Win32_ProcessStopTrace class

The Win32_ProcessStopTrace event WMI class indicates that a process is terminated.

The following syntax is simplified from Managed Object Format (MOF) code, and includes all of the inherited properties.

Syntax

[AMENDMENT]
class Win32_ProcessStopTrace : Win32_ProcessTrace
{
  uint8  SECURITY_DESCRIPTOR[];
  uint64 TIME_CREATED;
  uint32 ProcessID;
  uint32 ParentProcessID;
  uint8  Sid[];
  uint32 ExitStatus;
  string ProcessName;
  uint32 SessionID;
};

Members

The Win32_ProcessStopTrace class has these types of members:

Properties

The Win32_ProcessStopTrace class has these properties.

ExitStatus
Data type: uint32
Access type: Read-only

Exit status of the stopped process.

ParentProcessID
Data type: uint32
Access type: Read-only

Process that starts an event.

This property is inherited from Win32_ProcessTrace.

ProcessID
Data type: uint32
Access type: Read-only

The ProcessID property identifies the process involved in the event.

This property is inherited from Win32_ProcessTrace.

ProcessName
Data type: string
Access type: Read-only

Name of the process that stops. You can use this name to get the instance of Win32_Process for the same process.

This property is inherited from Win32_ProcessTrace.

SECURITY_DESCRIPTOR
Data type: uint8 array
Access type: Read-only

Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event. For more information about constants used to set this security descriptor, see WMI Security Constants.

SessionID
Data type: uint32
Access type: Read-only

Session under which the process exists.

This property is inherited from Win32_ProcessTrace.

Sid
Data type: uint8 array
Access type: Read-only

The Sid property is the security identifier representing the user context under which the event happened.

This property is inherited from Win32_ProcessTrace.

TIME_CREATED
Data type: uint64
Access type: Read-only

Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Times (UTC) format. This property is inherited from __Event.

For more information about using uint64 values in scripts, see Scripting in WMI.

Remarks

The Win32_ProcessStopTrace class is derived from Win32_ProcessTrace.

Examples

The following VBScript code example creates a Notepad process on the local computer that reports when the process stops. Run the script and close the Notepad window when the script shows the "Waiting for process to stop..." message.


Const SW_NORMAL = 1
strComputer = "."
strCommand = "Notepad.exe" 
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
                              & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_

objConfig.ShowWindow = SW_NORMAL
Set objProcess = objWMIService.Get("Win32_Process")
intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)
If intReturn <> 0 Then
    Wscript.Echo "Process could not be created." & vbNewLine & _
                 "Command line: " & strCommand & vbNewLine & _
                 "Return value: " & intReturn
Else
    Wscript.Echo "Process created." & vbNewLine & _
                 "Command line: " & strCommand & vbNewLine & _
                 "Process ID: " & intProcessID    
    Set colProcessStopTrace = objWMIService.ExecNotificationQuery("SELECT * FROM Win32_ProcessStopTrace")
        WScript.Echo "Waiting for process to stop ..."
    Do
        Set objLatestEvent = colProcessStopTrace.NextEvent
        If objLatestEvent.ProcessId = intProcessID Then
            Wscript.Echo "StoppedProcess Name: " & objLatestEvent.ProcessName
            Wscript.Echo "Process ID: " & objLatestEvent.ProcessId
            WScript.Echo "Exit code: " & objLatestEvent.ExitStatus
    End If
  Loop
End If

Requirements

Minimum supported client

Windows Vista

Minimum supported server

Windows Server 2008

Namespace

Root\CIMV2

MOF

Krnlprov.mof

DLL

Krnlprov.dll

See also

Win32_ProcessTrace
Operating System Classes
Win32_Process

 

 

Show: