SystemPropertiesType Complex Type

Defines the information that identifies the provider and how it was enabled, the event, the channel to which the event was written, and system information such as the process and thread IDs.

<xs:complexType name="SystemPropertiesType">
    <xs:sequence>
        <xs:element name="Provider">
            <xs:complexType>
                <xs:attribute name="Name"
                    type="anyURI"
                    use="optional"
                 />
                <xs:attribute name="Guid"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="EventSourceName"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="EventID">
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedShort"
                    >
                        <xs:attribute name="Qualifiers"
                            type="unsignedShort"
                            use="optional"
                         />
                    </xs:extension>
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Version"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Level"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Task"
            type="unsignedShort"
            minOccurs="0"
         />
        <xs:element name="Opcode"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Keywords"
            type="HexInt64Type"
            minOccurs="0"
         />
        <xs:element name="TimeCreated"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="SystemTime"
                    type="dateTime"
                    use="optional"
                 />
                <xs:attribute name="RawTime"
                    type="unsignedLong"
                    use="optional"
                 />
            </xs:complexType>
            <xs:key name="uniqueAtt">
                <xs:selector
                    xpath="."
                 />
                <xs:field
                    xpath="@SystemTime|@RawTime"
                 />
            </xs:key>
        </xs:element>
        <xs:element name="EventRecordID"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedLong"
                     />
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Correlation"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ActivityID"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="RelatedActivityID"
                    type="GUIDType"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Execution"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ProcessID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ThreadID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ProcessorID"
                    type="unsignedByte"
                    use="optional"
                 />
                <xs:attribute name="SessionID"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="KernelTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="UserTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="ProcessorTime"
                    type="unsignedInt"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Channel"
            type="anyURI"
            minOccurs="0"
         />
        <xs:element name="Computer"
            type="string"
         />
        <xs:element name="Security"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="UserID"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:any
            processContents="lax"
            minOccurs="0"
            maxOccurs="unbounded"
            namespace="##other"
         />
    </xs:sequence>
    <xs:anyAttribute
        processContents="lax"
        namespace="##other"
     />
</xs:complexType>

Child elements

Element Type Description
Channel anyURI The channel to which the event was logged.
Computer string The name of the computer on which the event occurred.
Correlation The activity identifiers that consumers can use to group related events together.
EventID The identifier that the provider used to identify the event.
EventRecordID The record number assigned to the event when it was logged.
Execution Contains information about the process and thread that logged the event.
Keywords HexInt64Type A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
Level unsignedByte The severity level defined in the event.
Opcode unsignedByte The opcode defined in the event. Task and opcode are typcially used to identify the location in the application from where the event was logged.
Provider Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
Security Identifies the user that logged the event.
Task unsignedShort The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
TimeCreated The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
Version unsignedByte The version number of the event's definition.

Attributes

Name Type Description
ActivityID GUIDType A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
EventSourceName string The name of the event source that published the event (if the event source is from the legacy Event Logging API).
Guid GUIDType The globally unique identifier that uniquely identifies the provider.
KernelTime unsignedInt Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).
Name anyURI The name of the provider.
ProcessID unsignedInt Identifies the process that generated the event.
ProcessorID unsignedByte The identification number for the processor that processed the event. Only available for events logged to an event tracing log file (.etl file).
ProcessorTime unsignedInt For ETW private sessions, the elapsed execution time for user-mode instructions, in CPU ticks. Only available for events logged to an event tracing log file (.etl file).
Qualifiers unsignedShort A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
RawTime unsignedLong The raw time stamp value; the format of the time stamp depends on the time source used to collect the trace. The raw time stamp offers higher precision than system time. The rendered event output will only contain raw time if you use TraceRpt.exe with the -rts switch.
RelatedActivityID GUIDType A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier.
SessionID unsignedInt The identification number for the terminal server session in which the event occurred. Only available for events logged to an event tracing log file (.etl file).
SystemTime dateTime The system time of when the event was logged.
ThreadID unsignedInt Identifies the thread that generated the event.
UserID string The security identifier (SID) of the user in string form.
UserTime unsignedInt Elapsed execution time for user-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).

Remarks

By default, the event contains the fully qualified domain name (FQDN) of a computer. To use the NETBIOS name rather than the FQDN, you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               WINEVT

Requirements

Requirement Value
Minimum supported client
Windows Vista [desktop apps only]
Minimum supported server
Windows Server 2008 [desktop apps only]