# -*- coding: utf-8 -*-
"""
Microsoft-Office-Events
GUID : 8736922d-e8b2-47eb-8564-23e77e728cf3
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"), event_id=1, version=0)
class Microsoft_Office_Events_1_0(Etw):
    """Payload layout for Microsoft-Office-Events event 1, version 0."""
    pattern = Struct(
        "cValue" / Int32ul,
        "Frame" / Int64ul,
    )


@declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"), event_id=2, version=0)
class Microsoft_Office_Events_2_0(Etw):
    """Payload layout for Microsoft-Office-Events event 2, version 0."""
    pattern = Struct(
        "BaseAddress" / Int64ul,
        "TimeDateStamp" / Int32ul,
        "Size" / Int32ul,
        "wzName" / WString,
    )


@declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"),
         event_id=3,
         version=0)
class Microsoft_Office_Events_3_0(Etw):
    pattern = Struct("dwTag" / Int32ul, "dwID" / Int32ul,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PDFReader
GUID : dfa86faa-2c55-4140-bff9-5cc586217a7b
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("dfa86faa-2c55-4140-bff9-5cc586217a7b"), event_id=1, version=0)
class Microsoft_Windows_PDFReader_1_0(Etw):
    """Payload layout for Microsoft-Windows-PDFReader event 1, version 0."""
    pattern = Struct(
        "FileName" / WString,
        "WindowID" / Int32ul,
    )


@declare(guid=guid("dfa86faa-2c55-4140-bff9-5cc586217a7b"), event_id=2, version=0)
class Microsoft_Windows_PDFReader_2_0(Etw):
    """Payload layout for Microsoft-Windows-PDFReader event 2, version 0."""
    pattern = Struct(
        "HResult" / Int32ul,
    )


@declare(guid=guid("dfa86faa-2c55-4140-bff9-5cc586217a7b"), event_id=35, version=0)
class Microsoft_Windows_PDFReader_35_0(Etw):
    """Payload layout for Microsoft-Windows-PDFReader event 35, version 0."""
    pattern = Struct(
        "StringParam" / CString,
        "HResultParam" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-SPB-HIDI2C
GUID : 991f8fe6-249d-44d6-b93d-5a3060c1dedb
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("991f8fe6-249d-44d6-b93d-5a3060c1dedb"), event_id=1000, version=1)
class Microsoft_Windows_SPB_HIDI2C_1000_1(Etw):
    """Payload layout for Microsoft-Windows-SPB-HIDI2C event 1000, version 1."""
    pattern = Struct(
        "DeviceObject" / Int64ul,
        "Status" / Int32ul,
    )


@declare(guid=guid("991f8fe6-249d-44d6-b93d-5a3060c1dedb"), event_id=1001, version=1)
class Microsoft_Windows_SPB_HIDI2C_1001_1(Etw):
    """Payload layout for Microsoft-Windows-SPB-HIDI2C event 1001, version 1."""
    pattern = Struct(
        "DeviceObject" / Int64ul,
        "Status" / Int32ul,
    )


@declare(guid=guid("991f8fe6-249d-44d6-b93d-5a3060c1dedb"), event_id=1002, version=1)
class Microsoft_Windows_SPB_HIDI2C_1002_1(Etw):
    """Payload layout for Microsoft-Windows-SPB-HIDI2C event 1002, version 1."""
    pattern = Struct(
        "DeviceObject" / Int64ul,
        "Status" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-D3D9
GUID : 783aca0a-790e-4d7f-8451-aa850511c6b9
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"), event_id=1, version=0)
class Microsoft_Windows_D3D9_1_0(Etw):
    """Payload layout for Microsoft-Windows-D3D9 event 1, version 0."""
    pattern = Struct(
        "pSwapchain" / Int64ul,
        "Flags" / Int32ul,
    )


@declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"), event_id=2, version=0)
class Microsoft_Windows_D3D9_2_0(Etw):
    """Payload layout for Microsoft-Windows-D3D9 event 2, version 0."""
    pattern = Struct(
        "Result" / Int32ul,
    )


@declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"),
         event_id=3,
         version=0)
class Microsoft_Windows_D3D9_3_0(Etw):
    pattern = Struct("pSwapchain" / Int64ul, "Width" / Int32ul,
                     "Height" / Int32ul, "BackbufferFormat" / Int32ul,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Winsock-SQM
GUID : 093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=5, version=0)
class Microsoft_Windows_Winsock_SQM_5_0(Etw):
    """Payload layout for Microsoft-Windows-Winsock-SQM event 5, version 0."""
    pattern = Struct(
        "SqmType" / Int32ul,
        "SqmSessionGuid" / Guid,
        "SqmID" / Int32ul,
        "SqmDWORDDatapointValue" / Int32ul,
    )


@declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=10, version=0)
class Microsoft_Windows_Winsock_SQM_10_0(Etw):
    """Payload layout for Microsoft-Windows-Winsock-SQM event 10, version 0."""
    pattern = Struct(
        "SqmType" / Int32ul,
        "SqmSessionGuid" / Guid,
        "SqmID" / Int32ul,
        "SqmStringDatapointValue" / WString,
    )


@declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"),
         event_id=11,
         version=0)
class Microsoft_Windows_Winsock_SQM_11_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-Wcifs-Mapping
GUID : 0223f0a3-6383-5a7a-7bc7-04d4739e2e32
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("0223f0a3-6383-5a7a-7bc7-04d4739e2e32"), event_id=1, version=0)
class Microsoft_Windows_Containers_Wcifs_Mapping_1_0(Etw):
    """Payload layout for Microsoft-Windows-Containers-Wcifs-Mapping event 1, version 0.

    ``Source`` and ``Target`` are raw byte blobs whose lengths come from the
    16-bit field immediately preceding each of them.
    """
    pattern = Struct(
        "SourceLength" / Int16ul,
        "Source" / Bytes(lambda this: this.SourceLength),
        "TargetLength" / Int16ul,
        "Target" / Bytes(lambda this: this.TargetLength),
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-XWizards
GUID : 777ba8fe-2498-4875-933a-3067de883070
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=81, version=0)
class Microsoft_Windows_XWizards_81_0(Etw):
    """Payload layout for Microsoft-Windows-XWizards event 81, version 0."""
    pattern = Struct(
        "Caption" / WString,
        "Text" / WString,
    )


@declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=82, version=0)
class Microsoft_Windows_XWizards_82_0(Etw):
    """Payload layout for Microsoft-Windows-XWizards event 82, version 0."""
    pattern = Struct(
        "Caption" / WString,
        "Text" / WString,
    )


@declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=83, version=0)
class Microsoft_Windows_XWizards_83_0(Etw):
    """Payload layout for Microsoft-Windows-XWizards event 83, version 0."""
    pattern = Struct(
        "Caption" / WString,
        "Text" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WWAN-CFE
GUID : 71c993b8-1e28-4543-9886-fb219b63fdb3
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=12, version=0)
class Microsoft_Windows_WWAN_CFE_12_0(Etw):
    """Payload layout for Microsoft-Windows-WWAN-CFE event 12, version 0."""
    pattern = Struct(
        "Manufacture" / WString,
        "Model" / WString,
        "FirmwareVersion" / WString,
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=15, version=0)
class Microsoft_Windows_WWAN_CFE_15_0(Etw):
    """Payload layout for Microsoft-Windows-WWAN-CFE event 15, version 0."""
    pattern = Struct(
        "ProviderName" / WString,
    )


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"),
         event_id=16,
         version=0)
class Microsoft_Windows_WWAN_CFE_16_0(Etw):
    pattern = Struct("Manufacture" / WString, "Model" / WString,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Sysmon
GUID : 5770385f-c22a-43e0-bf4c-06f5698ffbd9
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("5770385f-c22a-43e0-bf4c-06f5698ffbd9"), event_id=1, version=5)
class Microsoft_Windows_Sysmon_1_5(Etw):
    pattern = Struct(
        "RuleName" / WString,
        "UtcTime" / WString,
        "ProcessGuid" / Guid,
        "ProcessId" / Int32ul,
        "Image" / WString,
        "FileVersion" / WString,
        "Description" / WString,
        "Product" / WString,
        "Company" / WString,
        "OriginalFileName" / WString,
        "CommandLine" / WString,
        "CurrentDirectory" / WString,
        "User" / WString,
        "LogonGuid" / Guid,
        "LogonId" / Int64ul,
        "TerminalSessionId" / Int32ul,
        "IntegrityLevel" / WString,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Diagnosis-PCW
GUID : aabf8b86-7936-4fa2-acb0-63127f879dbf
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"), event_id=1, version=0)
class Microsoft_Windows_Diagnosis_PCW_1_0(Etw):
    """Payload layout for Microsoft-Windows-Diagnosis-PCW event 1, version 0."""
    pattern = Struct(
        "Error" / Int32ul,
        "ProviderGuid" / Guid,
    )


@declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"), event_id=2, version=0)
class Microsoft_Windows_Diagnosis_PCW_2_0(Etw):
    """Payload layout for Microsoft-Windows-Diagnosis-PCW event 2, version 0."""
    pattern = Struct(
        "Error" / Int32ul,
        "ProviderGuid" / Guid,
        "CounterSetGuid" / Guid,
    )


@declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"),
         event_id=3,
         version=0)
class Microsoft_Windows_Diagnosis_PCW_3_0(Etw):
    pattern = Struct("Error" / Int32ul, "CounterSetGuid" / Guid,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-User-Diagnostic
GUID : 305fc87b-002a-5e26-d297-60223012ca9c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("305fc87b-002a-5e26-d297-60223012ca9c"), event_id=1, version=0)
class Microsoft_Windows_User_Diagnostic_1_0(Etw):
    """Payload layout for Microsoft-Windows-User-Diagnostic event 1, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Storage-Tiering-IoHeat
GUID : 990c55fc-2662-47f6-b7d7-eb3c027cb13f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"), event_id=1, version=0)
class Microsoft_Windows_Storage_Tiering_IoHeat_1_0(Etw):
    """Payload layout for Microsoft-Windows-Storage-Tiering-IoHeat event 1, version 0."""
    pattern = Struct(
        "VolumeGuid" / Guid,
        "VolumeIdHash" / Int32ul,
    )


@declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"), event_id=2, version=0)
class Microsoft_Windows_Storage_Tiering_IoHeat_2_0(Etw):
    """Payload layout for Microsoft-Windows-Storage-Tiering-IoHeat event 2, version 0."""
    pattern = Struct(
        "FileIDLower" / Int64ul,
        "FileIDUpper" / Int64ul,
        "Offset" / Int64ul,
        "Length" / Int32ul,
        "VolumeIdHash" / Int32ul,
    )


@declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"),
         event_id=3,
         version=0)
class Microsoft_Windows_Storage_Tiering_IoHeat_3_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Crypto-BCrypt
GUID : c7e089ac-ba2a-11e0-9af7-68384824019b
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("c7e089ac-ba2a-11e0-9af7-68384824019b"), event_id=1, version=0)
class Microsoft_Windows_Crypto_BCrypt_1_0(Etw):
    """Payload layout for Microsoft-Windows-Crypto-BCrypt event 1, version 0."""
    pattern = Struct(
        "ProviderName" / WString,
        "AlgorithmName" / WString,
        "dwFlags" / Int32ul,
        "Status" / Int32ul,
        "OperationType" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Search-ProfileNotify
GUID : fc6f77dd-769a-470e-bcf9-1b6555a118be
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


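@declare(guid=guid("fc6f77dd-769a-470e-bcf9-1b6555a118be"), event_id=1, version=0)
class Microsoft_Windows_Search_ProfileNotify_1_0(Etw):
    """Payload layout for Microsoft-Windows-Search-ProfileNotify event 1, version 0.

    ``binary`` is a raw blob whose size is given by the preceding
    ``__binLength`` field.
    """
    pattern = Struct(
        "User" / WString,
        "__binLength" / Int32ul,
        # Item lookup rather than ``this.__binLength``: an attribute name
        # starting with two underscores that appears textually inside a class
        # body is name-mangled by Python to
        # ``this._Microsoft_Windows_Search_ProfileNotify_1_0__binLength``,
        # which is not a field of the parse context, so the length callback
        # could never resolve. A string key is not subject to mangling.
        "binary" / Bytes(lambda this: this["__binLength"]),
    )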


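@declare(guid=guid("fc6f77dd-769a-470e-bcf9-1b6555a118be"), event_id=2, version=0)
class Microsoft_Windows_Search_ProfileNotify_2_0(Etw):
    """Payload layout for Microsoft-Windows-Search-ProfileNotify event 2, version 0.

    ``binary`` is a raw blob whose size is given by the preceding
    ``__binLength`` field.
    """
    pattern = Struct(
        "UserAccount" / WString,
        "ErrorCode" / WString,
        "ErrorMessage" / WString,
        "__binLength" / Int32ul,
        # Item lookup rather than ``this.__binLength``: an attribute name
        # starting with two underscores that appears textually inside a class
        # body is name-mangled by Python to
        # ``this._Microsoft_Windows_Search_ProfileNotify_2_0__binLength``,
        # which is not a field of the parse context, so the length callback
        # could never resolve. A string key is not subject to mangling.
        "binary" / Bytes(lambda this: this["__binLength"]),
    )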

# -*- coding: utf-8 -*-
"""
Microsoft-Windows-TerminalServices-RemoteConnectionManager
GUID : c76baa63-ae81-421c-b425-340b4b24157f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("c76baa63-ae81-421c-b425-340b4b24157f"), event_id=2, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_2_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-RemoteConnectionManager event 2, version 0."""
    pattern = Struct(
        "message" / CString,
    )


@declare(guid=guid("c76baa63-ae81-421c-b425-340b4b24157f"), event_id=3, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_3_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-RemoteConnectionManager event 3, version 0."""
    pattern = Struct(
        "message" / CString,
    )


@declare(guid=guid("c76baa63-ae81-421c-b425-340b4b24157f"), event_id=4, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_4_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-RemoteConnectionManager event 4, version 0."""
    pattern = Struct(
        "message" / CString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RPCSS
GUID : d8975f88-7ddb-4ed0-91bf-3adf48c48e0c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=1, version=1)
class Microsoft_Windows_RPCSS_1_1(Etw):
    """Payload layout for Microsoft-Windows-RPCSS event 1, version 1."""
    pattern = Struct(
        "DetectionLocation" / Int16ul,
        "Status" / Int32ul,
        "AdditionalData1" / Int32ul,
        "AdditionalData2" / Int32ul,
    )


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=2, version=1)
class Microsoft_Windows_RPCSS_2_1(Etw):
    """Payload layout for Microsoft-Windows-RPCSS event 2, version 1."""
    pattern = Struct(
        "InterfaceUUID" / Guid,
        "ObjectUUID" / Guid,
        "Protocol" / CString,
        "EndPoint" / CString,
    )


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"),
         event_id=3,
         version=1)
class Microsoft_Windows_RPCSS_3_1(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-StateRepository
GUID : 89592015-d996-4636-8f61-066b5d4dd739
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("89592015-d996-4636-8f61-066b5d4dd739"), event_id=100, version=0)
class Microsoft_Windows_StateRepository_100_0(Etw):
    """Payload layout for Microsoft-Windows-StateRepository event 100, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
        "SQL" / CString,
    )


@declare(guid=guid("89592015-d996-4636-8f61-066b5d4dd739"), event_id=101, version=0)
class Microsoft_Windows_StateRepository_101_0(Etw):
    """Payload layout for Microsoft-Windows-StateRepository event 101, version 0."""
    pattern = Struct(
        "SQL" / CString,
        "ProcessId" / Int32ul,
        "ThreadId" / Int32ul,
    )


@declare(guid=guid("89592015-d996-4636-8f61-066b5d4dd739"), event_id=102, version=0)
class Microsoft_Windows_StateRepository_102_0(Etw):
    """Payload layout for Microsoft-Windows-StateRepository event 102, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
        "Subkey" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Hyper-V-ComputeLib
GUID : af7fd3a7-b248-460c-a9f5-fec39ef8468c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("af7fd3a7-b248-460c-a9f5-fec39ef8468c"), event_id=100, version=0)
class Microsoft_Windows_Hyper_V_ComputeLib_100_0(Etw):
    """Payload layout for Microsoft-Windows-Hyper-V-ComputeLib event 100, version 0."""
    pattern = Struct(
        "TraceData" / WString,
        "VmName" / WString,
        "VmId" / WString,
        "StackFrameCount" / Int32ul,
        "StackFrame" / Int64ul,
        "ModuleCount" / Int32ul,
        "Module" / Int32sl,
    )


@declare(guid=guid("af7fd3a7-b248-460c-a9f5-fec39ef8468c"), event_id=101, version=0)
class Microsoft_Windows_Hyper_V_ComputeLib_101_0(Etw):
    """Payload layout for Microsoft-Windows-Hyper-V-ComputeLib event 101, version 0."""
    pattern = Struct(
        "TraceData" / WString,
        "VmName" / WString,
        "VmId" / WString,
        "StackFrameCount" / Int32ul,
        "StackFrame" / Int64ul,
        "ModuleCount" / Int32ul,
        "Module" / Int32sl,
    )

# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ServiceTriggerPerfEventProvider
GUID : 6545939f-3398-411a-88b7-6a8914b8cec7
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=1, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_1_0(Etw):
    """Payload layout for Microsoft-Windows-ServiceTriggerPerfEventProvider event 1, version 0."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString,
    )


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=2, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_2_0(Etw):
    """Payload layout for Microsoft-Windows-ServiceTriggerPerfEventProvider event 2, version 0."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString,
    )


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=3, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_3_0(Etw):
    """Payload layout for Microsoft-Windows-ServiceTriggerPerfEventProvider event 3, version 0."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-UserDataAccess-Poom
GUID : 0bd19909-eb6f-4b16-8074-6dce803f091d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"), event_id=1, version=0)
class Microsoft_Windows_UserDataAccess_Poom_1_0(Etw):
    """Payload layout for Microsoft-Windows-UserDataAccess-Poom event 1, version 0."""
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul,
    )


@declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"), event_id=2, version=0)
class Microsoft_Windows_UserDataAccess_Poom_2_0(Etw):
    """Payload layout for Microsoft-Windows-UserDataAccess-Poom event 2, version 0."""
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul,
    )


@declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"),
         event_id=1000,
         version=0)
class Microsoft_Windows_UserDataAccess_Poom_1000_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Diagnosis-WDC
GUID : 05921578-2261-42c7-a0d3-26ddbce6c50d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"),
         event_id=5016,
         version=0)
class Microsoft_Windows_Diagnosis_WDC_5016_0(Etw):
    """Payload layout for Microsoft-Windows-Diagnosis-WDC event 5016, version 0."""
    pattern = Struct("FileName" / CString, "Line" / Int32ul,
                     "Address" / Int64ul, "Size" / Int64ul)


@declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"),
         event_id=5017,
         version=0)
class Microsoft_Windows_Diagnosis_WDC_5017_0(Etw):
    """Payload layout for Microsoft-Windows-Diagnosis-WDC event 5017, version 0."""
    pattern = Struct("FileName" / CString, "Line" / Int32ul,
                     "Address" / Int64ul)


@declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"), event_id=5018, version=0)
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PerfProc
GUID : 72d211e1-4c54-4a93-9520-4901681b2271
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("72d211e1-4c54-4a93-9520-4901681b2271"), event_id=2001, version=1)
class Microsoft_Windows_PerfProc_2001_1(Etw):
    """Payload layout for Microsoft-Windows-PerfProc event 2001, version 1."""
    pattern = Struct(
        "Win32Error" / Int32ul,
    )


@declare(guid=guid("72d211e1-4c54-4a93-9520-4901681b2271"), event_id=2002, version=1)
class Microsoft_Windows_PerfProc_2002_1(Etw):
    """Payload layout for Microsoft-Windows-PerfProc event 2002, version 1."""
    pattern = Struct(
        "Message" / WString,
        "Win32Error" / Int32ul,
    )


@declare(guid=guid("72d211e1-4c54-4a93-9520-4901681b2271"), event_id=2003, version=1)
class Microsoft_Windows_PerfProc_2003_1(Etw):
    """Payload layout for Microsoft-Windows-PerfProc event 2003, version 1."""
    pattern = Struct(
        "Message" / WString,
        "Win32Error" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Spell-Checking
GUID : d0e22efc-ac66-4b25-a72d-382736b5e940
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d0e22efc-ac66-4b25-a72d-382736b5e940"), event_id=1, version=0)
class Microsoft_Windows_Spell_Checking_1_0(Etw):
    """Payload layout for Microsoft-Windows-Spell-Checking event 1, version 0."""
    pattern = Struct(
        "WordlistType" / Int32ul,
    )


@declare(guid=guid("d0e22efc-ac66-4b25-a72d-382736b5e940"), event_id=2, version=0)
class Microsoft_Windows_Spell_Checking_2_0(Etw):
    """Payload layout for Microsoft-Windows-Spell-Checking event 2, version 0."""
    pattern = Struct(
        "WordlistType" / Int32ul,
    )


@declare(guid=guid("d0e22efc-ac66-4b25-a72d-382736b5e940"), event_id=16, version=0)
class Microsoft_Windows_Spell_Checking_16_0(Etw):
    """Payload layout for Microsoft-Windows-Spell-Checking event 16, version 0."""
    pattern = Struct(
        "First" / WString,
        "Second" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-KRTIP
GUID : e013e74b-97f4-4e1c-a120-596e5629ecfe
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("e013e74b-97f4-4e1c-a120-596e5629ecfe"), event_id=10, version=0)
class Microsoft_Windows_IME_KRTIP_10_0(Etw):
    """Payload layout for Microsoft-Windows-IME-KRTIP event 10, version 0."""
    pattern = Struct(
        "Duration" / Int32ul,
        "IMEType" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-BranchCacheSMB
GUID : 4a933674-fb3d-4e8d-b01d-17ee14e91a3e
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"),
         event_id=3000,
         version=0)
class Microsoft_Windows_BranchCacheSMB_3000_0(Etw):
    """Payload layout for Microsoft-Windows-BranchCacheSMB event 3000, version 0."""
    pattern = Struct("MinHashVersion" / Int32ul, "MaxHashVersion" / Int32ul)


@declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"),
         event_id=3002,
         version=0)
class Microsoft_Windows_BranchCacheSMB_3002_0(Etw):
    """Payload layout for Microsoft-Windows-BranchCacheSMB event 3002, version 0."""
    pattern = Struct("Path" / WString)


@declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"), event_id=3003, version=0)
class Microsoft_Windows_BranchCacheSMB_3003_0(Etw):
    pattern = Struct(
        "Path" / WString,
        "ContentHandle" / WString,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-TerminalServices-Printers
GUID : 952773bf-c2b7-49bc-88f4-920744b82c43
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("952773bf-c2b7-49bc-88f4-920744b82c43"), event_id=1100, version=0)
class Microsoft_Windows_TerminalServices_Printers_1100_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-Printers event 1100, version 0."""
    pattern = Struct(
        "Param1" / WString,
    )


@declare(guid=guid("952773bf-c2b7-49bc-88f4-920744b82c43"), event_id=1102, version=0)
class Microsoft_Windows_TerminalServices_Printers_1102_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-Printers event 1102, version 0."""
    pattern = Struct(
        "Param1" / WString,
        "Param2" / WString,
    )


@declare(guid=guid("952773bf-c2b7-49bc-88f4-920744b82c43"), event_id=1105, version=0)
class Microsoft_Windows_TerminalServices_Printers_1105_0(Etw):
    """Payload layout for Microsoft-Windows-TerminalServices-Printers event 1105, version 0."""
    pattern = Struct(
        "Param1" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-MCCS-ActiveSyncProvider
GUID : 4a155f10-25ad-47e6-aba8-2c4f5eee7846
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"), event_id=1, version=0)
class Microsoft_Windows_MCCS_ActiveSyncProvider_1_0(Etw):
    """Payload layout for Microsoft-Windows-MCCS-ActiveSyncProvider event 1, version 0."""
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul,
    )


@declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"), event_id=2, version=0)
class Microsoft_Windows_MCCS_ActiveSyncProvider_2_0(Etw):
    """Payload layout for Microsoft-Windows-MCCS-ActiveSyncProvider event 2, version 0."""
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul,
    )


@declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"),
         event_id=101,
         version=0)
class Microsoft_Windows_MCCS_ActiveSyncProvider_101_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Kernel-PnP-Rundown
GUID : b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"),
         event_id=1,
         version=0)
class Microsoft_Windows_Kernel_PnP_Rundown_1_0(Etw):
    """Payload layout for Microsoft-Windows-Kernel-PnP-Rundown event 1, version 0.

    ``ResourceConsumerInstancePath`` is a raw blob sized by the 32-bit
    ``ResourceConsumerInstancePathLength`` field that precedes it.
    """
    pattern = Struct("ResourceConsumerPdo" / Int64ul, "ConnectionId" / Int64ul,
                     "ResourceConsumerInstancePathLength" / Int32ul,
                     "ResourceConsumerInstancePath" / Bytes(lambda this: this.ResourceConsumerInstancePathLength))


@declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"),
         event_id=2,
         version=0)
class Microsoft_Windows_Kernel_PnP_Rundown_2_0(Etw):
    """Payload layout for Microsoft-Windows-Kernel-PnP-Rundown event 2, version 0."""
    pattern = Struct("Pdo" / Int64ul, "ParentPdo" / Int64ul)


@declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"), event_id=3, version=0)
class Microsoft_Windows_Kernel_PnP_Rundown_3_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-StorageManagement-WSP-Host
GUID : 595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e"), event_id=1000, version=0)
class Microsoft_Windows_StorageManagement_WSP_Host_1000_0(Etw):
    """Payload layout for Microsoft-Windows-StorageManagement-WSP-Host event 1000, version 0."""
    pattern = Struct(
        "ProviderName" / WString,
        "ProviderDLL" / WString,
        "ErrorCode" / Int32ul,
        "LoadPhase" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Media-Streaming
GUID : 982824e5-e446-46ae-bc74-836401ffb7b6
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("982824e5-e446-46ae-bc74-836401ffb7b6"), event_id=1001, version=0)
class Microsoft_Windows_Media_Streaming_1001_0(Etw):
    """Payload layout for Microsoft-Windows-Media-Streaming event 1001, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid("982824e5-e446-46ae-bc74-836401ffb7b6"), event_id=1003, version=0)
class Microsoft_Windows_Media_Streaming_1003_0(Etw):
    """Payload layout for Microsoft-Windows-Media-Streaming event 1003, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid("982824e5-e446-46ae-bc74-836401ffb7b6"), event_id=1005, version=0)
class Microsoft_Windows_Media_Streaming_1005_0(Etw):
    """Payload layout for Microsoft-Windows-Media-Streaming event 1005, version 0."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )