SystemPropertiesType Complex Type
Defines the information that identifies the provider and how it was enabled, the event, the channel to which the event was written, and system information such as the process and thread IDs.
```xml
<xs:complexType name="SystemPropertiesType">
  <xs:sequence>
    <xs:element name="Provider">
      <xs:complexType>
        <xs:attribute name="Name" type="anyURI" use="optional" />
        <xs:attribute name="Guid" type="GUIDType" use="optional" />
        <xs:attribute name="EventSourceName" type="string" use="optional" />
      </xs:complexType>
    </xs:element>
    <xs:element name="EventID">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="unsignedShort">
            <xs:attribute name="Qualifiers" type="unsignedShort" use="optional" />
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <xs:element name="Version" type="unsignedByte" minOccurs="0" />
    <xs:element name="Level" type="unsignedByte" minOccurs="0" />
    <xs:element name="Task" type="unsignedShort" minOccurs="0" />
    <xs:element name="Opcode" type="unsignedByte" minOccurs="0" />
    <xs:element name="Keywords" type="HexInt64Type" minOccurs="0" />
    <xs:element name="TimeCreated" minOccurs="0">
      <xs:complexType>
        <xs:attribute name="SystemTime" type="dateTime" use="optional" />
        <xs:attribute name="RawTime" type="unsignedLong" use="optional" />
      </xs:complexType>
      <xs:key name="uniqueAtt">
        <xs:selector xpath="." />
        <xs:field xpath="@SystemTime|@RawTime" />
      </xs:key>
    </xs:element>
    <xs:element name="EventRecordID" minOccurs="0">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="unsignedLong" />
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
    <xs:element name="Correlation" minOccurs="0">
      <xs:complexType>
        <xs:attribute name="ActivityID" type="GUIDType" use="optional" />
        <xs:attribute name="RelatedActivityID" type="GUIDType" use="optional" />
      </xs:complexType>
    </xs:element>
    <xs:element name="Execution" minOccurs="0">
      <xs:complexType>
        <xs:attribute name="ProcessID" type="unsignedInt" use="required" />
        <xs:attribute name="ThreadID" type="unsignedInt" use="required" />
        <xs:attribute name="ProcessorID" type="unsignedByte" use="optional" />
        <xs:attribute name="SessionID" type="unsignedInt" use="optional" />
        <xs:attribute name="KernelTime" type="unsignedInt" use="optional" />
        <xs:attribute name="UserTime" type="unsignedInt" use="optional" />
        <xs:attribute name="ProcessorTime" type="unsignedInt" use="optional" />
      </xs:complexType>
    </xs:element>
    <xs:element name="Channel" type="anyURI" minOccurs="0" />
    <xs:element name="Computer" type="string" />
    <xs:element name="Security" minOccurs="0">
      <xs:complexType>
        <xs:attribute name="UserID" type="string" use="optional" />
      </xs:complexType>
    </xs:element>
    <xs:any processContents="lax" minOccurs="0" maxOccurs="unbounded" namespace="##other" />
  </xs:sequence>
  <xs:anyAttribute processContents="lax" namespace="##other" />
</xs:complexType>
```
Child elements
Element | Type | Description |
---|---|---|
Channel | anyURI | The channel to which the event was logged. |
Computer | string | The name of the computer on which the event occurred. |
Correlation | | The activity identifiers that consumers can use to group related events together. |
EventID | | The identifier that the provider used to identify the event. |
EventRecordID | | The record number assigned to the event when it was logged. |
Execution | | Contains information about the process and thread that logged the event. |
Keywords | HexInt64Type | A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data). |
Level | unsignedByte | The severity level defined in the event. |
Opcode | unsignedByte | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
Provider | | Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event. |
Security | | Identifies the user that logged the event. |
Task | unsignedShort | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. |
TimeCreated | | The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute. |
Version | unsignedByte | The version number of the event's definition. |
Attributes
Name | Type | Description |
---|---|---|
ActivityID | GUIDType | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. |
EventSourceName | string | The name of the event source that published the event (if the event source is from the legacy Event Logging API). |
Guid | GUIDType | The globally unique identifier that uniquely identifies the provider. |
KernelTime | unsignedInt | Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file). |
Name | anyURI | The name of the provider. |
ProcessID | unsignedInt | Identifies the process that generated the event. |
ProcessorID | unsignedByte | The identification number for the processor that processed the event. Only available for events logged to an event tracing log file (.etl file). |
ProcessorTime | unsignedInt | For ETW private sessions, the elapsed execution time for user-mode instructions, in CPU ticks. Only available for events logged to an event tracing log file (.etl file). |
Qualifiers | unsignedShort | A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of the EventID element contains the low-order 16 bits of the event identifier and the Qualifiers attribute contains the high-order 16 bits of the event identifier. |
RawTime | unsignedLong | The raw time stamp value; the format of the time stamp depends on the time source used to collect the trace. The raw time stamp offers higher precision than system time. The rendered event output will only contain raw time if you use TraceRpt.exe with the -rts switch. |
RelatedActivityID | GUIDType | A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier. |
SessionID | unsignedInt | The identification number for the terminal server session in which the event occurred. Only available for events logged to an event tracing log file (.etl file). |
SystemTime | dateTime | The system time of when the event was logged. |
ThreadID | unsignedInt | Identifies the thread that generated the event. |
UserID | string | The security identifier (SID) of the user in string form. |
UserTime | unsignedInt | Elapsed execution time for user-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file). |
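The following added example (not part of the original reference page) shows how a log consumer might normalise the System fields described above: it rebuilds the 32-bit legacy identifier from Qualifiers and EventID, picks the provider identity from Name or EventSourceName, decodes the Keywords bitmask, and reports which of SystemTime or RawTime is present. The function name `parse_system`, the dictionary keys and all sample values are assumptions made for illustration, and the XML is assumed to come from a trusted export rather than untrusted input.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: an event from a legacy (Event Logging API) provider.
LEGACY_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider EventSourceName="ExampleService"/>
  <EventID Qualifiers="49152">7023</EventID>
  <Keywords>0x80000000000000</Keywords>
  <TimeCreated SystemTime="2024-01-15T10:30:00.1234567Z"/>
  <Execution ProcessID="612" ThreadID="4040"/>
  <Computer>host01.example.test</Computer>
  <Security UserID="S-1-5-18"/>
 </System>
</Event>"""

def parse_system(event_xml):
    """Return normalised System fields; optional elements come back as None."""
    system = ET.fromstring(event_xml).find("e:System", NS)
    if system is None:
        raise ValueError("event has no System element")

    def node(tag):
        return system.find(f"e:{tag}", NS)

    def attr(tag, name):
        el = node(tag)
        return el.get(name) if el is not None else None

    event_id = int(node("EventID").text)
    qualifiers = attr("EventID", "Qualifiers")
    keywords = node("Keywords")
    # TimeCreated carries either SystemTime or RawTime; record which one.
    time_kind = next((k for k in ("SystemTime", "RawTime") if attr("TimeCreated", k)), None)
    return {
        # Manifest providers carry Name/Guid; legacy ones carry EventSourceName.
        "provider": attr("Provider", "Name") or attr("Provider", "EventSourceName"),
        "legacy_provider": attr("Provider", "EventSourceName") is not None,
        "event_id": event_id,
        # Legacy 32-bit identifier: Qualifiers is the high word, EventID the low word.
        "full_event_id": (int(qualifiers) << 16 | event_id) if qualifiers else event_id,
        "keywords": int(keywords.text, 16) if keywords is not None else None,
        "time": (time_kind, attr("TimeCreated", time_kind)) if time_kind else None,
        "pid": int(attr("Execution", "ProcessID")) if node("Execution") is not None else None,
        "computer": node("Computer").text,
        "user_sid": attr("Security", "UserID"),
    }
```

Matching detections on `full_event_id` as well as `event_id` avoids confusing two legacy events that share the low-order 16 bits but differ in Qualifiers.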
Remarks
By default, the event contains the fully qualified domain name (FQDN) of a computer. To use the NETBIOS name rather than the FQDN, you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows Vista [desktop apps only] |
Minimum supported server | Windows Server 2008 [desktop apps only] |