This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. Win_Thread_Object 2.0 04/08/2013 The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. The Windows_Threat object is intended to characterize Windows process threads. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684852(v=vs.85).aspx The Windows_ThreadObjectType is intended to characterize Windows process threads. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684852(v=vs.85).aspx Represents the identifier of this thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms683183(v=vs.85).aspx Handle represents the handle of a specific thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx Running Status represents the running state that the thread is in. The Context field specifies the thread context structure, which contains processor-specific register data. Represents the priority of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms685100(v=vs.85).aspx The Creation flags field represents the creation flags that a thread may be launched with. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx Creation time represents the creation time of the thread. Start address represents the start address of this thread, representing the memory address where this thread should start. See Also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms682453(v=vs.85).aspx Security attributes represents the security attributes for the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/aa379560(v=vs.85).aspx Represents the stack size of the thread. See also: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686774(v=vs.85).aspx ThreadRunningStatusType specifies Windows thread running states via a union of the ThreadRunningStatusEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications. This attribute is optional and specifies the expected type for the value of the specified property. Thread running status enumerates the various states that a thread may be in before, during, or after execution. See http://msdn.microsoft.com/en-us/library/system.diagnostics.threadstate(v=vs.110).aspx A state that indicates the thread has been initialized, but has not yet started. A state that indicates the thread is waiting to use a processor because no processor is free. The thread is preapared to run on the next available processor. A state that indicates the thread is currently using a prcoessor. A state that indicates the thread is about to use a processor. Only one thread can be in this state at a time. A state that indicates the thread has finished executing and has exited. A state that indicates the thread is not ready to use the processor because it is waiting for a peripheral operation to complete or a resource to become free. When the thread is ready, it will be rescheduled. A state that indicates the thread is waiting for a resource, other than the processor, before it can execute. The thread of the thread is unknown.