????

Your IP : 3.138.105.128

Current Path : C:/Windows/System32/wbem/
Upload File :
Current File : C:/Windows/System32/wbem/krnlprov.mof

��// Copyright (c) 1997-2003 Microsoft Corporation, All Rights Reserved



#pragma autorecover

#pragma classflags(64)

#pragma namespace("\\\\.\\Root\\CIMV2")



[Locale(1033) : ToInstance] 

class Win32_SystemTrace : __ExtrinsicEvent

{

};



[Locale(1033) : ToInstance] 

class Win32_ProcessTrace : Win32_SystemTrace

{

  [read : ToSubclass] uint32 ProcessID;

  [read : ToSubclass] uint32 ParentProcessID;

  [read : ToSubclass] uint32 SessionID;

  [read : ToSubclass] uint8 Sid[];

  [read : ToSubclass] string ProcessName;

};



[Locale(1033) : ToInstance] 

class Win32_ProcessStartTrace : Win32_ProcessTrace

{

};



[Locale(1033) : ToInstance] 

class Win32_ProcessStopTrace : Win32_ProcessTrace

{

  [read : ToSubclass] uint32 ExitStatus;

};



[Locale(1033) : ToInstance] 

class Win32_ThreadTrace : Win32_SystemTrace

{

  [read : ToSubclass] uint32 ThreadID;

  [read : ToSubclass] uint32 ProcessID;

};



[Locale(1033) : ToInstance] 

class Win32_ThreadStartTrace : Win32_ThreadTrace

{

  [read : ToSubclass] uint64 StackBase;

  [read : ToSubclass] uint64 StackLimit;

  [read : ToSubclass] uint64 UserStackBase;

  [read : ToSubclass] uint64 UserStackLimit;

  uint64 StartAddr;

  uint64 Win32StartAddr;

  uint32 WaitMode;

};



[Locale(1033) : ToInstance] 

class Win32_ThreadStopTrace : Win32_ThreadTrace

{

};



[Locale(1033) : ToInstance] 

class Win32_ModuleTrace : Win32_SystemTrace

{

};



[Locale(1033) : ToInstance] 

class Win32_ModuleLoadTrace : Win32_ModuleTrace

{

  [read : ToSubclass] uint64 ImageBase;

  [read : ToSubclass] uint64 ImageSize;

  [read : ToSubclass] uint32 ProcessID;

  [read : ToSubclass] string FileName;

  [read : ToSubclass] uint32 ImageChecksum;

  [read : ToSubclass] uint32 TimeDateStamp;

  [read : ToSubclass] uint64 DefaultBase;

};



Instance of __Win32Provider as $KTP

{

  Name = "WMI Kernel Trace Event Provider";

  Clsid = "{9877D8A7-FDA1-43F9-AEEA-F90747EA66B0}";

  HostingModel = "WmiCore";

};



Instance of __EventProviderRegistration

{

  Provider = $KTP;

  EventQueryList = {"select * from Win32_ProcessStartTrace", "select * from Win32_ProcessStopTrace", "select * from Win32_ThreadStartTrace", "select * from Win32_ThreadStopTrace", "select * from Win32_ModuleLoadTrace"};

};

#pragma autorecover

#pragma classflags(64)

#pragma namespace("\\\\.\\Root\\CIMV2")

instance of __namespace{ name="ms_409";};

#pragma namespace("\\\\.\\Root\\CIMV2\\ms_409")



[Description("The SystemTrace class is the base class for all system trace events.  System trace events are fired by the kernel logger via the event tracing API.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_SystemTrace : __ExtrinsicEvent

{

};



[Description("This event is the base event for process events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ProcessTrace : Win32_SystemTrace

{

  [Description("The ProcessID property identifies the process involved in the event.") : Amended ToSubclass] uint32 ProcessID;

  [Description("The ParentProcessID property identifies of the process that actuallycaused the event to happen.") : Amended ToSubclass] uint32 ParentProcessID;

  [Description("The SessionID property identifies the session under which the process exists.") : Amended ToSubclass] uint32 SessionID;

  [Description("The Sid property is the security identifier representing the user context under which the event happened.") : Amended ToSubclass] uint8 Sid[];

  [Description("The ProcessName property contains the name of the process.") : Amended ToSubclass] string ProcessName;

};



[Description("The ProcessStartTrace event class indicates a new process has started.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ProcessStartTrace : Win32_ProcessTrace

{

};



[Description("The ProcessStopTrace event class indicates a process has terminated.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ProcessStopTrace : Win32_ProcessTrace

{

  [Description("The ExitStatus property contains the exit status of the stopped process ") : Amended ToSubclass] uint32 ExitStatus;

};



[Description("The ThreadTrace event class is the base event for thread events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ThreadTrace : Win32_SystemTrace

{

  [Description("The ThreadID property contains the thread identifier of the thread involved in the event.") : Amended ToSubclass] uint32 ThreadID;

  [Description("The ProcessID property contains the process identifier of the process to which the thread belongs.") : Amended ToSubclass] uint32 ProcessID;

};



[Description("The ThreadStartTrace event class indicates a new thread has started.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ThreadStartTrace : Win32_ThreadTrace

{

  [Description("The StackBase property indicates the base address of the thread's stack.") : Amended ToSubclass] uint64 StackBase;

  [Description("The StackBase property indicates the limit of the thread's stack.") : Amended ToSubclass] uint64 StackLimit;

  [Description("The UserStackBase property indicates the base address of the thread's user-mode stack.") : Amended ToSubclass] uint64 UserStackBase;

  [Description("The UserStackLimit property indicates the limit of the thread's user-mode stack.") : Amended ToSubclass] uint64 UserStackLimit;

};



[Description("The ThreadStopTrace event class indicates a thread has terminated.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ThreadStopTrace : Win32_ThreadTrace

{

};



[Description("The ModuleTrace event class is the base event for module events.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ModuleTrace : Win32_SystemTrace

{

};



[Description("The ModuleLoadTrace event class indicates a process has loaded a new module.") : Amended ToSubclass,AMENDMENT, LOCALE("ms_409") : ToInstance] 

class Win32_ModuleLoadTrace : Win32_ModuleTrace

{

  [Description("The ImageBase property indicates the base address where the module was loaded into process memory.") : Amended ToSubclass] uint64 ImageBase;

  [Description("The ImageSize property indicates the size in bytes of the loaded module.") : Amended ToSubclass] uint64 ImageSize;

  [Description("The ProcessID property indentifies the process that loaded the module.") : Amended ToSubclass] uint32 ProcessID;

  [Description("The FileName property indicates the filename of the loaded module.") : Amended ToSubclass] string FileName;

  [Description("NT image checksum (usually set at link time), as listed in the NT image header; it is a hash used to verify the image was not changed or it's the same.  Note: This is not a cryptographic hash, therefore it's weak.") : Amended ToSubclass] uint32 ImageChecksum;

  [Description("NT image timestamp (usually set at link time), as listed in the NT image header; it is a  used to identify the binary image along with the original file name and ImageSize, which is also retrieved from the NT image header.") : Amended ToSubclass] uint32 TimeDateStamp;

  [Description("default load base address, as listed in the NT image header; if the requested address is unavailable the image will be loaded at a different address (ImageBase), causing rebasing.") : Amended ToSubclass] uint64 DefaultBase;

};