Description
In FileIOCreateTraceData, the CreateOptions field appears to be incorrect and misleading.
Right now the flag enumeration used for CreateOptions contains values from the Win32 CreateFileA dwFlagsAndAttributes parameter (e.g., FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_ARCHIVE, etc.):
```csharp
/// <summary>
/// See Windows CreateFile function FlagsAndAttributes parameter.
/// TODO FIX NOW: these have not been validated yet.
/// </summary>
[Flags]
public enum CreateOptions
{
    NONE = 0,
    FILE_ATTRIBUTE_ARCHIVE = 32,
    FILE_ATTRIBUTE_COMPRESSED = 2048,
    FILE_ATTRIBUTE_DEVICE = 64,
    FILE_ATTRIBUTE_DIRECTORY = 16,
    FILE_ATTRIBUTE_ENCRYPTED = 16384,
    FILE_ATTRIBUTE_HIDDEN = 2,
    FILE_ATTRIBUTE_INTEGRITY_STREAM = 32768,
    FILE_ATTRIBUTE_NORMAL = 128,
    FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192,
    FILE_ATTRIBUTE_NO_SCRUB_DATA = 131072,
    FILE_ATTRIBUTE_OFFLINE = 4096,
    FILE_ATTRIBUTE_READONLY = 1,
    FILE_ATTRIBUTE_REPARSE_POINT = 1024,
    FILE_ATTRIBUTE_SPARSE_FILE = 512,
    FILE_ATTRIBUTE_SYSTEM = 4,
    FILE_ATTRIBUTE_TEMPORARY = 256,
    FILE_ATTRIBUTE_VIRTUAL = 65536,
}
```

However, the field is named CreateOptions, which implies that it represents the NT native CreateOptions parameter (used by NtCreateFile, e.g., FILE_DIRECTORY_FILE, FILE_ATTRIBUTE_NORMAL, etc.). These NT flags are completely different from the Win32 file attributes listed above.
Using the actual CreateOptions flags from NtCreateFile and defining them as a flags enumeration produced correct results - so it looks like the wrong flags enumeration (the Win32 file attributes) was accidentally placed here.
As it stands, the naming is misleading because the values don't match the NT CreateOptions bitmask at all - and the kernel should be logging the NT CreateOptions flags from NtCreateFile, not the Win32 file attributes.
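Added example, not part of the original issue and not PerfView code: the same raw values decoded once with a subset of the documented NtCreateFile CreateOptions bits and once with five of the Win32 attribute values quoted above, showing how an analyst reading a trace would see, for instance, FILE_DELETE_ON_CLOSE reported as FILE_ATTRIBUTE_OFFLINE. The type names `NtCreateOptions`, `Win32FileAttributes` and `CreateOptionsDemo`, the sample values, and the assumption that the top 8 bits of the raw field may carry the create disposition (so only the low 24 bits are decoded) are all introduced here for illustration.

```csharp
using System;

// Subset of the NT CreateOptions bits documented for NtCreateFile (hypothetical type name).
[Flags]
public enum NtCreateOptions : uint
{
    NONE = 0,
    FILE_DIRECTORY_FILE = 0x00000001,
    FILE_WRITE_THROUGH = 0x00000002,
    FILE_SEQUENTIAL_ONLY = 0x00000004,
    FILE_NO_INTERMEDIATE_BUFFERING = 0x00000008,
    FILE_SYNCHRONOUS_IO_ALERT = 0x00000010,
    FILE_SYNCHRONOUS_IO_NONALERT = 0x00000020,
    FILE_NON_DIRECTORY_FILE = 0x00000040,
    FILE_DELETE_ON_CLOSE = 0x00001000,
    FILE_OPEN_FOR_BACKUP_INTENT = 0x00004000,
    FILE_OPEN_REPARSE_POINT = 0x00200000,
}

// Five of the values from the enum quoted in the issue, enough to show the mislabeling.
[Flags]
public enum Win32FileAttributes : uint
{
    FILE_ATTRIBUTE_READONLY = 1,
    FILE_ATTRIBUTE_ARCHIVE = 32,
    FILE_ATTRIBUTE_DEVICE = 64,
    FILE_ATTRIBUTE_OFFLINE = 4096,
    FILE_ATTRIBUTE_ENCRYPTED = 16384,
}

public static class CreateOptionsDemo
{
    // Assumption: the top 8 bits may hold the create disposition, so decode only the low 24.
    const uint OptionsMask = 0x00FFFFFF;

    public static void Main()
    {
        // Constructed sample values, not taken from a real trace.
        uint[] samples = { 0x00000060, 0x00001040, 0x00004021 };
        foreach (uint raw in samples)
        {
            uint bits = raw & OptionsMask;
            Console.WriteLine($"0x{raw:X8}");
            Console.WriteLine($"  as NT CreateOptions: {(NtCreateOptions)bits}");
            Console.WriteLine($"  as Win32 attributes: {(Win32FileAttributes)bits}");
        }
    }
}
```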