Generated/Microsoft_Windows_Kernel

// // This code was generated by EtwEventTypeGen.exe // using System; namespace Tx.Windows.Microsoft_Windows_Kernel_File { public enum EventTask : uint { NameCreate = 10, NameDelete = 11, Create = 12, Cleanup = 13, Close = 14, Read = 15, Write = 16, SetInformation = 17, SetDelete = 18, Rename = 19, DirEnum = 20, Flush = 21, QueryInformation = 22, FSCTL = 23, OperationEnd = 24, DirNotify = 25, DeletePath = 26, RenamePath = 27, SetLinkPath = 28, SetLink = 29, CreateNewFile = 30, } [Format("Irp=%1, ThreadId=%2, FileObject=%3, CreateOptions=%4, CreateAttributes=%5, ShareAccess=%6, FileName=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 12, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_CREATE")] public class KFileEvt_Create_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:UInt32")] public uint CreateOptions { get; set; } [EventField("win:UInt32")] public uint CreateAttributes { get; set; } [EventField("win:UInt32")] public uint ShareAccess { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 13, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Cleanup_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 14, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Close_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } } [Format("ByteOffset=%1, Irp=%2, ThreadId=%3, FileObject=%4, FileKey=%5, IOSize=%6, IOFlags=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 15, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_READ")] public class KFileEvt_Read_V0 : SystemEvent { [EventField("win:UInt64")] public ulong ByteOffset { get; set; } [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IOSize { get; set; } [EventField("win:UInt32")] public uint IOFlags { get; set; } } [Format("ByteOffset=%1, Irp=%2, ThreadId=%3, FileObject=%4, FileKey=%5, IOSize=%6, IOFlags=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 16, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_WRITE")] public class KFileEvt_Write_V0 : SystemEvent { [EventField("win:UInt64")] public ulong ByteOffset { get; set; } [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IOSize { get; set; } [EventField("win:UInt32")] public uint IOFlags { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 17, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_SetInformation_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 18, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Delete_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 19, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Rename_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, Length=%5, InfoClass=%6, FileIndex=%7, FileName=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 20, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_DirEnum_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint Length { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UInt32")] public uint FileIndex { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 21, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Flush_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 22, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_QueryInformation_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 23, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_FSCTL_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, Length=%5, InfoClass=%6, FileIndex=%7, FileName=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 25, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_DirNotify_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint Length { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UInt32")] public uint FileIndex { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 26, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_DELETE_PATH")] public class KFileEvt_DeletePath_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 27, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH")] public class KFileEvt_RenamePath_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 28, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH")] public class KFileEvt_SetLinkPath_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, FileKey=%4, ExtraInformation=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 29, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_SetLink_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ThreadId=%2, FileObject=%3, CreateOptions=%4, CreateAttributes=%5, ShareAccess=%6, FileName=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 30, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_CREATE_NEW_FILE")] public class KFileEvt_CreateNewFile_V0 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ThreadId { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:UInt32")] public uint CreateOptions { get; set; } [EventField("win:UInt32")] public uint CreateAttributes { get; set; } [EventField("win:UInt32")] public uint ShareAccess { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("FileKey=%1, FileName=%2")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 10, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILENAME")] public class KFileEvt_NameCreate : SystemEvent { [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("FileKey=%1, FileName=%2")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 11, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILENAME")] public class KFileEvt_NameDelete : SystemEvent { [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, FileObject=%2, IssuingThreadId=%3, CreateOptions=%4, CreateAttributes=%5, ShareAccess=%6, FileName=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 12, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_CREATE")] public class KFileEvt_Create_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint CreateOptions { get; set; } [EventField("win:UInt32")] public uint CreateAttributes { get; set; } [EventField("win:UInt32")] public uint ShareAccess { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, IssuingThreadId=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 13, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Cleanup_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, IssuingThreadId=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 14, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Close_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } } [Format("ByteOffset=%1, Irp=%2, FileObject=%3, FileKey=%4, IssuingThreadId=%5, IOSize=%6, IOFlags=%7, ExtraFlags=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 15, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_READ")] public class KFileEvt_Read_V1 : SystemEvent { [EventField("win:UInt64")] public ulong ByteOffset { get; set; } [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint IOSize { get; set; } [EventField("win:UInt32")] public uint IOFlags { get; set; } [EventField("win:UInt32")] public uint ExtraFlags { get; set; } } [Format("ByteOffset=%1, Irp=%2, FileObject=%3, FileKey=%4, IssuingThreadId=%5, IOSize=%6, IOFlags=%7, ExtraFlags=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 16, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_WRITE")] public class KFileEvt_Write_V1 : SystemEvent { [EventField("win:UInt64")] public ulong ByteOffset { get; set; } [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint IOSize { get; set; } [EventField("win:UInt32")] public uint IOFlags { get; set; } [EventField("win:UInt32")] public uint ExtraFlags { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 17, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_SetInformation_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 18, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Delete_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 19, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Rename_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, IssuingThreadId=%4, Length=%5, InfoClass=%6, FileIndex=%7, FileName=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 20, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_DirEnum_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint Length { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UInt32")] public uint FileIndex { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, IssuingThreadId=%4")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 21, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_Flush_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 22, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_QueryInformation_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 23, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_FSCTL_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, ExtraInformation=%2, Status=%3")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 24, 0, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO", "KERNEL_FILE_KEYWORD_OP_END")] public class KFileEvt_OperationEnd : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint Status { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, IssuingThreadId=%4, Length=%5, InfoClass=%6, FileIndex=%7, FileName=%8")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 25, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_DirNotify_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint Length { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UInt32")] public uint FileIndex { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 26, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_DELETE_PATH")] public class KFileEvt_DeletePath_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 27, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH")] public class KFileEvt_RenamePath_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6, FilePath=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 28, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH")] public class KFileEvt_SetLinkPath_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } [EventField("win:UnicodeString")] public string FilePath { get; set; } } [Format("Irp=%1, FileObject=%2, FileKey=%3, ExtraInformation=%4, IssuingThreadId=%5, InfoClass=%6")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 29, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_FILEIO")] public class KFileEvt_SetLink_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:Pointer")] public ulong FileKey { get; set; } [EventField("win:Pointer")] public ulong ExtraInformation { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint InfoClass { get; set; } } [Format("Irp=%1, FileObject=%2, IssuingThreadId=%3, CreateOptions=%4, CreateAttributes=%5, ShareAccess=%6, FileName=%7")] [ManifestEvent("{edd08927-9cc4-4e65-b970-c2560fb5c289}", 30, 1, "", "win:Informational", "Microsoft-Windows-Kernel-File/Analytic", "KERNEL_FILE_KEYWORD_CREATE_NEW_FILE")] public class KFileEvt_CreateNewFile_V1 : SystemEvent { [EventField("win:Pointer")] public ulong Irp { get; set; } [EventField("win:Pointer")] public ulong FileObject { get; set; } [EventField("win:UInt32")] public uint IssuingThreadId { get; set; } [EventField("win:UInt32")] public uint CreateOptions { get; set; } [EventField("win:UInt32")] public uint CreateAttributes { get; set; } [EventField("win:UInt32")] public uint ShareAccess { get; set; } [EventField("win:UnicodeString")] public string FileName { get; set; } } }

Generated/Microsoft_Windows_Kernel_File.cs (731 lines of code) (raw):