File Kernel Trace; Operation Set 1

43 events across 1 channel

Event ID	Title	Channel
0		ETW Trace
1		ETW Trace
2		ETW Trace
3		ETW Trace
4		ETW Trace
5		ETW Trace
6		ETW Trace
7		ETW Trace
8		ETW Trace
9		ETW Trace
10		ETW Trace
11		ETW Trace
12		ETW Trace
13		ETW Trace
14		ETW Trace
15		ETW Trace
16		ETW Trace
17		ETW Trace
18		ETW Trace
19		ETW Trace
20		ETW Trace
21		ETW Trace
22		ETW Trace
23		ETW Trace
24		ETW Trace
25		ETW Trace
26		ETW Trace
27		ETW Trace
236		ETW Trace
237		ETW Trace
238		ETW Trace
239		ETW Trace
240		ETW Trace
241		ETW Trace
242		ETW Trace
243		ETW Trace
249		ETW Trace
250		ETW Trace
251		ETW Trace
252		ETW Trace
253		ETW Trace
254		ETW Trace
255		ETW Trace

Event ID 0 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 1 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 2 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 3 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 4 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 5 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 6 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 7 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 8 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 9 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 10 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 11 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 12 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 13 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 14 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 15 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 16 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 17 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 18 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 19 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 20 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 21 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 22 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 23 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 24 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 25 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 26 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 27 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 236 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 237 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 238 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 239 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 240 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 241 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 242 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 243 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 249 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 250 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 251 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 252 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 253 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 254 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—

Event ID 255 —

Provider: File Kernel Trace; Operation Set 1
Channel: ETW Trace
Source: Trace

Fields #

Name	Description
`Status` mof:UInt32	— NTSTATUS reference
`Operation` mof:UInt8	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`MinorOperation` mof:UInt8	—
`SequenceNumber` mof:UInt32	—
`IsPagingIO` mof:UInt8	—
`IsFastIO` mof:UInt8	—
`IsDirectory` mof:UInt8	—
`CreateOnExisting` mof:UInt8	—
`StartTime` mof:SInt64	—
`ProcessId` mof:UInt32	—
`ProcessCreateTime` mof:SInt64	—
`FileObject` mof:UInt64	—
`LastAccessTime` mof:SInt64	—
`SessionId` mof:UInt32	—
`WindowStation` mof:UInt64	—
`AccessToken` mof:UInt32	—
`SidLength` mof:UInt32	—
`ParametersLength` mof:UInt32	—
`ResultLength` mof:UInt32	—
`PreviousValueLength` mof:UInt32	—
`UserSID` mof:Object	—
`OperationalParameters` mof:UInt8	—
`ResultData` mof:UInt8	—
`PreviousValue` mof:UInt8	—
`FileName` mof:String	—
`VolumeDosName` mof:String	—
`VolumeGuidName` mof:String	—
`VolumeName` mof:String	—