Rediger

Del via


Process_V2 class

This class is the parent class for process events.

The following syntax is simplified from MOF code.

Syntax

[Guid("{3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}"), EventVersion(2)]
class Process_V2 : MSNT_SystemTrace
{
};

Members

The Process class does not define any members.

Remarks

To enable process events in an NT Kernel logging session, specify the EVENT_TRACE_FLAG_PROCESS flag in the EnableFlags member of an EVENT_TRACE_PROPERTIES structure when calling the StartTrace function. You can also specify the following flag:

  • EVENT_TRACE_FLAG_PROCESS_COUNTERS

Event trace consumers can implement special processing for process events by calling the SetTraceCallback function and specifying ProcessGuid as the pGuid parameter. Use the following event types to identify the actual process event when consuming events.

Event type Description
EVENT_TRACE_TYPE_END(Event type value is 2)
End process event. The Process_V2_TypeGroup1 MOF class defines the event data for this event.
EVENT_TRACE_TYPE_START(Event type value is 1)
Start process event. The Process_V2_TypeGroup1 MOF class defines the event data for this event.
Event type value, 3 Start data collection process event. Enumerates processes that are currently running at the time the kernel session starts. The Process_V2_TypeGroup1 MOF class defines the event data for this event.
Event type value, 4 End data collection process event. Enumerates processes that are currently running at the time the kernel session ends. The Process_V2_TypeGroup1 MOF class defines the event data for this event.
Event type value, 32 Performance counters event. The Process_V2_TypeGroup2 MOF class defines the event data for this event.
Event type value, 33 Rundown of the performance counters at the start of the session. The Process_V2_TypeGroup2 MOF class defines the event data for this event.
Event type value, 39 Defunct process event. The Process_V2_TypeGroup1 MOF class defines the event data for this event.

 

Process and thread start events may be logged in the context of the parent process or thread. As a result, the ProcessId and ThreadId members of EVENT_TRACE_HEADER may not correspond to the process and thread being created. This is why these events contain the process and thread identifiers in the event data (in addition to those in the event header).

Requirements

Requirement Value
Minimum supported client
Windows Vista [desktop apps | UWP apps]
Minimum supported server
Windows Server 2008 [desktop apps | UWP apps]

See also

MSNT_SystemTrace

Process

Process_TypeGroup1

Process_V0

Process_V1