# -*- coding: utf-8 -*- """ Microsoft-Office-Events GUID : 8736922d-e8b2-47eb-8564-23e77e728cf3 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"), event_id=1, version=0) class Microsoft_Office_Events_1_0(Etw): pattern = Struct("cValue" / Int32ul, "Frame" / Int64ul) @declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"), event_id=2, version=0) class Microsoft_Office_Events_2_0(Etw): pattern = Struct("BaseAddress" / Int64ul, "TimeDateStamp" / Int32ul, "Size" / Int32ul, "wzName" / WString) @declare(guid=guid("8736922d-e8b2-47eb-8564-23e77e728cf3"), event_id=3, version=0) class Microsoft_Office_Events_3_0(Etw): pattern = Struct("dwTag" / Int32ul, "dwID" / Int32ul,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PDFReader
GUID : dfa86faa-2c55-4140-bff9-5cc586217a7b

Payload layouts for the Microsoft-Windows-PDFReader ETW provider: one
``Etw`` subclass per (event id, version), registered through ``declare``.
Every field is read verbatim from the event payload, so string fields such
as ``FileName`` are data supplied by the event producer and should be
treated as untrusted by anything that renders or acts on them.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below,
# so the decorators cannot drift from the value documented in the module header.
_PROVIDER_GUID = "dfa86faa-2c55-4140-bff9-5cc586217a7b"


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_PDFReader_1_0(Etw):
    """Event 1 v0: ``FileName`` (WString) followed by ``WindowID`` (Int32ul)."""

    pattern = Struct(
        "FileName" / WString,
        "WindowID" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=2, version=0)
class Microsoft_Windows_PDFReader_2_0(Etw):
    """Event 2 v0: a single ``HResult`` read as an unsigned 32-bit value."""

    pattern = Struct(
        "HResult" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=35, version=0)
class Microsoft_Windows_PDFReader_35_0(Etw):
    """Event 35 v0: ``StringParam`` (CString) then ``HResultParam`` (Int32ul)."""

    pattern = Struct(
        "StringParam" / CString,
        "HResultParam" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-SPB-HIDI2C
GUID : 991f8fe6-249d-44d6-b93d-5a3060c1dedb

Payload layouts for the Microsoft-Windows-SPB-HIDI2C ETW provider: one
``Etw`` subclass per (event id, version), registered through ``declare``.
Events 1000-1002 (version 1) share the same two-field layout.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "991f8fe6-249d-44d6-b93d-5a3060c1dedb"


def _device_status_layout():
    """Return a fresh Struct: ``DeviceObject`` (Int64ul) then ``Status`` (Int32ul).

    ``Status`` is carried as an unsigned 32-bit value; presumably an NTSTATUS,
    but the manifest is not visible here — confirm before interpreting it.
    """
    return Struct(
        "DeviceObject" / Int64ul,
        "Status" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1000, version=1)
class Microsoft_Windows_SPB_HIDI2C_1000_1(Etw):
    """Event 1000 v1: device object pointer and status code."""

    pattern = _device_status_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=1001, version=1)
class Microsoft_Windows_SPB_HIDI2C_1001_1(Etw):
    """Event 1001 v1: device object pointer and status code."""

    pattern = _device_status_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=1002, version=1)
class Microsoft_Windows_SPB_HIDI2C_1002_1(Etw):
    """Event 1002 v1: device object pointer and status code."""

    pattern = _device_status_layout()
# -*- coding: utf-8 -*- """ Microsoft-Windows-D3D9 GUID : 783aca0a-790e-4d7f-8451-aa850511c6b9 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"), event_id=1, version=0) class Microsoft_Windows_D3D9_1_0(Etw): pattern = Struct("pSwapchain" / Int64ul, "Flags" / Int32ul) @declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"), event_id=2, version=0) class Microsoft_Windows_D3D9_2_0(Etw): pattern = Struct("Result" / Int32ul) @declare(guid=guid("783aca0a-790e-4d7f-8451-aa850511c6b9"), event_id=3, version=0) class Microsoft_Windows_D3D9_3_0(Etw): pattern = Struct("pSwapchain" / Int64ul, "Width" / Int32ul, "Height" / Int32ul, "BackbufferFormat" / Int32ul,
# -*- coding: utf-8 -*- """ Microsoft-Windows-Winsock-SQM GUID : 093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=5, version=0) class Microsoft_Windows_Winsock_SQM_5_0(Etw): pattern = Struct("SqmType" / Int32ul, "SqmSessionGuid" / Guid, "SqmID" / Int32ul, "SqmDWORDDatapointValue" / Int32ul) @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=10, version=0) class Microsoft_Windows_Winsock_SQM_10_0(Etw): pattern = Struct("SqmType" / Int32ul, "SqmSessionGuid" / Guid, "SqmID" / Int32ul, "SqmStringDatapointValue" / WString) @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=11, version=0) class Microsoft_Windows_Winsock_SQM_11_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-Wcifs-Mapping
GUID : 0223f0a3-6383-5a7a-7bc7-04d4739e2e32

Payload layout for the Microsoft-Windows-Containers-Wcifs-Mapping ETW
provider (one event), registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by ``declare`` below.
_PROVIDER_GUID = "0223f0a3-6383-5a7a-7bc7-04d4739e2e32"


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_Containers_Wcifs_Mapping_1_0(Etw):
    """Event 1 v0: two length-prefixed byte blobs, ``Source`` and ``Target``.

    Each blob is preceded by its own 16-bit length (``SourceLength`` /
    ``TargetLength``).  The lengths are taken from the payload itself, so a
    malformed or hostile event controls how many bytes are consumed; the
    ``Bytes`` parser reads exactly that many and fails on a short stream
    rather than over-reading.  The blobs are kept as raw bytes — they look
    like path strings, but no encoding is asserted here (confirm against the
    provider manifest before decoding).
    """

    pattern = Struct(
        "SourceLength" / Int16ul,
        "Source" / Bytes(lambda ctx: ctx.SourceLength),
        "TargetLength" / Int16ul,
        "Target" / Bytes(lambda ctx: ctx.TargetLength),
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-XWizards
GUID : 777ba8fe-2498-4875-933a-3067de883070

Payload layouts for the Microsoft-Windows-XWizards ETW provider: one ``Etw``
subclass per (event id, version), registered through ``declare``.  Events
81-83 share the same ``Caption`` / ``Text`` layout.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "777ba8fe-2498-4875-933a-3067de883070"


def _caption_text_layout():
    """Return a fresh Struct of two WStrings: ``Caption`` then ``Text``.

    Both are free-form strings taken from the payload; treat them as
    untrusted text when rendering.
    """
    return Struct(
        "Caption" / WString,
        "Text" / WString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=81, version=0)
class Microsoft_Windows_XWizards_81_0(Etw):
    """Event 81 v0: caption and text strings."""

    pattern = _caption_text_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=82, version=0)
class Microsoft_Windows_XWizards_82_0(Etw):
    """Event 82 v0: caption and text strings."""

    pattern = _caption_text_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=83, version=0)
class Microsoft_Windows_XWizards_83_0(Etw):
    """Event 83 v0: caption and text strings."""

    pattern = _caption_text_layout()
# -*- coding: utf-8 -*- """ Microsoft-Windows-WWAN-CFE GUID : 71c993b8-1e28-4543-9886-fb219b63fdb3 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=12, version=0) class Microsoft_Windows_WWAN_CFE_12_0(Etw): pattern = Struct("Manufacture" / WString, "Model" / WString, "FirmwareVersion" / WString, "ErrorCode" / Int32ul) @declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=15, version=0) class Microsoft_Windows_WWAN_CFE_15_0(Etw): pattern = Struct("ProviderName" / WString) @declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=16, version=0) class Microsoft_Windows_WWAN_CFE_16_0(Etw): pattern = Struct("Manufacture" / WString, "Model" / WString,
# -*- coding: utf-8 -*- """ Microsoft-Windows-Sysmon GUID : 5770385f-c22a-43e0-bf4c-06f5698ffbd9 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("5770385f-c22a-43e0-bf4c-06f5698ffbd9"), event_id=1, version=5) class Microsoft_Windows_Sysmon_1_5(Etw): pattern = Struct( "RuleName" / WString, "UtcTime" / WString, "ProcessGuid" / Guid, "ProcessId" / Int32ul, "Image" / WString, "FileVersion" / WString, "Description" / WString, "Product" / WString, "Company" / WString, "OriginalFileName" / WString, "CommandLine" / WString, "CurrentDirectory" / WString, "User" / WString, "LogonGuid" / Guid, "LogonId" / Int64ul, "TerminalSessionId" / Int32ul, "IntegrityLevel" / WString,
# -*- coding: utf-8 -*- """ Microsoft-Windows-Diagnosis-PCW GUID : aabf8b86-7936-4fa2-acb0-63127f879dbf """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"), event_id=1, version=0) class Microsoft_Windows_Diagnosis_PCW_1_0(Etw): pattern = Struct("Error" / Int32ul, "ProviderGuid" / Guid) @declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"), event_id=2, version=0) class Microsoft_Windows_Diagnosis_PCW_2_0(Etw): pattern = Struct("Error" / Int32ul, "ProviderGuid" / Guid, "CounterSetGuid" / Guid) @declare(guid=guid("aabf8b86-7936-4fa2-acb0-63127f879dbf"), event_id=3, version=0) class Microsoft_Windows_Diagnosis_PCW_3_0(Etw): pattern = Struct("Error" / Int32ul, "CounterSetGuid" / Guid,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-User-Diagnostic
GUID : 305fc87b-002a-5e26-d297-60223012ca9c

Payload layout for the Microsoft-Windows-User-Diagnostic ETW provider
(one event), registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by ``declare`` below.
_PROVIDER_GUID = "305fc87b-002a-5e26-d297-60223012ca9c"


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_User_Diagnostic_1_0(Etw):
    """Event 1 v0: a single ``ErrorCode`` read as an unsigned 32-bit value."""

    pattern = Struct(
        "ErrorCode" / Int32ul,
    )
# -*- coding: utf-8 -*- """ Microsoft-Windows-Storage-Tiering-IoHeat GUID : 990c55fc-2662-47f6-b7d7-eb3c027cb13f """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"), event_id=1, version=0) class Microsoft_Windows_Storage_Tiering_IoHeat_1_0(Etw): pattern = Struct("VolumeGuid" / Guid, "VolumeIdHash" / Int32ul) @declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"), event_id=2, version=0) class Microsoft_Windows_Storage_Tiering_IoHeat_2_0(Etw): pattern = Struct("FileIDLower" / Int64ul, "FileIDUpper" / Int64ul, "Offset" / Int64ul, "Length" / Int32ul, "VolumeIdHash" / Int32ul) @declare(guid=guid("990c55fc-2662-47f6-b7d7-eb3c027cb13f"), event_id=3, version=0) class Microsoft_Windows_Storage_Tiering_IoHeat_3_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Crypto-BCrypt
GUID : c7e089ac-ba2a-11e0-9af7-68384824019b

Payload layout for the Microsoft-Windows-Crypto-BCrypt ETW provider
(one event), registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by ``declare`` below.
_PROVIDER_GUID = "c7e089ac-ba2a-11e0-9af7-68384824019b"


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_Crypto_BCrypt_1_0(Etw):
    """Event 1 v0: a CNG provider/algorithm pair with flags, status and operation type.

    Fields, in payload order:
      - ``ProviderName`` (WString) and ``AlgorithmName`` (WString): the names
        carried by the event.  For a reviewer these are the interesting
        values — they identify which provider and algorithm a caller asked
        for, which is what you would key on when hunting for weak or
        unexpected algorithm use.
      - ``dwFlags`` (Int32ul): opaque here; meaning not visible in this file.
      - ``Status`` (Int32ul): read unsigned; presumably an NTSTATUS — confirm
        against the provider manifest before decoding it.
      - ``OperationType`` (Int32ul): opaque enumeration, not decoded here.
    """

    pattern = Struct(
        "ProviderName" / WString,
        "AlgorithmName" / WString,
        "dwFlags" / Int32ul,
        "Status" / Int32ul,
        "OperationType" / Int32ul,
    )
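# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Search-ProfileNotify
GUID : fc6f77dd-769a-470e-bcf9-1b6555a118be

Payload layouts for the Microsoft-Windows-Search-ProfileNotify ETW provider:
one ``Etw`` subclass per (event id, version), registered through ``declare``.

Both events end with a length-prefixed binary blob whose length field is
named ``__binLength``.  Because that name starts with two underscores, the
attribute form ``this.__binLength`` written inside a class body is subject
to Python's private-name mangling and compiles to
``this._<ClassName>__binLength`` — a key that never exists in the parsed
context, so the blob length could not be resolved at parse time.  The
lookups below therefore index the context by the literal string key, which
is not mangled.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "fc6f77dd-769a-470e-bcf9-1b6555a118be"

# Name of the 32-bit length field that precedes the trailing blob.  Kept as a
# string constant so the Struct field name and the context lookup cannot drift
# apart (and so no ``__``-prefixed identifier appears inside a class body).
_BIN_LENGTH_FIELD = "__binLength"


def _blob_length(ctx):
    """Return the blob length already parsed into the context.

    Indexing by string key sidesteps private-name mangling; the length comes
    straight from the event payload, so a hostile event controls how many
    bytes ``Bytes`` will consume (it fails on a short stream rather than
    over-reading).
    """
    return ctx[_BIN_LENGTH_FIELD]


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_Search_ProfileNotify_1_0(Etw):
    """Event 1 v0: ``User`` (WString), then a length-prefixed ``binary`` blob."""

    pattern = Struct(
        "User" / WString,
        _BIN_LENGTH_FIELD / Int32ul,
        "binary" / Bytes(_blob_length),
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=2, version=0)
class Microsoft_Windows_Search_ProfileNotify_2_0(Etw):
    """Event 2 v0: ``UserAccount``, ``ErrorCode`` and ``ErrorMessage`` (all WString),
    then a length-prefixed ``binary`` blob.

    Note ``ErrorCode`` is carried as a string by this event, not as an integer.
    """

    pattern = Struct(
        "UserAccount" / WString,
        "ErrorCode" / WString,
        "ErrorMessage" / WString,
        _BIN_LENGTH_FIELD / Int32ul,
        "binary" / Bytes(_blob_length),
    )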
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-TerminalServices-RemoteConnectionManager
GUID : c76baa63-ae81-421c-b425-340b4b24157f

Payload layouts for the Microsoft-Windows-TerminalServices-RemoteConnectionManager
ETW provider: one ``Etw`` subclass per (event id, version), registered through
``declare``.  Events 2-4 each carry a single free-form ``message`` string.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "c76baa63-ae81-421c-b425-340b4b24157f"


def _message_layout():
    """Return a fresh Struct holding one ``message`` CString.

    The text comes straight from the event payload of a remote-access
    component; treat it as untrusted when it is rendered or searched.
    """
    return Struct(
        "message" / CString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=2, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_2_0(Etw):
    """Event 2 v0: a single ``message`` string."""

    pattern = _message_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=3, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_3_0(Etw):
    """Event 3 v0: a single ``message`` string."""

    pattern = _message_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=4, version=0)
class Microsoft_Windows_TerminalServices_RemoteConnectionManager_4_0(Etw):
    """Event 4 v0: a single ``message`` string."""

    pattern = _message_layout()
# -*- coding: utf-8 -*- """ Microsoft-Windows-RPCSS GUID : d8975f88-7ddb-4ed0-91bf-3adf48c48e0c """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=1, version=1) class Microsoft_Windows_RPCSS_1_1(Etw): pattern = Struct("DetectionLocation" / Int16ul, "Status" / Int32ul, "AdditionalData1" / Int32ul, "AdditionalData2" / Int32ul) @declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=2, version=1) class Microsoft_Windows_RPCSS_2_1(Etw): pattern = Struct("InterfaceUUID" / Guid, "ObjectUUID" / Guid, "Protocol" / CString, "EndPoint" / CString) @declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=3, version=1) class Microsoft_Windows_RPCSS_3_1(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-StateRepository
GUID : 89592015-d996-4636-8f61-066b5d4dd739

Payload layouts for the Microsoft-Windows-StateRepository ETW provider: one
``Etw`` subclass per (event id, version), registered through ``declare``.

Events 100 and 101 carry SQL statement text (``SQL``, CString).  That text is
logged verbatim from the payload and may embed values that originated with a
user or application; downstream tooling must treat it as data, never feed it
back into a query.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "89592015-d996-4636-8f61-066b5d4dd739"


@declare(guid=guid(_PROVIDER_GUID), event_id=100, version=0)
class Microsoft_Windows_StateRepository_100_0(Etw):
    """Event 100 v0: ``ErrorCode`` (Int32ul) followed by the ``SQL`` text (CString)."""

    pattern = Struct(
        "ErrorCode" / Int32ul,
        "SQL" / CString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=101, version=0)
class Microsoft_Windows_StateRepository_101_0(Etw):
    """Event 101 v0: ``SQL`` text (CString), then ``ProcessId`` and ``ThreadId`` (Int32ul)."""

    pattern = Struct(
        "SQL" / CString,
        "ProcessId" / Int32ul,
        "ThreadId" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=102, version=0)
class Microsoft_Windows_StateRepository_102_0(Etw):
    """Event 102 v0: ``ErrorCode`` (Int32ul) followed by a ``Subkey`` name (WString)."""

    pattern = Struct(
        "ErrorCode" / Int32ul,
        "Subkey" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Hyper-V-ComputeLib
GUID : af7fd3a7-b248-460c-a9f5-fec39ef8468c

Payload layouts for the Microsoft-Windows-Hyper-V-ComputeLib ETW provider:
one ``Etw`` subclass per (event id, version), registered through ``declare``.
Events 100 and 101 share one layout.

NOTE(review): the layout reads ``StackFrameCount`` then a single
``StackFrame``, and ``ModuleCount`` then a single ``Module``.  Those names
look like count + array pairs; as written, only one element of each is
parsed and any remaining elements are left unread.  Confirm against the
provider manifest before relying on the trailing fields.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "af7fd3a7-b248-460c-a9f5-fec39ef8468c"


def _trace_layout():
    """Return a fresh Struct with the seven fields shared by events 100 and 101.

    ``TraceData``, ``VmName`` and ``VmId`` are WStrings taken verbatim from the
    payload; the remaining fields are fixed-width integers (see module note).
    """
    return Struct(
        "TraceData" / WString,
        "VmName" / WString,
        "VmId" / WString,
        "StackFrameCount" / Int32ul,
        "StackFrame" / Int64ul,
        "ModuleCount" / Int32ul,
        "Module" / Int32sl,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=100, version=0)
class Microsoft_Windows_Hyper_V_ComputeLib_100_0(Etw):
    """Event 100 v0: trace text, VM identity and stack/module fields."""

    pattern = _trace_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=101, version=0)
class Microsoft_Windows_Hyper_V_ComputeLib_101_0(Etw):
    """Event 101 v0: trace text, VM identity and stack/module fields."""

    pattern = _trace_layout()
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ServiceTriggerPerfEventProvider
GUID : 6545939f-3398-411a-88b7-6a8914b8cec7

Payload layouts for the Microsoft-Windows-ServiceTriggerPerfEventProvider
ETW provider: one ``Etw`` subclass per (event id, version), registered
through ``declare``.  Events 1-3 share the same two-string layout.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "6545939f-3398-411a-88b7-6a8914b8cec7"


def _trigger_layout():
    """Return a fresh Struct of two WStrings: ``TriggerSubType`` then ``TriggerData``.

    ``TriggerData`` is free-form payload text; treat it as untrusted input
    in anything that matches on or displays it.
    """
    return Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_1_0(Etw):
    """Event 1 v0: trigger sub-type and trigger data strings."""

    pattern = _trigger_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=2, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_2_0(Etw):
    """Event 2 v0: trigger sub-type and trigger data strings."""

    pattern = _trigger_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=3, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_3_0(Etw):
    """Event 3 v0: trigger sub-type and trigger data strings."""

    pattern = _trigger_layout()
# -*- coding: utf-8 -*- """ Microsoft-Windows-UserDataAccess-Poom GUID : 0bd19909-eb6f-4b16-8074-6dce803f091d """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"), event_id=1, version=0) class Microsoft_Windows_UserDataAccess_Poom_1_0(Etw): pattern = Struct("P1_HResult" / Int32sl, "P2_String" / CString, "P3_UInt32" / Int32ul) @declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"), event_id=2, version=0) class Microsoft_Windows_UserDataAccess_Poom_2_0(Etw): pattern = Struct("P1_HResult" / Int32sl, "P2_String" / CString, "P3_UInt32" / Int32ul) @declare(guid=guid("0bd19909-eb6f-4b16-8074-6dce803f091d"), event_id=1000, version=0) class Microsoft_Windows_UserDataAccess_Poom_1000_0(Etw):
# -*- coding: utf-8 -*- """ Microsoft-Windows-Diagnosis-WDC GUID : 05921578-2261-42c7-a0d3-26ddbce6c50d """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"), event_id=5016, version=0) class Microsoft_Windows_Diagnosis_WDC_5016_0(Etw): pattern = Struct( "FileName" / CString, "Line" / Int32ul, "Address" / Int64ul, "Size" / Int64ul ) @declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"), event_id=5017, version=0) class Microsoft_Windows_Diagnosis_WDC_5017_0(Etw): pattern = Struct( "FileName" / CString, "Line" / Int32ul, "Address" / Int64ul ) @declare(guid=guid("05921578-2261-42c7-a0d3-26ddbce6c50d"), event_id=5018, version=0)
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PerfProc
GUID : 72d211e1-4c54-4a93-9520-4901681b2271

Payload layouts for the Microsoft-Windows-PerfProc ETW provider: one ``Etw``
subclass per (event id, version), registered through ``declare``.  Event
2001 carries only an error code; events 2002 and 2003 prefix it with a
message string.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "72d211e1-4c54-4a93-9520-4901681b2271"


def _message_error_layout():
    """Return a fresh Struct: ``Message`` (WString) followed by ``Win32Error`` (Int32ul)."""
    return Struct(
        "Message" / WString,
        "Win32Error" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=2001, version=1)
class Microsoft_Windows_PerfProc_2001_1(Etw):
    """Event 2001 v1: a single ``Win32Error`` read as an unsigned 32-bit value."""

    pattern = Struct(
        "Win32Error" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=2002, version=1)
class Microsoft_Windows_PerfProc_2002_1(Etw):
    """Event 2002 v1: message text and a Win32 error code."""

    pattern = _message_error_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=2003, version=1)
class Microsoft_Windows_PerfProc_2003_1(Etw):
    """Event 2003 v1: message text and a Win32 error code."""

    pattern = _message_error_layout()
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Spell-Checking
GUID : d0e22efc-ac66-4b25-a72d-382736b5e940

Payload layouts for the Microsoft-Windows-Spell-Checking ETW provider: one
``Etw`` subclass per (event id, version), registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "d0e22efc-ac66-4b25-a72d-382736b5e940"


def _wordlist_layout():
    """Return a fresh Struct holding one ``WordlistType`` (Int32ul); enum not decoded here."""
    return Struct(
        "WordlistType" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1, version=0)
class Microsoft_Windows_Spell_Checking_1_0(Etw):
    """Event 1 v0: a single ``WordlistType`` value."""

    pattern = _wordlist_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=2, version=0)
class Microsoft_Windows_Spell_Checking_2_0(Etw):
    """Event 2 v0: a single ``WordlistType`` value."""

    pattern = _wordlist_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=16, version=0)
class Microsoft_Windows_Spell_Checking_16_0(Etw):
    """Event 16 v0: two WStrings, ``First`` then ``Second``.

    Both are free-form text from the payload; their meaning is not visible
    in this file.
    """

    pattern = Struct(
        "First" / WString,
        "Second" / WString,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-KRTIP
GUID : e013e74b-97f4-4e1c-a120-596e5629ecfe

Payload layout for the Microsoft-Windows-IME-KRTIP ETW provider (one event),
registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by ``declare`` below.
_PROVIDER_GUID = "e013e74b-97f4-4e1c-a120-596e5629ecfe"


@declare(guid=guid(_PROVIDER_GUID), event_id=10, version=0)
class Microsoft_Windows_IME_KRTIP_10_0(Etw):
    """Event 10 v0: ``Duration`` then ``IMEType``, both unsigned 32-bit.

    Units of ``Duration`` and the ``IMEType`` enumeration are not visible
    in this file.
    """

    pattern = Struct(
        "Duration" / Int32ul,
        "IMEType" / Int32ul,
    )
# -*- coding: utf-8 -*- """ Microsoft-Windows-BranchCacheSMB GUID : 4a933674-fb3d-4e8d-b01d-17ee14e91a3e """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"), event_id=3000, version=0) class Microsoft_Windows_BranchCacheSMB_3000_0(Etw): pattern = Struct( "MinHashVersion" / Int32ul, "MaxHashVersion" / Int32ul ) @declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"), event_id=3002, version=0) class Microsoft_Windows_BranchCacheSMB_3002_0(Etw): pattern = Struct( "Path" / WString ) @declare(guid=guid("4a933674-fb3d-4e8d-b01d-17ee14e91a3e"), event_id=3003, version=0) class Microsoft_Windows_BranchCacheSMB_3003_0(Etw): pattern = Struct( "Path" / WString, "ContentHandle" / WString,
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-TerminalServices-Printers
GUID : 952773bf-c2b7-49bc-88f4-920744b82c43

Payload layouts for the Microsoft-Windows-TerminalServices-Printers ETW
provider: one ``Etw`` subclass per (event id, version), registered through
``declare``.  The parameters are positional strings (``Param1``, ``Param2``)
whose meaning is not visible in this file; they originate from a
remote-session component, so treat them as untrusted text.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "952773bf-c2b7-49bc-88f4-920744b82c43"


def _single_param_layout():
    """Return a fresh Struct holding one ``Param1`` WString."""
    return Struct(
        "Param1" / WString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1100, version=0)
class Microsoft_Windows_TerminalServices_Printers_1100_0(Etw):
    """Event 1100 v0: one string parameter."""

    pattern = _single_param_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=1102, version=0)
class Microsoft_Windows_TerminalServices_Printers_1102_0(Etw):
    """Event 1102 v0: two string parameters, ``Param1`` then ``Param2``."""

    pattern = Struct(
        "Param1" / WString,
        "Param2" / WString,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1105, version=0)
class Microsoft_Windows_TerminalServices_Printers_1105_0(Etw):
    """Event 1105 v0: one string parameter."""

    pattern = _single_param_layout()
# -*- coding: utf-8 -*- """ Microsoft-Windows-MCCS-ActiveSyncProvider GUID : 4a155f10-25ad-47e6-aba8-2c4f5eee7846 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"), event_id=1, version=0) class Microsoft_Windows_MCCS_ActiveSyncProvider_1_0(Etw): pattern = Struct("P1_HResult" / Int32sl, "P2_String" / CString, "P3_UInt32" / Int32ul) @declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"), event_id=2, version=0) class Microsoft_Windows_MCCS_ActiveSyncProvider_2_0(Etw): pattern = Struct("P1_HResult" / Int32sl, "P2_String" / CString, "P3_UInt32" / Int32ul) @declare(guid=guid("4a155f10-25ad-47e6-aba8-2c4f5eee7846"), event_id=101, version=0) class Microsoft_Windows_MCCS_ActiveSyncProvider_101_0(Etw):
# -*- coding: utf-8 -*- """ Microsoft-Windows-Kernel-PnP-Rundown GUID : b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7 """ from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct from etl.utils import WString, CString, SystemTime, Guid from etl.dtyp import Sid from etl.parsers.etw.core import Etw, declare, guid @declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"), event_id=1, version=0) class Microsoft_Windows_Kernel_PnP_Rundown_1_0(Etw): pattern = Struct( "ResourceConsumerPdo" / Int64ul, "ConnectionId" / Int64ul, "ResourceConsumerInstancePathLength" / Int32ul, "ResourceConsumerInstancePath" / Bytes(lambda this: this.ResourceConsumerInstancePathLength) ) @declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"), event_id=2, version=0) class Microsoft_Windows_Kernel_PnP_Rundown_2_0(Etw): pattern = Struct( "Pdo" / Int64ul, "ParentPdo" / Int64ul ) @declare(guid=guid("b3a0c2c8-83bb-4ddf-9f8d-4b22d3c38ad7"), event_id=3, version=0) class Microsoft_Windows_Kernel_PnP_Rundown_3_0(Etw):
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-StorageManagement-WSP-Host
GUID : 595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e

Payload layout for the Microsoft-Windows-StorageManagement-WSP-Host ETW
provider (one event), registered through ``declare``.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by ``declare`` below.
_PROVIDER_GUID = "595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e"


@declare(guid=guid(_PROVIDER_GUID), event_id=1000, version=0)
class Microsoft_Windows_StorageManagement_WSP_Host_1000_0(Etw):
    """Event 1000 v0: a storage provider name and DLL, plus an error code and load phase.

    Fields, in payload order:
      - ``ProviderName`` (WString), ``ProviderDLL`` (WString): as logged by the
        host.  If ``ProviderDLL`` is the path of the module the host loaded
        (the manifest is not visible here — confirm), it is worth baselining:
        an unfamiliar value in this field is the kind of thing a reviewer
        would want to chase.
      - ``ErrorCode`` (Int32ul), ``LoadPhase`` (Int32ul): opaque here; the
        enumeration for ``LoadPhase`` is not decoded in this file.
    """

    pattern = Struct(
        "ProviderName" / WString,
        "ProviderDLL" / WString,
        "ErrorCode" / Int32ul,
        "LoadPhase" / Int32ul,
    )
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Media-Streaming
GUID : 982824e5-e446-46ae-bc74-836401ffb7b6

Payload layouts for the Microsoft-Windows-Media-Streaming ETW provider: one
``Etw`` subclass per (event id, version), registered through ``declare``.
Events 1001, 1003 and 1005 each carry a single error code.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Single source of truth for the provider GUID used by every ``declare`` below.
_PROVIDER_GUID = "982824e5-e446-46ae-bc74-836401ffb7b6"


def _error_code_layout():
    """Return a fresh Struct holding one ``ErrorCode`` read as an unsigned 32-bit value."""
    return Struct(
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid(_PROVIDER_GUID), event_id=1001, version=0)
class Microsoft_Windows_Media_Streaming_1001_0(Etw):
    """Event 1001 v0: a single ``ErrorCode``."""

    pattern = _error_code_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=1003, version=0)
class Microsoft_Windows_Media_Streaming_1003_0(Etw):
    """Event 1003 v0: a single ``ErrorCode``."""

    pattern = _error_code_layout()


@declare(guid=guid(_PROVIDER_GUID), event_id=1005, version=0)
class Microsoft_Windows_Media_Streaming_1005_0(Etw):
    """Event 1005 v0: a single ``ErrorCode``."""

    pattern = _error_code_layout()