/*++

Copyright (c) Microsoft Corporation. All rights reserved.

Module Name:

    Wmistr.h

Abstract:

    WMI structure definitions: the WNODE buffer layouts exchanged between
    WMI and data providers, the registration structures, the provider
    request codes and the access-right masks for WMI guid objects.

--*/

#ifndef _WMISTR_
#define _WMISTR_

// These two warnings are disabled because the structures below use flexible
// array members and anonymous struct/union members. No matching push/pop or
// re-enable appears in this header, so the setting stays in effect for
// whatever is compiled after the include.
#pragma warning(disable: 4200) // nonstandard extension used : zero-sized array in struct/union
#pragma warning(disable: 4201) // nonstandard extension used : nameless struct/union

//
// WNODE definition
//
// WNODE_HEADER is the first member of every WNODE_* structure in this file.
// The bits set in Flags say which of those layouts follows the header.
//
// NOTE(review): BufferSize is the only bound the header carries. Every
// offset and length field in the structures built on this header is relative
// to the start of the WNODE, so code that parses a WNODE produced by another
// component should check each offset, and each offset + length, against
// BufferSize before dereferencing. The header itself does not enforce this.
typedef struct _WNODE_HEADER
{
    ULONG BufferSize;        // Size of entire buffer inclusive of this ULONG
    ULONG ProviderId;        // Provider Id of driver returning this buffer

    // Overlay: either a 64-bit logger context, or the Version/Linkage pair.
    union
    {
        ULONG64 HistoricalContext;  // Logger use
        struct
        {
            ULONG Version;          // Reserved
            ULONG Linkage;          // Linkage field reserved for WMI
        };
    };

    // Overlay: the three members share storage. Which one is meaningful is
    // not recorded in this union. Presumably it depends on the WNODE kind
    // and on Flags; confirm against the producer.
    union
    {
        ULONG CountLost;         // Reserved
        HANDLE KernelHandle;     // Kernel handle for data block
        LARGE_INTEGER TimeStamp; // Timestamp as returned in units of 100ns
                                 // since 1/1/1601
    };

    GUID Guid;               // Guid for data block returned with results
    ULONG ClientContext;
    ULONG Flags;             // Flags, see below
} WNODE_HEADER, *PWNODE_HEADER;

//
// WNODE_HEADER flags are defined as follows
//

// Layout selectors: identify which WNODE_* structure the buffer holds.
#define WNODE_FLAG_ALL_DATA        0x00000001 // set for WNODE_ALL_DATA
#define WNODE_FLAG_SINGLE_INSTANCE 0x00000002 // set for WNODE_SINGLE_INSTANCE
#define WNODE_FLAG_SINGLE_ITEM     0x00000004 // set for WNODE_SINGLE_ITEM
#define WNODE_FLAG_EVENT_ITEM      0x00000008 // set for WNODE_EVENT_ITEM

// Set if data block size is identical for all instances
// (used with WNODE_ALL_DATA only)
#define WNODE_FLAG_FIXED_INSTANCE_SIZE 0x00000010

#define WNODE_FLAG_TOO_SMALL           0x00000020 // set for WNODE_TOO_SMALL

// Set when a data provider returns a WNODE_ALL_DATA in which the number of
// instances and their names returned are identical to those returned from
// the previous WNODE_ALL_DATA query. Only data blocks registered with
// dynamic instance names should use this flag.
#define WNODE_FLAG_INSTANCES_SAME  0x00000040

// Instance names are not specified in WNODE_ALL_DATA; values specified at
// registration are used instead. Always set for guids registered with
// static instance names.
#define WNODE_FLAG_STATIC_INSTANCE_NAMES 0x00000080

#define WNODE_FLAG_INTERNAL      0x00000100  // Used internally by WMI

// Timestamp should not be modified by a historical logger
#define WNODE_FLAG_USE_TIMESTAMP 0x00000200
#define WNODE_FLAG_PERSIST_EVENT 0x00000400

#define WNODE_FLAG_EVENT_REFERENCE 0x00002000

// Set if instance names are ANSI. Only set when returning from
// WMIQuerySingleInstanceA and WMIQueryAllDataA
#define WNODE_FLAG_ANSI_INSTANCENAMES 0x00004000

// Set if WNODE is a method call
#define WNODE_FLAG_METHOD_ITEM     0x00008000

// Set if instance names originated from a PDO
#define WNODE_FLAG_PDO_INSTANCE_NAMES  0x00010000

// The second byte (counting from zero, i.e. bits 16-23), except its first
// bit (0x00010000 above), is used exclusively for tracing.
//
// NOTE(review): per their own comments, USE_GUID_PTR and USE_MOF_PTR mean
// the buffer carries pointers instead of inline data. A consumer that can
// receive a WNODE from a less-trusted producer should presumably not
// dereference such pointers on the strength of these flag bits alone.
// Confirm how the tracing code validates them.
#define WNODE_FLAG_TRACED_GUID   0x00020000 // denotes a trace
#define WNODE_FLAG_LOG_WNODE     0x00040000 // request to log Wnode
#define WNODE_FLAG_USE_GUID_PTR  0x00080000 // Guid is actually a pointer
#define WNODE_FLAG_USE_MOF_PTR   0x00100000 // MOF data are dereferenced
#define WNODE_FLAG_NO_HEADER     0x00200000 // Trace without header

// Set for events that are WNODE_EVENT_REFERENCE
// NOTE(review): the sentence above sits directly before the severity mask,
// but it reads like the description of WNODE_FLAG_EVENT_REFERENCE
// (0x00002000) defined earlier. Confirm and move it if so.

// Mask for event severity level (the top byte of Flags).
// Level 0xff is the most severe type of event.
#define WNODE_FLAG_SEVERITY_MASK 0xff000000

//
// This structure is used within the WNODE_ALL_DATA when the data blocks
// for the different instances are different lengths. If the data blocks
// for the different instances are identical lengths then
// WNODE_FLAG_FIXED_INSTANCE_SIZE should be set and FixedInstanceSize
// set to the common data block size.
// Per-instance (offset, length) pair locating one instance's data block
// inside a WNODE_ALL_DATA buffer.
typedef struct
{
    ULONG OffsetInstanceData;   // Offset from beginning of WNODE_ALL_DATA
                                // to Data block for instance
    ULONG LengthInstanceData;   // Length of data block for instance
} OFFSETINSTANCEDATAANDLENGTH, *POFFSETINSTANCEDATAANDLENGTH;

// WNODE carrying the data blocks of all instances of one guid.
//
// NOTE(review): InstanceCount sizes both the OffsetInstanceDataAndLength
// array and, presumably, the array found at OffsetInstanceNameOffsets.
// A parser should check that InstanceCount * sizeof(element) does not
// overflow and that every resulting range lies inside
// WnodeHeader.BufferSize before indexing. Nothing in the layout enforces it.
typedef struct tagWNODE_ALL_DATA
{
    struct _WNODE_HEADER WnodeHeader;

    ULONG DataBlockOffset;// Offset from beginning of WNODE to first data block

    ULONG InstanceCount;  // Count of instances whose data follows.

                          // Offset to an array of offsets to the instance names
    ULONG OffsetInstanceNameOffsets;

    // If WNODE_FLAG_FIXED_INSTANCE_SIZE is set in Flags then
    // FixedInstanceSize specifies the size of each data block. In this case
    // there is one ULONG followed by the data blocks.
    // If WNODE_FLAG_FIXED_INSTANCE_SIZE is not set
    // then OffsetInstanceDataAndLength
    // is an array of OFFSETINSTANCEDATAANDLENGTH that specifies the
    // offsets and lengths of the data blocks for each instance.
    union
    {
        ULONG FixedInstanceSize;
        OFFSETINSTANCEDATAANDLENGTH OffsetInstanceDataAndLength[];
                                    /* [InstanceCount] */
    };

    // padding so that first data block begins on an 8 byte boundary

    // data blocks and instance names for all instances

} WNODE_ALL_DATA, *PWNODE_ALL_DATA;

// WNODE carrying the data block of a single instance.
typedef struct tagWNODE_SINGLE_INSTANCE
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of WNODE_SINGLE_INSTANCE
                            // to instance name. Use when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is clear
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is set
    ULONG InstanceIndex;    // (Static Instance Names)

    ULONG DataBlockOffset;  // offset from beginning of WNODE to data block
    ULONG SizeDataBlock;    // Size of data block for instance

    // NOTE(review): OffsetInstanceName, DataBlockOffset and SizeDataBlock are
    // supplied by whoever built the buffer; bound them by
    // WnodeHeader.BufferSize before reading through them.
    UCHAR VariableData[];
    // instance names and padding so data block begins on an 8 byte boundary

    // data block
} WNODE_SINGLE_INSTANCE, *PWNODE_SINGLE_INSTANCE;

// WNODE carrying a single data item of a single instance.
typedef struct tagWNODE_SINGLE_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of the WNODE to instance
                            // name (the original comment names
                            // WNODE_SINGLE_INSTANCE here; presumably this
                            // structure's own start is meant, confirm).
                            // Examine when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is clear
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES
    ULONG InstanceIndex;    //  is set (Static Instance Names)

    ULONG ItemId;           // Item Id for data item being set

    ULONG DataBlockOffset;  // offset from WNODE begin to data item value
    ULONG SizeDataItem;     // Size of data item

    UCHAR VariableData[];
    // instance names and padding so data value begins on an 8 byte boundary

    // data item value
} WNODE_SINGLE_ITEM, *PWNODE_SINGLE_ITEM;

// WNODE carrying a method call. DataBlockOffset/SizeDataBlock describe the
// input on entry and the output on return, per the field comments below.
typedef struct tagWNODE_METHOD_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

                            // Offset from beginning of WNODE_METHOD_ITEM
                            // to instance name. Examine when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES is clear
                            // (Dynamic instance names)
    ULONG OffsetInstanceName;

                            // Instance index when
                            // WNODE_FLAG_STATIC_INSTANCE_NAMES
    ULONG InstanceIndex;    //  is set (Static Instance Names)

    ULONG MethodId;         // Method id of method being called

    ULONG DataBlockOffset;  // On Entry: offset from WNODE to input data
                            // On Return: offset from WNODE to input and
                            //            output data blocks
    ULONG SizeDataBlock;    // On Entry: Size of input data, 0 if no input
                            //           data
                            // On Return: Size of output data, 0 if no output
                            //            data

    // NOTE(review): the same fields are written by the caller on entry and by
    // the provider on return, so each side should re-check them against
    // WnodeHeader.BufferSize rather than trust values it validated earlier.
    UCHAR VariableData[];
    // instance names and padding so data value begins on an 8 byte boundary

    // data item value
} WNODE_METHOD_ITEM, *PWNODE_METHOD_ITEM;

// WNODE delivered as an event. Only the header is declared; the payload
// layout is selected by the header flags as described inside.
typedef struct tagWNODE_EVENT_ITEM
{
    struct _WNODE_HEADER WnodeHeader;

    // Different data could be here depending upon the flags set in the
    // WNODE_HEADER above. If the WNODE_FLAG_ALL_DATA flag is set then the
    // contents of a WNODE_ALL_DATA (excluding WNODE_HEADER) is here. If the
    // WNODE_FLAG_SINGLE_INSTANCE flag is set then a WNODE_SINGLE_INSTANCE
    // (excluding WNODE_HEADER) is here. Lastly if the WNODE_FLAG_SINGLE_ITEM
    // flag is set then a WNODE_SINGLE_ITEM (excluding WNODE_HEADER) is here.
} WNODE_EVENT_ITEM, *PWNODE_EVENT_ITEM;

//
// If a KM data provider needs to fire an event that is larger than the
// maximum size that WMI allows then it should fire a WNODE_EVENT_REFERENCE
// that specifies which guid and instance name to query for the actual data
// that should be part of the event.
typedef struct tagWNODE_EVENT_REFERENCE
{
    struct _WNODE_HEADER WnodeHeader;
    GUID TargetGuid;
    ULONG TargetDataBlockSize;

    // Overlay: an instance index or an inline instance name. Presumably
    // WNODE_FLAG_STATIC_INSTANCE_NAMES selects between them, as in the other
    // WNODE layouts; confirm.
    union
    {
        ULONG TargetInstanceIndex;
        WCHAR TargetInstanceName[];
    };
} WNODE_EVENT_REFERENCE, *PWNODE_EVENT_REFERENCE;

// WNODE returned when the caller's buffer could not hold the result.
typedef struct tagWNODE_TOO_SMALL
{
    struct _WNODE_HEADER WnodeHeader;
    ULONG SizeNeeded;                   // Size needed to build WNODE result
} WNODE_TOO_SMALL, *PWNODE_TOO_SMALL;

// Registration record for one guid. The WMIREG_FLAG_INSTANCE_* bit set in
// Flags selects which member of the union is meaningful.
//
// NOTE(review): the union overlays ULONG offsets with pointer-sized values
// (Pdo, InstanceInfo). Reading a member other than the one selected by Flags
// reinterprets an offset as a pointer or the reverse, so consumers should
// test Flags before touching the union.
typedef struct
{
    GUID Guid;             // Guid of data block being registered or updated
    ULONG Flags;           // Flags

    ULONG InstanceCount;   // Count of static instance names for the guid

    union
    {
                     // If WMIREG_FLAG_INSTANCE_LIST then this has the offset
                     // to a list of InstanceCount counted UNICODE
                     // strings placed end to end.
        ULONG InstanceNameList;

                     // If WMIREG_FLAG_INSTANCE_BASENAME then this has the
                     // offset to a single counted UNICODE string that
                     // has the basename for the instance names.
        ULONG BaseNameOffset;

                     // If WMIREG_FLAG_INSTANCE_PDO is set then InstanceInfo
                     // has the PDO whose device instance path will
                     // become the instance name
        ULONG_PTR Pdo;

                     // If WMIREG_FLAG_INSTANCE_REFERENCE then this points to
                     // a WMIREGINSTANCEREF structure. (Neither that flag nor
                     // that structure is defined in the visible part of this
                     // header.)
                     // The original trailing comment on this member,
                     // "Offset from beginning of the WMIREGINFO structure
                     // to", is cut off in the source.
        ULONG_PTR InstanceInfo;
    };

} WMIREGGUIDW, *PWMIREGGUIDW;

// Unsuffixed aliases for the W (wide-character) registration types.
typedef WMIREGGUIDW WMIREGGUID;
typedef PWMIREGGUIDW PWMIREGGUID;

// Set if collection must be enabled for the guid before the data provider
// can be queried for data.
//
// WMIREG_FLAG_* values: bits for the Flags member of WMIREGGUID.
//
#define WMIREG_FLAG_EXPENSIVE          0x00000001

// Set if instance names for this guid are specified in a static list within
// the WMIREGINFO
#define WMIREG_FLAG_INSTANCE_LIST      0x00000004

// Set if instance names are to be static and generated by WMI using a
// base name in the WMIREGINFO and an index
#define WMIREG_FLAG_INSTANCE_BASENAME  0x00000008

// Set if WMI should do automatic mapping of a PDO to device instance name
// as the instance name for the guid. This flag should only be used by
// kernel mode data providers.
#define WMIREG_FLAG_INSTANCE_PDO       0x00000020

// Note the flags WMIREG_FLAG_INSTANCE_LIST, WMIREG_FLAG_INSTANCE_BASENAME,
// WMIREG_FLAG_INSTANCE_REFERENCE and WMIREG_FLAG_INSTANCE_PDO are mutually
// exclusive.
// (WMIREG_FLAG_INSTANCE_REFERENCE is not defined in the visible part of
// this header.)

//
// These flags are only valid in a response to WMI_GUID_REGUPDATE
#define WMIREG_FLAG_REMOVE_GUID       0x00010000 // Remove support for guid
#define WMIREG_FLAG_RESERVED1         0x00020000 // Reserved by WMI
#define WMIREG_FLAG_RESERVED2         0x00040000 // Reserved by WMI

// Set if guid is one that is written to trace log.
// This guid cannot be queried directly via WMI, but must be read using
// logger apis.
#define WMIREG_FLAG_TRACED_GUID        0x00080000

//
// Only those Trace Guids that have this bit set can receive
// Enable/Disable Notifications.
//
#define WMIREG_FLAG_TRACE_CONTROL_GUID 0x00001000

//
// Set if the guid is only used for firing events. Guids that can be queried
// and that fire events should not have this bit set.
#define WMIREG_FLAG_EVENT_ONLY_GUID    0x00000040

// Registration block returned by a data provider: a fixed header, GuidCount
// WMIREGGUID records, then variable-length data (instance names).
//
// NOTE(review): NextWmiRegInfo, RegistryPath and MofResourceName are offsets
// and GuidCount is an element count, all supplied by the provider. Code that
// walks this structure should bound each of them by BufferSize. It should
// also make sure a NextWmiRegInfo chain makes forward progress, since
// nothing in the layout prevents an offset that points back at an earlier
// block.
typedef struct
{
    // Size of entire WMIREGINFO structure including this ULONG
    // and any static instance names that follow
    ULONG BufferSize;

    ULONG NextWmiRegInfo;   // Offset to next WMIREGINFO structure

    ULONG RegistryPath; // Offset from beginning of WMIREGINFO structure to a
                        // counted Unicode string containing
                        // the driver registry path (under HKLM\CCS\Services)
                        // This must be filled only by kernel mode data
                        // providers

    // Offset from beginning of WMIREGINFO structure to a
    // counted Unicode string containing
    // the name of resource in driver file containing MOF info
    ULONG MofResourceName;

    // Count of WMIREGGUID structures immediately following
    ULONG GuidCount;
    WMIREGGUIDW WmiRegGuid[];  // array of GuidCount WMIREGGUID structures
    // Variable length data including :
    //     Instance Names
} WMIREGINFOW, *PWMIREGINFOW;

// Unsuffixed aliases for the W (wide-character) registration types.
typedef WMIREGINFOW WMIREGINFO;
typedef PWMIREGINFOW PWMIREGINFO;

//
// WMI request codes
//
// The enumerators are compiled only when _WMIKM_ is not defined. With
// _WMIKM_ defined the enumerator list is empty, which standard C does not
// allow, so that configuration relies on a compiler extension. Presumably
// the kernel-mode headers supply the request codes another way; confirm.
typedef enum
{
#ifndef _WMIKM_
    WMI_GET_ALL_DATA = 0,
    WMI_GET_SINGLE_INSTANCE = 1,
    WMI_SET_SINGLE_INSTANCE = 2,
    WMI_SET_SINGLE_ITEM = 3,
    WMI_ENABLE_EVENTS = 4,
    WMI_DISABLE_EVENTS = 5,
    WMI_ENABLE_COLLECTION = 6,
    WMI_DISABLE_COLLECTION = 7,
    WMI_REGINFO = 8,
    WMI_EXECUTE_METHOD = 9
#endif
} WMIDPREQUESTCODE;

#if defined(_WINNT_) || defined(WINNT)
//
// WMI guid objects have the following rights
//    WMIGUID_QUERY
//    WMIGUID_SET
//    WMIGUID_NOTIFICATION
//    WMIGUID_READ_DESCRIPTION
//    WMIGUID_EXECUTE
//    TRACELOG_CREATE_REALTIME
//    TRACELOG_CREATE_ONDISK
//    TRACELOG_GUID_ENABLE
//    TRACELOG_ACCESS_KERNEL_LOGGER
//    TRACELOG_CREATE_INPROC
//    TRACELOG_ACCESS_REALTIME
//    TRACELOG_REGISTER_GUIDS   (defined below; missing from the original list)
//
// GuidTypes
//
//#ifndef _WMIKM_
#define WMI_GUIDTYPE_TRACECONTROL 0
#define WMI_GUIDTYPE_TRACE        1
#define WMI_GUIDTYPE_DATA         2
#define WMI_GUIDTYPE_EVENT        3
//#endif

//
// Specific rights for WMI guid objects. These are available from 0x0001 to
// 0xffff (ie up to 16 rights)
//
// Each right is a single bit, so the values can be ORed into an access mask.
// Twelve of the sixteen available bits are assigned below.
//
#define WMIGUID_QUERY                 0x0001
#define WMIGUID_SET                   0x0002
#define WMIGUID_NOTIFICATION          0x0004
#define WMIGUID_READ_DESCRIPTION      0x0008
#define WMIGUID_EXECUTE               0x0010
#define TRACELOG_CREATE_REALTIME      0x0020
#define TRACELOG_CREATE_ONDISK        0x0040
#define TRACELOG_GUID_ENABLE          0x0080
#define TRACELOG_ACCESS_KERNEL_LOGGER 0x0100
#define TRACELOG_CREATE_INPROC        0x0200
#define TRACELOG_ACCESS_REALTIME      0x0400
#define TRACELOG_REGISTER_GUIDS       0x0800

// Union of every specific right above plus STANDARD_RIGHTS_READ and
// SYNCHRONIZE (both expected from headers included before this one).
// Of the standard rights only STANDARD_RIGHTS_READ is part of this mask.
//
// NOTE(review): this mask includes WMIGUID_SET, WMIGUID_EXECUTE and all the
// TRACELOG_* rights. Callers that only read data need WMIGUID_QUERY, and
// security descriptors on guid objects are easier to audit when they grant
// the individual bits actually required rather than this mask.
#define WMIGUID_ALL_ACCESS (STANDARD_RIGHTS_READ |     \
                            SYNCHRONIZE |              \
                            WMIGUID_QUERY |            \
                            WMIGUID_SET |              \
                            WMIGUID_NOTIFICATION |     \
                            WMIGUID_READ_DESCRIPTION | \
                            WMIGUID_EXECUTE |          \
                            TRACELOG_CREATE_REALTIME | \
                            TRACELOG_CREATE_ONDISK |   \
                            TRACELOG_GUID_ENABLE |     \
                            TRACELOG_ACCESS_KERNEL_LOGGER |\
                            TRACELOG_CREATE_INPROC |   \
                            TRACELOG_ACCESS_REALTIME | \
                            TRACELOG_REGISTER_GUIDS )

#define WMI_GLOBAL_LOGGER_ID          0x0001
#endif // defined(_WINNT_) || defined(WINNT)

#endif // _WMISTR_