#pragma classflags(64)
#pragma namespace("\\\\.\\root\\wmi")
instance of __namespace{ name="ms_804";};
#pragma namespace("\\\\.\\root\\wmi\\ms_804")

[Description("File Kernel Trace; Operation Set 1") : Amended,AMENDMENT, LOCALE(0x0804)] 
class MSNT_FileBaseTrace_Set1 : EventTrace
{
  [Description("启用标志") : Amended,ValueDescriptions{"创建", "创建命名管道", "关闭", "读取", "写入", "查询信息", "设置信息", "查询 EA", "设置 EA", "刷新缓冲区", "查询卷信息", "设置卷信息", "目录控制", "文件系统控制", "设备控制", "内部设备控制", "关闭", "锁控制", "清理", "创建邮件槽", "查询安全性", "设置安全性", "电源", "系统控制", "设备更改", "查询配额", "设置配额", "PNP"} : Amended] uint32 Flags;
};

[Description("File Kernel Trace; Operation Set 2") : Amended,AMENDMENT, LOCALE(0x0804)] 
class MSNT_FileBaseTrace_Set2 : EventTrace
{
  [Description("启用标志") : Amended,ValueDescriptions{"获取以进行区域同步", "释放以进行区域同步", "获取以进行 Mod 写入", "释放以进行 Mod 写入", "获取以进行 CC 刷新", "释放以进行 CC 刷新", "通知流文件对象", "快速 IO 检查(如果可能)", "网络查询打开", "MDL 读取", "MDL 读取完成", "准备 MDL 写入", "MDL 写入完成", "卷装载", "卷卸载"} : Amended] uint32 Flags;
};

[Description("File Kernel Trace; Optional Data") : Amended,AMENDMENT, LOCALE(0x0804)] 
class MSNT_FileBaseTrace_OptionalData : EventTrace
{
  [Description("启用标志") : Amended,ValueDescriptions{"用户上下文", "会话 ID", "上次访问时间", "调用参数", "调用结果数据", "以前的数据", "在现有文件上创建", "进程窗口站", "块分页 IO"} : Amended] uint32 Flags;
};

[Description("File Kernel Trace; Volume To Log") : Amended,AMENDMENT, LOCALE(0x0804)] 
class MSNT_FileBaseTrace_VolumeToLog : EventTrace
{
  [Description("启用标志") : Amended,ValueDescriptions{"A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "全部", "本地", "网络"} : Amended] uint32 Flags;
};

[Description("文件跟踪") : Amended,DisplayName("文件跟踪") : Amended,AMENDMENT, LOCALE(0x0804)] 
class FileTrace : MSNT_FileBaseTrace_Set1
{
};

[Description("文件跟踪事件") : Amended,AMENDMENT, LOCALE(0x0804)] 
class FileOperation : FileTrace
{
  [Description("状态") : Amended] uint32 Status;
  [Description("操作") : Amended] uint8 Operation;
  [Description("次要操作") : Amended] uint8 MinorOperation;
  [Description("序列号") : Amended] uint32 SequenceNumber;
  [Description("这是分页操作") : Amended] uint8 IsPagingIO;
  [Description("这是快速 IO 操作") : Amended] uint8 IsFastIO;
  [Description("IsDirectory") : Amended] uint8 IsDirectory;
  [Description("在现有文件上调用了创建") : Amended] uint8 CreateOnExisting;
  [Description("操作开始的时间") : Amended] sint64 StartTime;
  [Description("操作的进程 ID") : Amended] uint32 ProcessId;
  [Description("进程的创建时间") : Amended] sint64 ProcessCreateTime;
  [Description("文件对象") : Amended] uint64 FileObject;
  [Description("文件的上次访问时间") : Amended] sint64 LastAccessTime;
  [Description("会话 ID") : Amended] uint32 SessionId;
  [Description("窗口站") : Amended] uint64 WindowStation;
  [Description("访问令牌地址") : Amended] uint32 AccessToken;
  [Description("用户 Sid 数据长度") : Amended] uint32 SidLength;
  [Description("参数数据长度") : Amended] uint32 ParametersLength;
  [Description("结果数据长度") : Amended] uint32 ResultLength;
  [Description("以前的值长度") : Amended] uint32 PreviousValueLength;
  [Description("用户 Sid") : Amended] object UserSID;
  [description("操作参数") : Amended] uint8 OperationalParameters[];
  [description("查询结果数据") : Amended] uint8 ResultData[];
  [description("以前的值") : Amended] uint8 PreviousValue[];
  [Description("文件名") : Amended] string FileName;
  [Description("卷 Dos 名称") : Amended] string VolumeDosName;
  [Description("卷 Guid 名称") : Amended] string VolumeGuidName;
  [Description("卷名") : Amended] string VolumeName;
};