Win32_ModuleLoadTrace class
The Win32_ModuleLoadTrace event WMI class indicates that a process has loaded a new module.
The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.
Syntax
class Win32_ModuleLoadTrace : Win32_ModuleTrace
{
string FileName;
uint64 DefaultBase;
uint64 ImageBase;
uint32 ImageChecksum;
uint64 ImageSize;
uint32 ProcessID;
uint8 SECURITY_DESCRIPTOR[];
uint64 TIME_CREATED;
uint32 TimeDateSTamp;
};
Members
The Win32_ModuleLoadTrace class has these types of members:
Properties
The Win32_ModuleLoadTrace class has these properties.
- DefaultBase
-
- Data type: uint64
- Access type: Read-only
Default base address for loading the image, as listed in the binary image header. If the requested address is unavailable, the image is loaded at the ImageBase address, which causes recalculation of images addresses.
Windows Server 2003 and Windows XP: This property is not available. - FileName
-
- Data type: string
- Access type: Read-only
File name of the loaded module from the binary image header.
- ImageBase
-
- Data type: uint64
- Access type: Read-only
Base address where the module is loaded into process memory.
For more information about using uint64 values in scripts, see Scripting in WMI.
- ImageChecksum
-
- Data type: uint32
- Access type: Read-only
Binary image checksum for the module as listed in the image header. The image checksum is a hash that is used to verify that the image has not been changed. The hash is usually set when the module is linked and is not an encryption mechanism.
Windows Server 2003 and Windows XP: This property is not available. - ImageSize
-
- Data type: uint64
- Access type: Read-only
Size, in bytes, of the loaded module.
Windows Server 2003 and Windows XP: The datatype is uint32. - ProcessID
-
- Data type: uint32
- Access type: Read-only
Identifies the process that loaded the module.
- SECURITY_DESCRIPTOR
-
- Data type: uint8 array
- Access type: Read-only
Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event.
- TIME_CREATED
-
- Data type: uint64
- Access type: Read-only
Unique value that indicates the time at which the event was generated. This property is inherited from __Event.
For more information about using uint64 values in scripts, see Scripting in WMI.
- TimeDateSTamp
-
- Data type: uint32
- Access type: Read-only
Binary image time stamp as listed in the image header. TimeDateSTamp is used with FileName and ImageSize to identify the binary image uniquely.
Windows Server 2003 and Windows XP: This property is not available.
Remarks
The Win32_ModuleLoadTrace class is derived from Win32_ModuleTrace.
Examples
For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.
For C++ code examples, see WMI C++ Application Examples.
Requirements
|
Minimum supported client | Windows XP [desktop apps only] |
|---|---|
|
Minimum supported server | Windows Server 2003 [desktop apps only] |
|
Namespace |
\root\CIMV2 |
|
MOF |
|
|
DLL |
|
See also
Send comments about this topic to Microsoft
Build date: 11/19/2012
