//******************************************
// System Trace Definitions
// Version 0006.1      22th Sep 2004
//******************************************

// The #typev statement may be used to convert
// messages into user readable forms.
// Syntax:
//
// Guid                 EventName
// #version             value
// #level               value                   // Not Supported
// #typeV name1 value1  FormatString
// {
//   MofFields
// }
// #typeV name2 value2  FormatString
// {
//   MofFields
// }
//
// With #typev all parameters are processed as strings and the default string
// processing of FormTMessage is used
// With #typev wherever possible parameters are processed as their native format
// and the %x!x! style of FormatMessage should be used.
//
// Note Parameter %1 through %9 are predefined
// Parameter            is                                      #typev
// %1                   GUID Friendly Name                      string
// %2                   GUID SubType Name                       string
// %3                   Thread ID                               ULONG_PTR
// %4                   System Time                             String
// %5                   Kernel Time     or User Time            String
// %6                   User Time       or NULL                 String
// %7                   Sequence Number                         LONG
// %8                   Unused                                  String
// %9                   CPU Number                              LONG
// %10 and above are the user parameters
// %255                 Is reserved
//
// Note these parameters are always present, but may not be valid 
// depending on the source.
//
// User defined messages always start at message number 10
// Messages 0 through 9 are reserved for system use.
// Message number 255 is reserved.
//
// Available formats for user arguments are -
//
//Name          Description                             #typev Format
//ItemChar                                              CHAR
//ItemUChar                                             UCHAR
//ItemCharShort                                         USHORT
//ItemCharSign                                          SHORT
//ItemShort     Signed Short                            SHORT
//ItemUShort    Unsigned Short                          USHORT
//ItemLong      Signed Long, decoded as decimal         LONG
//ItemULong     Unsigned Long, decoded as decimal       ULONG
//ItemULongX    Unsigned Long, seen as hexadecimal      ULONG
//ItemLongLong  Signed 64 Bit value                     LONGLONG
//ItemULongLong Unsigned 64 Bit value                   ULONGLONG
//ItemRString   Reduced Ascii String                    String
//      (\t, \n, \r, \,, converted to space, trailing sp removed)
//ItemWString   Unicode String, null terminated         String
//ItemPString   Counted Ascii String                    String
//ItemPWString  Counted Unicode String                  String
//ItemMLString  Multi-Line Ascii String                 String
//ItemKSid      Security identifier                     String
//ItemChar4                                             CHAR4
//ItemIPAddr    IP Address                              String          (If needed raw, use ItemUlong)
//              (string of form xxx.xxx.xxx.xxx)
//ItemPort                                              String          (If needed raw use ItemUshort)
//ItemNWString      Non-null terminated Wide Char String        String
//ItemListByte (element1,element2,....)                 String
//                      byte index into a list of strings
//ItemListShort(element1,element2,....)                 String
//                      short index into a list of strings
//ItemListLong (element1,element2,....)                 String
//                      Long index into a list of strings
//ItemGUID      Normal GUID format                      String
//ItemNTerror   Translates a ULONG error code to the    String
//              NT Error Text
//ItemNTSTATUS  Converts NTSTATUS to symbolic name      String
//ItemWINERROR Converts WINERROR to symbolic name       String
//ItemNETEVENT Converts NETEVENT to symbolic name       String
//ItemMerror module.ext                                 String
//              Translates a ULONG error code using the 
//              module specified.
//ItemTimeStamp Treats a LONGLONG as a timestamp        String
//ItemUnknown                                           String



68fdd900-4a3e-11d1-84f4-0000f80464e3 EventTrace
#typev LogFileHeader    0      "%0EventTrace Header"
{
    BufferSize,     ItemULong
    Version,        ItemULong
    BuildNumber,    ItemULong
    NumProc,        ItemULong
    EndTime,        ItemULongLong
    TimerResolution,ItemULong
    MaxFileSize,    ItemULong
    LogFileMode,    ItemULongX
    BuffersWritten, ItemULong
    StartBuffers,   ItemULong
    PointerSize,    ItemULong
    EventsLost,     ItemULong
    CPUSpeed,       ItemULong
    LoggerName,     ItemPtr
    LogFileName,    ItemPtr
    TimeZone,       ItemCharHidden[176]
    BootTime,       ItemULongLong
    PerfFrequency,  ItemULongLong
    StartTime,      ItemULongLong
    ReservedFlags,  ItemULongX
    BuffersLost,    ItemULong
}
#typev Extension     5 "%0extension"
{
    GroupMaks1,      ItemULongX
    GroupMaks2,      ItemULongX
    GroupMaks3,      ItemULongX
    GroupMaks4,      ItemULongX
    GroupMaks5,      ItemULongX
    GroupMaks6,      ItemULongX
    GroupMaks7,      ItemULongX
    GroupMaks8,      ItemULongX
}
#typev RDComplete    8 "%0rdcomplete"
{
}
3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c Process
#version        0
#typev Start   1  "%0Started Process %10!04X!.%11!04X! "%13!s!" :: %12!s!"
#typev End     2  "%0Ended   Process %10!04X!.%11!04X! "%13!s!" :: %12!s!"        
#typev DCStart 3  "%0Data Collection Started of %10!04X!.%11!04X! "%13!s!"  :: %12!s!"
#typev DCEnd   4  "%0Data Collection Ended for %10!04X!.%11!04X! "%13!s!" :: %12!s!"
{
    ProcessId, ItemPtr
    ParentId, ItemPtr
    UserSID, ItemKSid
    ImageFileName, ItemString
}
#version       1
#typev Start   1  "%0Started Process %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!) "
#typev End     2  "%0Ended   Process %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!) Exit Status %14!X!"    
#typev DCStart 3  "%0Data Collection Started of %11!04X!.%12!04X! "%16!s!"  :: %15!s! (Session=%13!d!)"
#typev DCEnd   4  "%0Data Collection Ended for %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!)"
{
    PageDirectoryBase, ItemPtr
    Process Id, ItemULong
    Parent Id, ItemULong
    Session Id, ItemULong
    Exit Status, ItemUlong
    User SID, ItemKSid
    Image FileName, ItemString
}
#version       2
#typev Start   1  "%0Started Process %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!) "
#typev End     2  "%0Ended   Process %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!) Exit Status %14!X!"    
#typev DCStart 3  "%0Data Collection Started of %11!04X!.%12!04X! "%16!s!"  :: %15!s! (Session=%13!d!)"
#typev DCEnd   4  "%0Data Collection Ended for %11!04X!.%12!04X! "%16!s!" :: %15!s! (Session=%13!d!)"
{
    UniqueProcessKey, ItemPtr
    Process Id, ItemULong
    Parent Id, ItemULong
    Session Id, ItemULong
    Exit Status, ItemUlong
    User SID, ItemKSid
    Image FileName, ItemString
}
#version       3
#typev Start   1  "%0Started Process %11!04X!.%12!04X! %17!s! :: %16!s! (Session=%13!d!) "
#typev End     2  "%0Ended   Process %11!04X!.%12!04X! %17!s! :: %16!s! (Session=%13!d!) Exit Status %14!X!"    
#typev DCStart 3  "%0Data Collection Started of %11!04X!.%12!04X! %17!s!  :: %16!s! (Session=%13!d!)"
#typev DCEnd   4  "%0Data Collection Ended for %11!04X!.%12!04X! %17!s! :: %16!s! (Session=%13!d!)"
{
    UniqueProcessKey, ItemPtr
    Process Id, ItemULong
    Parent Id, ItemULong
    Session Id, ItemULong
    Exit Status, ItemUlong
    PageTable, ItemPtr
    User SID, ItemKSid
    Image FileName, ItemString
}

#version       3
#typev Start   1  "%0Started Process %11!04X!.%12!04X! "%17!s!" :: %16!s! (Session=%13!d!) "
#typev End     2  "%0Ended   Process %11!04X!.%12!04X! "%17!s!" :: %16!s! (Session=%13!d!) Exit Status %14!X!"    
#typev DCStart 3  "%0Data Collection Started of %11!04X!.%12!04X! "%17!s!"  :: %16!s! (Session=%13!d!)"
#typev DCEnd   4  "%0Data Collection Ended for %11!04X!.%12!04X! "%17!s!" :: %16!s! (Session=%13!d!)"
{
    UniqueProcessKey, ItemPtr
    Process Id, ItemULong
    Parent Id, ItemULong
    Session Id, ItemULong
    Exit Status, ItemUlong
    PageTable, ItemPtr
    User SID, ItemKSid
    Image FileName, ItemString
}


3d6fa8d1-fe05-11d0-9dda-00c04fd7ba7c Thread
#version 0
#typev Start    1 "%0Started  Thread %10!04X!.%11!04X!"
#typev End      2 "%0Ended    Thread %10!04X!.%11!04X!"
#typev DCStart  3 "%0Data Collection Started for %10!04X!.%11!04X!"
#typev DCEnd    4 "%0Data Collection Ended for %10!04X!.%11!04X!"
{
    Process Id, ItemULong
    Thread Id, ItemULong
}
#version 1
#typev Start    1 "%0Started  Thread %10!04X!.%11!04X!"
#typev DCStart  3 "%0Data Collection Started for %10!04X!.%11!04X!"
{
    Process Id, ItemULong
    Thread Id, ItemULong
    StackBase, ItemPtr
    StackLimit, ItemPtr
    UserStackBase, ItemPtr
    UserStackLimit, ItemPtr
    StartAddr, ItemPtr
    Win32StartAddr, ItemPtr
    WaitMode, ItemChar
}
#version 1
#typev End      2 "%0Ended    Thread %10!04X!.%11!04X!"
#typev DCEnd    4 "%0Data Collection Ended for %10!04X!.%11!04X!"
{
    Process Id, ItemULong
    Thread Id, ItemULong
}
#version 1
#typev CSwitch    36    "%0 Context Switch from %11!d!. to %10!d!."
{
    NewThreadId, ItemULongX
    OldThreadId, ItemULongX
    NewThreadPriority, ItemCharShort
    OldThreadPriority, ItemCharShort
    NewThreadQuantum, ItemCharShort
    OldThreadQuantum, ItemCharShort
    OldThreadWaitReason, ItemCharShort
    OldThreadWaitMode, ItemCharShort
    OldThreadState, ItemCharShort
    OldThreadWaitIdealProcessor, ItemCharShort
    NewThreadWaitTime, ItemULongX
}
#version 1
#typev CompCS    37    "%0 Compressed CS Event."
{
}
#version 1
#typev WorkerThread 57    "%0 WorkerThread ThreadId = %10!d!  :: ThreadRoutine  %12!d!"
{
    ThreadId , ItemULongX
    StartTime, ItemULongLong
    ThreadRoutine, ItemULongX
}
#version       2
#typev Start   1  "%0Started Thread %10!04X!.%11!04X! "
#typev End     2  "%0Ended   Thread %10!04X!.%11!04X! " 
#typev DCStart 3  "%0Data Collection Started of %10!04X!.%11!04X! "
#typev DCEnd   4  "%0Data Collection Ended for %10!04X!.%11!04X! "
{
    ProcessId, ItemULong
    ThreadId, ItemULong
    StackBase, ItemPtr
    StackLimit, ItemPtr
    UserStackBase, ItemPtr
    UserStackLimit, ItemPtr
    StartAddr, ItemPtr
    Win32StartAddr, ItemPtr
    TebBase, ItemPtr
    WaitMode, ItemChar    
}
    
#version 2
#typev CSwitch    36    "%0 Context Switch from %11!d!. to %10!d!."
{
    NewThreadId, ItemULongX
    OldThreadId, ItemULongX
    NewThreadPriority, ItemCharShort
    OldThreadPriority, ItemCharShort
    PreviousCState, ItemCharShort
    SpareByte, ItemCharShort
    OldThreadWaitReason, ItemCharShort
    OldThreadWaitMode, ItemCharShort
    OldThreadState, ItemCharShort
    OldThreadWaitIdealProcessor, ItemCharShort
    NewThreadWaitTime, ItemULongX
}
#version 2
#typev CompCS    37    "%0 Compressed CS Event."
{
}
#version 2
#typev WorkerThread 57    "%0 WorkerThread ThreadId = %10!d!  :: ThreadRoutine  %12!d!"
{
    ThreadId , ItemULongX
    StartTime, ItemULongLong
    ThreadRoutine, ItemULongX
}
#version 2
#typev ReserveCreate 48    "%0 ReserveCreate Reserve =%10!p! ::Period %11!d! :: ObjectFlags = %13!d!  :: Processor  %14!d!"
{
    Reserve , ItemPtr
    Period, ItemULong
    Budget, ItemULong
    ObjectFlags, ItemULong
    Processor,ItemChar
}
#version 2
#typev ReserveDelete 49    "%0 ReserveDelete Reserve =%10!p!"
{
    Reserve , ItemPtr
}
#version 2
#typev ReserveJoinThread 52    "%0 ReserveJoinThread Reserve =%10!p! :: ThreadId = %11!d!"
{
    Reserve , ItemPtr
    ThreadId, ItemULong
}
#version 2
#typev ReserveDisjoinThread 53    "%0 ReserveDisjoinThread Reserve =%10!p! :: ThreadId = %11!d!"
{
    Reserve , ItemPtr
    ThreadId, ItemULong
}
#version 2
#typev ReserveState 54    "%0 ReserveState Reserve =%10!p! :: DispatchState = %11!d!"
{
    Reserve , ItemPtr
    DispatchState, ItemChar
    Replenished,ItemChar //was ItemBool
}
#version 2
#typev ReserveBandwidth 55    "%0 ReserveBandwidth Reserve =%10!p! :: Period = %11!d!"
{
    Reserve , ItemPtr
    Period, ItemULong
    Budget, ItemULong
}
#version 2
#typev ReserveLateCount 56    "%0 ReserveLateCount Reserve =%10!p! :: LateCountIncrement = %11!d!"
{
    Reserve , ItemPtr
    LateCountIncrement, ItemULong
}
#version 2
#typev SubProcessTagChanged 69    "%0 SubProcessTag Changed From=%10!I32X! To=0x%11!I32X!"
{
    OldTag, ItemULong                   // 10
    NewTag, ItemULong                   // 11
}

3282fc76-feed-498e-8aa7-e70f459d430e Job
#typev Create           32       "%0Job_Create: Job Id=%10; Job Handle=0x%11!08X!; Flags=0x%12!08X!; Status=%13"
#typev Terminate        33       "%0Job_Terminate: Job Id=%10; Job Handle=0x%11!08X!; Flags=0x%12!08X!; Status=%13"
#typev Open             34       "%0Job_Open: Job Id=%10; Job Handle=0x%11!08X!; Flags=0x%12!08X!; Status=%13"
{
	JobId, ItemGUID         // 10
	JobHandle, ItemULongX   // 11
	Flags, ItemULongX       // 12
	Status, ItemNTSTATUS    // 13
}
#typev AssignProcess    35       "%0Job_Assign_Process: Job Id=%10; Job Handle=0x%11!08X!; Unique Process Id=0x%12!04X!; Status=%13"
{
	JobId, ItemGUID             // 10
	JobHandle, ItemULongX       // 11
	UniqueProcessId, ItemULongX // 12
	Status, ItemNTSTATUS        // 13
}
#typev RemoveProcess    36       "%0Job_Remove_Process: Job Id=%10; Job Handle=0x%11!08X!; Unique Process Id=0x%12!04X!; Removal Flags=0x%13!08X!; Status=%14"
{
	JobId, ItemGUID             // 10
	JobHandle, ItemULongX       // 11
	UniqueProcessId, ItemULongX // 12
	RemovalFlags, ItemULongX    // 13
	Status, ItemNTSTATUS        // 14
}
#typev Set              37       "%0Job_Set: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
#typev Query            38       "%0Job_Query: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
#typev SetNotification  41       "%0Job_Set_Notification: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
#typev QueryViolation   43       "%0Job_Query_Violation: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
#typev SetCpuRate       44       "%0Job_Set_Cpu_Rate: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
#typev SetNetRate       45       "%0Job_Set_Net_Rate: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!"
{
	JobId, ItemGUID                         // 10
	JobHandle, ItemULongX                   // 11
	JobObjectInformationClass, ItemULongX   // 12
}
#typev SetFailed        39       "%0Job_Set_Failed: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!; Status=%13"
#typev QueryFailed      40       "%0Job_Query_Failed: Job Id=%10; Job Handle=0x%11!08X!; JobObjectInformationClass=0x%12!04X!; Status=%13"
{
	JobId, ItemGUID                         // 10
	JobHandle, ItemULongX                   // 11
	JobObjectInformationClass, ItemULongX   // 12
	Status, ItemNTSTATUS                    // 13
}
#typev SendNotification 42       "%0Job_Send_Notification: Job Id=%10; Notification Id=0x%11!08X!"
{
	JobId, ItemGUID             // 10
	NotificationId, ItemULongX  // 11
}

3d6fa8d3-fe05-11d0-9dda-00c04fd7ba7c PageFault
#typev TransitionFault 10       "%0Pagefault Transition VA=0x%10!08X!, PC=0x%11!08X!"
#typev DemandZeroFault 11       "%0Pagefault DemandZero VA=0x%10!08X!, PC=0x%11!08X!"
#typev CopyOnWrite     12       "%0Pagefault CopyOnWrite VA=0x%10!08X!, PC=0x%11!08X!"
#typev GlobalPageFault 13       "%0Pagefault GuardPageFault VA=0x%10!08X!, PC=0x%11!08X!"
#typev Hard            14       "%0Pagefault Hard VA=0x%10!08X!, PC=0x%11!08X!"
{
        Virtual Address,ItemULongX
        Program Counter,ItemUlongX
}
#typev HardPageFault    32      "%0PageFault  Hard VA=0x%12!X! TID=0x%14!08X! ReadOffset=0x%11!I64X! Fileobject=0x%13!x! ByteCount=0x%15!08X!"
{
        InitialTime,ItemULongLong       //10
        ReadOffset,ItemULongLong        //11
        VirtualAddress,ItemULong          //12
        FileObject,ItemULong              //13
        ThreadId,ItemUlong              //14
        ByteCount,ItemUlong             //15
}
01853a65-418f-4f36-aefc-dc0f1d2fd235 Config
#typev CPU 10           "%0%15!s!(%16!s!) :: CPU # %11!d!, HyperThreadingFlag %17!d!, Speed %10!d!Mhz, Memory %12!d!K, PageSize %13!d!K, AllocationGranularity %14!d!"
{
    MHz, ItemULong                      //10
    NumberOfProcessors, ItemULong       //11
    MemSize, ItemULong                  //12
    PageSize, ItemULong                 //13
    AllocationGranularity, ItemULong    //14
    ComputerName, ItemWChar[256]        //15
    DomainName, ItemWChar[132]          //16
    HyperThreadingFlag, ItemULong       //17

}
#typev PhyDisk 11 "%0Phsical Disk %10!d!(%19!s!), SectorSize: %11!d!, SectorsperTrack: %12!d!, TracksPerCylinder %13!d! Cylinders %14!I64X!, SCSI (Port=%15!d!, Path %16!d!, Target=%17!d!, Lun=%18!d!)" 
{
    DiskNumber, ItemULong               //10
    BytesPerSector, ItemULong           //11
    SectorsPerTrack, ItemULong          //12
    TracksPerCylinder, ItemULong        //13
    Cylinders, ItemULongLong            //14
    SCSIPort, ItemULong                 //15
    SCSIPath, ItemULong                 //16
    SCSITarget, ItemULong               //17
    SCSILun, ItemULong                  //18
    Manufacturer, ItemWChar[256]        //19
    PartitionCount, ItemULong           //20
    WriteCacheEnabled, ItemChar //was ItemBool         //21
    BootDriveLetter, ItemWChar[3]       //22
}
#typev LogDisk 12   "%0Logical Disk %12!d! %15!s! "
{
    StartOffset, ItemULongLong          //10
    PartitionSize, ItemULongLong        //11
    DiskNumber, ItemULong               //12
    Size, ItemULong                     //13
    DriveType, ItemULong                //14
    DriveLetterString, ItemWChar[4]     //15
    Pad, ItemULong                      //16
    PartitionNumber, ItemULong          //17
    SectorsPerCluster, ItemULong        //18
    BytesPerSector, ItemULong           //19
    NumberOfFreeClusters, ItemLongLong  //20
    TotalNumberOfClusters, ItemLongLong //21
    FileSystem, ItemWChar[16]           //22
    VolumeExt, ItemULong

}
#typev NIC 13   "%0NIC %12!d! Name = %10!s! "
{
    NICName, ItemWChar[256]             //10
    Index, ItemULong                    //11
    PhysicalAddrLen, ItemULong          //12
    PhysicalAddr, ItemWChar[8]          //13
    Size, ItemULong                     //14
    IpAddress, ItemLong                 //15
    SubnetMask, ItemLong                //16
    DhcpServer, ItemLong                //17
    Gateway, ItemLong                   //18
    PrimaryWinsServer, ItemLong         //19
    SecondaryWinsServer, ItemLong       //20
    DnsServer1, ItemLong                //21
    DnsServer2, ItemLong                //21
    DnsServer3, ItemLong                //23
    DnsServer4, ItemLong                //24
    Data, ItemULong
}
#typev Video 14 "%0Video %17!s!"
{
    MemorySize, ItemULong               //10
    XResolution, ItemULong              //11
    YResolution, ItemULong              //12
    BitsPerPixel, ItemULong             //13
    VRefresh, ItemULong                 //14
    ChipType, ItemWCHAR[256]            //15
    DACType, ItemWCHAR[256]             //16
    AdapterString, ItemWCHAR[256]       //17
    BiosString, ItemWCHAR[256]          //18
    DeviceId, ItemWCHAR[256]            //19
    StateFlags, ItemULong
}
#typev Services 15 "%0Service (PID=%13!d!)  %10!s! %11!s! %12!s!"
{
    ServiceName, ItemWCHAR[34]
    DisplayName, ItemWCHAR[256]
    ProcessName, ItemWCHAR[34]
    ProcessId, ItemULong
}
#typev Power 16 "%0Power Configuration"
{
    S1, ItemChar //was ItemBool
    S2, ItemChar //was ItemBool
    S3, ItemChar //was ItemBool
    S4, ItemChar //was ItemBool
    S5, ItemChar //was ItemBool
    Pad1, ItemChar
    Pad2, ItemChar
    Pad3, ItemChar
}
#typev IRQ  21 "%0IRQ  Affinity : 0x%10!016I64X! :: IRQNum = %11!d! :: %13!s!"
{
    IRQAffinity, ItemLongLong
    IRQNum, ItemULong
    DeviceDescriptionLen, ItemULong
    DeviceDescription, ItemWString
}
#typev PnP 22 "%0PnP  DeviceId: %13!s! :: Description: %14!s! :: Name: %15!s!"
{
    IDLength, ItemULong
    DescriptionLength, ItemULong
    FriendlyNameLength, ItemULong
    DeviceID, ItemWString
    DeviceDescription, ItemWString
    FriendlyName, ItemWString
}
#version 3
#typev Services 15 "%0Service (PID=%10!d!)  %13!s! %14!s! %15!s!"
{
    ProcessId, ItemULong
    ServiceState, ItemULong
    ServiceTag, ItemULong
    ServiceName, ItemWString
    DisplayName, ItemWString
    ProcessName, ItemWString
    LoadOrderGroup, ItemWString
    SvchostrGroup, ItemWString
}

3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo
#version 0
#typev Read  10 "%0Read  of %12!5d! bytes (FileObj=0x%15!p!)"
#typev Write 11 "%0Write of %12!5d! bytes (FileObj=0x%15!p!)"
{
        Disk Number, ItemULong
        Irp Flags, ItemULongX
        Transfer Size, ItemULong
        ResponseTime, ItemULong
        Byte Offset, ItemLongLong
        File Object, ItemPtr
        HighResResponseTime, ItemLongLong
}
#version 1
#typev Read  10 "%0Read  of %12!5d! bytes (FileObj=0x%15!p!)"
#typev Write 11 "%0Write of %12!5d! bytes (FileObj=0x%15!p!)"
{
        Disk Number, ItemULong
        Irp Flags, ItemULongX
        Transfer Size, ItemULong
        ResponseTime, ItemULong
        Byte Offset, ItemLongLong
        File Object, ItemPtr
        HighResResponseTime, ItemLongLong
}
#version 2
#typev Read  10 "%0Read  of %12!5d! bytes (FileObj=0x%15!p! ByteOffset=0x%14!I64X! IRP=0x%16!p! IRPFlags=0x%11!X!)"
#typev Write 11 "%0Write of %12!5d! bytes (FileObj=0x%15!p! ByteOffset=0x%14!I64X! IRP=0x%16!p! IRPFlags=0x%11!X!)"
{
        Disk Number, ItemULong          //10
        Irp Flags, ItemULongX           //11
        Transfer Size, ItemULong        //12
        ResponseTime, ItemULong         //13
        Byte Offset, ItemLongLong       //14
        File Object, ItemPtr            //15
        IRP, ItemPtr                    //16
        HighResResponseTime, ItemLongLong   //17
}
#version 2
#typev Read  12 "%0ReadInit  of (IRP=0x%15!08X!)"
#typev Write 13 "%0WriteInit of (IRP=0x%15!08X!)"
{
        IRP, ItemPtr
}

#version 2
#typev FlushBuffers 14 "%0Flush Buffers Event DiskNumber=%10!d! IRPFlags=0x%11!X! IRP=0x%13!p!"
{
        DiskNumber, ItemULong
        Irp Flags, ItemULongX
        HighResResponseTime, ItemLongLong
        IRP, ItemPtr
}
#version 3
#typev FlushBuffers 14 "%0Flush Buffers Event TID=%14!d! DiskNumber=%10!d! IRPFlags=0x%11!X! IRP=0x%13!p! HighResResponseTime=%12!I64d!"
{
        DiskNumber, ItemULong
        Irp Flags, ItemULongX
        HighResResponseTime, ItemLongLong
        IRP, ItemPtr
        IssuingThreadId, ItemULong
}

AE53722E-C863-11d2-8659-00C04FA321A1 Registry
#version 0
#typev Create            10 "%0Create  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Open              11 "%0Open  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Delete            12 "%0Delete of Handle = 0x%11!08X!(%14!s!) Status = %10!0X!"
#typev Query             13 "%0Query of (%13!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev SetValue          14 "%0SetValue  of %13!s! Handle = 0x%11!08X!(%14!s!)8X! Status = %10!0X! (TID =%3!0X!)"
#typev QueryValue        16 "%0QueryValue of (%13!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateKey      17 "%0EnumerateKey  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateValueKey 18 "%0EnumerateValueKey  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev QueryMultipleValue 19 "%0QueryMultiple  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev SetInformation    20 "%0SetInformation  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Flush             21 "%0Flush  of %13!s! Handle = 0x%11!08X! Status = %10!0X!"
{
        Status,ItemUlongX
        Key Handle, ItemULongX
        Elapsed Time, ItemLongLong
        KeyName, ItemWString
}
#version 1
#typev Create            10 "%0Create  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Open              11 "%0Open  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Delete            12 "%0Delete of Handle = 0x%11!08X!(%14!s!) Status = %10!0X!"
#typev Query             13 "%0Query of (%14!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev SetValue          14 "%0SetValue  of %14!s! Handle = 0x%11!08X!(%14!s!)8X! Status = %10!0X! (TID =%3!0X!)"
#typev QueryValue        16 "%0QueryValue of (%14!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateKey      17 "%0EnumerateKey  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateValueKey 18 "%0EnumerateValueKey  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev QueryMultipleValue 19 "%0QueryMultiple  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev SetInformation    20 "%0SetInformation  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Flush             21 "%0Flush  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev RunDown            22 "%0Rundown"
{
        Status,ItemUlongX
        Key Handle, ItemULongX
        Elapsed Time, ItemLongLong
        Index, ItemULong
        KeyName, ItemWString
}
#version 2
#typev Create            10 "%0Create  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Open              11 "%0Open  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Delete            12 "%0Delete of Handle = 0x%11!08X!(%14!s!) Status = %10!0X!"
#typev Query             13 "%0Query of (%14!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev SetValue          14 "%0SetValue  of %14!s! Handle = 0x%11!08X!(%14!s!)8X! Status = %10!0X! (TID =%3!0X!)"
#typev QueryValue        16 "%0QueryValue of (%14!s!) Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateKey      17 "%0EnumerateKey  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev EnumerateValueKey 18 "%0EnumerateValueKey  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev QueryMultipleValue 19 "%0QueryMultiple  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev SetInformation    20 "%0SetInformation  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev Flush             21 "%0Flush  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev KCBCreate         22 "%0KCBCreate"
#typev KCBDelete         23 "%0KCBDelete"
#typev KCVBRundownBegin  24 "%0KCBRundown Begin"
#typev KCBRundownEnd     25 "%0KCBRundown End"
#typev SetSecurity       28 "%0SetSecurity  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
#typev QuerySecurity     28 "%0QuerySecurity  of %14!s! Handle = 0x%11!08X! Status = %10!0X!"
{
        Status,ItemUlongX
        Key Handle, ItemULongX
        Elapsed Time, ItemLongLong
        Index, ItemULong
        KeyName, ItemWString
}
90cbdc39-4a3e-11d1-84f4-0000f80464e3 FileIo
#version 0
#typev  Name   0 "%0Filio for %11 (FileObj=0x%10!X!)"
{
        FileObject, ItemPtr
        FileName, ItemWString
}
#version 1
#typev  Name            0 "%0Filio for %11 (FileObj=0x%10!X!)"
#typev  FileCreate     32 "%0File Create of %11 (FileObj=0x%10!X!)"
{
        FileObject, ItemUlong
        FileName, ItemWString
}
#version 2
#typev  Name            0 "%0Filio for %11 (FileObj=0x%10!X!)"
#typev  FileCreate     32 "%0File Create of %11 (FileObj=0x%10!X!)"
#typev  FileCreate     35 "%0File Delete of %11 (FileObj=0x%10!X!)"
#typev  FileCreate     36 "%0File Rundown of %11 (FileObj=0x%10!X!)"
{
        FileObject, ItemUlong
        FileName, ItemWString
}

9a280ac0-c8e0-11d1-84e2-00c04fb998a2 TcpIp
#version 0
#typev Send 10 "%0TCPIP Send    to   %10!13s!:%12!05d! from %11!13s!:%13!05d! of %14!5d! bytes" 
#typev Recv 11 "%0TCPIP Receive from %10!13s!:%12!05d! to   %11!13s!:%13!05d! of %14!5d! bytes" 
#typev Connect    12  "%0TCPIP Connect to   %10:%12!05d! from %11:%13!05d!" 
#typev Disconnect 13  "%0TCPIP Discon  From %10:%12!05d! to   %11:%13!05d!" 
#typev Retransmit 14  "%0TCPIP Retransmit to   %10:%12!05d!" 
#typev Accept     15  "%0TCPIP Accept  From %10:%12!05d!"
{
    daddr, ItemIPAddr   /10
    saddr, ItemIPAddr   /11
    dport, ItemUshort   /12
    sport, ItemUshort   /13
    size,  ItemULong    /14
    PID,   ItemUlong    /15
}
#version 1
#typev Send 10 "%0TCPIP Send    to   %12!13s!:%14!05d! from %13!13s!:%15!05d! of %11!5d! bytes" 
#typev Recv 11 "%0TCPIP Receive from %12!13s!:%14!05d! to   %13!13s!:%15!05d! of %11!5d! bytes" 
#typev Connect    12  "%0TCPIP Connect to   %12:%14!05d! from %13:%15!05d!" 
#typev Disconnect 13  "%0TCPIP Discon  From %12:%14!05d! to   %13:%15!05d!" 
#typev Retransmit 14  "%0TCPIP Retransmit to   %12:%14!05d!" 
#typev Accept     15  "%0TCPIP Accept  From %12:%14!05d!"
#typev Reconnect  16  "%0TCPIP Reconnect To %12:%14!05d!"
{
    PID,   ItemULong    /10
    size,  ItemULong    /11
    daddr, ItemIPAddr   /12
    saddr, ItemIPAddr   /13
    dport, ItemUshort   /14
    sport, ItemUshort   /15
}
#version 2
#typev Send 10 "%0TCPIP Send    to   %12!13s!:%14!05d! from %13!13s!:%15!05d! of %11!5d! bytes" 
#typev Recv 11 "%0TCPIP Receive from %12!13s!:%14!05d! to   %13!13s!:%15!05d! of %11!5d! bytes" 
#typev Connect    12  "%0TCPIP Connect to   %12:%14!05d! from %13:%15!05d!" 
#typev Disconnect 13  "%0TCPIP Discon  From %12:%14!05d! to   %13:%15!05d!" 
#typev Retransmit 14  "%0TCPIP Retransmit to   %12:%14!05d!" 
#typev Accept     15  "%0TCPIP Accept  From %12:%14!05d!"
#typev Reconnect  16  "%0TCPIP Reconnect To %12:%14!05d!"
{
    PID,   ItemULong    /10
    size,  ItemULong    /11
    daddr, ItemIPAddr   /12
    saddr, ItemIPAddr   /13
    dport, ItemUshort   /14
    sport, ItemUshort   /15
}

bf3a50c5-a9c9-4988-a005-2df0b7c80f80 UdpIp
#version 0
#typev Send   10 "%0UDP Send    to   %11!13s!:%12!05d! of %16!5d! bytes" 
#typev Recv   11 "%0UDP Receive from %11!13s!:%12!05d! of %16!5d! bytes" 
{
    context,    ItemPtr         /10
    saddr,      ItemIPAddr      /11
    sport,      ItemPort        /12
    size,       ItemUshort      /13
    daddr,      ItemIPAddr      /14
    dport,      ItemPort        /15     
    dsize,      ItemUshort      /16
}
#version 1
#typev Send   10 "%0UDP Send    to   %12!13s!:%14!05d! from %13!13s!:%15!05d! of %11!5d! bytes (Pid= %10!08X!)" 
#typev Recv   11 "%0UDP Receive from %12!13s!:%14!05d! to   %13!13s!:%15!05d! of %11!5d! bytes (Pid= %10!08X!)" 
{
    PID,        ItemULong       /10
    size,       ItemUlong       /11
    daddr,      ItemIPAddr      /12
    saddr,      ItemIPAddr      /13
    dport,      ItemUshort      /14     
    sport,      ItemUshort      /15
}
#version 2
#typev Send   10 "%0UDP Send    to   %12!13s!:%14!05d! from %13!13s!:%15!05d! of %11!5d! bytes (Pid= %10!08X!)" 
#typev Recv   11 "%0UDP Receive from %12!13s!:%14!05d! to   %13!13s!:%15!05d! of %11!5d! bytes (Pid= %10!08X!)" 
{
    PID,        ItemULong       /10
    size,       ItemUlong       /11
    daddr,      ItemIPAddr      /12
    saddr,      ItemIPAddr      /13
    dport,      ItemUshort      /14     
    sport,      ItemUshort      /15
}

2cb15d1d-5fc1-11d2-abe1-00a0c911f518 Image
#version 0
#typev Load     10 "%0ImageLoad of %12!s! (Base=0x%10!X!,size=0x%11!X!)"
{
    BaseAddress,        ItemPtr         /10
    ModuleSize,         ItemPtr         /11
    ImageFilename,      ItemWString     /12
}
#version 1
#typev Load     10 "%0ImageLoad of %13!s! (Process= %12!d!, Base=0x%10!X!,size=0x%11!X!)"
#typev DCStart  3 "%0Data Collection Started of %12!d! %21!s!"
#typev DCEnd    4 "%0Data Collection Ended for %12!d! $21!s!"
{
    BaseAddress,        ItemPtr         /10
    ModuleSize,         ItemPtr         /11
    ProcessId,          ItemUlong       /12
    ImageFilename,      ItemWString     /13
}
#version 2
#typev Load     10 "%0ImageLoad of %21!s! (Process= %12!d!, Base=0x%10!X!,size=0x%11!X!)"
#typev UnLoad   2 "%0Image UnLoad of %21!s! (Process= %12!d!, Base=0x%10!X!,size=0x%11!X!)"
#typev DCStart  3 "%0Data Collection Started of %12!d! %21!s!"
#typev DCEnd    4 "%0Data Collection Ended for %12!d! $21!s!"
{
    BaseAddress,        ItemPtr         /10
    ModuleSize,         ItemPtr         /11
    ProcessId,          ItemUlong       /12
    ImageChecksum,      ItemUlong       /13
    TimeDateStamp,      ItemUlong       /14
    Reserved0,          ItemUlong       /15
    DefaultBase,        ItemPtr         /16
    Reserved1,          ItemUlong       /17
    Reserved2,          ItemUlong       /18
    Reserved3,          ItemUlong       /19
    Reserved4,          ItemUlong       /20
    ImageFilename,      ItemWString     /21
}

222962ab-6180-4b88-a825-346b75f2a24a Heap
#typev HeapCreate 32 "%0Heap Create - Handle = %10!p!  :: flags = %11!d!"
{
    HeapHandle,         ItemPtr         /10
    HeapFlags,          ItemUlong       /11
}
#typev HeapTrace 33 "%0Heap Trace - Handle = %10!p!  :: Alloc Size = %11!d! Address = %12!p!, Source Id = %13!d!"
{
    HeapHandle,         ItemPtr         /10
    AllocSize,          ItemUlong       /11
    AllocAddress,       ItemPtr         /12
    SourceId,           ItemUlong       /13
}
#typev ReAlloc 34 "%0ReAlloc - Handle %10!p!  :: new Size = %13!d! :: old size = %14!d!, Source Id = %15!d!"
{
    HeapHandle,         ItemPtr         /10
    NewAllocAddress,    ItemPtr         /11
    OldAllocAddress,    ItemPtr         /12
    NewAllocSize,       ItemUlong       /13
    OldAllocSize,       ItemUlong
    SourceId,           ItemUlong
}
#typev Free 36 "%0Heap Free -  Handle = %10!p!  :: Address = %11!p!, Source Id = %12!d"
{
    HeapHandle,         ItemPtr         /10
    AllocAddress,       ItemPtr         /11
    SourceId,           ItemUlong       /12
}
#typev Expand 37 "%0Expand - Handle %10!p!"
{
    HeapHandle,    ItemPtr         /10
    CommittedSize, ItemUlong
    CommitAddress, ItemPtr       
    FreeSpace,     ItemUlong
    CommittedSpace, ItemUlong        
    ReservedSpace,  ItemUlong       
    NoOfUCRs, ItemUlong
}
#typev SnapShot 38 "%0SnapShot - Handle %10!p!  :: flags = %11!d! :: free space = %12!d!, committed = %13!d!,  reserverd %14!d!"
{
    HeapHandle,    ItemPtr         /10
    HeapFlags, ItemUlong
    FreeSpace,     ItemUlong
    CommittedSpace, ItemUlong        
    ReservedSpace,  ItemUlong       
}
#typev Walk 42 "%0Heap Walk - Handle = %10!p!"
{
    HeapHandle,         ItemPtr         /10
    DeCommittedSize, ItemUlong
    DeCommitAddress, ItemPtr       
    FreeSpace,     ItemUlong
    CommittedSpace, ItemUlong        
    ReservedSpace,  ItemUlong       
    NoOfUCRs, ItemUlong
}
#typev Destroy 35 "%0Heap Destroy - Handle = %10!p!"
#typev Lock 43 "%0Heap Lock - Handle = %10!p!"
#typev Unlock 44 "%0Heap Unlock - Handle = %10!p!"
#typev Validate 45 "%0Heap Validate - Handle = %10!p!"
#typev Walk 46 "%0Heap Walk - Handle = %10!p!"
{
    HeapHandle,         ItemPtr         /10
}
3AC66736-CC59-4cff-8115-8DF50E39816B CritSec
#typev Collision 34 "%0CritSec - LockCount = %10!d!, OwningThread = %12!p!"
{
        LockCount, ItemUlong
        SpinCount, ItemUlong
        OwningThread, ItemPtr
        CirtSecAddr, ItemPtr
}
#typev Initialize 35 "%0Initialize - SpinCount %10!d!,  CirtSecAddr = %11!p!"
{
        SpinCount, ItemUlong
        CirtSecAddr, ItemPtr
}
ce1dbfb4-137e-4da6-87b0-3f59aa102cbc PerfInfoEvent

#typev SampleProf 46 "%0InstructionPointer %10!p! ThreadId= 0x%11!X! Count=%12!d!"
{
        InstructionPointer,ItemPtr
        ThreadID,ItemUlong
        Count,ItemUlong
}

#typev SysClEnter 51 "%0System Call Enter SysCallAddress=0x%10!p!"
{
        SysCallAddress,ItemPtr
}
#typev SysClExit 52 "%0System Call Exit NtStatus = %10!s!"
{
        SysCallNtStatus,ItemNTSTATUS
}
#typev DBGEnabled 58 "%0Debugger Enabled"
{
}

#version 1
#typev ISR 67 "%0ISR      Initial Time=%10!I64d!. Routine=0x%11!p!  Return Value=0x%12!x!."
{
        InitialTime,ItemULongLong
        Routine,ItemPtr
        ReturnValue,ItemUchar
}

#version 2
#typev ISR 67 "%0ISR      Initial Time=%10!I64d!. Routine=0x%11!p!  Return Value=0x%12!x! Vector=0x%13!x!"
{
        InitialTime,ItemULongLong
        Routine,ItemPtr
        ReturnValue,ItemUchar
        Vector,ItemUShort
}

#typev ISR-MSI 50 "%0ISR-MSI      Initial Time=%10!I64d!. Routine=0x%11!p!  Return Value=0x%12!x! Vector=0x%13!x! Message Number=%15!d!"
{
        InitialTime,ItemULongLong
        Routine,ItemPtr
        ReturnValue,ItemUchar
        Vector,ItemUchar
        Reserved,ItemUchar
        MessageNumber,ItemUlong
}

#typev DPC 68 "%0DPC      Initial Time=%10!I64d!. Routine=0x%11!p!"
#typev TimerDPC 69 "%0TimerDPC Initial Time=%10!I64d!. Routine=0x%11!p!"         
#typev ThreadedDPC 66 "%0ThreadedDPC Initial Time=%10!I64d!. Routine=0x%11!p!"
{
        InitialTime,ItemULongLong
        Routine,ItemPtr
}
//******************************************
// RAC Events
//******************************************
22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716 PSProvider
#version 0
#typev ProcessStart 1 "%0Process Start Pid=0x%10!04x! Created=%11!s! ParentPid=0x%12!04x! SessionId=%13!d!. Image=%14!s!"
{
        ProcessId,ItemUlong
        CreateTime,ItemTimeStamp
        ParentProcessID,ItemUlong
        SessionID,ItemUlong
        ImageName,ItemWString
}
#version 0
#typev ProcessStop  2 "%0Process Stop  Pid=0x%10!04x! Created=%11!s! Exited=%12!s! ExitCode=0x%13!x! Image=%18!s!"
{
        ProcessId,ItemUlong                     /10
        CreateTime,ItemTimeStamp                /11
        ExitTime,ItemTimeStamp                  /12
        ExitCode,ItemULong                      /13
        TokenElevationType,ItemUlong            /14
        HandleCount,ItemUlong                   /15
        CommitCharge,ItemUlongLong              /16
        CommitPeak,ItemUlongLong                /17
        ImageName,ItemString                    /18
}
#version 1
#typev ProcessStop  2 "%0Process Stop  Pid=0x%10!04x! Created=%11!s! Exited=%12!s! ExitCode=0x%13!x! Image=%24!s!"
{
        ProcessId,ItemUlong                     /10
        CreateTime,ItemTimeStamp                /11
        ExitTime,ItemTimeStamp                  /12
        ExitCode,ItemULong                      /13
        TokenElevationType,ItemUlong            /14
        HandleCount,ItemUlong                   /15
        CommitCharge,ItemUlongLong              /16
        CommitPeak,ItemUlongLong                /17
        CycleTime,ItemUlongLong                 /18
        ReadCount,ItemUlong                     /19
        WriteCount,ItemUlong                    /20
        ReadSize,ItemUlong                      /21
        WriteSize,ItemUlong                     /22
        HardFaultCount,ItemUlong                /23
        ImageName,ItemString                    /24
}


9c205a39-1250-487d-abd7-e831c6290539 PNP
#typev PNP 1 "%0pnp start %10!s! 0x%11!x! %12!s! 0x%13!x!"
#typev PNP 2 "%0pnp stop  %10!s! 0x%11!x! %12!s! 0x%13!x!"
{
        Name,ItemCWString
        Unknown,ItemUlong
        file,ItemCWString
        Unknown2,ItemUlong
}


def2fe46-7bd6-4b80-bd94-f57fe20d0ce3 Stack
#typev Stack 32 "%0StackWalk Time=%10!I64d! PID=%11!d! TID=%12!d! Stack1=%13!p! Stack2=%14!p! Stack3=%15!p! Stack4=%16!p! Stack5=%17!p! Stack6=%18!p! Stack7=%19!p! Stack8=%20!p!"
{
        EventTimeStamp,ItemTimeStamp
        ProcessId,ItemULong
        ThreadId,ItemULong
        Stack1,ItemPtr
        Stack2,ItemPtr
        Stack3,ItemPtr
        Stack4,ItemPtr
        Stack5,ItemPtr
        Stack6,ItemPtr
        Stack7,ItemPtr
        Stack8,ItemPtr
        Stack9,ItemPtr
        Stack10,ItemPtr
        Stack11,ItemPtr
        Stack12,ItemPtr
        Stack13,ItemPtr
        Stack14,ItemPtr
        Stack15,ItemPtr
        Stack16,ItemPtr
}