TRACEPOINTS

Tracepoints

The following table lists of all possible tracepoints, and indicates whether they are bracketed, their hexadecimal event masks, their default aliases, and some basic interpretation of each record.

Bracketed refers to whether the kernel "event" being traced has tracepoints which are triggered before and after the event takes place. For instance, the WRITE_PRE tracepoint is triggered when the OS/2 DosWrite() API is called, but before the requested writing is allowed to take place. The WRITE_POST tracepoint is triggered immediately after the requested writing is completed. These "pre" and "post" tracepoints generally will contain different information. A bracketed event will have the "pre" tracepoint listed first and the "post" tracepoint listed next.

Mask refers to a hexadecimal number which is used to uniquely identify a tracepoint, both to the Kernel Trace control program (KTRACE.EXE) when using the -t option at the command line, and in the associated trace record in the resulting trace file.

Tracepoint Alias refers to the alias assigned to each tracepoint in the default KTRACE.CFG configuration file. Note that this alias may be overridden by the user, by editing this configuration file.

Details. The SES hooks exploited by Kernel Trace are only sparsely documented. These details represent Golden Code's best estimates of the origins of these tracepoints.

Tracepoint Name Bracketed? Mask Tracepoint
Alias Details

Change Directory N 0x010000000 CHANGEDIR Whenever a program changes the current directory, via OS/2 API DosSetCurrentDir() or via a DOS interface in a VDM.

Change File Pointer N 0x000000080 CHGFILEPTR Whenever a program seeks to a new read/write position in an open file, via OS/2 API DosSetFilePtr() or via a DOS interface in a VDM.

Close N 0x000000040 CLOSE The close of any file handle, whether via the OS/2 API DosClose() or via a DOS interface in a VDM.

Create VDM Y 0x040000000
0x080000000 CREATEVDM
CREATEVDMPOST The start of a DOS VDM session by the OS/2 loader.

Delete Y 0x000000100
0x000000200 DELETE_PRE
DELETE_POST The deletion of any file, whether via the OS/2 API DosDelete() or via a DOS interface in a VDM.

Device I/O Control N 0x200000000 DEVIOCTL Any direct access to a logical or physical disk via the OS/2 API DosDevIOTCL().

Execute Program Y 0x000004000
0x000008000 EXECPGM
EXECPGMPOST The start of a new process via DosExecPgm(), DosStartSession() or via a DOS interface in a VDM.

Find N 0x000010000 FINDFIRST When a program searches for files via DosFindFirst().

Find Next N 0x000040000 FINDNEXT When a program continues a search for files via DosFindNext().

Find 3X N 0x000020000 FINDFIRST3X Same as "Find" but seems to be used for VDMs and possibly 16-bit APIs.

Find 3X Next N 0x000080000 FINDFIRTSNEXT3X Same as "Find Next" but seems to be used for VDMs and possibly 16-bit APIs.

Find Close N 0x000100000 FINDCLOSE Ends a search for files with DosFindClose().

Find 3X Close N 0x000200000 FINDCLOSE3X Same as "Find Close" but seems to be used for VDMs and possibly 16-bit APIs.

Get Module N 0x000002000 GETMODULE Whenever the OS/2 loader attempts to access a DLL (already loaded or not).

Loader Open N 0x000001000 LOADEROPEN Whenever the OS/2 loader attempts to open a program file (EXE or DLL).

Make Directory N 0x008000000 MAKEDIR The creation of a new directory, using the OS/2 API DosCreateDir() or viaa DOS interface in a VDM.

Move Y 0x000000400
0x000000800 MOVE_PRE
MOVE_POST The move or renaming of a file, using the OS/2 API DosMove() or via a DOS interface in a VDM.

Open Y 0x000000001
0x000000002 OPEN_PRE
OPEN_POST The open of a new file, using the OS/2 API DosOpen() or via a DOS interface in a VDM.

Query File Information N 0x000800000 QUERYFILEINFO The querying of a file's attributes, using the OS/2 API DosQueryFileInfo(), DosEnumAttribute(), or via a DOS interface in a VDM.

Read Y 0x000000004
0x000000008 READ_PRE
READ_POST The reading of bytes from an open file, using the OS/2 API DosRead() or via a DOS interface in a VDM.

Remove Directory N 0x020000000 REMOVEDIR The deletion of a directory, using the OS/2 API DosDeleteDir() or viaa DOS interface in a VDM.

Set Date/Time N 0x100000000 SETDATETIME The changing of the system date or time using the OS/2 API DosSetDateTime() or via a DOS interface in a VDM.

Set File Information N 0x001000000 SETFILEINFO The changing of a file's attributes using the OS/2 API DosSetFileInfo() or via a DOS interface in a VDM.

Set File Mode N 0x002000000 SETFILEMODE This may be used by a 16-bit OS/2 API. It is currently unknown.

Set File Size N 0x000400000 SETFILESIZE The changing of a file's size using the OS/2 API DosSetFileInfo() or via a DOS interface in a VDM.

Set Path Information N 0x004000000 SETPATHINFO The setting of directory attributes, using the OS/2 API DosSetPathInfo() or via a DOS interface in a VDM.

Write Y 0x000000010
0x000000020 WRITE_PRE
WRITE_POST The writing of bytes to an open file the OS/2 API DosWrite() or via a DOS interface in a VDM.

Tracepoint Name	Bracketed?	Mask	Tracepoint Alias	Details
Change Directory	N	`0x010000000`	`CHANGEDIR`	Whenever a program changes the current directory, via OS/2 API DosSetCurrentDir() or via a DOS interface in a VDM.
Change File Pointer	N	`0x000000080`	`CHGFILEPTR`	Whenever a program seeks to a new read/write position in an open file, via OS/2 API DosSetFilePtr() or via a DOS interface in a VDM.
Close	N	`0x000000040`	`CLOSE`	The close of any file handle, whether via the OS/2 API DosClose() or via a DOS interface in a VDM.
Create VDM	Y	`0x040000000` `0x080000000`	`CREATEVDM` `CREATEVDMPOST`	The start of a DOS VDM session by the OS/2 loader.
Delete	Y	`0x000000100` `0x000000200`	`DELETE_PRE` `DELETE_POST`	The deletion of any file, whether via the OS/2 API DosDelete() or via a DOS interface in a VDM.
Device I/O Control	N	`0x200000000`	`DEVIOCTL`	Any direct access to a logical or physical disk via the OS/2 API DosDevIOTCL().
Execute Program	Y	`0x000004000` `0x000008000`	`EXECPGM` `EXECPGMPOST`	The start of a new process via DosExecPgm(), DosStartSession() or via a DOS interface in a VDM.
Find	N	`0x000010000`	`FINDFIRST`	When a program searches for files via DosFindFirst().
Find Next	N	`0x000040000`	`FINDNEXT`	When a program continues a search for files via DosFindNext().
Find 3X	N	`0x000020000`	`FINDFIRST3X`	Same as "Find" but seems to be used for VDMs and possibly 16-bit APIs.
Find 3X Next	N	`0x000080000`	`FINDFIRTSNEXT3X`	Same as "Find Next" but seems to be used for VDMs and possibly 16-bit APIs.
Find Close	N	`0x000100000`	`FINDCLOSE`	Ends a search for files with DosFindClose().
Find 3X Close	N	`0x000200000`	`FINDCLOSE3X`	Same as "Find Close" but seems to be used for VDMs and possibly 16-bit APIs.
Get Module	N	`0x000002000`	`GETMODULE`	Whenever the OS/2 loader attempts to access a DLL (already loaded or not).
Loader Open	N	`0x000001000`	`LOADEROPEN`	Whenever the OS/2 loader attempts to open a program file (EXE or DLL).
Make Directory	N	`0x008000000`	`MAKEDIR`	The creation of a new directory, using the OS/2 API DosCreateDir() or viaa DOS interface in a VDM.
Move	Y	`0x000000400` `0x000000800`	`MOVE_PRE` `MOVE_POST`	The move or renaming of a file, using the OS/2 API DosMove() or via a DOS interface in a VDM.
Open	Y	`0x000000001` `0x000000002`	`OPEN_PRE` `OPEN_POST`	The open of a new file, using the OS/2 API DosOpen() or via a DOS interface in a VDM.
Query File Information	N	`0x000800000`	`QUERYFILEINFO`	The querying of a file's attributes, using the OS/2 API DosQueryFileInfo(), DosEnumAttribute(), or via a DOS interface in a VDM.
Read	Y	`0x000000004` `0x000000008`	`READ_PRE` `READ_POST`	The reading of bytes from an open file, using the OS/2 API DosRead() or via a DOS interface in a VDM.
Remove Directory	N	`0x020000000`	`REMOVEDIR`	The deletion of a directory, using the OS/2 API DosDeleteDir() or viaa DOS interface in a VDM.
Set Date/Time	N	`0x100000000`	`SETDATETIME`	The changing of the system date or time using the OS/2 API DosSetDateTime() or via a DOS interface in a VDM.
Set File Information	N	`0x001000000`	`SETFILEINFO`	The changing of a file's attributes using the OS/2 API DosSetFileInfo() or via a DOS interface in a VDM.
Set File Mode	N	`0x002000000`	`SETFILEMODE`	This may be used by a 16-bit OS/2 API. It is currently unknown.
Set File Size	N	`0x000400000`	`SETFILESIZE`	The changing of a file's size using the OS/2 API DosSetFileInfo() or via a DOS interface in a VDM.
Set Path Information	N	`0x004000000`	`SETPATHINFO`	The setting of directory attributes, using the OS/2 API DosSetPathInfo() or via a DOS interface in a VDM.
Write	Y	`0x000000010` `0x000000020`	`WRITE_PRE` `WRITE_POST`	The writing of bytes to an open file the OS/2 API DosWrite() or via a DOS interface in a VDM.