Last active
January 7, 2022 11:08
-
-
Save andrewkroh/57631d96eed73257a08676149653d283 to your computer and use it in GitHub Desktop.
Microsoft-Windows-FileInfoMinifilter Messages from Windows 2012 Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Id : 1 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, fi:FileNameCreate} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="PathLength" inType="win:UInt16" outType="xs:unsignedShort"/> | |
| <data name="Path" inType="win:UnicodeString" outType="xs:string" length="PathLength"/> | |
| </template> | |
| Description : | |
| Id : 2 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, fi:FileNameRundown} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="PathLength" inType="win:UInt16" outType="xs:unsignedShort"/> | |
| <data name="Path" inType="win:UnicodeString" outType="xs:string" length="PathLength"/> | |
| </template> | |
| Description : | |
| Id : 3 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, fi:FileNameDelete} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="PathLength" inType="win:UInt16" outType="xs:unsignedShort"/> | |
| <data name="Path" inType="win:UnicodeString" outType="xs:string" length="PathLength"/> | |
| </template> | |
| Description : | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Id : 10 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILENAME} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 11 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILENAME} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 12 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_CREATE, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="CreateOptions" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="CreateAttributes" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ShareAccess" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 12 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_CREATE, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="CreateOptions" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="CreateAttributes" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ShareAccess" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 13 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| </template> | |
| Description : | |
| Id : 13 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 14 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| </template> | |
| Description : | |
| Id : 14 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 15 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_READ, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="ByteOffset" inType="win:UInt64" outType="win:HexInt64"/> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IOSize" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="IOFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| </template> | |
| Description : | |
| Id : 15 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_READ, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="ByteOffset" inType="win:UInt64" outType="win:HexInt64"/> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="IOSize" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="IOFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ExtraFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| </template> | |
| Description : | |
| Id : 16 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_WRITE, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="ByteOffset" inType="win:UInt64" outType="win:HexInt64"/> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IOSize" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="IOFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| </template> | |
| Description : | |
| Id : 16 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_WRITE, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="ByteOffset" inType="win:UInt64" outType="win:HexInt64"/> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="IOSize" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="IOFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ExtraFlags" inType="win:UInt32" outType="win:HexInt32"/> | |
| </template> | |
| Description : | |
| Id : 17 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 17 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 18 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 18 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 19 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 19 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 20 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="Length" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileIndex" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 20 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="Length" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileIndex" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 21 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| </template> | |
| Description : | |
| Id : 21 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 22 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 22 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 23 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 23 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 24 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_OP_END, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="Status" inType="win:UInt32" outType="win:HexInt32"/> | |
| </template> | |
| Description : | |
| Id : 25 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="Length" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileIndex" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 25 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="Length" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileIndex" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 26 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_DELETE_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 26 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_DELETE_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 27 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 27 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 28 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 28 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="FilePath" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 29 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 29 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_FILEIO} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileKey" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ExtraInformation" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="InfoClass" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| </template> | |
| Description : | |
| Id : 30 | |
| Version : 0 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_CREATE_NEW_FILE} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="ThreadId" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="CreateOptions" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="CreateAttributes" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ShareAccess" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
| Id : 30 | |
| Version : 1 | |
| LogLink : System.Diagnostics.Eventing.Reader.EventLogLink | |
| Level : System.Diagnostics.Eventing.Reader.EventLevel | |
| Opcode : System.Diagnostics.Eventing.Reader.EventOpcode | |
| Task : System.Diagnostics.Eventing.Reader.EventTask | |
| Keywords : {, KERNEL_FILE_KEYWORD_CREATE_NEW_FILE} | |
| Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events"> | |
| <data name="Irp" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="FileObject" inType="win:Pointer" outType="win:HexInt64"/> | |
| <data name="IssuingThreadId" inType="win:UInt32" outType="xs:unsignedInt"/> | |
| <data name="CreateOptions" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="CreateAttributes" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="ShareAccess" inType="win:UInt32" outType="win:HexInt32"/> | |
| <data name="FileName" inType="win:UnicodeString" outType="xs:string"/> | |
| </template> | |
| Description : | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment