Process_TypeGroup1 class

This class is the event type class for process events.

The following syntax is simplified from MOF code.

Syntax

[EventType{1, 2, 3, 4, 39}, EventTypeName{"Start", "End", "DCStart", "DCEnd", "Defunct"}]
class Process_TypeGroup1 : Process
{
  uint32 UniqueProcessKey;
  uint32 ProcessId;
  uint32 ParentId;
  uint32 SessionId;
  sint32 ExitStatus;
  uint32 DirectoryTableBase;
  object UserSID;
  string ImageFileName;
  string CommandLine;
};

Members

The Process_TypeGroup1 class has these types of members:

• Properties

Properties

The Process_TypeGroup1 class has these properties.

CommandLine

Data type: string

Access type: Read-only

Qualifiers: WmiDataId(9), StringTermination("NullTerminated"), Format("w")

Full command line of the process.

DirectoryTableBase

Data type: uint32

Access type: Read-only

Qualifiers: WmiDataId(6), Pointer

The physical address of the page table of the process.

ExitStatus

Data type: sint32

Access type: Read-only

Qualifiers: WmiDataId(5)

Exit status of the stopped process.

ImageFileName

Data type: string

Access type: Read-only

Qualifiers: WmiDataId(8), StringTermination("NullTerminated")

Path to the executable file of the process.

ParentId

Data type: uint32

Access type: Read-only

Qualifiers: WmiDataId(3), Format("x")

Unique identifier of the process that creates this process. Process identifier numbers are reused, so they only identify a process for the lifetime of that process. It is possible that the process identified by ParentProcessId is terminated, so ParentProcessId may not refer to a running process. It is also possible that ParentProcessId incorrectly refers to a process that reuses a process identifier.

ProcessId

Data type: uint32

Access type: Read-only

Qualifiers: WmiDataId(2), Format("x")

Global process identifier that you can use to identify a process. The value is valid from the time a process is created until it is terminated.

SessionId

Data type: uint32

Access type: Read-only

Qualifiers: WmiDataId(4)

Unique identifier that an operating system generates when it creates a new session. A session spans a period of time from log on until log off from a specific system.

UniqueProcessKey

Data type: uint32

Access type: Read-only

Qualifiers: WmiDataId(1), Pointer

The address of the process object in the kernel.

UserSID

Data type: object

Access type: Read-only

Qualifiers: WmiDataId(7), Extension("Sid")

Security identifier (SID) for the user context under which the event happens.

Remarks

The DCStart and DCEnd event types enumerate the process that are currently running, including idle and system process, at the time the kernel session starts and ends, respectively.

Requirements

See also

Process