SystemPropertiesType Complex Type

Defines the information that identifies the provider and how it was enabled, the event, the channel to which the event was written, and system information such as the process and thread IDs.

<xs:complexType name="SystemPropertiesType">
    <xs:sequence>
        <xs:element name="Provider">
            <xs:complexType>
                <xs:attribute name="Name"
                    type="anyURI"
                    use="optional"
                 />
                <xs:attribute name="Guid"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="EventSourceName"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="EventID">
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedShort"
                    >
                        <xs:attribute name="Qualifiers"
                            type="unsignedShort"
                            use="optional"
                         />
                    </xs:extension>
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Version"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Level"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Task"
            type="unsignedShort"
            minOccurs="0"
         />
        <xs:element name="Opcode"
            type="unsignedByte"
            minOccurs="0"
         />
        <xs:element name="Keywords"
            type="HexInt64Type"
            minOccurs="0"
         />
        <xs:element name="TimeCreated"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="SystemTime"
                    type="dateTime"
                    use="optional"
                 />
                <xs:attribute name="RawTime"
                    type="unsignedLong"
                    use="optional"
                 />
            </xs:complexType>
            <xs:key name="uniqueAtt">
                <xs:selector
                    xpath="."
                 />
                <xs:field
                    xpath="@SystemTime|@RawTime"
                 />
            </xs:key>
        </xs:element>
        <xs:element name="EventRecordID"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:simpleContent>
                    <xs:extension
                        base="unsignedLong"
                     />
                </xs:simpleContent>
            </xs:complexType>
        </xs:element>
        <xs:element name="Correlation"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ActivityID"
                    type="GUIDType"
                    use="optional"
                 />
                <xs:attribute name="RelatedActivityID"
                    type="GUIDType"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Execution"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="ProcessID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ThreadID"
                    type="unsignedInt"
                    use="required"
                 />
                <xs:attribute name="ProcessorID"
                    type="unsignedByte"
                    use="optional"
                 />
                <xs:attribute name="SessionID"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="KernelTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="UserTime"
                    type="unsignedInt"
                    use="optional"
                 />
                <xs:attribute name="ProcessorTime"
                    type="unsignedInt"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:element name="Channel"
            type="anyURI"
            minOccurs="0"
         />
        <xs:element name="Computer"
            type="string"
         />
        <xs:element name="Security"
            minOccurs="0"
        >
            <xs:complexType>
                <xs:attribute name="UserID"
                    type="string"
                    use="optional"
                 />
            </xs:complexType>
        </xs:element>
        <xs:any
            processContents="lax"
            minOccurs="0"
            maxOccurs="unbounded"
            namespace="##other"
         />
    </xs:sequence>
    <xs:anyAttribute
        processContents="lax"
        namespace="##other"
     />
</xs:complexType>

Child elements

Element	Type	Description
Channel	anyURI	The channel to which the event was logged.
Computer	string	The name of the computer on which the event occurred.
Correlation		The activity identifiers that consumers can use to group related events together.
EventID		The identifier that the provider used to identify the event.
EventRecordID		The record number assigned to the event when it was logged.
Execution		Contains information about the process and thread that logged the event.
Keywords	HexInt64Type	A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
Level	unsignedByte	The severity level defined in the event.
Opcode	unsignedByte	The opcode defined in the event. Task and opcode are typcially used to identify the location in the application from where the event was logged.
Provider		Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
Security		Identifies the user that logged the event.
Task	unsignedShort	The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
TimeCreated		The time stamp that identifies when the event was logged. The time stamp will include either the SystemTime attribute or the RawTime attribute.
Version	unsignedByte	The version number of the event's definition.

Attributes

Name	Type	Description
ActivityID	GUIDType	A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
EventSourceName	string	The name of the event source that published the event (if the event source is from the legacy Event Logging API).
Guid	GUIDType	The globally unique identifier that uniquely identifies the provider.
KernelTime	unsignedInt	Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).
Name	anyURI	The name of the provider.
ProcessID	unsignedInt	Identifies the process that generated the event.
ProcessorID	unsignedByte	The identification number for the processor that processed the event. Only available for events logged to an event tracing log file (.etl file).
ProcessorTime	unsignedInt	For ETW private sessions, the elapsed execution time for user-mode instructions, in CPU ticks. Only available for events logged to an event tracing log file (.etl file).
Qualifiers	unsignedShort	A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
RawTime	unsignedLong	The raw time stamp value; the format of the time stamp depends on the time source used to collect the trace. The raw time stamp offers higher precision than system time. The rendered event output will only contain raw time if you use TraceRpt.exe with the -rts switch.
RelatedActivityID	GUIDType	A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier.
SessionID	unsignedInt	The identification number for the terminal server session in which the event occurred. Only available for events logged to an event tracing log file (.etl file).
SystemTime	dateTime	The system time of when the event was logged.
ThreadID	unsignedInt	Identifies the thread that generated the event.
UserID	string	The security identifier (SID) of the user in string form.
UserTime	unsignedInt	Elapsed execution time for user-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).

Remarks

By default, the event contains the fully qualified domain name (FQDN) of a computer. To use the NETBIOS name rather than the FQDN, you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.

HKEY_LOCAL_MACHINE
   SOFTWARE
      Microsoft
         Windows
            CurrentVersion
               WINEVT

Requirements

Requirement	Value
Minimum supported client	Windows Vista [desktop apps only]
Minimum supported server	Windows Server 2008 [desktop apps only]