[WmiDataId(10),
read, write,
DisplayName("DateTime") : amended,
Description("absolute or relative date and time") : amended
] datetime Xdatetime;
};
//
// Vendor_EventClass2: event whose single data item is one embedded Vendor_EC1.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E2-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing embedded class 1") : amended]
class Vendor_EventClass2 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: the embedded class instance carried by the event.
    [WmiDataId(1), Description("Embedded class data") : amended]
    Vendor_EC1 EmbeddedClass1;
};
//
// Vendor_EventClass3: event carrying a fixed-size array (4 elements) of
// embedded Vendor_EC1 instances.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E3-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing a fixed length array embedded class 1") : amended]
class Vendor_EventClass3 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: exactly four Vendor_EC1 elements; the length is part of the
    // schema, so no count field is needed in the payload.
    [WmiDataId(1), Description("Fixed length array of 4 embedded classes") : amended]
    Vendor_EC1 EmbeddedClass1[4];
};
//
// Vendor_EventClass4: event carrying a variable-length array of Vendor_EC1;
// the element count travels in the payload as Count (WmiSizeIs).
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E4-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing a variable length array embedded class 1") : amended]
class Vendor_EventClass4 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: number of Vendor_EC1 elements that follow.
    [WmiDataId(1), Description("Number of elements in array") : amended]
    uint32 Count;

    // Data item 2: the array itself, sized by Count.
    // NOTE(review): Count arrives inside the event payload; whoever parses the
    // event should reconcile Count with the actual buffer length before walking
    // the array -- confirm this in the consumer code, it is not visible here.
    [WmiDataId(2),
     Description("Variable length array of embedded classes. Count specifies the number of elements in the array") : amended,
     WmiSizeIs("Count")]
    Vendor_EC1 EmbeddedClass1[];
};
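//
// Vendor_EventClass5: event whose single data item is one embedded Vendor_EC2.
// Mirrors Vendor_EventClass2, but for the second embedded class.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E5-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing embedded class 2") : amended]
class Vendor_EventClass5 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: the embedded class instance. A localizable Description is
    // added so this property is documented like its Vendor_EC1 counterpart.
    [WmiDataId(1), Description("Embedded class data") : amended]
    Vendor_EC2 EmbeddedClass2;
};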
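//
// Vendor_EventClass6: event carrying a fixed-size array (4 elements) of
// embedded Vendor_EC2 instances. Mirrors Vendor_EventClass3.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E6-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing a fixed length array of embedded class 2") : amended]
class Vendor_EventClass6 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: exactly four Vendor_EC2 elements. A localizable Description
    // is added so this property is documented like its Vendor_EC1 counterpart.
    [WmiDataId(1), Description("Fixed length array of 4 embedded classes") : amended]
    Vendor_EC2 EmbeddedClass2[4];
};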
//
// Vendor_EventClass7: event carrying a variable-length array of Vendor_EC2;
// the element count travels in the payload as Count (WmiSizeIs).
// Mirrors Vendor_EventClass4.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E7-6539-11d1-A529-00A0C9062910}"),
 Description("Event containing a variable length array of embedded class 2") : amended]
class Vendor_EventClass7 : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data item 1: number of Vendor_EC2 elements that follow.
    [WmiDataId(1), Description("Number of elements in array") : amended]
    uint32 Count;

    // Data item 2: the array itself, sized by Count.
    // NOTE(review): as with Vendor_EventClass4, Count is payload data; the
    // parser should check it against the received buffer length before use.
    [WmiDataId(2),
     Description("Variable length array of embedded classes. Count specifies the number of elements in the array") : amended,
     WmiSizeIs("Count")]
    Vendor_EC2 EmbeddedClass2[];
};
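//
// Vendor_EventReferenceClass: event that carries one value of each scalar WMI
// data type; the sample uses it to illustrate an event reference.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851E8-6539-11d1-A529-00A0C9062910}"),
 Description("Event used to illustrate an event reference") : amended]
class Vendor_EventReferenceClass : WmiEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // Data items 1-10, one per scalar type, listed in WmiDataId order.
    // Unsigned types first (1-5), signed types next (6-9), datetime last (10).
    [WmiDataId(1), read, write,
     DisplayName("BOOLEAN") : amended,
     Description("boolean data") : amended]
    boolean Xboolean;

    [WmiDataId(2), read, write,
     DisplayName("UCHAR") : amended,
     Description("unsigned character data") : amended]
    uint8 Xuint8;

    [WmiDataId(3), read, write,
     DisplayName("USHORT") : amended,
     Description("unsigned short data") : amended]
    uint16 Xuint16;

    [WmiDataId(4), read, write,
     DisplayName("ULONG") : amended,
     Description("unsigned long data") : amended]
    uint32 Xuint32;

    [WmiDataId(5), read, write,
     DisplayName("ULONGLONG") : amended,
     Description("unsigned long long data") : amended]
    uint64 Xuint64;

    [WmiDataId(6), read, write,
     DisplayName("CHAR") : amended,
     Description("signed byte data") : amended]
    sint8 Xint8;

    // Descriptions for ids 7 and 8 previously read "singed"; corrected to
    // "signed" so the localized text matches ids 6 and 9.
    [WmiDataId(7), read, write,
     DisplayName("SHORT") : amended,
     Description("signed short data") : amended]
    sint16 Xint16;

    [WmiDataId(8), read, write,
     DisplayName("LONG") : amended,
     Description("signed long data") : amended]
    sint32 Xint32;

    [WmiDataId(9), read, write,
     DisplayName("LONGLONG") : amended,
     Description("signed long long data") : amended]
    sint64 Xint64;

    [WmiDataId(10), read, write,
     DisplayName("DateTime") : amended,
     Description("absolute or relative date and time") : amended]
    datetime Xdatetime;
};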
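//
// Vendor_FireEvent: WMI method class. Invoking FireEvent asks the driver to
// emit one of the event classes declared above.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{15D851F9-6539-11d1-A529-00A0C9062910}"),
 Description("Method that fires events") : amended]
class Vendor_FireEvent
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // All three arguments come from the caller of the method, not from the
    // driver. The handler should accept only the enumerated values listed
    // below and treat BlockIndex as an untrusted index into its data blocks.
    //
    // NOTE(review): CIM convention places the numeric codes in ValueMap and the
    // display strings in Values; this file uses the opposite order for every
    // parameter. Left as-is for consistency -- confirm what the consumer
    // expects before swapping them.
    [Implemented,
     Description("Method to fire an event") : amended,
     WmiMethodId(1)]
    void FireEvent(
        // 0 = all-instances WNODE, 1 = single-instance WNODE.
        [in,
         Description("Type of WNODE to fire") : amended,
         Values{"0", "1"},
         ValueMap{"WNODE all data",
                  "WNODE single instance"} : amended]
        uint32 WnodeType,

        // Selects which event payload is emitted. The labels suggest 1/2/5/8
        // map to Vendor_EventClass1/2/5 and Vendor_EventReferenceClass (their
        // guids end in ...E1/E2/E5/E8) -- inferred, verify against the driver.
        // This qualifier was a lowercase "description" without the amended
        // flavor, so unlike its neighbours it was not localizable.
        [in,
         Description("Which type of event to fire") : amended,
         Values{"1", "2", "5", "8"},
         ValueMap{"Class 1 data",
                  "Embedded class 1 data",
                  "Embedded class 2 data",
                  "Event Reference"} : amended]
        uint32 DataType,

        // Zero-based index (0..3) of the data block to send.
        [in,
         Description("Index of block of data to fire") : amended,
         Values{"0", "1", "2", "3"},
         ValueMap{"Block 1",
                  "Block 2",
                  "Block 3",
                  "Block 4"} : amended]
        uint32 BlockIndex);
};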
//
// Define schema for performance counters to be displayed by sysmon/perfmon
//
// All perf counter classes must derive from Win32_PerfRawData and
// have the hiperf qualifier.
//
// Each property within the class must have the following qualifiers:
//
// CounterType - This defines the type of counter. See winperf.h
// for more information on what values to place in this
// qualifier.
//
// PerfDetail - The amount of detail supplied by the counter.
// PERF_DETAIL_NOVICE 100 // The uninformed can understand it
// PERF_DETAIL_ADVANCED 200 // For the advanced user
// PERF_DETAIL_EXPERT 300 // For the expert user
// PERF_DETAIL_WIZARD 400 // For the system designer
//
// DefaultScale - Power of 10 by which to scale chart line if
// vertical axis is 100. 0 ==> 1, 1 ==> 10,
// -1 ==> 1/10. Used for purposes display only.
//
// Also property may have the following optional qualifiers
//
// PerfDefault - Denotes the property that is the default counter
// as displayed by the Sysmon list box. Only one
// property may have this qualifier.
//
// Costly - Indicates that the value for the property may
// be costly to obtain
//
//
// Only int32, uint32, int64 and uint64 properties will be displayed in sysmon
//
// All performance counter classes should be localizable, which means that
// they should include amended DisplayName and Description class and property
// qualifiers.
//
//
// Vendor_IrpCounter: hi-perf counter class (derived from Win32_PerfRawData)
// exposing the driver's IRP counts to sysmon/perfmon. See the qualifier
// summary above for the meaning of CounterType / PerfDetail / DefaultScale.
//
[WMI, Dynamic, Provider("WmiProv"), Locale("MS\\0x409"),
 guid("{C0D6F033-FD94-4dc5-9DEC-076D42124147}"),
 DisplayName("Vendor Irp Counts") : amended,
 Description("Performance counter class that keeps track of the count of irps handled by the driver") : amended,
 PerfDetail(100),
 HiPerf]
class Vendor_IrpCounter : Win32_PerfRawData
{
    // Standard WMI instance identification / activation properties.
    [key, read] string InstanceName;
    [read] boolean Active;

    // NOTE(review): the two raw counters below use CounterType(0x00000000)
    // and label it PERF_COUNTER_RAWCOUNT. In winperf.h 0x00000000 decodes to
    // PERF_COUNTER_RAWCOUNT_HEX (hex display); PERF_COUNTER_RAWCOUNT (decimal
    // display) is 0x00010000. Value kept unchanged here -- confirm the intended
    // display format against winperf.h.

    // Data item 1: running total of IRPs seen; the default counter in sysmon.
    [WmiDataId(1),
     DisplayName("Total Irp Count") : amended,
     Description("Count of irps received") : amended,
     PerfDefault,
     CounterType(0x00000000),   // labelled PERF_COUNTER_RAWCOUNT, see note above
     DefaultScale(0),
     PerfDetail(100),
     read]
    uint32 TotalIrpCount;

    // Data item 2: same total, but typed as a rate so perfmon shows IRPs/sec.
    [WmiDataId(2),
     DisplayName("Total Irp Rate") : amended,
     Description("Rate of irps received") : amended,
     CounterType(0x10410400),   // PERF_COUNTER_COUNTER
     DefaultScale(0),
     PerfDetail(100),
     read]
    uint32 TotalIrpRate;

    // Data item 3: subset of item 1 -- only the WMI IRPs.
    [WmiDataId(3),
     DisplayName("WMI Irp Count") : amended,
     Description("Count of WMI irps received") : amended,
     CounterType(0x00000000),   // labelled PERF_COUNTER_RAWCOUNT, see note above
     DefaultScale(0),
     PerfDetail(100),
     read]
    uint32 WmiIrpCount;
};