Subset: Microsoft
Microsoft Corp technologies
URI: Microsoft
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/uco-observable
Classes in subset
| Class | Description |
|---|---|
| AlternateDataStream | "An alternate data stream is data content stored within an NTFS file that is ... |
| AlternateDataStreamFacet | "An alternate data stream facet is a grouping of characteristics unique to da... |
| GlobalFlagType | 'A globalFlagType is a grouping of characteristics unique to the Windows syst... |
| IComHandlerActionType | "An IComHandler action type is a grouping of characteristics unique to a Wind... |
| IExecActionType | "An IExec action type is a grouping of characteristics unique to an action th... |
| Junction | "A junction is a specific NTFS (New Technology file System) reparse point to ... |
| MftRecordFacet | "An MFT record facet is a grouping of characteristics unique to the details o... |
| NTFSFile | "An NTFS file is a New Technology file System (NTFS) file |
| NTFSFileFacet | "An NTFS file facet is a grouping of characteristics unique to a file on an N... |
| NTFSFilePermissionsFacet | "An NTFS file permissions facet is a grouping of characteristics unique to th... |
| RegistryDatatype | "Data types used in Windows operating systems Registry, and the earlier IBM/M... |
| ReparsePoint | "A reparse point is a type of NTFS (New Technology file System) object which ... |
| TriggerType | "A triggerType is a grouping of characterizes unique to a set of criteria tha... |
| WindowsAccount | "A Windows account is a user account on a Windows operating system |
| WindowsAccountFacet | "A Windows account facet is a grouping of characteristics unique to a user ac... |
| WindowsActiveDirectoryAccount | "A Windows Active Directory account is an account managed by directory-based ... |
| WindowsActiveDirectoryAccountFacet | "A Windows Active Directory account facet is a grouping of characteristics un... |
| WindowsComputerSpecification | "A Windows computer specification is the hardware ans software of a programma... |
| WindowsComputerSpecificationFacet | "A Windows computer specification facet is a grouping of characteristics uniq... |
| WindowsCriticalSection | "A Windows critical section is a Windows object that provides synchronization... |
| WindowsEvent | "A Windows event is a notification record of an occurance of interest (system... |
| WindowsFileMapping | "A windows file mapping is the association of a file's contents with a portio... |
| WindowsHandle | "A Windows handle is an abstract reference to a resource within the Windows o... |
| WindowsHook | "A Windows hook is a mechanism by which an application can intercept events, ... |
| WindowsMailSlot | "A Windows mailslot is is a pseudofile that resides in memory, and may be acc... |
| WindowsNetworkShare | "A Windows network share is a Windows computer resource made available from o... |
| WindowsPEBinaryFile | "A Windows PE binary file is a Windows portable executable (PE) file |
| WindowsPEBinaryFileFacet | "A Windows PE binary file facet is a grouping of characteristics unique to a ... |
| WindowsPEBinaryType | |
| WindowsPEFileHheader | "A Windows PE file header is a grouping of characteristics unique to the 'hea... |
| WindowsPEOptionalHeader | "A Windows PE optional header is a grouping of characteristics unique to the ... |
| WindowsPESection | "A Windows PE section is a grouping of characteristics unique to a specific d... |
| WindowsPrefetch | "The Windows prefetch contains entries in a Windows prefetch file (used to sp... |
| WindowsPrefetchFacet | "A Windows prefetch facet is a grouping of characteristics unique to entries ... |
| WindowsProcess | "A Windows process is a program running on a Windows operating system |
| WindowsProcessFacet | "A Windows process facet is a grouping of characteristics unique to a program... |
| WindowsRegistryHive | "The Windows registry hive is a particular logical group of keys, subkeys, an... |
| WindowsRegistryHiveFacet | "A Windows registry hive facet is a grouping of characteristics unique to a p... |
| WindowsRegistryKey | "A Windows registry key is a particular key within a Windows registry (a hier... |
| WindowsRegistrykeyFacet | "A Windows registry key facet is a grouping of characteristics unique to a pa... |
| WindowsRegistryValue | "A Windows registry value is a grouping of characteristics unique to a partic... |
| WindowsService | "A Windows service is a specific Windows service (a computer program that ope... |
| WindowsServiceFacet | "A Windows service facet is a grouping of characteristics unique to a specifi... |
| WindowsServiceStartType | |
| WindowsServiceStatus | |
| WindowsServiceType | |
| WindowsSystemRestore | "A Windows system restore is a capture of a Windows computer's state (includi... |
| WindowsTask | "A Windows task is a process that is scheduled to execute on a Windows operat... |
| WindowsTaskFacet | "A Windows Task facet is a grouping of characteristics unique to a Windows Ta... |
| WindowsThread | "A Windows thread is a single thread of execution within a Windows process |
| WindowsThreadFacet | "A Windows thread facet is a grouping os characteristics unique to a single t... |
| WindowsVolumeFacet | "A Windows volume facet is a grouping of characteristics unique to a single a... |
| WindowsWaitableTime | "A Windows waitable timer is a synchronization object within the Windows oper... |
| WirelessNetworkConnection | "A wireless network connection is a connection (completed or attempted) acros... |
AlternateDataStream
"An alternate data stream is data content stored within an NTFS file that is independent of the standard content stream of the file and isHidden from access by default NTFS file viewing mechanisms."
| Name | Cardinality and Range | Description |
|---|---|---|
AlternateDataStreamFacet
"An alternate data stream facet is a grouping of characteristics unique to data content stored within an NTFS file that is independent of the standard content stream of the file and isHidden from access by default NTFS file viewing mechanisms."
| Name | Cardinality and Range | Description |
|---|---|---|
GlobalFlagType
'A globalFlagType is a grouping of characteristics unique to the Windows systemwide global variable named NtGlobalFlag that enables various internal debugging, tracing, and validation support in the operating system. [based on "Windows Global Flags, Chapter 3: System Mechanisms of Windows Internals by Solomon, Russinovich, and Ionescu]'
| Name | Cardinality and Range | Description |
|---|---|---|
IComHandlerActionType
"An IComHandler action type is a grouping of characteristics unique to a Windows Task-related action that fires a Windows COM handler (smart code in the client address space that can optimize calls between a client and server). [based on https://docs.microsoft.com/en-us/windows/win32/taskschd/comhandleraction]"
| Name | Cardinality and Range | Description |
|---|---|---|
IExecActionType
"An IExec action type is a grouping of characteristics unique to an action that executes a command-line operation on a Windows operating system. [based on https://docs.microsoft.com/en-us/windows/win32/api/taskschd/nn-taskschd-iexecaction?redirectedfrom=MSDN]"
| Name | Cardinality and Range | Description |
|---|---|---|
Junction
"A junction is a specific NTFS (New Technology file System) reparse point to redirect a directory access to another directory which can be on the same volume or another volume. A junction is similar to a directory symbolic link but may differ on whether they are processed on the local system or on the remote file server. [based on https://jp-andre.pagesperso-orange.fr/junctions.html]"
| Name | Cardinality and Range | Description |
|---|---|---|
MftRecordFacet
"An MFT record facet is a grouping of characteristics unique to the details of a single file as managed in an NTFS (new technology filesystem) master file table (which is a collection of information about all files on an NTFS filesystem). [based on https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table]"
| Name | Cardinality and Range | Description |
|---|---|---|
| mftFileID | 0..1 xsd:integer |
"Specifies the record number for the file within an NTFS Master file Table |
| mftFileNameLength | 0..1 xsd:integer |
" Specifies the length of an NTFS fileName, in unicode characters |
| mftParentID | 0..1 xsd:integer |
"Specifies the record number within an NTFS Master file Table for parent dire... |
| mftRecordChangeTime | 0..1 xsd:dateTime |
"The date and time at which an NTFS file metadata was last modified |
| ntfsHardLinkCount | 0..1 xsd:integer |
"Specifies the number of directory entries that reference an NTFS file record |
| ntfsOwnerID | 0..1 xsd:string |
"Specifies the identifier of the file owner, from the security index |
| ntfsOwnerSID | 0..1 xsd:string |
"Specifies the security ID (key in the $SII Index and $SDS DataStream in the ... |
NTFSFile
"An NTFS file is a New Technology file System (NTFS) file."
| Name | Cardinality and Range | Description |
|---|---|---|
NTFSFileFacet
"An NTFS file facet is a grouping of characteristics unique to a file on an NTFS (new technology filesystem) file system."
| Name | Cardinality and Range | Description |
|---|---|---|
NTFSFilePermissionsFacet
"An NTFS file permissions facet is a grouping of characteristics unique to the access rights (e.g., view, change, navigate, execute) of a file on an NTFS (new technology filesystem) file system."
| Name | Cardinality and Range | Description |
|---|---|---|
RegistryDatatype
"Data types used in Windows operating systems Registry, and the earlier IBM/Microsoft OS/2 operating system"
| Name | Cardinality and Range | Description |
|---|---|---|
ReparsePoint
"A reparse point is a type of NTFS (New Technology file System) object which is an optional attribute of files and directories meant to define some sort of preprocessing before accessing the said file or directory. For instance reparse points can be used to redirect access to files which have been moved to long term storage so that some application would retrieve them and make them directly accessible. A reparse point contains a reparse tag and data that are interpreted by a filesystem filter identified by the tag. [based on https://jp-andre.pagesperso-orange.fr/junctions.html ; https://en.wikipedia.org/wiki/NTFS_reparse_point]"
| Name | Cardinality and Range | Description |
|---|---|---|
TriggerType
"A triggerType is a grouping of characterizes unique to a set of criteria that, when met, starts the execution of a task within a Windows operating system. [based on https://docs.microsoft.com/en-us/windows/win32/taskschd/task-triggers]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsAccount
"A Windows account is a user account on a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsAccountFacet
"A Windows account facet is a grouping of characteristics unique to a user account on a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsActiveDirectoryAccount
"A Windows Active Directory account is an account managed by directory-based identity-related services of a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsActiveDirectoryAccountFacet
"A Windows Active Directory account facet is a grouping of characteristics unique to an account managed by directory-based identity-related services of a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsComputerSpecification
"A Windows computer specification is the hardware ans software of a programmable electronic device that can store, retrieve, and process data running a Microsoft Windows operating system. [based on merriam-webster.com/dictionary/computer]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsComputerSpecificationFacet
"A Windows computer specification facet is a grouping of characteristics unique to the hardware and software of a programmable electronic device that can store, retrieve, and process data running a Microsoft Windows operating system. [based on merriam-webster.com/dictionary/computer]"
| Name | Cardinality and Range | Description |
|---|---|---|
| msProductID | 0..1 xsd:string |
"The Microsoft Product ID |
| msProductName | 0..1 xsd:string |
"The Microsoft ProductName of the current installation of Windows |
| netBIOSName | 0..1 xsd:string |
"Specifies the NetBIOS (network Basic Input/Output System) name of the Windo... |
| registeredOrganization | 0..1 Identity |
"The organization that this copy of Windows is registered to |
| registeredOwner | 0..1 Identity |
"The person or organization that is the registeredOwner of this copy of Windo... |
| windowsDirectory | 0..1 ObservableObject |
"The Windows_Directory field specifies the fully-qualified path to the Window... |
| windowsSystemDirectory | 0..1 ObservableObject |
"The Windows_System_Directory field specifies the fully-qualified path to the... |
| windowsTempDirectory | 0..1 ObservableObject |
"The Windows_Temp_Directory field specifies the fully-qualified path to the W... |
WindowsCriticalSection
"A Windows critical section is a Windows object that provides synchronization similar to that provided by a mutex object, except that a critical section can be used only by the threads of a single process. Critical section objects cannot be shared across processes. Event, mutex, and semaphore objects can also be used in a single-process application, but critical section objects provide a slightly faster, more efficient mechanism for mutual-exclusion synchronization (a processor-specific test and set instruction). Like a mutex object, a critical section object can be owned by only one thread at a time, which makes it useful for protecting a shared resource from simultaneous access. Unlike a mutex object, there is no way to tell whether a critical section has been abandoned. [based on https://docs.microsoft.com/en-us/windows/win32/sync/critical-section-objects]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsEvent
"A Windows event is a notification record of an occurance of interest (system, security, application, etc.) on a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsFileMapping
"A windows file mapping is the association of a file's contents with a portion of the virtual address space of a process within a Windows operating system. The system creates a file mapping object (also known as a section object) to maintain this association. A file view is the portion of virtual address space that a process uses to access the file's contents. file mapping allows the process to use both random input and output (I/O) and sequential I/O. It also allows the process to work efficiently with a large data file, such as a database, without having to map the whole file into memory. Multiple processes can also use memory-mapped files to share data. processes read from and write to the file view using pointers, just as they would with dynamically allocated memory. The use of file mapping improves efficiency because the file resides on disk, but the file view resides in memory.[based on https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsHandle
"A Windows handle is an abstract reference to a resource within the Windows operating system, such as a window, memory, an open file or a pipe. It is the mechanism by which applications interact with such resources in the Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsHook
"A Windows hook is a mechanism by which an application can intercept events, such as messages, mouse actions, and keystrokes within the Windows operating system. A function that intercepts a particular type of event is known as a hook procedure. A hook procedure can act on each event it receives, and then modify or discard the event. [based on https://docs.microsoft.com/en-us/windows/win32/winmsg/about-hooks]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsMailSlot
"A Windows mailslot is is a pseudofile that resides in memory, and may be accessed using standard file functions. The data in a mailslot message can be in any form, but cannot be larger than 424 bytes when sent between computers. Unlike disk files, mailslots are temporary. When all handles to a mailslot are closed, the mailslot and all the data it contains are deleted. [based on https://docs.microsoft.com/en-us/windows/win32/ipc/about-mailslots]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsNetworkShare
"A Windows network share is a Windows computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer transparently as if it were a resource in the local machine. network sharing is made possible by inter-process communication over the network. [based on https://en.wikipedia.org/wiki/Shared_resource]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPEBinaryFile
"A Windows PE binary file is a Windows portable executable (PE) file."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPEBinaryFileFacet
"A Windows PE binary file facet is a grouping of characteristics unique to a Windows portable executable (PE) file."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPEBinaryType
None
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPEFileHheader
"A Windows PE file header is a grouping of characteristics unique to the 'header' of a Windows PE (Portable Executable) file, consisting of a collection of metadata about the overall nature and structure of the file."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPEOptionalHeader
"A Windows PE optional header is a grouping of characteristics unique to the 'optionalHeader' of a Windows PE (Portable Executable) file, consisting of a collection of metadata about the executable code structure of the file."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPESection
"A Windows PE section is a grouping of characteristics unique to a specific default or custom-defined region of a Windows PE (Portable Executable) file, consisting of an individual portion of the actual executable content of the file delineated according to unique purpose and memory protection requirements."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPrefetch
"The Windows prefetch contains entries in a Windows prefetch file (used to speed up application startup starting with Windows XP)."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsPrefetchFacet
"A Windows prefetch facet is a grouping of characteristics unique to entries in the Windows prefetch file (used to speed up application startup starting with Windows XP)."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsProcess
"A Windows process is a program running on a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsProcessFacet
"A Windows process facet is a grouping of characteristics unique to a program running on a Windows operating system."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsRegistryHive
"The Windows registry hive is a particular logical group of keys, subkeys, and values in a Windows registry (a hierarchical database that stores low-level settings for the Microsoft Windows operating sytem and for applications that opt to use the registry). [based on https://en.wikipedia.org/wiki/Windows_Registry]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsRegistryHiveFacet
"A Windows registry hive facet is a grouping of characteristics unique to a particular logical group of keys, subkeys, and values in a Windows registry (a hierarchical database that stores low-level settings for the Microsoft Windows operating sytem and for applications that opt to use the registry). [based on https://en.wikipedia.org/wiki/Windows_Registry]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsRegistryKey
"A Windows registry key is a particular key within a Windows registry (a hierarchical database that stores low-level settings for the Microsoft Windows operating sytem and for applications that opt to use the registry). [based on https://en.wikipedia.org/wiki/Windows_Registry]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsRegistrykeyFacet
"A Windows registry key facet is a grouping of characteristics unique to a particular key within a Windows registry (A hierarchical database that stores low-level settings for the Microsoft Windows operating sytem and for applications that opt to use the registry). [based on https://en.wikipedia.org/wiki/Windows_Registry]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsRegistryValue
"A Windows registry value is a grouping of characteristics unique to a particular value within a Windows registry (a hierarchical database that stores low-level settings for the Microsoft Windows operating sytem and for applications that opt to use the registry. [based on https://en.wikipedia.org/wiki/Windows_Registry]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsService
"A Windows service is a specific Windows service (a computer program that operates in the background of a Windows operating system, similar to the way a UNIX daemon runs on UNIX ). [based on https://en.wikipedia.org/wiki/Windows_service]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsServiceFacet
"A Windows service facet is a grouping of characteristics unique to a specific Windows service (a computer program that operates in the background of a Windows operating system, similar to the way a UNIX daemon runs on UNIX ). [based on https://en.wikipedia.org/wiki/Windows_service]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsServiceStartType
None
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsServiceStatus
None
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsServiceType
None
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsSystemRestore
"A Windows system restore is a capture of a Windows computer's state (including system files, installed applications, Windows Registry, and system settings) at a particular point in time such that the computer can be reverted to that state in the event of system malfunctions or other problems. [based on https://en.wikipedia.org/wiki/System_Restore]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsTask
"A Windows task is a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler. [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsTaskFacet
"A Windows Task facet is a grouping of characteristics unique to a Windows Task (a process that is scheduled to execute on a Windows operating system by the Windows Task Scheduler). [based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa381311(v=vs.85).aspx]"
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsThread
"A Windows thread is a single thread of execution within a Windows process."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsThreadFacet
"A Windows thread facet is a grouping os characteristics unique to a single thread of execution within a Windows process."
| Name | Cardinality and Range | Description |
|---|---|---|
WindowsVolumeFacet
"A Windows volume facet is a grouping of characteristics unique to a single accessible storage area (volume) with a single windows file system. [based on https://en.wikipedia.org/wiki/volume_(computing)]"
| Name | Cardinality and Range | Description |
|---|---|---|
| driveType | 0..1 WindowsDriveTypeEnum |
"Specifies the driveType of a windows volume |
| windowsVolumeAttributes | 0..1 xsd:string |
"Specifies the attributes of a windows volume |
WindowsWaitableTime
"A Windows waitable timer is a synchronization object within the Windows operating system whose state is set to signaled when a specified due time arrives. There are two types of waitable timers that can be created: manual-reset and synchronization. A timer of either type can also be a periodic timer. [based on https://docs.microsoft.com/en-us/windows/win32/sync/waitable-timer-objects]"
| Name | Cardinality and Range | Description |
|---|---|---|
WirelessNetworkConnection
"A wireless network connection is a connection (completed or attempted) across an IEEE 802.11 standards-confromant digital network (a group of two or more computer systems linked together). [based on https://www.webopedia.com/TERM/N/network.html]"
| Name | Cardinality and Range | Description |
|---|---|---|
Slots in subset
| Slot | Description |
|---|---|
| driveType | "Specifies the driveType of a windows volume |
| mftFileID | "Specifies the record number for the file within an NTFS Master file Table |
| mftFileNameLength | " Specifies the length of an NTFS fileName, in unicode characters |
| mftParentID | "Specifies the record number within an NTFS Master file Table for parent dire... |
| mftRecordChangeTime | "The date and time at which an NTFS file metadata was last modified |
| msProductID | "The Microsoft Product ID |
| msProductName | "The Microsoft ProductName of the current installation of Windows |
| netBIOSName | "Specifies the NetBIOS (network Basic Input/Output System) name of the Windo... |
| ntfsHardLinkCount | "Specifies the number of directory entries that reference an NTFS file record |
| ntfsOwnerID | "Specifies the identifier of the file owner, from the security index |
| ntfsOwnerSID | "Specifies the security ID (key in the $SII Index and $SDS DataStream in the ... |
| registeredOrganization | "The organization that this copy of Windows is registered to |
| registeredOwner | "The person or organization that is the registeredOwner of this copy of Windo... |
| windowsDirectory | "The Windows_Directory field specifies the fully-qualified path to the Window... |
| windowsSystemDirectory | "The Windows_System_Directory field specifies the fully-qualified path to the... |
| windowsTempDirectory | "The Windows_Temp_Directory field specifies the fully-qualified path to the W... |
| windowsVolumeAttributes | "Specifies the attributes of a windows volume |
Enumerations in subset
| Enumeration | Description |
|---|---|
| WindowsNetworkSecurityModeEnum | |
| WindowsPEBinaryTypeEnum | |
| WindowsServiceStartTypeEnum | |
| WindowsServiceStatusEnum | |
| WindowsServiceTypeEnum |