2.2.53 SERVICE_TRIGGER
The SERVICE_TRIGGER <26> structure contains information about one trigger of a service.
typedef struct _SERVICE_TRIGGER {
  DWORD dwTriggerType;
  DWORD dwAction;
  GUID* pTriggerSubtype;
  [range(0, 64)] DWORD cDataItems;
  [size_is(cDataItems)] PSERVICE_TRIGGER_SPECIFIC_DATA_ITEM pDataItems;
} SERVICE_TRIGGER, *PSERVICE_TRIGGER;
dwTriggerType: The type of trigger. This MUST be one of the following values.
| Value | Meaning |
| --- | --- |
| 0x00000001 SERVICE_TRIGGER_TYPE_DEVICE_INTERFACE_ARRIVAL | The event is triggered when a device of the specified device interface class arrives or is present when the system starts. This trigger event is commonly used to start a service. Interface arrival occurs when a device belonging to a device interface class has been inserted. The pTriggerSubtype member specifies the device interface class GUID, as defined in [MS-DTYP] section 2.3.4. These GUIDs are defined in device-specific header files provided with the Windows Driver Kit (WDK) [MSDN-WinDriverKit]. The pDataItems member specifies one or more hardware ID and compatible ID strings for the device interface class. Strings MUST be Unicode. If more than one string is specified, the event is triggered if any one of the strings matches. For example, the Wpdbusenum service is started when a device of device interface class GUID_DEVINTERFACE_DISK {53f56307-b6bf-11d0-94f2-00a0c91efb8b} and a hardware ID string of "USBSTOR\GenDisk" arrives. |
| 0x00000002 SERVICE_TRIGGER_TYPE_IP_ADDRESS_AVAILABILITY | The event is triggered when the first IP address on the TCP/IP networking stack becomes available or the last IP address on the stack becomes unavailable. This trigger event can be used to start or stop a service. The pTriggerSubtype member specifies NETWORK_MANAGER_FIRST_IP_ADDRESS_ARRIVAL_GUID or NETWORK_MANAGER_LAST_IP_ADDRESS_REMOVAL_GUID. The pDataItems member is not used. |
| 0x00000003 SERVICE_TRIGGER_TYPE_DOMAIN_JOIN | The event is triggered when the computer joins or leaves a domain. This trigger event can be used to start or stop a service. The pTriggerSubtype member specifies DOMAIN_JOIN_GUID or DOMAIN_LEAVE_GUID. The pDataItems member is not used. |
| 0x00000004 SERVICE_TRIGGER_TYPE_FIREWALL_PORT_EVENT | The event is triggered when a firewall port is opened or approximately 60 seconds after the firewall port is closed. This trigger event can be used to start or stop a service. The pTriggerSubtype member specifies FIREWALL_PORT_OPEN_GUID or FIREWALL_PORT_CLOSE_GUID. The pDataItems member specifies the port, the protocol, and optionally the executable path and user information (SID string or name) of the service listening on the event. The "RPC" token can be used in place of the port to specify any listening socket used by RPC. The "system" token can be used in place of the executable path to specify ports created by and listened on by the Windows kernel. The event is triggered only if all strings match. For example, if MyService hosted inside Svchost.exe is to be trigger-started when port UDP 5001 opens, the trigger-specific data would be the Unicode representation of "5001\0UDP\0%systemroot%\system32\svchost.exe\0MyService\0\0". |
| 0x00000005 SERVICE_TRIGGER_TYPE_GROUP_POLICY | The event is triggered when a machine policy or user policy change occurs. This trigger event is commonly used to start a service. The pTriggerSubtype member specifies MACHINE_POLICY_PRESENT_GUID or USER_POLICY_PRESENT_GUID. The pDataItems member is not used. |
| 0x00000020 SERVICE_TRIGGER_TYPE_CUSTOM | The event is a custom event generated by an Event Tracing for Windows (ETW) provider. This trigger event can be used to start or stop a service. The pTriggerSubtype member specifies the event provider's GUID. The pDataItems member specifies trigger-specific data defined by the provider. |
dwAction: The type of action to be taken on the trigger arrival. This MUST be one of the following values.
| Value | Meaning |
| --- | --- |
| 0x00000001 | SERVICE_TRIGGER_ACTION_SERVICE_START |
| 0x00000002 | SERVICE_TRIGGER_ACTION_SERVICE_STOP |
pTriggerSubtype: Points to a GUID that identifies the trigger event subtype. The value of this member depends on the value of the dwTriggerType member.
If dwTriggerType is SERVICE_TRIGGER_TYPE_CUSTOM, pTriggerSubtype is the GUID that identifies the custom event provider.
If dwTriggerType is SERVICE_TRIGGER_TYPE_DEVICE_INTERFACE_ARRIVAL, pTriggerSubtype is the GUID that identifies the device interface class.
For other trigger event types, pTriggerSubtype can be one of the following values.
| Value | Meaning |
| --- | --- |
| DOMAIN_JOIN_GUID 1ce20aba-9851-4421-9430-1ddeb766e809 | The event is triggered when the computer joins a domain. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_DOMAIN_JOIN. |
| DOMAIN_LEAVE_GUID ddaf516e-58c2-4866-9574-c3b615d42ea1 | The event is triggered when the computer leaves a domain. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_DOMAIN_JOIN. |
| FIREWALL_PORT_OPEN_GUID b7569e07-8421-4ee0-ad10-86915afdad09 | The event is triggered when the specified firewall port is opened. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_FIREWALL_PORT_EVENT. |
| FIREWALL_PORT_CLOSE_GUID a144ed38-8e12-4de4-9d96-e64740b1a524 | The event is triggered approximately 60 seconds after the specified firewall port is closed. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_FIREWALL_PORT_EVENT. |
| MACHINE_POLICY_PRESENT_GUID 659FCAE6-5BDB-4DA9-B1FF-CA2A178D46E0 | The event is triggered when the machine policy has changed. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_GROUP_POLICY. |
| NETWORK_MANAGER_FIRST_IP_ADDRESS_ARRIVAL_GUID 4f27f2de-14e2-430b-a549-7cd48cbc8245 | The event is triggered when the first IP address on the TCP/IP networking stack becomes available. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_IP_ADDRESS_AVAILABILITY. |
| NETWORK_MANAGER_LAST_IP_ADDRESS_REMOVAL_GUID cc4ba62a-162e-4648-847a-b6bdf993e335 | The event is triggered when the last IP address on the TCP/IP networking stack becomes unavailable. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_IP_ADDRESS_AVAILABILITY. |
| USER_POLICY_PRESENT_GUID 54FB46C8-F089-464C-B1FD-59D1B62C3B50 | The event is triggered when the user policy has changed. The dwTriggerType member MUST be SERVICE_TRIGGER_TYPE_GROUP_POLICY. |
cDataItems: Number of data items in the pDataItems array.
pDataItems: Array of SERVICE_TRIGGER_SPECIFIC_DATA_ITEM structures.
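The following is an added example, not part of the specification: a consistency check for one decoded SERVICE_TRIGGER against the rules stated in this section, plus a decoder for the multi-string trigger data shown for the firewall port event. The function names and argument layout are hypothetical, "Unicode" is taken to mean UTF-16LE, and flagging data items on types that do not use them is a choice of this example rather than a stated requirement.

```python
# Added example: field names follow SERVICE_TRIGGER; function names are hypothetical.
FIXED_SUBTYPES = {  # dwTriggerType -> pTriggerSubtype GUIDs listed in this section
    0x2: {"4f27f2de-14e2-430b-a549-7cd48cbc8245",   # first IP address arrival
          "cc4ba62a-162e-4648-847a-b6bdf993e335"},  # last IP address removal
    0x3: {"1ce20aba-9851-4421-9430-1ddeb766e809",   # domain join
          "ddaf516e-58c2-4866-9574-c3b615d42ea1"},  # domain leave
    0x4: {"b7569e07-8421-4ee0-ad10-86915afdad09",   # firewall port open
          "a144ed38-8e12-4de4-9d96-e64740b1a524"},  # firewall port close
    0x5: {"659fcae6-5bdb-4da9-b1ff-ca2a178d46e0",   # machine policy present
          "54fb46c8-f089-464c-b1fd-59d1b62c3b50"},  # user policy present
}
CALLER_DEFINED = {0x1, 0x20}     # device interface class GUID / ETW provider GUID
NO_DATA_ITEMS = {0x2, 0x3, 0x5}  # types whose pDataItems "is not used"
ACTIONS = {0x1, 0x2}             # SERVICE_START, SERVICE_STOP


def check_trigger(trigger_type, action, subtype, data_items):
    """Return findings for one decoded trigger; an empty list means consistent."""
    findings = []
    if trigger_type in FIXED_SUBTYPES:
        if subtype.lower() not in FIXED_SUBTYPES[trigger_type]:
            findings.append("pTriggerSubtype does not match dwTriggerType")
    elif trigger_type not in CALLER_DEFINED:
        findings.append("dwTriggerType is not a defined value")
    if action not in ACTIONS:
        findings.append("dwAction is not a defined value")
    if len(data_items) > 64:  # [range(0, 64)] on cDataItems
        findings.append("cDataItems exceeds 64")
    if trigger_type in NO_DATA_ITEMS and data_items:
        # Assumption of this example: unused data is worth flagging for review.
        findings.append("pDataItems present but unused for this type")
    return findings


def split_multi_string(raw):
    """Decode trigger data: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("multi-string is not double-NUL terminated")
    return text[:-2].split("\0")


# Constructed sample: the firewall-port data string quoted in this section.
FIREWALL_SAMPLE = ("\0".join(
    ["5001", "UDP", r"%systemroot%\system32\svchost.exe", "MyService"]
) + "\0\0").encode("utf-16-le")

if __name__ == "__main__":
    print(split_multi_string(FIREWALL_SAMPLE))
```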