//
|
|
// This code was generated by EtwEventTypeGen.exe
|
|
//
|
|
|
|
using System;
|
|
|
|
namespace Tx.Windows.Microsoft_Windows_CsvFs_Diagnostic
|
|
{
|
|
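/// <summary>
/// Numeric task identifiers (101 through 113) generated for this provider namespace.
/// </summary>
/// <remarks>
/// The generated member names contained '.', which is not legal inside a C# identifier,
/// so the enum could not compile as written. Each '.' is replaced with '_' here; the
/// numeric values and their order are unchanged.
/// </remarks>
public enum EventTask : uint
{
    Task_Setup_DriverLoad = 101,
    Task_VolumeStateChange = 102,
    Task_IO = 103,
    Task_File_CreateFile = 104,
    Task_IO_Tunneled = 105,
    Task_Setup_Channel = 106,
    Task_IO_SingleClientNotify = 107,
    Task_IO_ByteRangeLock = 108,
    Task_IO_OplockUpgrade = 109,
    Task_IO_Oplock = 110,
    Task_File_CleanupFile = 111,
    Task_File_CloseFile = 112,
    Task_StateRundown = 113,
}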
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00100 in its
/// ManifestEvent attribute. Fields typed "win:Pointer" are surfaced as <see cref="ulong"/>.
/// </summary>
/// <remarks>
/// NOTE(review): the pointer fields and FileName are raw provider values; presumably object
/// addresses and file paths, so treat exported traces as sensitive (confirm with the provider docs).
/// Property order presumably mirrors the payload layout; keep it when editing (TODO confirm).
/// </remarks>
// The format text is a runtime string; its spelling ("Openning") is kept exactly as generated.
[Format("Openning file %6.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00100, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class FileOpenStarted : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong Volume { get; set; }

    [EventField("win:GUID")] public Guid VolumeId { get; set; }

    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong RelativeFileObject { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }

    [EventField("win:HexInt32")] public uint DesiredAccess { get; set; }

    [EventField("win:HexInt32")] public uint Options { get; set; }

    [EventField("win:HexInt32")] public uint SharedAccess { get; set; }

    [EventField("win:HexInt32")] public uint AttributeFlags { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00200 in its
/// ManifestEvent attribute (format text "Closing file object %4.").
/// </summary>
/// <remarks>Three "win:Pointer" fields exposed as <see cref="ulong"/>, followed by the file name.</remarks>
[Format("Closing file object %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00200, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class FileClose : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00300 in its
/// ManifestEvent attribute (format text "Cleaning file object %4.").
/// </summary>
/// <remarks>Declares the same four fields, in the same order, as <c>FileClose</c>.</remarks>
[Format("Cleaning file object %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00300, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class FileClean : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00400 in its
/// ManifestEvent attribute. Its only field is a 32-bit hex status.
/// </summary>
[Format("Query Volume Information completed with status %1.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00400, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class QueryVolumeInformation : SystemEvent
{
    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00500 in its
/// ManifestEvent attribute: two pointer fields, the file name, five 32-bit hex
/// create/access values and a trailing status.
/// </summary>
[Format("Down-level File Object %3 is reopened with status %9.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00500, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class DownLevelFileOpened : SystemEvent
{
    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }

    [EventField("win:HexInt32")] public uint CreateDisposition { get; set; }

    [EventField("win:HexInt32")] public uint DesiredAccess { get; set; }

    [EventField("win:HexInt32")] public uint SharedAccess { get; set; }

    [EventField("win:HexInt32")] public uint CreateFlags { get; set; }

    [EventField("win:HexInt32")] public uint AttributeFlags { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00600 in its
/// ManifestEvent attribute (format text "Down-level File Object %3 is closed.").
/// </summary>
[Format("Down-level File Object %3 is closed.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00600, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class DownLevelFileClosed : SystemEvent
{
    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x00700 in its
/// ManifestEvent attribute (format text "Down-level File Object %3 is released.").
/// </summary>
[Format("Down-level File Object %3 is released.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x00700, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Create File")]
public class DownLevelFileReleased : SystemEvent
{
    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x01800 in its
/// ManifestEvent attribute: a byte-range lock request with 64-bit offset and length,
/// a 32-bit key and a trailing status.
/// </summary>
// The format text is a runtime string; its spelling ("Fags") is kept exactly as generated,
// so searches over rendered messages need to use that spelling.
[Format("Received Byte Range Lock Request %4. At %7; Length %8; Key %9; Fags %5.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x01800, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "ByteRangeLock")]
public class ByteRangeLockUplevelAdd : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:HexInt32")] public uint MinorFunction { get; set; }

    [EventField("win:HexInt32")] public uint Flags { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt64")] public ulong Offset { get; set; }

    [EventField("win:HexInt64")] public ulong Length { get; set; }

    [EventField("win:HexInt32")] public uint Key { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x01900 in its
/// ManifestEvent attribute: the offset, length, key and exclusivity of a removed lock,
/// preceded by three pointer fields.
/// </summary>
[Format("Removed Lock. At %4; Length %5; Key %6; Exclusive %7.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x01900, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "ByteRangeLock")]
public class ByteRangeLockUplevelRemoved : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt64")] public ulong Offset { get; set; }

    [EventField("win:HexInt64")] public ulong Length { get; set; }

    [EventField("win:HexInt32")] public uint Key { get; set; }

    [EventField("win:Boolean")] public bool Exclusive { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02000 in its
/// ManifestEvent attribute: a resumed byte-range lock with its offset, length, key,
/// exclusivity and status.
/// </summary>
// NOTE(review): if %N is the 1-based position of a declared field (not shown in this file;
// TODO confirm), "At %4" lands on Length and "Exclusive %7" on Status, because Offset is the
// third field here. The rendered message may therefore mislabel values; verify before
// relying on the text rather than the typed properties.
[Format("Resume Lock. At %4; Length %5; Key %6; Exclusive %7.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02000, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "ByteRangeLock")]
public class ByteRangeLockUplevelResume : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt64")] public ulong Offset { get; set; }

    [EventField("win:HexInt64")] public ulong Length { get; set; }

    [EventField("win:HexInt32")] public uint Key { get; set; }

    [EventField("win:Boolean")] public bool Exclusive { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02010 in its
/// ManifestEvent attribute: two pointer fields followed by a status and a down-level status.
/// </summary>
[Format("Cleanup Locks. Status %3. Downlevel status %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02010, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "ByteRangeLock")]
public class ByteRangeLockCleanup : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }

    [EventField("win:HexInt32")] public uint DownLevelStatus { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02020 in its
/// ManifestEvent attribute: two pointer fields followed by a 32-bit hex status.
/// </summary>
[Format("Pause Locks. Status %3.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02020, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "ByteRangeLock")]
public class ByteRangeLockPause : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic oplock-resume event: two pointer
/// fields, the oplock level and the completion status.
/// </summary>
// NOTE(review): the literal 02050 below has no 0x prefix, unlike the other ManifestEvent
// literals in this file. C# has no octal literals, so it is read as decimal 2050, not 0x2050.
// If the provider actually emits 0x2050, these events would never be matched to this type and
// would be dropped silently by any consumer keyed on it; confirm against the provider manifest
// before changing the value.
[Format("Resuming oplock to level %3 completed with status %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 02050, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "Oplock")]
public class OplockResume : SystemEvent
{
    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:HexInt32")] public uint OplockLevel { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02100 in its
/// ManifestEvent attribute: two pointer fields, the full path, the oplock level and the
/// "ignore current conditions" flag.
/// </summary>
[Format("Enqueuing Single Client Notify. For File %3; Oplock Level is %4; Ignore Current Conditions %5.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02100, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "OplockUpgrade")]
public class EnqueueSingleClientNotify : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FullPath { get; set; }

    [EventField("win:HexInt32")] public uint OplockLevel { get; set; }

    [EventField("win:Boolean")] public bool IgnoreCurrentConditions { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02110 in its
/// ManifestEvent attribute: two pointer fields, the full path, the oplock level, a status
/// and the "is event completion" flag.
/// </summary>
[Format("Single Client Notify Completion. For File %3; Oplock Level is %4; Status %5; Is Event Completion %6.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02110, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO", "OplockUpgrade")]
public class SingleClientNotifyCompletion : SystemEvent
{
    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:UnicodeString")] public string FullPath { get; set; }

    [EventField("win:HexInt32")] public uint OplockLevel { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }

    [EventField("win:Boolean")] public bool IsEventCompletion { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02200 ("win:Start")
/// in its ManifestEvent attribute: the volume pointer and GUID, the current state, locality,
/// flags, and three strings (counters name, volume target path, file-system target path).
/// </summary>
[Format("Volume %2 transitioning from %3 to SetDownlevel. Local %4; Flags %5; CountersName %6; Volume target path %7; File System target path %8.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02200, 0, "win:Start", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "VolumeState")]
public class StateChangeSetDownlevelStart : SystemEvent
{
    [EventField("win:Pointer")] public ulong Volume { get; set; }

    [EventField("win:GUID")] public Guid VolumeId { get; set; }

    [EventField("win:Int32")] public int CurrentState { get; set; }

    [EventField("win:Boolean")] public bool IsLocal { get; set; }

    [EventField("win:HexInt32")] public uint Flags { get; set; }

    [EventField("win:UnicodeString")] public string CountersName { get; set; }

    [EventField("win:UnicodeString")] public string VolumeTargetPath { get; set; }

    [EventField("win:UnicodeString")] public string FsTargetPath { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02300 ("win:Start")
/// in its ManifestEvent attribute: the volume pointer and GUID plus the current and new state
/// as signed 32-bit integers.
/// </summary>
[Format("Volume %2 transitioning from %3 to %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02300, 0, "win:Start", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "VolumeState")]
public class VolumeStateChangeStart : SystemEvent
{
    [EventField("win:Pointer")] public ulong Volume { get; set; }

    [EventField("win:GUID")] public Guid VolumeId { get; set; }

    [EventField("win:Int32")] public int CurrentState { get; set; }

    [EventField("win:Int32")] public int NewState { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02400 ("win:Stop")
/// in its ManifestEvent attribute: the volume pointer and GUID, the resulting state, a source
/// value and a 32-bit hex status.
/// </summary>
// The format text is a runtime string; its spelling ("Reson") is kept exactly as generated,
// so searches over rendered messages need to use that spelling.
[Format("Volume %2 moved to state %3. Reson %4; Status %5.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02400, 0, "win:Stop", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "VolumeState")]
public class VolumeStateChanged : SystemEvent
{
    [EventField("win:Pointer")] public ulong Volume { get; set; }

    [EventField("win:GUID")] public Guid VolumeId { get; set; }

    [EventField("win:Int32")] public int State { get; set; }

    [EventField("win:Int32")] public int Source { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02500 ("win:Start")
/// in its ManifestEvent attribute: six pointer fields, the file name, six 32-bit hex values
/// and four 64-bit hex parameters.
/// </summary>
/// <remarks>
/// NOTE(review): the pointer fields and FileName are raw provider values; presumably object
/// addresses and file paths, so treat exported traces as sensitive (confirm with the provider docs).
/// </remarks>
[Format("Start IO %1 on %3 (%7). Major Code %10. Minor Code %11.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02500, 0, "win:Start", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoStart : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }

    [EventField("win:Pointer")] public ulong FileObject { get; set; }

    [EventField("win:Pointer")] public ulong Vcb { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:Pointer")] public ulong Ccb { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }

    [EventField("win:HexInt32")] public uint IrpFlags { get; set; }

    [EventField("win:HexInt32")] public uint IrpContextFlags { get; set; }

    [EventField("win:HexInt32")] public uint MajorFunction { get; set; }

    [EventField("win:HexInt32")] public uint MinorFunction { get; set; }

    [EventField("win:HexInt32")] public uint IrpSlFlags { get; set; }

    [EventField("win:HexInt32")] public uint Control { get; set; }

    [EventField("win:HexInt64")] public ulong Parameter1 { get; set; }

    [EventField("win:HexInt64")] public ulong Parameter2 { get; set; }

    [EventField("win:HexInt64")] public ulong Parameter3 { get; set; }

    [EventField("win:HexInt64")] public ulong Parameter4 { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02600 ("win:Stop")
/// in its ManifestEvent attribute: two pointer fields, a 32-bit status and a 64-bit
/// information value.
/// </summary>
[Format("Completed IO %1. Status %3. Information %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02600, 0, "win:Stop", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoCompleted : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }

    [EventField("win:HexInt64")] public ulong Information { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02700 ("win:Info")
/// in its ManifestEvent attribute. Carries only the two pointer fields.
/// </summary>
[Format("Posted IO %1.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02700, 0, "win:Info", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoPosted : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02800 ("win:Info")
/// in its ManifestEvent attribute. Carries only the two pointer fields.
/// </summary>
[Format("Continue IO %1.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02800, 0, "win:Info", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoContinue : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x02900 ("win:Suspend")
/// in its ManifestEvent attribute: two pointer fields, the context flags, a status and a
/// 64-bit information value.
/// </summary>
// NOTE(review): if %N is the 1-based position of a declared field (not shown in this file;
// TODO confirm), "Status %3" lands on IrpContextFlags and "Information %4" on Status, because
// IrpContextFlags is the third field here. Verify before relying on the rendered text rather
// than the typed properties.
[Format("Pause IO %1. Status %3. Information %4.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x02900, 0, "win:Suspend", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoPause : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }

    [EventField("win:HexInt32")] public uint IrpContextFlags { get; set; }

    [EventField("win:HexInt32")] public uint Status { get; set; }

    [EventField("win:HexInt64")] public ulong Information { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic event tagged 0x03000 ("win:Resume")
/// in its ManifestEvent attribute. Carries only the two pointer fields.
/// </summary>
[Format("Resume IO %1.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x03000, 0, "win:Resume", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "IO")]
public class IoResume : SystemEvent
{
    [EventField("win:Pointer")] public ulong Irp { get; set; }

    [EventField("win:Pointer")] public ulong IrpContext { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic rundown event tagged 0x03100 in its
/// ManifestEvent attribute: the volume pointer and GUID, two signed 32-bit values and three
/// strings (counters name, volume target path, file-system target path).
/// </summary>
[Format("Volume %2, %5")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x03100, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Rundown")]
public class VolumeRundown : SystemEvent
{
    [EventField("win:Pointer")] public ulong Volume { get; set; }

    [EventField("win:GUID")] public Guid VolumeId { get; set; }

    [EventField("win:Int32")] public int VpbFlags { get; set; }

    [EventField("win:Int32")] public int State { get; set; }

    [EventField("win:UnicodeString")] public string CountersName { get; set; }

    [EventField("win:UnicodeString")] public string VolumeTargetPath { get; set; }

    [EventField("win:UnicodeString")] public string FsTargetPath { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic rundown event tagged 0x03200 in its
/// ManifestEvent attribute: seventeen fields covering pointer values, state and flag words,
/// a 64-bit file id, the file name and the create/access values.
/// </summary>
/// <remarks>
/// NOTE(review): the pointer fields and FileName are raw provider values; presumably object
/// addresses and file paths, so treat exported traces as sensitive (confirm with the provider docs).
/// </remarks>
[Format("File %12")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x03200, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Rundown")]
public class FileRundown : SystemEvent
{
    [EventField("win:Pointer")] public ulong Vcb { get; set; }

    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:HexInt32")] public uint FcbState { get; set; }

    [EventField("win:HexInt32")] public uint FcbCondition { get; set; }

    [EventField("win:HexInt32")] public uint FcbConditionStatus { get; set; }

    [EventField("win:HexInt32")] public uint FcbDownlevelOplockLevel { get; set; }

    [EventField("win:HexInt64")] public ulong FileId { get; set; }

    [EventField("win:Pointer")] public ulong Ccb { get; set; }

    [EventField("win:HexInt32")] public uint CcbFlags { get; set; }

    [EventField("win:Pointer")] public ulong ShadowFileObject { get; set; }

    [EventField("win:Pointer")] public ulong RealFileObject { get; set; }

    [EventField("win:UnicodeString")] public string FileName { get; set; }

    [EventField("win:HexInt32")] public uint CreateDisposition { get; set; }

    [EventField("win:HexInt32")] public uint DesiredAccess { get; set; }

    [EventField("win:HexInt32")] public uint SharedAccess { get; set; }

    [EventField("win:HexInt32")] public uint CreateFlags { get; set; }

    [EventField("win:HexInt32")] public uint AttributeFlags { get; set; }
}
|
|
|
|
/// <summary>
/// Typed payload for the Microsoft-Windows-CsvFs/Diagnostic rundown event tagged 0x03300 in its
/// ManifestEvent attribute: three pointer fields followed by the offset, length, key and
/// exclusivity of a lock.
/// </summary>
[Format("Lock. At %4; Length %5; Key %6; Exclusive %7.")]
[ManifestEvent("{6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1}", 0x03300, 0, "", "win:Informational",
    "Microsoft-Windows-CsvFs/Diagnostic", "Rundown")]
public class FileLockRundown : SystemEvent
{
    [EventField("win:Pointer")] public ulong Fcb { get; set; }

    [EventField("win:Pointer")] public ulong File { get; set; }

    [EventField("win:Pointer")] public ulong Process { get; set; }

    [EventField("win:HexInt64")] public ulong Offset { get; set; }

    [EventField("win:HexInt64")] public ulong Length { get; set; }

    [EventField("win:HexInt32")] public uint Key { get; set; }

    [EventField("win:Boolean")] public bool Exclusive { get; set; }
}
|
|
|
|
}
|