These docs are for STIX 1.1.1, which is not the latest version (1.2).

WindowsThreadObjectType (Win Thread Object Schema)

The Windows_ThreadObjectType is intended to characterize Windows process threads. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684852(v=vs.85).aspx.


Fields

Field Name Type Description
@object_reference (optional): QName

The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.

Custom_Properties (0..1): CustomPropertiesType

The Custom_Properties construct is optional and enables the specification of a set of custom Object Properties that may not be defined in existing Properties schemas.

Thread_ID (0..1): NonNegativeIntegerObjectPropertyType

Represents the identifier of this thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683183(v=vs.85).aspx.

Handle (0..1): WindowsHandleObjectType

Handle represents the handle of a specific thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx.

Running_Status (0..1): ThreadRunningStatusType

Running Status represents the running state that the thread is in.

Context (0..1): StringObjectPropertyType

The Context field specifies the thread context structure, which contains processor-specific register data.

Priority (0..1): UnsignedIntegerObjectPropertyType

Represents the priority of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx.

Creation_Flags (0..1): HexBinaryObjectPropertyType

The Creation flags field represents the creation flags that a thread may be launched with. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx.

Creation_Time (0..1): DateTimeObjectPropertyType

Creation time represents the creation time of the thread.

Start_Address (0..1): HexBinaryObjectPropertyType

Start address represents the memory address where this thread should start. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx.

Parameter_Address (0..1): HexBinaryObjectPropertyType

Security_Attributes (0..1): StringObjectPropertyType

Security attributes represents the security attributes for the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379560(v=vs.85).aspx.

Stack_Size (0..1): NonNegativeIntegerObjectPropertyType

Represents the stack size of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686774(v=vs.85).aspx.