<!--
  ETW instrumentation manifest for the provider "Microsoft-Windows-Kernel-Audit-API-Calls"
  (GUID {e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}).

  Shape of this manifest, as declared below:
    * one task (task_0) and an empty <keywords> section, so consumers cannot filter
      by keyword from this manifest; events are selected by provider, event ID and level;
    * eight events (IDs 1 to 8), all version 0, all at level win:Informational;
    * every template carries a ReturnCode (win:UInt32) as its last field.

  Defensive use: the event symbols name the kernel API being audited (process/thread
  handle opens, process termination, thread context changes, image-load callback and
  shutdown-notification registration, object-manager symbolic links). The template
  fields (TargetProcessId, DesiredAccess, LinkSourceName/LinkTargetName, DriverName)
  are what a detection rule or forensic timeline would key on.

  Field names below are reproduced exactly as declared; consumers must match them
  byte for byte, including the unusual spelling noted at the OPENTHREAD template.
-->
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
<instrumentation xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events">
<events>
<provider name="Microsoft-Windows-Kernel-Audit-API-Calls" guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" resourceFileName="Microsoft-Windows-Kernel-Audit-API-Calls" messageFileName="Microsoft-Windows-Kernel-Audit-API-Calls" symbol="MicrosoftWindowsKernelAuditAPICalls" source="Xml" >
<!-- No keywords are declared: keyword-based enable masks have no effect for this provider as described here. -->
<keywords>
</keywords>
<!-- A single task, value 0; its display string is resolved from the localization table at the bottom of the file. -->
<tasks>
<task name="task_0" message="$(string.task_task_0)" value="0"/>
</tasks>
<!--
  Event catalogue. The symbol encodes the audited kernel routine; the template attribute
  names the field layout declared in <templates> below. All eight share task_0 and
  level win:Informational.
-->
<events>
<!-- 1: registration of an image-load notify routine (PsSetLoadImageNotifyRoutine). Payload: callback address + ReturnCode. -->
<event value="1" symbol="KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINE" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINEArgs"/>
<!-- 2: process termination request. Payload: TargetProcessId + ReturnCode. -->
<event value="2" symbol="KERNEL_AUDIT_API_TERMINATEPROCESS" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_TERMINATEPROCESSArgs"/>
<!-- 3: object-manager symbolic link creation. Payload: link source/target names, DesiredAccess, ReturnCode. -->
<event value="3" symbol="KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECT" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECTArgs"/>
<!-- 4: thread context modification. Payload is ReturnCode only; this event does not identify the target thread. -->
<event value="4" symbol="KERNEL_AUDIT_API_SETCONTEXTTHREAD" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_SETCONTEXTTHREADArgs"/>
<!-- 5: process handle open. Payload: TargetProcessId, DesiredAccess, ReturnCode. -->
<event value="5" symbol="KERNEL_AUDIT_API_OPENPROCESS" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_OPENPROCESSArgs"/>
<!-- 6: thread handle open. Payload: TargetProcessId, target thread id (see template for exact field name), DesiredAccess, ReturnCode. -->
<event value="6" symbol="KERNEL_AUDIT_API_OPENTHREAD" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_OPENTHREADArgs"/>
<!--
  7 and 8: driver shutdown-notification registration (last-chance and regular).
  Note that event 7 has no template of its own: both events reference
  KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATIONArgs, so their payloads are identical
  and only the event ID distinguishes them.
-->
<event value="7" symbol="KERNEL_AUDIT_API_IOREGISTERLASTCHANCESHUTDOWNNOTIFICATION" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATIONArgs"/>
<event value="8" symbol="KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATION" version="0" task="task_0" level="win:Informational" template="KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATIONArgs"/>
</events>
<!--
  Field layouts. ReturnCode (win:UInt32) is present in every template; it is presumably
  the status returned by the audited call, but this manifest does not say so (confirm
  against the provider's documentation before decoding it as NTSTATUS).
-->
<templates>
<template tid="KERNEL_AUDIT_API_PSSETLOADIMAGENOTIFYROUTINEArgs">
<!-- win:Pointer: width follows the logging process's pointer size (4 or 8 bytes), so decoders must honour the event's pointer-size flag. -->
<data name="NotifyRoutineAddress" inType="win:Pointer"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<template tid="KERNEL_AUDIT_API_TERMINATEPROCESSArgs">
<data name="TargetProcessId" inType="win:UInt32"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<template tid="KERNEL_AUDIT_API_CREATESYMBOLICLINKOBJECTArgs">
<!-- Both names are NUL-terminated UTF-16 strings (win:UnicodeString); their length is not fixed. -->
<data name="LinkSourceName" inType="win:UnicodeString"/>
<data name="LinkTargetName" inType="win:UnicodeString"/>
<data name="DesiredAccess" inType="win:UInt32"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<template tid="KERNEL_AUDIT_API_SETCONTEXTTHREADArgs">
<!-- Only the result is recorded; correlate with the emitting process/thread from the event header if attribution is needed. -->
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<template tid="KERNEL_AUDIT_API_OPENPROCESSArgs">
<!-- DesiredAccess is the requested access mask as a raw UInt32; this manifest declares no bitmap/valueMap for it, so decode it in the consumer. -->
<data name="TargetProcessId" inType="win:UInt32"/>
<data name="DesiredAccess" inType="win:UInt32"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<template tid="KERNEL_AUDIT_API_OPENTHREADArgs">
<data name="TargetProcessId" inType="win:UInt32"/>
<!--
  NOTE(review): the field is declared "TargetThreatId", presumably a misspelling of
  "TargetThreadId". It is left as is because consumers (parsers, SIEM mappings) must
  match the name exactly as the provider publishes it; renaming it here would break
  decoding of real events.
-->
<data name="TargetThreatId" inType="win:UInt32"/>
<data name="DesiredAccess" inType="win:UInt32"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
<!-- Shared by events 7 and 8 (see the events section). -->
<template tid="KERNEL_AUDIT_API_IOREGISTERSHUTDOWNNOTIFICATIONArgs">
<data name="DriverName" inType="win:UnicodeString"/>
<data name="ReturnCode" inType="win:UInt32"/>
</template>
</templates>
</provider>
</events>
</instrumentation>
<!-- Localized strings: only the task name for culture en-US is provided; events carry no message strings in this manifest. -->
<localization>
<resources culture="en-US">
<stringTable>
<string id="task_task_0" value="task_0"/>
</stringTable>
</resources>
</localization>
</instrumentationManifest>