CEL_MODULE_LOAD (Compact 2013)
3/28/2014
This structure identifies a module that was loaded.
Syntax
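typedef struct __CEL_MODULE_LOAD {
    HANDLE hProcess;   /* process that loaded the module */
    HANDLE hModule;    /* the loaded module */
    DWORD  dwBase;     /* base virtual address of the module */
    WCHAR  szName[0];  /* variable-length, null-terminated module name */
} CEL_MODULE_LOAD, *PCEL_MODULE_LOAD;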
Members
- hProcess
Handle of the process that loaded the module.
- hModule
Handle of the loaded module.
- dwBase
Base virtual memory address assigned to the loaded module.
- szName
Null-terminated string that contains the name of the module that was loaded. The length can be inferred from the length given in the event header, CEL_HEADER.
Remarks
CEL_MODULE_LOAD is logged each time a process loads the module for the first time.
When a process is the first process to load a module, the kernel logs two CEL_MODULE_LOAD structures:
- A CEL_MODULE_LOAD structure is logged with an hProcess value of INVALID_HANDLE_VALUE to indicate that the module is being loaded for the first time by any process.
- Another CEL_MODULE_LOAD structure is logged with an hProcess value set to the handle of the first process to load the module.
If subsequent processes also load the module, one CEL_MODULE_LOAD event is logged for each process.
If any process loads the module more than once, only one CEL_MODULE_LOAD event is logged for that process.
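The following added example (not part of the original documentation or of celog.h) decodes one CEL_MODULE_LOAD payload offline, bounds-checking szName against the payload length and flagging the INVALID_HANDLE_VALUE record described above. It assumes 32-bit handles, little-endian data, and a payload length the caller has already taken from CEL_HEADER; parse_module_load, module_load, and the ML_* constants are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define ML_FIXED 12u            /* hProcess + hModule + dwBase; 32-bit HANDLE assumed */
#define ML_INVALID 0xFFFFFFFFu  /* INVALID_HANDLE_VALUE as a 32-bit value */
#define ML_NAME_MAX 260u        /* local cap for this example, not from celog.h */

typedef struct {
    uint32_t hProcess, hModule, dwBase;
    int first_load_by_any;       /* 1 when hProcess is INVALID_HANDLE_VALUE */
    size_t name_len;             /* UTF-16 code units before the terminator */
    uint16_t name[ML_NAME_MAX];
} module_load;

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* len is the payload length taken from the event's CEL_HEADER (decoded by the caller).
   Returns 0 on success, -1 when the record is truncated or szName is unterminated. */
int parse_module_load(const uint8_t *buf, size_t len, module_load *out) {
    if (buf == NULL || out == NULL || len < ML_FIXED + 2) return -1;
    size_t max_units = (len - ML_FIXED) / 2, n = 0;
    const uint8_t *s = buf + ML_FIXED;
    while (n < max_units && (s[2 * n] | s[2 * n + 1]) != 0) n++;
    if (n == max_units || n >= ML_NAME_MAX) return -1;  /* no NUL inside payload, or too long */
    out->hProcess = rd32(buf);
    out->hModule = rd32(buf + 4);
    out->dwBase = rd32(buf + 8);
    out->first_load_by_any = (out->hProcess == ML_INVALID);
    for (size_t i = 0; i <= n; i++)                      /* copies the terminator too */
        out->name[i] = (uint16_t)(s[2 * i] | s[2 * i + 1] << 8);
    out->name_len = n;
    return 0;
}

/* Constructed sample payload: hProcess=INVALID_HANDLE_VALUE, made-up handle and base, "a.dll". */
static const uint8_t sample_first[] = {
    0xFF,0xFF,0xFF,0xFF, 0x02,0x00,0x34,0x12, 0x00,0x00,0x01,0x40,
    'a',0, '.',0, 'd',0, 'l',0, 'l',0, 0,0 };

int main(void) {
    module_load m;
    if (parse_module_load(sample_first, sizeof sample_first, &m) == 0)
        printf("base=0x%08X first_load_by_any=%d name_len=%u\n",
               (unsigned)m.dwBase, m.first_load_by_any, (unsigned)m.name_len);
    return 0;
}
```

When correlating events, a record with first_load_by_any set marks the module's first appearance system-wide, and the record that follows carries the handle of the process responsible.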
Requirements
Header: celog.h