Win32_ThreadStartTrace

The Win32_ThreadStartTrace event WMI class indicates that a new thread has started.

Methods

Win32_ThreadStartTrace has no methods.

Properties

Win32_ThreadStartTrace returns 11 properties:

'ProcessID','SECURITY_DESCRIPTOR','StackBase','StackLimit','StartAddr','ThreadID',
'TIME_CREATED','UserStackBase','UserStackLimit','WaitMode','Win32StartAddr'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName Win32_ThreadStartTrace -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, no instances of class Win32_ThreadStartTrace exist. This is normal behavior.

Either the class is not implemented on your system (it may be deprecated, or drivers may be missing, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive). Win32_ThreadStartTrace is an event class, so its instances exist only as events delivered to a subscriber while threads start; a one-time query has nothing stored to return.
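Because this is an event class, its properties are read by subscribing to it rather than by a one-time query. The following is an added example, not part of the original page: it subscribes with Register-CimIndicationEvent from an elevated session, watches one process for 30 seconds and decodes each event. The source identifier, the watched process and the output column names are assumptions chosen for illustration.

```powershell
#requires -RunAsAdministrator
# Added example: receive Win32_ThreadStartTrace events and decode their properties.
# $sourceId is a hypothetical name; pick any identifier unique to your session.
$sourceId = 'ThreadStartWatch'

# Constructed sample target: the current PowerShell process.
# A WHERE clause keeps the event volume manageable; thread starts are frequent system-wide.
$targetPid = $PID
$query     = "SELECT * FROM Win32_ThreadStartTrace WHERE ProcessID = $targetPid"

# Without -Action, events are placed in the session's event queue.
Register-CimIndicationEvent -Query $query -SourceIdentifier $sourceId

try {
    $deadline = (Get-Date).AddSeconds(30)
    while ((Get-Date) -lt $deadline) {
        # Wait-Event returns $null when the timeout expires without an event.
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 2
        if (-not $evt) { continue }

        $e    = $evt.SourceEventArgs.NewEvent
        $proc = Get-Process -Id $e.ProcessID -ErrorAction SilentlyContinue

        [pscustomobject]@{
            # TIME_CREATED counts 100-nanosecond intervals since 1601-01-01 (UTC).
            TimeUtc        = [DateTime]::FromFileTimeUtc([int64]$e.TIME_CREATED)
            ProcessID      = $e.ProcessID
            ProcessName    = if ($proc) { $proc.ProcessName } else { '<exited>' }
            ThreadID       = $e.ThreadID
            # uint64 addresses are easier to compare against module ranges in hex.
            Win32StartAddr = '0x{0:X16}' -f $e.Win32StartAddr
            StartAddr      = '0x{0:X16}' -f $e.StartAddr
            WaitMode       = if ($e.WaitMode -eq 0) { 'Kernel' } else { 'User' }
        }

        # Wait-Event does not dequeue the event; remove it so it is not read twice.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
}
finally {
    # Always remove the subscription and any events still queued.
    Unregister-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue
    Get-Event -SourceIdentifier $sourceId -ErrorAction SilentlyContinue | Remove-Event
}
```

Dropping the WHERE clause reports thread starts for every process, which is useful for short captures but produces a high event rate.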

ProcessID

UINT32

Process identifier of the thread involved in the event.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property ProcessID

SECURITY_DESCRIPTOR

UINT8 ARRAY

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property SECURITY_DESCRIPTOR

StackBase

UINT64

Base address of the thread’s stack.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property StackBase

StackLimit

UINT64

Limit of the thread’s stack.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property StackLimit

StartAddr

UINT64

Memory address at which the trace starts.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property StartAddr

ThreadID

UINT32

Thread identifier of the thread involved in the event.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property ThreadID

TIME_CREATED

UINT64

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property TIME_CREATED

UserStackBase

UINT64

Base address of the thread’s user-mode stack.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property UserStackBase

UserStackLimit

UINT64

Limit of the thread’s user-mode stack.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property UserStackLimit

WaitMode

UINT32

Processor mode in which the wait is to occur.

0 = Kernel

1 = User

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property WaitMode

Win32StartAddr

UINT64

Starting address of the function to be executed by this thread.

For more information about using uint64 values in scripts, see Scripting in WMI.

Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property Win32StartAddr

Examples

List all instances of Win32_ThreadStartTrace

Get-CimInstance -ClassName Win32_ThreadStartTrace

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties

Get-CimInstance -ClassName Win32_ThreadStartTrace -Property *

View key properties only

Get-CimInstance -ClassName Win32_ThreadStartTrace -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.

The code below lists all available properties. Remove the ones you do not need:

$properties = 'ProcessID',
              'SECURITY_DESCRIPTOR',
              'StackBase',
              'StackLimit',
              'StartAddr',
              'ThreadID',
              'TIME_CREATED',
              'UserStackBase',
              'UserStackLimit',
              'WaitMode',
              'Win32StartAddr'
Get-CimInstance -ClassName Win32_ThreadStartTrace | Select-Object -Property $properties

Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -ClassName Win32_ThreadStartTrace -Property $properties |
Select-Object -Property $properties

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property WaitMode is 1 (User)

Get-CimInstance -ClassName Win32_ThreadStartTrace -Filter 'WaitMode = 1'

Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property WaitMode is 1 (User), and returns the properties specified:

Get-CimInstance -Query "SELECT ThreadID, StackLimit, UserStackBase, UserStackLimit FROM Win32_ThreadStartTrace WHERE WaitMode = 1"

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT ThreadID, StackLimit, UserStackBase, UserStackLimit FROM Win32_ThreadStartTrace WHERE WaitMode = 1" | Select-Object -Property ThreadID, StackLimit, UserStackBase, UserStackLimit

Accessing Remote Computers

To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_ThreadStartTrace -ComputerName $list
$result

Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance Win32_ThreadStartTrace -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use Win32_ThreadStartTrace, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

Win32_ThreadStartTrace was introduced on clients with Windows Vista and on servers with Windows Server 2008.

Namespace

Win32_ThreadStartTrace lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.

Implementation

Win32_ThreadStartTrace is implemented in Krnlprov.dll and defined in Krnlprov.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Krnlprov.mof