Condividi tramite


Win32_ModuleLoadTrace class

The Win32_ModuleLoadTrace event WMI class indicates that a process has loaded a new module.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[AMENDMENT]
class Win32_ModuleLoadTrace : Win32_ModuleTrace
{
  uint8  SECURITY_DESCRIPTOR[];
  uint64 TIME_CREATED;
  string FileName;
  uint64 DefaultBase;
  uint64 ImageBase;
  uint32 ImageChecksum;
  uint64 ImageSize;
  uint32 ProcessID;
  uint32 TimeDateSTamp;
};

Members

The Win32_ModuleLoadTrace class has these types of members:

Properties

The Win32_ModuleLoadTrace class has these properties.

DefaultBase

Data type: uint64

Access type: Read-only

Default base address for loading the image, as listed in the binary image header. If the requested address is unavailable, the image is loaded at the ImageBase address, which causes recalculation of images addresses.

FileName

Data type: string

Access type: Read-only

File name of the loaded module from the binary image header.

ImageBase

Data type: uint64

Access type: Read-only

Base address where the module is loaded into process memory.

For more information about using uint64 values in scripts, see Scripting in WMI.

ImageChecksum

Data type: uint32

Access type: Read-only

Binary image checksum for the module as listed in the image header. The image checksum is a hash that is used to verify that the image has not been changed. The hash is usually set when the module is linked and is not an encryption mechanism.

ImageSize

Data type: uint64

Access type: Read-only

Size, in bytes, of the loaded module.

ProcessID

Data type: uint32

Access type: Read-only

Identifies the process that loaded the module.

SECURITY_DESCRIPTOR

Data type: uint8 array

Access type: Read-only

Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event. For more information about constants used to set this security descriptor, see WMI Security Constants.

TIME_CREATED

Data type: uint64

Access type: Read-only

Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Times (UTC) format. This property is inherited from __Event.

For more information about using uint64 values in scripts, see Scripting in WMI.

TimeDateSTamp

Data type: uint32

Access type: Read-only

Binary image time stamp as listed in the image header. TimeDateSTamp is used with FileName and ImageSize to identify the binary image uniquely.

Remarks

The Win32_ModuleLoadTrace class is derived from Win32_ModuleTrace.

Requirements

Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
Namespace
Root\CIMV2
MOF
Krnlprov.mof
DLL
Krnlprov.dll

See also

Win32_ModuleTrace

Operating System Classes