Win32_ModuleLoadTrace class
The Win32_ModuleLoadTrace event WMI class indicates that a process has loaded a new module.
The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.
Syntax
[AMENDMENT]
class Win32_ModuleLoadTrace : Win32_ModuleTrace
{
uint8 SECURITY_DESCRIPTOR[];
uint64 TIME_CREATED;
string FileName;
uint64 DefaultBase;
uint64 ImageBase;
uint32 ImageChecksum;
uint64 ImageSize;
uint32 ProcessID;
uint32 TimeDateSTamp;
};
Members
The Win32_ModuleLoadTrace class has these types of members:
Properties
The Win32_ModuleLoadTrace class has these properties.
-
DefaultBase
-
-
Data type: uint64
-
Access type: Read-only
Default base address for loading the image, as listed in the binary image header. If the requested address is unavailable, the image is loaded at the ImageBase address, which causes recalculation of images addresses.
-
-
FileName
-
-
Data type: string
-
Access type: Read-only
File name of the loaded module from the binary image header.
-
-
ImageBase
-
-
Data type: uint64
-
Access type: Read-only
Base address where the module is loaded into process memory.
For more information about using uint64 values in scripts, see Scripting in WMI.
-
-
ImageChecksum
-
-
Data type: uint32
-
Access type: Read-only
Binary image checksum for the module as listed in the image header. The image checksum is a hash that is used to verify that the image has not been changed. The hash is usually set when the module is linked and is not an encryption mechanism.
-
-
ImageSize
-
-
Data type: uint64
-
Access type: Read-only
Size, in bytes, of the loaded module.
-
-
ProcessID
-
-
Data type: uint32
-
Access type: Read-only
Identifies the process that loaded the module.
-
-
SECURITY_DESCRIPTOR
-
-
Data type: uint8 array
-
Access type: Read-only
Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event. For more information about constants used to set this security descriptor, see WMI Security Constants.
-
-
TIME_CREATED
-
-
Data type: uint64
-
Access type: Read-only
Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Times (UTC) format. This property is inherited from __Event.
For more information about using uint64 values in scripts, see Scripting in WMI.
-
-
TimeDateSTamp
-
-
Data type: uint32
-
Access type: Read-only
Binary image time stamp as listed in the image header. TimeDateSTamp is used with FileName and ImageSize to identify the binary image uniquely.
-
Remarks
The Win32_ModuleLoadTrace class is derived from Win32_ModuleTrace.
Requirements
| Minimum supported client |
Windows Vista |
| Minimum supported server |
Windows Server 2008 |
| Namespace |
Root\CIMV2 |
| MOF |
|
| DLL |
|