This example demonstrates the use of BinXml templates. There is one outer template <Event> and one inner template <MyEvent>. The outer template has substitutions (shown in bold) under the <System> element. However, it also has a BinXml substitution within the <UserData> element. In other words, the BinXml that describes <MyEvent> is contained as a value for the outer <Event> template instance. The BinXml for <MyEvent> happens to also be another template instance (although it could have been a normal fragment). The MyEvent template substitutions are also shown in bold.
Also, the outer template substitutions are all optional, and some values of that template are NULL; therefore, some of the BinXml elements or attributes are not present in the following XML text.
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Wevttest' Guid='{03f41308-fa7b-4fb3-98b8-c2ed0a40d1ef}'/>
    <EventID>100</EventID>
    <Version>0</Version>
    <Level>1</Level>
    <Task>100</Task>
    <Opcode>1</Opcode>
    <Keywords>0x4000000000e00000</Keywords>
    <TimeCreated SystemTime='2006-06-14T21:40:16.312Z'/>
    <EventRecordID>5</EventRecordID>
    <Correlation/>
    <Execution ProcessID='2088' ThreadID='2464'/>
    <Channel>Microsoft-Windows-Wevttest/Operational/Wevttest</Channel>
    <Computer>michaelm4-lh.ntdev.corp.microsoft.com</Computer>
    <Security UserID='S-1-5-21-397955417-626881126-188441444-2967838'/>
  </System>
  <UserData>
    <MyEvent xmlns:autons2='http://schemas.microsoft.com/win/2004/08/events' xmlns='myNs'>
      <Property>1</Property>
      <Property2>2</Property2>
    </MyEvent>
  </UserData>
</Event>
```
Start of <Event> TemplateInstance ...
```
00 : 0f 01 01 00 0c 00 4a 46-4c cc 16 dc 46 8e 80 a2
10 : dc 45 ea 94 9c bd ef 04-00 00 0f 01 01 00 41 ff  <Event>
20 : ff e3 04 00 00 ba 0c 05-00 45 00 76 00 65 00 6e
30 : 00 74 00 00 00 7f 00 00-00 06 bc 0f 05 00 78 00
40 : 6d 00 6c 00 6e 00 73 00-00 00 05 01 35 00 68 00
50 : 74 00 74 00 70 00 3a 00-2f 00 2f 00 73 00 63 00
60 : 68 00 65 00 6d 00 61 00-73 00 2e 00 6d 00 69 00
70 : 63 00 72 00 6f 00 73 00-6f 00 66 00 74 00 2e 00
80 : 63 00 6f 00 6d 00 2f 00-77 00 69 00 6e 00 2f 00
90 : 32 00 30 00 30 00 34 00-2f 00 30 00 38 00 2f 00
A0 : 65 00 76 00 65 00 6e 00-74 00 73 00 2f 00 65 00
B0 : 76 00 65 00 6e 00 74 00-02 01 ff ff 24 04 00 00  <System>
C0 : 6f 54 06 00 53 00 79 00-73 00 74 00 65 00 6d 00
D0 : 00 00 02 41 ff ff c1 00-00 00 f1 7b 08 00 50 00  <Provider>
E0 : 72 00 6f 00 76 00 69 00-64 00 65 00 72 00 00 00
F0 : a6 00 00 00 46 4b 95 04-00 4e 00 61 00 6d 00 65
100: 00 00 00 05 01 1a 00 4d-00 69 00 63 00 72 00 6f
110: 00 73 00 6f 00 66 00 74-00 2d 00 57 00 69 00 6e
120: 00 64 00 6f 00 77 00 73-00 2d 00 57 00 65 00 76
130: 00 74 00 74 00 65 00 73-00 74 00 06 29 15 04 00
140: 47 00 75 00 69 00 64 00-00 00 05 01 26 00 7b 00
150: 30 00 33 00 66 00 34 00-31 00 33 00 30 00 38 00
160: 2d 00 66 00 61 00 37 00-62 00 2d 00 34 00 66 00
170: 62 00 33 00 2d 00 39 00-38 00 62 00 38 00 2d 00
180: 63 00 32 00 65 00 64 00-30 00 61 00 34 00 30 00
190: 64 00 31 00 65 00 66 00-7d 00 03 41 03 00 3d 00  <Provider/> <EventID>
1A0: 00 00 f5 61 07 00 45 00-76 00 65 00 6e 00 74 00
1B0: 49 00 44 00 00 00 1f 00-00 00 06 29 da 0a 00 51
1C0: 00 75 00 61 00 6c 00 69-00 66 00 69 00 65 00 72
1D0: 00 73 00 00 00 0e 04 00-06 02 0e 03 00 06 04 01  </EventID>
1E0: 0b 00 1a 00 00 00 18 09-07 00 56 00 65 00 72 00
1F0: 73 00 69 00 6f 00 6e 00-00 00 02 0e 0b 00 04 04
200: 01 00 00 16 00 00 00 64-ce 05 00 4c 00 65 00 76
210: 00 65 00 6c 00 00 00 02-0e 00 00 04 04 01 02 00
220: 14 00 00 00 45 7b 04 00-54 00 61 00 73 00 6b 00
230: 00 00 02 0e 02 00 06 04-01 01 00 18 00 00 00 ae
240: 1e 06 00 4f 00 70 00 63-00 6f 00 64 00 65 00 00
250: 00 02 0e 01 00 04 04 01-05 00 1c 00 00 00 6a cf
260: 08 00 4b 00 65 00 79 00-77 00 6f 00 72 00 64 00
270: 73 00 00 00 02 0e 05 00-15 04 41 ff ff 40 00 00
280: 00 3b 8e 0b 00 54 00 69-00 6d 00 65 00 43 00 72
290: 00 65 00 61 00 74 00 65-00 64 00 00 00 1f 00 00
2A0: 00 06 3c 7b 0a 00 53 00-79 00 73 00 74 00 65 00
2B0: 6d 00 54 00 69 00 6d 00-65 00 00 00 0e 06 00 11
2C0: 03 01 0a 00 26 00 00 00-46 03 0d 00 45 00 76 00
2D0: 65 00 6e 00 74 00 52 00-65 00 63 00 6f 00 72 00
2E0: 64 00 49 00 44 00 00 00-02 0e 0a 00 0a 04 41 ff
2F0: ff 6d 00 00 00 a2 f2 0b-00 43 00 6f 00 72 00 72
300: 00 65 00 6c 00 61 00 74-00 69 00 6f 00 6e 00 00
310: 00 4c 00 00 00 46 0a f1-0a 00 41 00 63 00 74 00
320: 69 00 76 00 69 00 74 00-79 00 49 00 44 00 00 00
330: 0e 07 00 0f 06 35 c5 11-00 52 00 65 00 6c 00 61
340: 00 74 00 65 00 64 00 41-00 63 00 74 00 69 00 76
350: 00 69 00 74 00 79 00 49-00 44 00 00 00 0e 12 00
360: 0f 03 41 ff ff 55 00 00-00 b8 b5 09 00 45 00 78
370: 00 65 00 63 00 75 00 74-00 69 00 6f 00 6e 00 00
380: 00 38 00 00 00 46 0a d7-09 00 50 00 72 00 6f 00
390: 63 00 65 00 73 00 73 00-49 00 44 00 00 00 0e 08
3A0: 00 08 06 85 39 08 00 54-00 68 00 72 00 65 00 61
3B0: 00 64 00 49 00 44 00 00-00 0e 09 00 08 03 01 ff
3C0: ff 78 00 00 00 83 61 07-00 43 00 68 00 61 00 6e
3D0: 00 6e 00 65 00 6c 00 00-00 02 05 01 2f 00 4d 00
3E0: 69 00 63 00 72 00 6f 00-73 00 6f 00 66 00 74 00
3F0: 2d 00 57 00 69 00 6e 00-64 00 6f 00 77 00 73 00
400: 2d 00 57 00 65 00 76 00-74 00 74 00 65 00 73 00
410: 74 00 2f 00 4f 00 70 00-65 00 72 00 61 00 74 00
420: 69 00 6f 00 6e 00 61 00-6c 00 2f 00 57 00 65 00
430: 76 00 74 00 74 00 65 00-73 00 74 00 04 01 ff ff
440: 66 00 00 00 3b 6e 08 00-43 00 6f 00 6d 00 70 00
450: 75 00 74 00 65 00 72 00-00 00 02 05 01 25 00 6d
460: 00 69 00 63 00 68 00 61-00 65 00 6c 00 6d 00 34
470: 00 2d 00 6c 00 68 00 2e-00 6e 00 74 00 64 00 65
480: 00 76 00 2e 00 63 00 6f-00 72 00 70 00 2e 00 6d
490: 00 69 00 63 00 72 00 6f-00 73 00 6f 00 66 00 74
4A0: 00 2e 00 63 00 6f 00 6d-00 04 41 ff ff 32 00 00
4B0: 00 a0 2e 08 00 53 00 65-00 63 00 75 00 72 00 69
4C0: 00 74 00 79 00 00 00 17-00 00 00 06 66 4c 06 00
4D0: 55 00 73 00 65 00 72 00-49 00 44 00 00 00 0e 0c  </System>
4E0: 00 13 03 04 01 13 00 1c-00 00 00 35 44 08 00 55  <UserData>
4F0: 00 73 00 65 00 72 00 44-00 61 00 74 00 61 00 00
500: 00 02 0e 13 00 21 04 04-00                        </UserData> </Event> EOF
```
Start of <Event> TemplateInstanceData ValueSpec ...
```
                                14 00 00 00 01 00 04
510: 00 01 00 04 00 02 00 06-00 02 00 06 00 00 00 00
520: 00 08 00 15 00 08 00 11-00 00 00 00 00 04 00 08
530: 00 04 00 08 00 08 00 0a-00 01 00 04 00 1c 00 13
540: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
550: 00 00 00 00 00 00 00 00-00 83 01 21 00
```
Start of <Event> TemplateInstanceData Values ...
```
                                            01 01 64
560: 00 64 00 00 00 e0 00 00-00 00 40 9c f4 d6 36 fb
570: 8f c6 01 28 08 00 00 a0-09 00 00 06 00 00 00 00
580: 00 00 00 00 01 05 00 00-00 00 00 05 15 00 00 00
590: 59 51 b8 17 66 72 5d 25-64 63 3b 0b 1e 49 2d 00
```
Start of <MyEvent> inner TemplateInstance ...
```
5A0: 0f 01 01 00 0c 00 a7 65-05 7a 02 84 f0 a1 67 ab
5B0: 96 df 09 0d 39 a7 54 01-00 00 41 ff ff 04 01 00  <MyEvent>
5C0: 00 4e c0 07 00 4d 00 79-00 45 00 76 00 65 00 6e
5D0: 00 74 00 00 00 a2 00 00-00 46 4d 77 0e 00 78 00
5E0: 6d 00 6c 00 6e 00 73 00-3a 00 61 00 75 00 74 00
5F0: 6f 00 2d 00 6e 00 73 00-32 00 00 00 05 01 2f 00
600: 68 00 74 00 74 00 70 00-3a 00 2f 00 2f 00 73 00
610: 63 00 68 00 65 00 6d 00-61 00 73 00 2e 00 6d 00
620: 69 00 63 00 72 00 6f 00-73 00 6f 00 66 00 74 00
630: 2e 00 63 00 6f 00 6d 00-2f 00 77 00 69 00 6e 00
640: 2f 00 32 00 30 00 30 00-34 00 2f 00 30 00 38 00
650: 2f 00 65 00 76 00 65 00-6e 00 74 00 73 00 06 bc
660: 0f 05 00 78 00 6d 00 6c-00 6e 00 73 00 00 00 05
670: 01 04 00 6d 00 79 00 4e-00 73 00 02 01 ff ff 1c  <Property>
680: 00 00 00 b5 db 08 00 50-00 72 00 6f 00 70 00 65
690: 00 72 00 74 00 79 00 00-00 02 0d 00 00 08 04 01  </Property> <Property2>
6A0: ff ff 1e 00 00 00 bd 11-09 00 50 00 72 00 6f 00
6B0: 70 00 65 00 72 00 74 00-79 00 32 00 00 00 02 0d
6C0: 01 00 08 04 04 00                                 </Property2> </MyEvent> EOF
```
Waste bytes that could occur after template definition EOF but included in TemplateDefLength ...
```
                       00 00-00 00 08 08 00 00 00 00
6D0: 00 00 00 00 00 00 08 07-00 00 00 00 00 00 08 08
6E0: 00 00 00 00 00 00 00 00-00 00 18 07 00 00 10 00
6F0: 00 00 50 00 72 00 6f 00-70 00 31 00 00 00 10 00
700: 00 00 50 00 72 00 6f 00-70 00 32 00 00 00
```
Start of <MyEvent> inner TemplateInstanceData ...
```
                                               02 00
710: 00 00 04 00 08 00 04 00-08 00 01 00 00 00 02 00
720: 00 00 00 00
```
| Token offset | Token type | Comments on encoding |
|---|---|---|
| 0x00 | 0x0F - FragmentHeaderToken | Version1.1, Flags = 0. This is at the "document" level, and it is likely that an EOFToken will occur at the end. |
| 0x04 | 0x0C - TemplateInstanceToken | Outer template instance <Event>. The TemplateDefByteLength is 0x4EF and the template definition starts at 0x1A. This means that the end of the template definition will be at 0x1A + 0x4EF = 0x509 (which is the start of the TemplateInstanceData). The ValueSpec of the TemplateInstanceData specifies that there are 0x14 values with a total length of 0x1C6 bytes. This length is calculated by adding up all the lengths of the values specified in the value spec entries. The actual raw values of the template instance data start just after the value spec entries (at offset 0x55D). Offset 0x55D + 0x1C6 bytes leave us at the EOF token for the outer fragment containing the TemplateInstance. |
| 0x1A | 0x0F - FragmentHeaderToken | Version for template definition BinXml. This could be different from the template instance version. |
| 0x1E | 0x41 - OpenStartElementToken (more Bit) | <Event>. Note that because this is a template definition, the dependency ID is included, but 0xFFFF indicates no dependency. This value actually consists of two parts. The 0x01 indicates that it is an OpenStartElementToken, and the 0x40 is the "more" bit, which indicates that there are additional attributes. |
| 0xB9 | 0x01 - OpenStartElementToken | <System>. This has a dependency of 0xFFFF. |
| 0x19B | 0x41 - OpenStartElementToken (more Bit) | <EventID>. This does have a dependency (of 0x03). This means that if the template instance value at index 3 (the fourth value), in the ValueSpec, is of NULL type, then this element is to be omitted from the XML text. In this case, the type is non-NULL and so the element is included in the XML text representation. This value actually consists of two parts. The 0x01 indicates that it is an OpenStartElementToken. The 0x40 is the "more" bit, which indicates that there are additional attributes. |
| 0x1BA | 0x06 - AttributeToken | Attribute called EventIDQualifiers. Note that it does not appear in the XML text due to the OptionalSubstitutionToken specified next. |
| 0x1D5 | 0x0E - OptionalSubstitutionToken | Optional substitution of the value specified at index 4 in the value spec. Looking forward into the TemplateInstanceData shows that this value is of NULL type, and so the enclosing attribute is not included in the XML text representation. |
| 0x1D9 | 0x02 - CloseStartElementToken | Close <EventID> start tag. |
| 0x1DA | 0x0E - OptionalSubstitutionToken | OptionalSubstitution of the value specified at index 3 in the value spec. The value is 100 (in decimal). |
| 0x4E4 | 0x01 - OpenStartElementToken | <UserData> start tag. It specifies that it is dependent on the value at index 0x13 in the value spec. This value is the BinXml for the inner template <MyEvent>. Because it is present, <UserData> is included in the XML representation. |
| 0x502 | 0x0E - OptionalSubstitutionToken | This is the substitution for the BinXml, and its expected type is BinXmlType. The index into the value spec is 0x13. |
| 0x506 | 0x04 - EndElementToken | End <UserData>. |
| 0x507 | 0x04 - EndElementToken | End <Event>. |
| 0x508 | 0x00 - EOFToken | EOF for the outer template definition. |
| 0x5A0 | 0x0F - FragmentHeaderToken | This is actually the last value that is specified in the outer TemplateInstance; however, because this value is itself BinXml, it starts with an (optional) header token and ends with an EOFToken. |
| 0x5A4 | 0x0C - TemplateInstanceToken | For the inner template instance <MyEvent>, the TemplateDefByteLength is 0x154 and the template definition itself starts at 0x5BA. This means that the end of the template definition will be at offset 0x5BA + 0x154 = 0x70E (which is the offset of the start of the TemplateInstanceData). The ValueSpec of the TemplateInstanceData specifies that there are 2 values with a total length of 8 bytes. This length is calculated by adding up all the lengths of the values specified in the value spec entries. The actual raw values of the template instance data start just after the value spec entries (at offset 0x71A). Adding the offset 0x71A to 0x8 bytes leaves us at the EOFToken for the inner fragment containing the TemplateInstance. |
| 0x722 | 0x00 - EOFToken | EOF for the inner TemplateInstance. |
| 0x723 | 0x00 - EOFToken | EOF for the outer TemplateInstance. |
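
The ValueSpec arithmetic described in the 0x04 row can be checked mechanically. The following Python code is an added example, not part of the original page: it parses the outer ValueSpec bytes copied from the dump (0x509-0x55C), derives the offset of each raw value, and refuses lengths that would run past the outer EOFToken, which is the check a parser of untrusted event data needs. The function names and the type-name table are assumptions made for the example.

```python
import struct

# ValueSpec of the outer <Event> TemplateInstanceData, copied from the hex
# dump on this page (offsets 0x509-0x55C): a 4-byte count, then one 4-byte
# entry per value (2-byte length, 1-byte type, 1 byte 0x00).
VALUE_SPEC_OFFSET = 0x509
OUTER_EOF_OFFSET = 0x723   # EOFToken that closes the outer fragment
VALUE_SPEC = bytes.fromhex(
    "14000000 01000400 01000400 02000600 02000600 00000000 08001500"
    "08001100 00000000 04000800 04000800 08000a00 01000400 1c001300"
    "00000000 00000000 00000000 00000000 00000000 00000000 83012100"
)

# Type codes that occur in this sample (names chosen for the example).
TYPE_NAMES = {0x00: "Null", 0x04: "UInt8", 0x06: "UInt16", 0x08: "UInt32",
              0x0A: "UInt64", 0x11: "FileTime", 0x13: "Sid",
              0x15: "HexInt64", 0x21: "BinXml"}

def parse_value_spec(spec, base, limit):
    """Return (entries, end); each entry is (index, type, offset, length)."""
    if len(spec) < 4:
        raise ValueError("ValueSpec shorter than its count field")
    (count,) = struct.unpack_from("<I", spec, 0)
    if 4 + 4 * count > len(spec):
        raise ValueError("value count exceeds the ValueSpec buffer")
    cursor = base + 4 + 4 * count        # raw values follow the entries
    entries = []
    for i in range(count):
        length, vtype, _ = struct.unpack_from("<HBB", spec, 4 + 4 * i)
        if cursor + length > limit:
            raise ValueError(f"value {i} runs past offset {limit:#x}")
        entries.append((i, vtype, cursor, length))
        cursor += length
    return entries, cursor

def omitted_indexes(entries):
    """Indexes of NULL-typed values; dependent elements are left out."""
    return [i for i, vtype, _, _ in entries if vtype == 0x00]

if __name__ == "__main__":
    entries, end = parse_value_spec(VALUE_SPEC, VALUE_SPEC_OFFSET,
                                    OUTER_EOF_OFFSET)
    for i, vtype, offset, length in entries:
        name = TYPE_NAMES.get(vtype, hex(vtype))
        print(f"{i:2d}  {name:<8}  0x{offset:03X}  {length:#x}")
    print(f"values end at {end:#x}; NULL indexes {omitted_indexes(entries)}")
```

The entry at index 0x13 comes out as a BinXml value at offset 0x5A0, which is where the inner <MyEvent> fragment begins in the dump.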