dissect.etl.headers.system#

Module Contents#

Classes#

SystemSpecificHeader

A baseclass for the different ETL headers.

SystemHeader

Creates a System header.

CompactSystemHeader

Creates a compact system header.

PerfinfoTraceHeader

A header that records performance events for windows.
class dissect.etl.headers.system.SystemSpecificHeader(marker: Marker, data: memoryview, etl)#

Bases: dissect.etl.headers.headers.Header

A baseclass for the different ETL headers.

property size: int#

The size of the event.

In most cases this is inside the remainder field of the marker.

property minimal_size: int#

Minimum header size.

Adds additional header bytes to the result to create a correct payload offset.

property hook_id: int#

An ID that identifies who created the event.

property opcode: int#

A code used to select the type of event inside the header.

property group: int#

A code used to select the provider for this header.

property provider_id: uuid.UUID#

Provider that generated this event.

class dissect.etl.headers.system.SystemHeader(marker: Marker, data: memoryview, etl)#

Bases: SystemSpecificHeader

Creates a System header. This header has the following types associated with them.

Version Marker Size OpCode Group ThreadId ProcessId TimeDelta ProcessorTime

property process_id: int#

The process id that created this event.

property processor_time: int#

The time it took on the processor.

property thread_id: int#

The thread id that created this event.

additional_header_fields() Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.system.CompactSystemHeader(marker: Marker, data: memoryview, etl)#

Bases: SystemSpecificHeader

Creates a compact system header. This header has the following types associated with them.

Version Marker Size OpCode Group ThreadId ProcessId TimeDelta

property process_id: int#

The process id that created this event.

property thread_id: int#

The thread id that created this event.

additional_header_fields() Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.system.PerfinfoTraceHeader(marker: Marker, data: memoryview, etl)#

Bases: SystemSpecificHeader

A header that records performance events for windows.

additional_header_fields() Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.