This topic has not yet been rated - Rate this topic

Win32_ProcessStartTrace class

The Win32_ProcessStartTrace event WMI classindicates that a new process has started.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

class Win32_ProcessStartTrace : Win32_ProcessTrace
{
  uint4  PageDirectoryBase;
  uint32 ParentProcessID;
  uint32 ProcessID;
  string ProcessName;
  uint8  SECURITY_DESCRIPTOR[];
  uint32 SessionID;
  uint8  Sid[];
  uint8  TIME_CREATED;
};

Members

The Win32_ProcessStartTrace class has these types of members:

Properties

Properties

The Win32_ProcessStartTrace class has these properties.

PageDirectoryBase

Data type: uint4
Access type: Read-only

Identifies the process page directory base. Beginning with Windows Vista, this property is not available.

Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is available, but does not contain data that is useful outside of the operating system.

ParentProcessID

Data type: uint32
Access type: Read-only

Process that started the new process. This property is inherited from Win32_ProcessTrace.

ProcessID

Data type: uint32
Access type: Read-only

Identifying the process involved in the event. This property is inherited from Win32_ProcessTrace.

ProcessName

Data type: string
Access type: Read-only

Name of the process. You can use this name to get the instance of the Win32_Process for same process.

SECURITY_DESCRIPTOR

Data type: uint8 array
Access type: Read-only

Descriptor used by the event provider to determine the users who can receive the event. This property is inherited from __Event.

Note A NULL access control list (ACL) in the SECURITY_DESCRIPTOR grants unlimited access to everyone all of the time. For more information, see Creating a Security Descriptor for a New Object.

SessionID

Data type: uint32
Access type: Read-only

Session under which the process exists.

Sid

Data type: uint8 array
Access type: Read-only

Security identifier (SID) for the user context under which the event happens. This property is inherited from Win32_ProcessTrace.

TIME_CREATED

Data type: uint8
Access type: Read-only

Unique value that indicates the time the event was generated. This property is inherited from __Event.

Remarks

The Win32_ProcessStartTrace class is derived from Win32_ProcessTrace.

Examples

For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.

For C++ code examples, see WMI C++ Application Examples.

Requirements

Minimum supported client	Windows XP [desktop apps only]
Minimum supported server	Windows Server 2003 [desktop apps only]
Namespace	\root\CIMV2
MOF	Krnlprov.mof
DLL	Krnlprov.dll

Community Additions

ADD