
            <data inType="win:UnicodeString" name="SerialNumber"/>
            <data inType="win:UnicodeString" name="VendorId"/>
            <data inType="win:UnicodeString" name="ProductId"/>
            <data inType="win:UnicodeString" name="DomainAuthenticatedNetworkPresent"/>
            <data inType="win:UnicodeString" name="ActiveVPNConnections"/>
            <data inType="win:UnicodeString" name="ActiveNetworks"/>
            <data inType="win:UnicodeString" name="DevicePolicyGroupMembership"/>
          </template>

          <!--
            Records a duplicated operation together with the policy rule and an
            evidence file location and size. EvidenceFileLocation names where a copy
            is kept; NOTE(review): confirm retention and access control for that location.
          -->
          <template tid="DCDataDuplicationEventData">
            <data inType="win:UInt64" name="Timestamp"/>
            <data inType="win:UnicodeString" name="Policy"/>
            <data inType="win:UnicodeString" name="PolicyRuleId"/>
            <data inType="win:UnicodeString" name="DuplicatedOperation"/>
            <data inType="win:UnicodeString" name="MachineName"/>
            <data inType="win:UnicodeString" name="UserName"/>
            <data inType="win:UnicodeString" name="ClassName"/>
            <data inType="win:UnicodeString" name="MediaName"/>
            <data inType="win:UnicodeString" name="InstanceId"/>
            <data inType="win:UnicodeString" name="SerialNumber"/>
            <data inType="win:UnicodeString" name="VendorId"/>
            <data inType="win:UnicodeString" name="ProductId"/>
            <data inType="win:UnicodeString" name="DeviceFilePath"/>
            <data inType="win:UInt64" name="EvidenceFileSize"/>
            <data inType="win:UnicodeString" name="EvidenceFileLocation"/>
            <data inType="win:UInt64" name="Tag"/>
          </template>

          <!--
            Widest template in the manifest: who (UserName, ProcessImageName), what
            (FilePath, FileSize, Access, ActionType), which device (VendorId, ProductId,
            SerialNumber, InstanceId) and which policy (Policy, PolicyId, AccessChainRule*).
          -->
          <template tid="DCAccessEventData">
            <data inType="win:UInt64" name="Timestamp"/>
            <data inType="win:UnicodeString" name="ActionType"/>
            <data inType="win:UnicodeString" name="Access"/>
            <data inType="win:UnicodeString" name="Policy"/>
            <data inType="win:UnicodeString" name="MachineName"/>
            <data inType="win:UnicodeString" name="MediaName"/>
            <data inType="win:UnicodeString" name="ClassName"/>
            <data inType="win:UnicodeString" name="ClassGuid"/>
            <data inType="win:UnicodeString" name="UserName"/>
            <data inType="win:UnicodeString" name="VendorId"/>
            <data inType="win:UnicodeString" name="ProductId"/>
            <data inType="win:UnicodeString" name="DeviceId"/>
            <data inType="win:UnicodeString" name="InstanceId"/>
            <data inType="win:UnicodeString" name="SerialNumber"/>
            <data inType="win:UnicodeString" name="BusType"/>
            <data inType="win:UnicodeString" name="FilePath"/>
            <data inType="win:UInt64" name="FileSize"/>
            <data inType="win:UInt64" name="Tag"/>
            <data inType="win:UnicodeString" name="DomainAuthenticatedNetworkPresent"/>
            <data inType="win:UnicodeString" name="ActiveVPNConnections"/>
            <data inType="win:UnicodeString" name="ProcessImageName"/>
            <data inType="win:UnicodeString" name="PolicyId"/>
            <data inType="win:UnicodeString" name="AccessChainRuleIds"/>
            <data inType="win:UnicodeString" name="AccessChainRuleEntryIds"/>
            <data inType="win:UnicodeString" name="PrinterPortName"/>
          </template>

          <!--
            Per-file scan outcome. FileId, USN, Flags and hr are rendered as hex.
            ScanReason, RtpScanResult, RtpScanAction and ScanResult are bare UInt32
            values with no value map in this manifest, so their meanings must come
            from another source.
          -->
          <template tid="RTPFileScanResultPayload">
            <data inType="win:UnicodeString" name="FileName"/>
            <data inType="win:UInt32" name="ScanReason"/>
            <data inType="win:UInt64" name="FileId" outType="win:HexInt64"/>
            <data inType="win:UInt64" name="USN" outType="win:HexInt64"/>
            <data inType="win:UInt32" name="RtpScanResult"/>
            <data inType="win:UInt32" name="RtpScanAction"/>
            <data inType="win:UInt32" name="DoNotCache"/>
            <data inType="win:UInt32" name="Flags" outType="win:HexInt32"/>
            <data inType="win:UInt32" name="ScanResult"/>
            <data inType="win:UInt32" name="hr" outType="win:HexInt32"/>
          </template>
        </templates>

        <!-- Event values run 1 to 29 with no gaps; all are version 0. -->
        <events>
          <!-- Paired start/stop activities (values 1 to 4); no payload. -->
          <event level="win:Informational" opcode="win:Start" symbol="RTPPassthrough_Start" task="RTPPassthrough" value="1" version="0"/>
          <event level="win:Informational" opcode="win:Stop" symbol="RTPPassthrough_Stop" task="RTPPassthrough" value="2" version="0"/>
          <event level="win:Informational" opcode="win:Start" symbol="RTPPlugin_Start" task="RTPPlugin" value="3" version="0"/>
          <event level="win:Informational" opcode="win:Stop" symbol="RTPPlugin_Stop" task="RTPPlugin" value="4" version="0"/>

          <!--
            State and configuration changes (values 5 to 13); no payload. The filter
            unload and disabled events are the ones a monitoring rule would most
            likely key on, and they carry no fields, so any context has to come from
            the event header or from correlation with other sources.
          -->
          <event level="win:Informational" opcode="win:Info" symbol="RTPFilterLoadEvent" task="RTPFilterLoad" value="5" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPFilterUnloadEvent" task="RTPFilterUnload" value="6" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPSetEngineEvent" task="RTPSetEngine" value="7" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPFlushCacheEvent" task="RTPFlushCache" value="8" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPScanTimeoutEvent" task="RTPScanTimeout" value="9" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPEnabledEvent" task="RTPEnabled" value="10" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPDisabledEvent" task="RTPDisabled" value="11" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPConfigUpdateEvent" task="RTPConfigUpdate" value="12" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPSetRegistryMonitoringEvent" task="RTPSetRegistryMonitoring" value="13" version="0"/>

          <!--
            Detection events (values 14 to 18). Values 14 to 17 carry the File string;
            RTPBMDetectionEvent (18) declares no template, so it has no File field.
          -->
          <event level="win:Informational" opcode="win:Info" symbol="RTPThreatDetectionEvent" task="RTPThreatDetection" template="StringPayload" value="14" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPSampleDetectionEvent" task="RTPSampleDetection" template="StringPayload" value="15" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPLofiDetectionEvent" task="RTPLofiDetection" template="StringPayload" value="16" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPExpensiveDetectionEvent" task="RTPExpensiveDetection" template="StringPayload" value="17" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPBMDetectionEvent" task="RTPBMDetection" value="18" version="0"/>

          <!-- Scheduling and priority (values 19 to 22); only the priority event has a payload. -->
          <event level="win:Informational" opcode="win:Info" symbol="RTPSeqReadEvent" task="RTPSeqRead" value="19" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPSuspendEvent" task="RTPSuspend" value="20" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPResumeEvent" task="RTPResume" value="21" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPPriorityEvent" task="RTPPriority" template="PriorityPayload" value="22" version="0"/>

          <!-- DLP performance activity (values 23 and 24); start and stop share one template. -->
          <event level="win:Informational" opcode="win:Start" symbol="RTPDlpPerfOperation_Start" task="DlpPerfOperation" template="DlpPerfOperationData" value="23" version="0"/>
          <event level="win:Informational" opcode="win:Stop" symbol="RTPDlpPerfOperation_Stop" task="DlpPerfOperation" template="DlpPerfOperationData" value="24" version="0"/>

          <!--
            DC_* events (25, 26, 28, 29) all use task DCEvent, so the task alone does
            not tell them apart; use the event value. Value 27 is the file scan result.
          -->
          <event level="win:Informational" opcode="win:Info" symbol="DC_AccessEvent" task="DCEvent" template="DCAccessEventData" value="25" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="DC_DataDuplicationEvent" task="DCEvent" template="DCDataDuplicationEventData" value="26" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="RTPFileScanResultEvent" task="RTPFileScanResult" template="RTPFileScanResultPayload" value="27" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="DC_DevicePresenceEvent" task="DCEvent" template="DCDevicePresenceEvent" value="28" version="0"/>
          <event level="win:Informational" opcode="win:Info" symbol="DC_HealthReportEvent" task="DCEvent" template="DCHealthReportEvent" value="29" version="0"/>
        </events>
      </provider>
    </events>
  </instrumentation>

  <!-- en-US display strings for the provider name and the three value maps. -->
  <localization>
    <resources culture="en-US">
      <stringTable>
        <string id="Microsoft-Antimalware-RTP.provider.name" value="Microsoft-Antimalware-RTP"/>

        <string id="OperationType.DlpEngineInitialize" value="DlpEngineInitialize"/>
        <string id="OperationType.DlpEngineEnable" value="DlpEngineEnable"/>
        <string id="OperationType.DlpEngineDisable" value="DlpEngineDisable"/>
        <string id="OperationType.DlpAtomicCheckAccessForFileAndOperation" value="DlpAtomicCheckAccessForFileAndOperation"/>
        <string id="OperationType.DlpCheckAccessForFile" value="DlpCheckAccessForFile"/>
        <string id="OperationType.DlpCheckAccessForOperation" value="DlpCheckAccessForOperation"/>

        <string id="SubOperationType.None" value="None"/>
        <string id="SubOperationType.DlpSubOperationCopyToRemovableMedia" value="CopyToRemovableMedia"/>
        <string id="SubOperationType.DlpSubOperationCopyToNetworkShare" value="CopyToNetworkShare"/>
        <string id="SubOperationType.DlpSubOperationCopyToClipboard" value="CopyToClipboard"/>
        <string id="SubOperationType.DlpSubOperationPrint" value="Print"/>
        <string id="SubOperationType.DlpSubOperationPrintToFile" value="PrintToFile"/>
        <string id="SubOperationType.DlpSubOperationScreenClip" value="ScreenClip"/>

        <!-- Both SubOperationType.None and this entry render as "None"; keep the field name when displaying. -->
        <string id="AccessCheckType.DlpFileAccessCheckTypeNone" value="None"/>
        <string id="AccessCheckType.DlpFileAccessCheckTypeOpen" value="Open"/>
        <string id="AccessCheckType.DlpFileAccessCheckTypeSectionCreateSensitive" value="SectionCreateSensitive"/>
        <string id="AccessCheckType.DlpFileAccessCheckTypeRead" value="Read"/>
        <string id="AccessCheckType.DlpFileAccessCheckTypeCandidate" value="Candidate"/>
      </stringTable>
    </resources>
  </localization>
</assembly>