
SystemPropertiesType Complex Type

Defines the information that identifies the provider and how it was enabled, the event, the channel to which the event was written, and system information such as the process and thread IDs.

<xs:complexType name="SystemPropertiesType">
    <xs:sequence>
        <xs:element name="Provider">
            <xs:complexType>
                <xs:attribute name="Name"
                    type="anyURI"
                    use="optional"
                 />
                <xs:attribute name="Guid"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="EventSourceName"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="EventID">
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedShort"
                    >
                        <xs:attribute name="Qualifiers"
                            type="unsignedShort"
                            use="optional"
                         />
                    </xs:extension>
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Version"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Level"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Task"
            type="unsignedShort"
            minOccurs="0"
         />
        <xs:element name="Opcode"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Keywords"
            type="HexInt64Type"
            minOccurs="0"
         />
        <xs:element name="TimeCreated"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="SystemTime"
                    type="dateTime"
                    use="optional"
                 />
                <xs:attribute name="RawTime"
                    type="unsignedLong"
                    use="optional"
                 />
            </xs:complexType>
            <xs:key name="uniqueAtt">
                <xs:selector
                    xpath="."
                 />
                <xs:field
                    xpath="@SystemTime|@RawTime"
                 />
            </xs:key>
        </xs:element>
        <xs:element name="EventRecordID"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedLong"
                     />
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Correlation"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ActivityID"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="RelatedActivityID"
                    type="GUIDType"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Execution"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ProcessID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ThreadID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ProcessorID"
                    type="unsignedByte"
                    use="optional"
                 />
                <xs:attribute name="SessionID"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="KernelTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="UserTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="ProcessorTime"
                    type="unsignedInt"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Channel"
            type="anyURI"
            minOccurs="0"
         />
        <xs:element name="Computer"
            type="string"
         />
        <xs:element name="Security"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="UserID"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:any
            processContents="lax"
            minOccurs="0"
            maxOccurs="unbounded"
            namespace="##other"
         />
    </xs:sequence>
    <xs:anyAttribute
        processContents="lax"
        namespace="##other"
     />
</xs:complexType>

Child elements

Element Type Description
Channel anyURI

The channel to which the event was logged.

Computer string

The name of the computer on which the event occurred.

Correlation

The activity identifiers that consumers can use to group related events together.

EventID

The identifier that the provider used to identify the event.

EventRecordID

The record number assigned to the event when it was logged.

Execution

Contains information about the process and thread that logged the event.

Keywords HexInt64Type

A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).

Level unsignedByte

The severity level defined in the event.

Opcode unsignedByte

The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.

Provider

Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.

Security

Identifies the user that logged the event.

Task unsignedShort

The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.

TimeCreated

The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.

Version unsignedByte

The version number of the event's definition.

Attributes

Name Type Description
ActivityID GUIDType

A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.

EventSourceName string

The name of the event source that published the event (if the event source is from the legacy Event Logging API).

Guid GUIDType

The globally unique identifier that uniquely identifies the provider.

KernelTime unsignedInt

Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).

Name anyURI

The name of the provider.

ProcessID unsignedInt

Identifies the process that generated the event.

ProcessorID unsignedByte

The identification number for the processor that processed the event. Only available for events logged to an event tracing log file (.etl file).

ProcessorTime unsignedInt

For ETW private sessions, the elapsed execution time for user-mode instructions, in CPU ticks. Only available for events logged to an event tracing log file (.etl file).

Qualifiers unsignedShort

A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of the EventID element contains the low-order 16 bits of the event identifier and the Qualifiers attribute contains the high-order 16 bits of the event identifier.

RawTime unsignedLong

The raw time stamp value; the format of the time stamp depends on the time source used to collect the trace. The raw time stamp offers higher precision than system time. The rendered event output will only contain raw time if you use TraceRpt.exe with the -rts switch.

RelatedActivityID GUIDType

A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier.

SessionID unsignedInt

The identification number for the terminal server session in which the event occurred. Only available for events logged to an event tracing log file (.etl file).

SystemTime dateTime

The system time of when the event was logged.

ThreadID unsignedInt

Identifies the thread that generated the event.

UserID string

The security identifier (SID) of the user in string form.

UserTime unsignedInt

Elapsed execution time for user-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).
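
An added example (not part of the original reference page): a Python function that normalizes the System element of rendered event XML according to the schema above, rebuilding the 32-bit legacy identifier from EventID and Qualifiers and enforcing the attributes that Execution requires. The event namespace URI, the parse_system name and both sample events are assumptions or constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of rendered Windows event XML (known value, not stated on this page).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRAP = '<Event xmlns="%s"><System>%%s</System></Event>' % NS["e"]
# Constructed sample events; every name and value in them is invented.
LEGACY_EVENT = WRAP % (
    '<Provider EventSourceName="ExampleLegacySource"/>'
    '<EventID Qualifiers="49152">1000</EventID>'
    '<TimeCreated SystemTime="2015-01-01T12:00:00.000Z"/>'
    '<Execution ProcessID="1234" ThreadID="5678"/>'
    '<Computer>host1.example.test</Computer><Security UserID="S-1-5-18"/>')
MANIFEST_EVENT = WRAP % (
    '<Provider Name="Example-Manifest-Provider"'
    ' Guid="{00000000-0000-0000-0000-000000000001}"/>'
    '<EventID>100</EventID><Keywords>0x8020000000000000</Keywords>'
    '<TimeCreated RawTime="130645440000000000"/>'
    '<Channel>Example/Operational</Channel><Computer>host1.example.test</Computer>')

def parse_system(event_xml):
    """Normalize the System element of one rendered event into a dict."""
    system = ET.fromstring(event_xml).find("e:System", NS)
    if system is None:
        raise ValueError("event has no System element")
    def text(name):   # element text, or None when the element is absent
        node = system.find("e:" + name, NS)
        return None if node is None else (node.text or "").strip()
    def attrs(name):  # attribute dict, or None when the element is absent
        node = system.find("e:" + name, NS)
        return None if node is None else dict(node.attrib)
    if text("EventID") is None or text("Computer") is None:
        raise ValueError("EventID and Computer are not optional in the schema")
    event_id = int(text("EventID"))
    qualifiers = int(attrs("EventID").get("Qualifiers", 0))
    if not (0 <= event_id <= 0xFFFF and 0 <= qualifiers <= 0xFFFF):
        raise ValueError("EventID and Qualifiers are unsignedShort values")
    execution = attrs("Execution")  # optional element, required PID/TID inside
    if execution is not None and not {"ProcessID", "ThreadID"} <= set(execution):
        raise ValueError("Execution requires ProcessID and ThreadID")
    time = attrs("TimeCreated") or {}
    kind = next((k for k in ("SystemTime", "RawTime") if k in time), None)
    return {
        "provider": attrs("Provider") or {},
        # Qualifiers carries the high-order 16 bits of a legacy 32-bit ID.
        "event_id": event_id, "full_event_id": (qualifiers << 16) | event_id,
        "time_kind": kind, "time": time.get(kind),
        "keywords": int(text("Keywords"), 16) if text("Keywords") else None,
        "pid": int(execution["ProcessID"]) if execution else None,
        "tid": int(execution["ThreadID"]) if execution else None,
        "channel": text("Channel"), "computer": text("Computer"),
        "user_sid": (attrs("Security") or {}).get("UserID"),
    }
```

Matching detections on full_event_id as well as event_id keeps rules from treating two legacy events as the same when they differ only in their high-order bits.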

Remarks

By default, the event contains the fully qualified domain name (FQDN) of a computer. To use the NETBIOS name rather than the FQDN, you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               WINEVT

Requirements

Minimum supported client

Windows Vista [desktop apps only]

Minimum supported server

Windows Server 2008 [desktop apps only]

 

 

© 2015 Microsoft