Win32_ModuleLoadTrace class

The Win32_ModuleLoadTrace event WMI class indicates that a process has loaded a new module.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[AMENDMENT]
class Win32_ModuleLoadTrace : Win32_ModuleTrace
{
  uint8  SECURITY_DESCRIPTOR[];
  uint64 TIME_CREATED;
  string FileName;
  uint64 DefaultBase;
  uint64 ImageBase;
  uint32 ImageChecksum;
  uint64 ImageSize;
  uint32 ProcessID;
  uint32 TimeDateSTamp;
};

Members

The Win32_ModuleLoadTrace class has these types of members:

Properties

The Win32_ModuleLoadTrace class has these properties.

DefaultBase
Data type: uint64
Access type: Read-only

Default base address for loading the image, as listed in the binary image header. If the requested address is unavailable, the image is loaded at the ImageBase address, which causes recalculation of image addresses.

FileName
Data type: string
Access type: Read-only

File name of the loaded module from the binary image header.

ImageBase
Data type: uint64
Access type: Read-only

Base address where the module is loaded into process memory.

For more information about using uint64 values in scripts, see Scripting in WMI.

ImageChecksum
Data type: uint32
Access type: Read-only

Binary image checksum for the module as listed in the image header. The image checksum is a hash that is used to verify that the image has not been changed. The hash is usually set when the module is linked and is not an encryption mechanism.

ImageSize
Data type: uint64
Access type: Read-only

Size, in bytes, of the loaded module.

ProcessID
Data type: uint32
Access type: Read-only

Identifies the process that loaded the module.

SECURITY_DESCRIPTOR
Data type: uint8 array
Access type: Read-only

Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event. For more information about constants used to set this security descriptor, see WMI Security Constants.

TIME_CREATED
Data type: uint64
Access type: Read-only

Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in Coordinated Universal Time (UTC) format. This property is inherited from __Event.

For more information about using uint64 values in scripts, see Scripting in WMI.

TimeDateSTamp
Data type: uint32
Access type: Read-only

Binary image time stamp as listed in the image header. TimeDateSTamp is used with FileName and ImageSize to identify the binary image uniquely.
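
The following is an added example, not part of the original reference page. It shows how a monitoring script might interpret these properties: converting TIME_CREATED to a UTC timestamp, building the FileName, ImageSize and TimeDateSTamp identity described above, and reporting loads where a known FileName appears with a different identity. The event records, path and values are constructed, and the case-insensitive FileName comparison is an assumption.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(time_created):
    # TIME_CREATED counts 100-nanosecond intervals after January 1, 1601 (UTC).
    return FILETIME_EPOCH + timedelta(microseconds=time_created // 10)

def normalize(event):
    # Identity triple per the TimeDateSTamp description: FileName, ImageSize, TimeDateSTamp.
    # Lower-casing FileName is an assumption (case-insensitive path comparison).
    return {
        "time_utc": filetime_to_utc(event["TIME_CREATED"]).isoformat(),
        "ProcessID": event["ProcessID"],
        "FileName": event["FileName"],
        "identity": (event["FileName"].lower(), event["ImageSize"], event["TimeDateSTamp"]),
        # True when the image was not loaded at the default base from its header.
        "relocated": event["ImageBase"] != event["DefaultBase"],
    }

def identity_conflicts(events):
    # Report loads whose FileName was seen earlier with a different ImageSize or TimeDateSTamp.
    first_seen = {}
    conflicts = []
    for ev in sorted(events, key=lambda e: e["TIME_CREATED"]):
        rec = normalize(ev)
        baseline = first_seen.setdefault(rec["identity"][0], rec["identity"])
        if baseline != rec["identity"]:
            conflicts.append(rec)
    return conflicts

# Constructed sample events (not captured from a real system).
T0 = 133485408000000000  # 2024-01-01T00:00:00Z expressed as 100-ns intervals since 1601
PATH = r"C:\Program Files\ExampleApp\plugin.dll"  # hypothetical module path
SAMPLE_EVENTS = [
    {"TIME_CREATED": T0, "FileName": PATH, "ProcessID": 4120, "ImageSize": 0x24000,
     "TimeDateSTamp": 0x65000000, "DefaultBase": 0x180000000, "ImageBase": 0x7FFB12340000},
    {"TIME_CREATED": T0 + 10_000_000, "FileName": PATH.upper(), "ProcessID": 5008, "ImageSize": 0x24000,
     "TimeDateSTamp": 0x65000000, "DefaultBase": 0x180000000, "ImageBase": 0x180000000},
    {"TIME_CREATED": T0 + 20_000_000, "FileName": PATH, "ProcessID": 5008, "ImageSize": 0x31000,
     "TimeDateSTamp": 0x66000000, "DefaultBase": 0x180000000, "ImageBase": 0x7FFB45670000},
]

if __name__ == "__main__":
    for c in identity_conflicts(SAMPLE_EVENTS):
        print(c["time_utc"], c["ProcessID"], c["FileName"], "identity differs from first load")
```

An identity conflict only shows that two different binaries were loaded under the same file name; whether that is an update or something unexpected has to be decided from other evidence.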

Remarks

The Win32_ModuleLoadTrace class is derived from Win32_ModuleTrace.

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2008

Namespace

Root\CIMV2

MOF

Krnlprov.mof

DLL

Krnlprov.dll

See also

Win32_ModuleTrace
Operating System Classes