Compartir a través de


Win32_ProcessStartTrace class

The Win32_ProcessStartTrace event WMI classindicates that a new process has started.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties. Properties and methods are in alphabetic order, not MOF order.

Syntax

[AMENDMENT]
class Win32_ProcessStartTrace : Win32_ProcessTrace
{
  uint8  SECURITY_DESCRIPTOR[];
  uint64 TIME_CREATED;
  uint32 ProcessID;
  uint32 ParentProcessID;
  uint8  Sid[];
  string ProcessName;
  uint32 SessionID;
};

Members

The Win32_ProcessStartTrace class has these types of members:

Properties

The Win32_ProcessStartTrace class has these properties.

ParentProcessID

Data type: uint32

Access type: Read-only

Process that starts an event.

This property is inherited from Win32_ProcessTrace.

ProcessID

Data type: uint32

Access type: Read-only

The ProcessID property identifies the process involved in the event.

This property is inherited from Win32_ProcessTrace.

ProcessName

Data type: string

Access type: Read-only

Name of the process. You can use this name to get the instance of the Win32_Process for same process.

This property is inherited from Win32_ProcessTrace.

SECURITY_DESCRIPTOR

Data type: uint8 array

Access type: Read-only

Descriptor used by the event provider to determine which users can receive the event. This property is inherited from __Event. For more information about constants used to set this security descriptor, see WMI Security Constants.

SessionID

Data type: uint32

Access type: Read-only

Session under which the process exists.

This property is inherited from Win32_ProcessTrace.

Sid

Data type: uint8 array

Access type: Read-only

The Sid property is the security identifier representing the user context under which the event happened.

This property is inherited from Win32_ProcessTrace.

TIME_CREATED

Data type: uint64

Access type: Read-only

Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Times (UTC) format. This property is inherited from __Event.

For more information about using uint64 values in scripts, see Scripting in WMI.

Remarks

The Win32_ProcessStartTrace class is derived from Win32_ProcessTrace.

Requirements

Minimum supported client
Windows Vista
Minimum supported server
Windows Server 2008
Namespace
Root\CIMV2
MOF
Krnlprov.mof
DLL
Krnlprov.dll

See also

Win32_ProcessTrace

Operating System Classes

Win32_Process