Win32_ProcessStartTrace class

The Win32_ProcessStartTrace event WMI class indicates that a new process has started.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

class Win32_ProcessStartTrace : Win32_ProcessTrace
{
  uint32 PageDirectoryBase;
  uint32 ParentProcessID;
  uint32 ProcessID;
  string ProcessName;
  uint8  SECURITY_DESCRIPTOR[];
  uint32 SessionID;
  uint8  Sid[];
  uint64 TIME_CREATED;
};

Members

The Win32_ProcessStartTrace class has these types of members:

Properties

The Win32_ProcessStartTrace class has these properties.

PageDirectoryBase
Data type: uint32
Access type: Read-only

Identifies the process page directory base. Beginning with Windows Vista, this property is not available.

Windows Server 2003 and Windows XP:  This property is available, but does not contain data that is useful outside of the operating system.

ParentProcessID
Data type: uint32
Access type: Read-only

Identifier of the process that started the new process. This property is inherited from Win32_ProcessTrace.

ProcessID
Data type: uint32
Access type: Read-only

Identifier of the process involved in the event. This property is inherited from Win32_ProcessTrace.

ProcessName
Data type: string
Access type: Read-only

Name of the process. You can use this name to get the Win32_Process instance for the same process.

SECURITY_DESCRIPTOR
Data type: uint8 array
Access type: Read-only

Descriptor used by the event provider to determine the users who can receive the event. This property is inherited from __Event.

Note  A NULL access control list (ACL) in the SECURITY_DESCRIPTOR grants unlimited access to everyone all of the time. For more information, see Creating a Security Descriptor for a New Object.

SessionID
Data type: uint32
Access type: Read-only

Session under which the process exists.

Sid
Data type: uint8 array
Access type: Read-only

Security identifier (SID) for the user context under which the event happens. This property is inherited from Win32_ProcessTrace.

TIME_CREATED
Data type: uint64
Access type: Read-only

Unique value that indicates the time the event was generated. This property is inherited from __Event.

Remarks

The Win32_ProcessStartTrace class is derived from Win32_ProcessTrace.

Examples

For script code examples, see WMI Tasks for Scripts and Applications and the TechNet ScriptCenter Script Repository.

For C++ code examples, see WMI C++ Application Examples.
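
A minimal consumer for this class, as an added example that is not from the original page or from Microsoft: it subscribes to Win32_ProcessStartTrace in \root\CIMV2, decodes the Sid byte array into a SID string, and enriches each event from Win32_Process by process ID rather than by name. Assumptions: the subscription name ProcStartDemo is hypothetical, the session is elevated, and TIME_CREATED is read as a FILETIME-style count of 100-nanosecond intervals in UTC.

```powershell
# Added example, not Microsoft's code. Run from an elevated PowerShell session.
$sourceId = 'ProcStartDemo'   # hypothetical subscription name

Register-CimIndicationEvent -Namespace 'root\CIMV2' `
    -Query 'SELECT * FROM Win32_ProcessStartTrace' -SourceIdentifier $sourceId

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 5
        if (-not $evt) { continue }
        $e = $evt.SourceEventArgs.NewEvent
        Remove-Event -EventIdentifier $evt.EventIdentifier

        # Sid is a uint8 array holding a binary SID; guard against an empty value.
        $sid = $null
        if ($e.Sid -and $e.Sid.Length -gt 0) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$e.Sid, 0).Value
        }

        # The event carries only IDs and a name. Win32_Process supplies the
        # command line, but a short-lived process may already have exited,
        # and a parent PID may have been reused by an unrelated process.
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId=$($e.ProcessID)" `
                      -ErrorAction SilentlyContinue
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($e.ParentProcessID)" `
                      -ErrorAction SilentlyContinue

        [pscustomobject]@{
            # Assumption: TIME_CREATED is a count of 100-ns intervals (UTC).
            TimeUtc     = [DateTime]::FromFileTimeUtc([int64]$e.TIME_CREATED)
            ProcessName = $e.ProcessName
            ProcessID   = $e.ProcessID
            ParentPID   = $e.ParentProcessID
            ParentName  = $parent.Name        # $null if the parent is gone
            SessionID   = $e.SessionID
            UserSid     = $sid
            CommandLine = $proc.CommandLine   # $null if the process is gone
        }
    }
}
finally {
    # Runs on Ctrl+C as well, so the subscription does not linger.
    Unregister-Event -SourceIdentifier $sourceId
}
```

Because the event and the Win32_Process lookup are two separate reads, treat a missing CommandLine or ParentName as "process already exited", not as an error.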

Requirements

Minimum supported client

Windows XP

Minimum supported server

Windows Server 2003

Namespace

\root\CIMV2

MOF

Krnlprov.mof

DLL

Krnlprov.dll

See also

Operating System Classes
Win32_Process

 

 

© 2014 Microsoft