diff --git a/EventMonitor/Main.cpp b/EventMonitor/Main.cpp
index 5dbc2e9..8a2e229 100644
--- a/EventMonitor/Main.cpp
+++ b/EventMonitor/Main.cpp
@@ -21,6 +21,7 @@
 #include "StdAfx.h"
 
 #pragma comment(lib, "tdh.lib")
+#pragma comment(lib, "Ws2_32.lib")
 
 using namespace std;
 using namespace winstd;
@@ -43,17 +44,382 @@ static BOOL WINAPI ConsoleHandler(_In_ DWORD dwCtrlType)
 }
 
 
+static tstring MapToString(_In_ const EVENT_MAP_INFO *pMapInfo, _In_ LPCBYTE pData)
+{
+    if ( (pMapInfo->Flag &  EVENTMAP_INFO_FLAG_MANIFEST_VALUEMAP) ||
+        ((pMapInfo->Flag &  EVENTMAP_INFO_FLAG_WBEM_VALUEMAP    ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) != EVENTMAP_INFO_FLAG_WBEM_FLAG))
+    {
+        if ((pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) == EVENTMAP_INFO_FLAG_WBEM_NO_MAP)
+            return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[*(PULONG)pData].OutputOffset);
+        else {
+            for (ULONG i = 0; ; i++) {
+                if (i >= pMapInfo->EntryCount)
+                    return tstring_printf(_T("%lu"), *(PULONG)pData);
+                else if (pMapInfo->MapEntryArray[i].Value == *(PULONG)pData)
+                    return tstring_printf(_T("%ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset);
+            }
+        }
+    } else if (
+         (pMapInfo->Flag &  EVENTMAP_INFO_FLAG_MANIFEST_BITMAP) ||
+         (pMapInfo->Flag &  EVENTMAP_INFO_FLAG_WBEM_BITMAP    ) ||
+        ((pMapInfo->Flag &  EVENTMAP_INFO_FLAG_WBEM_VALUEMAP  ) && (pMapInfo->Flag & ~EVENTMAP_INFO_FLAG_WBEM_VALUEMAP) == EVENTMAP_INFO_FLAG_WBEM_FLAG))
+    {
+        tstring out;
+
+        if (pMapInfo->Flag & EVENTMAP_INFO_FLAG_WBEM_NO_MAP) {
+            for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
+                if (*(PULONG)pData & (1 << i))
+                    out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
+        } else {
+            for (ULONG i = 0; i < pMapInfo->EntryCount; i++)
+                if ((pMapInfo->MapEntryArray[i].Value & *(PULONG)pData) == pMapInfo->MapEntryArray[i].Value)
+                    out.append(tstring_printf(out.empty() ? _T("%ls") : _T(" | %ls"), (PBYTE)pMapInfo + pMapInfo->MapEntryArray[i].OutputOffset));
+        }
+
+        return out.empty() ? tstring_printf(_T("%lu"), *(PULONG)pData) : out;
+    }
+
+    return _T("<unknown map>");
+}
+
+
+static tstring DataToString(_In_ USHORT InType, _In_ USHORT OutType, _In_count_(nDataSize) LPCBYTE pData, _In_ SIZE_T nDataSize, _In_ const EVENT_MAP_INFO *pMapInfo, _In_ BYTE nPtrSize)
+{
+    assert(pData || !nDataSize);
+
+    switch (InType) {
+        case TDH_INTYPE_UNICODESTRING:
+        case TDH_INTYPE_NONNULLTERMINATEDSTRING:
+        case TDH_INTYPE_UNICODECHAR:
+            return tstring_printf(_T("%.*ls"), nDataSize/sizeof(WCHAR), pData);
+
+        case TDH_INTYPE_ANSISTRING:
+        case TDH_INTYPE_NONNULLTERMINATEDANSISTRING:
+        case TDH_INTYPE_ANSICHAR: {
+            // Convert strings from ANSI code page, all others (JSON, XML etc.) from UTF-8
+            wstring str;
+            MultiByteToWideChar(OutType == TDH_OUTTYPE_STRING ? CP_ACP : CP_UTF8, 0, (LPCSTR)pData, (int)nDataSize, str);
+            return tstring_printf(_T("%ls"), str.c_str());
+        }
+
+        case TDH_INTYPE_COUNTEDSTRING:
+            return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_COUNTEDANSISTRING:
+            return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), *(PUSHORT)pData, pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_REVERSEDCOUNTEDSTRING:
+            return DataToString(TDH_INTYPE_NONNULLTERMINATEDSTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_REVERSEDCOUNTEDANSISTRING:
+            return DataToString(TDH_INTYPE_NONNULLTERMINATEDANSISTRING, OutType, (LPCBYTE)((PUSHORT)pData + 1), MAKEWORD(HIBYTE(*(PUSHORT)pData), LOBYTE(*(PUSHORT)pData)), pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_INT8:
+            assert(nDataSize >= sizeof(CHAR));
+            switch (OutType) {
+            case TDH_OUTTYPE_STRING: return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
+            default                : return tstring_printf(_T("%hd"), *(PCHAR)pData);
+            }
+
+        case TDH_INTYPE_UINT8:
+            assert(nDataSize >= sizeof(BYTE));
+            switch (OutType) {
+            case TDH_OUTTYPE_STRING : return DataToString(TDH_INTYPE_ANSICHAR, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
+            case TDH_OUTTYPE_HEXINT8: return tstring_printf(_T("0x%x"), *(PBYTE)pData);
+            default                 : return tstring_printf(_T("%hu" ), *(PBYTE)pData);
+            }
+
+        case TDH_INTYPE_INT16:
+            assert(nDataSize >= sizeof(SHORT));
+            return tstring_printf(_T("%hd"), *(PSHORT)pData);
+
+        case TDH_INTYPE_UINT16:
+            assert(nDataSize >= sizeof(USHORT));
+            switch (OutType) {
+            case TDH_OUTTYPE_PORT    : return tstring_printf(_T("%hu" ), ntohs(*(PUSHORT)pData));
+            case TDH_OUTTYPE_HEXINT16: return tstring_printf(_T("0x%x"),       *(PUSHORT)pData );
+            case TDH_OUTTYPE_STRING  : return tstring_printf(_T("%lc" ),       *(PUSHORT)pData );
+            default                  : return tstring_printf(_T("%hu" ),       *(PUSHORT)pData );
+            }
+
+        case TDH_INTYPE_INT32:
+            assert(nDataSize >= sizeof(LONG));
+            switch (OutType) {
+            case TDH_OUTTYPE_HRESULT: return tstring_printf(_T("0x%x"), *(PLONG)pData);
+            default                 : return tstring_printf(_T("%ld" ), *(PLONG)pData);
+            }
+
+        case TDH_INTYPE_UINT32:
+            assert(nDataSize >= sizeof(ULONG));
+            switch (OutType) {
+                case TDH_OUTTYPE_HRESULT   :
+                case TDH_OUTTYPE_WIN32ERROR:
+                case TDH_OUTTYPE_NTSTATUS  :
+                case TDH_OUTTYPE_HEXINT32  : return tstring_printf(_T("0x%x"       ),  *(PULONG)pData);
+                case TDH_OUTTYPE_IPV4      : return tstring_printf(_T("%d.%d.%d.%d"), (*(PULONG)pData >> 0) & 0xff, (*(PULONG)pData >> 8) & 0xff, (*(PULONG)pData >> 16) & 0xff, (*(PULONG)pData >> 24) & 0xff);
+                default:                     return pMapInfo ? MapToString(pMapInfo, pData) : tstring_printf(_T("%lu"), *(PULONG)pData);
+            }
+
+        case TDH_INTYPE_HEXINT32:
+            return DataToString(TDH_INTYPE_UINT32, TDH_OUTTYPE_HEXINT32, pData, nDataSize, pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_INT64:
+            assert(nDataSize >= sizeof(LONGLONG));
+            return tstring_printf(_T("%I64d"), *(PLONGLONG)pData);
+
+        case TDH_INTYPE_UINT64:
+            assert(nDataSize >= sizeof(ULONGLONG));
+            switch (OutType) {
+            case TDH_OUTTYPE_HEXINT64: return tstring_printf(_T("0x%I64x"), *(PULONGLONG)pData);
+            default                  : return tstring_printf(_T("%I64u"  ), *(PULONGLONG)pData);
+            }
+
+        case TDH_INTYPE_HEXINT64:
+            return DataToString(TDH_INTYPE_UINT64, TDH_OUTTYPE_HEXINT64, pData, nDataSize, pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_FLOAT:
+            assert(nDataSize >= sizeof(FLOAT));
+            return tstring_printf(_T("%f"), *(PFLOAT)pData);
+
+        case TDH_INTYPE_DOUBLE:
+            assert(nDataSize >= sizeof(DOUBLE));
+            return tstring_printf(_T("%I64f"), *(DOUBLE*)pData);
+
+        case TDH_INTYPE_BOOLEAN:
+            assert(nDataSize >= sizeof(ULONG)); // Yes, boolean is really 32-bit.
+            return *(PULONG)pData ? _T("true") : _T("false");
+
+        case TDH_INTYPE_BINARY:
+            switch (OutType) {
+            case TDH_OUTTYPE_IPV6: {
+                auto RtlIpv6AddressToString = (LPTSTR(NTAPI*)(const IN6_ADDR*, LPTSTR))GetProcAddress(GetModuleHandle(_T("ntdll.dll")),
+#ifdef _UNICODE
+                    "RtlIpv6AddressToStringW"
+#else
+                    "RtlIpv6AddressToStringA"
+#endif
+                    );
+                if (RtlIpv6AddressToString) {
+                    TCHAR szIPv6Addr[47];
+                    RtlIpv6AddressToString((IN6_ADDR*)pData, szIPv6Addr);
+                    return tstring_printf(_T("%s"), szIPv6Addr);
+                } else
+                    return _T("<IPv6 address>");
+            }
+            default: {
+                tstring out;
+                for (SIZE_T i = 0; i < nDataSize; i++)
+                    out.append(tstring_printf(i ? _T(" %02x") : _T("%02x"), pData[i]));
+                return out;
+            }}
+
+        case TDH_INTYPE_HEXDUMP:
+            return DataToString(TDH_INTYPE_BINARY, TDH_OUTTYPE_NULL, pData, nDataSize, pMapInfo, nPtrSize);
+
+        case TDH_INTYPE_GUID: {
+            assert(nDataSize >= sizeof(GUID));
+            WCHAR szGuid[39];
+            StringFromGUID2(*(GUID*)pData, szGuid, _countof(szGuid));
+            return tstring_printf(_T("%ls"), szGuid);
+        }
+
+        case TDH_INTYPE_POINTER:
+            assert(nDataSize >= nPtrSize);
+            switch (nPtrSize) {
+            case sizeof(ULONG    ): return tstring_printf(_T("0x%08x"   ), *(PULONG    )pData);
+            case sizeof(ULONGLONG): return tstring_printf(_T("0x%016I64x"), *(PULONGLONG)pData);
+            default: // Unsupported pointer size.
+                assert(0);
+                return _T("<pointer>");
+            }
+
+        case TDH_INTYPE_SIZET:
+            assert(nDataSize >= nPtrSize);
+            switch (nPtrSize) {
+            case sizeof(ULONG    ): return tstring_printf(_T("%u"   ), *(PULONG    )pData);
+            case sizeof(ULONGLONG): return tstring_printf(_T("%I64u"), *(PULONGLONG)pData);
+            default: // Unsupported size_t size.
+                assert(0);
+                return _T("<size_t>");
+            }
+
+        case TDH_INTYPE_FILETIME: {
+            assert(nDataSize >= sizeof(FILETIME));
+            SYSTEMTIME st, st_local;
+            FileTimeToSystemTime((PFILETIME)pData, &st);
+            SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
+            return DataToString(TDH_INTYPE_SYSTEMTIME, OutType, (LPCBYTE)&st_local, sizeof(st_local), pMapInfo, nPtrSize);
+        }
+
+        case TDH_INTYPE_SYSTEMTIME:
+            assert(nDataSize >= sizeof(SYSTEMTIME));
+            switch (OutType) {
+            case TDH_OUTTYPE_CULTURE_INSENSITIVE_DATETIME: return tstring_printf(_T("%04d-%02d-%02d %02d:%02d:%02d.%03u"), ((PSYSTEMTIME)pData)->wYear, ((PSYSTEMTIME)pData)->wMonth, ((PSYSTEMTIME)pData)->wDay, ((PSYSTEMTIME)pData)->wHour, ((PSYSTEMTIME)pData)->wMinute, ((PSYSTEMTIME)pData)->wSecond, ((PSYSTEMTIME)pData)->wMilliseconds);
+            default: {
+                tstring out;
+                return GetDateFormat(LOCALE_USER_DEFAULT, DATE_LONGDATE, (PSYSTEMTIME)pData, NULL, out) ? out : tstring(_T("<time>"));
+            }}
+
+        case TDH_INTYPE_WBEMSID:
+            // A WBEM SID is actually a TOKEN_USER structure followed 
+            // by the SID. The size of the TOKEN_USER structure differs 
+            // depending on whether the events were generated on a 32-bit 
+            // or 64-bit architecture. Also the structure is aligned
+            // on an 8-byte boundary, so its size is 8 bytes on a
+            // 32-bit computer and 16 bytes on a 64-bit computer.
+            // Doubling the pointer size handles both cases.
+            assert(nDataSize >= nPtrSize * 2);
+            return (PULONG)pData > 0 ? DataToString(TDH_INTYPE_SID, OutType, pData + nPtrSize * 2, nDataSize - nPtrSize * 2, pMapInfo, nPtrSize) : _T("<WBEM SID>");
+
+        case TDH_INTYPE_SID: {
+            assert(nDataSize >= sizeof(SID));
+            tstring user_name, domain_name;
+            SID_NAME_USE eNameUse;
+            if (LookupAccountSid(NULL, (PSID)pData, &user_name, &domain_name, &eNameUse))
+                return tstring_printf(_T("%s\\%s"), domain_name.c_str(), user_name.c_str());
+            else {
+                unique_ptr<TCHAR[], LocalFree_delete<TCHAR[]> > sid;
+                if (GetLastError() == ERROR_NONE_MAPPED &&
+                    ConvertSidToStringSid((PSID)pData, (LPTSTR*)&sid))
+                    return tstring_printf(_T("%s"), sid.get());
+                else
+                    return _T("<SID>");
+            }
+        }
+
+    default:
+        // It is not actually an error if we do not understand the given data type.
+        assert(0);
+        return _T("<unknown data type>");
+    }
+}
+
+
+static ULONG GetArraySize(PEVENT_RECORD pEvent, PTRACE_EVENT_INFO pInfo, ULONG i, ULONG *pulArraySize)
+{
+    if (pInfo->EventPropertyInfoArray[i].Flags & PropertyParamCount) {
+        ULONG ulResult;
+
+        // Get array count property.
+        PROPERTY_DATA_DESCRIPTOR data_desc = { (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[pInfo->EventPropertyInfoArray[i].countPropertyIndex].NameOffset), ULONG_MAX };
+        vector<unsigned char> count;
+        if ((ulResult = TdhGetProperty(pEvent, 0, NULL, 1, &data_desc, count)) != ERROR_SUCCESS)
+            return ulResult;
+
+        // Copy count value to output.
+        switch (count.size()) {
+        case sizeof(BYTE  ): *pulArraySize = *(const BYTE*  )count.data(); break;
+        case sizeof(USHORT): *pulArraySize = *(const USHORT*)count.data(); break;
+        case sizeof(ULONG ): *pulArraySize = *(const ULONG* )count.data(); break;
+        default            : return ERROR_MORE_DATA;
+        }
+    } else
+        *pulArraySize = pInfo->EventPropertyInfoArray[i].count;
+
+    return ERROR_SUCCESS;
+}
+
+
+static tstring PropertyToString(PEVENT_RECORD pEvent, PTRACE_EVENT_INFO pInfo, ULONG ulPropIndex, LPWSTR pStructureName, ULONG ulStructIndex, BYTE nPtrSize)
+{
+    ULONG ulResult;
+
+    // Get the size of the array if the property is an array.
+    ULONG ulArraySize = 0;
+    if ((ulResult = GetArraySize(pEvent, pInfo, ulPropIndex, &ulArraySize)) != ERROR_SUCCESS)
+        return tstring_printf(_T("<Error getting array size (error %u)>"), ulResult);;
+
+    tstring out;
+
+    if (ulArraySize > 1)
+        out += tstring_printf(_T("[%u]("), ulArraySize);
+
+    for (ULONG k = 0; k < ulArraySize; k++) {
+        if (pInfo->EventPropertyInfoArray[ulPropIndex].Flags & PropertyStruct) {
+            // The property is a structure: print the members of the structure.
+            tstring out;
+            out += _T('(');
+            for (USHORT j = pInfo->EventPropertyInfoArray[ulPropIndex].structType.StructStartIndex, usLastMember = pInfo->EventPropertyInfoArray[ulPropIndex].structType.StructStartIndex + pInfo->EventPropertyInfoArray[ulPropIndex].structType.NumOfStructMembers; j < usLastMember; j++) {
+                out += tstring_printf(_T("%ls: "), (LPBYTE)pInfo + pInfo->EventPropertyInfoArray[j].NameOffset);
+                out += PropertyToString(pEvent, pInfo, j, (LPWSTR)((LPBYTE)(pInfo) + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k, nPtrSize);
+            }
+            out += _T(')');
+        } else {
+            if (pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.InType  == TDH_INTYPE_BINARY &&
+                pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.OutType == TDH_OUTTYPE_IPV6)
+            {
+                // The TDH API does not support IPv6 addresses. If the output type is TDH_OUTTYPE_IPV6,
+                // you will not be able to consume the rest of the event. If you try to consume the
+                // remainder of the event, you will get ERROR_EVT_INVALID_EVENT_DATA.
+                return _T("<The event contains an IPv6 address. Skipping.>");
+            } else {
+                vector<BYTE> data;
+                if (pStructureName) {
+                    // To retrieve a member of a structure, you need to specify an array of descriptors. 
+                    // The first descriptor in the array identifies the name of the structure and the second 
+                    // descriptor defines the member of the structure whose data you want to retrieve. 
+                    PROPERTY_DATA_DESCRIPTOR data_desc[2] = {
+                        { (ULONGLONG)pStructureName                                                         , ulStructIndex },
+                        { (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k             }
+                    };
+                    ulResult = TdhGetProperty(pEvent, 0, NULL, _countof(data_desc), data_desc, data);
+                } else {
+                    PROPERTY_DATA_DESCRIPTOR data_desc = { (ULONGLONG)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].NameOffset), k };
+                    ulResult = TdhGetProperty(pEvent, 0, NULL, 1, &data_desc, data);
+                }
+                if (ulResult == ERROR_EVT_INVALID_EVENT_DATA) {
+                    // This happens with empty/NULL data. Not an error actually.
+                    assert(data.empty());
+                } else if (ulResult != ERROR_SUCCESS)
+                    return tstring_printf(_T("<Error getting property (error %u)>"), ulResult);
+
+                // Get the name/value mapping if the property specifies a value map.
+                unique_ptr<EVENT_MAP_INFO> map_info;
+                ulResult = TdhGetEventMapInformation(pEvent, (LPWSTR)((LPBYTE)pInfo + pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.MapNameOffset), map_info);
+                if (ulResult == ERROR_NOT_FOUND) {
+                    // name/value mapping not found. Not an error actually.
+                    assert(!map_info);
+                } else if (ulResult != ERROR_SUCCESS)
+                    return tstring_printf(_T("<Error getting map information (error %u)>"), ulResult);
+                else if (pInfo->DecodingSource == DecodingSourceXMLFile) {
+                    // The mapped string values defined in a manifest will contain a trailing space
+                    // in the EVENT_MAP_ENTRY structure. Replace the trailing space with a null-
+                    // terminating character, so that the bit mapped strings are correctly formatted.
+                    for (ULONG i = 0; i < map_info->EntryCount; i++) {
+                        SIZE_T len = _tcslen((LPCTSTR)((PBYTE)map_info.get() + map_info->MapEntryArray[i].OutputOffset)) - 1;
+                        ((LPWSTR)((PBYTE)map_info.get() + map_info->MapEntryArray[i].OutputOffset))[len] = 0;
+                    }
+                }
+
+                if (!out.empty()) out += _T(", ");
+                out += !data.empty() ? DataToString(
+                    pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.InType,
+                    pInfo->EventPropertyInfoArray[ulPropIndex].nonStructType.OutType,
+                    data.data(),
+                    data.size(),
+                    map_info.get(),
+                    nPtrSize) : _T("<null>");
+            }
+        }
+    }
+
+    if (ulArraySize > 1)
+        out += _T(')');
+
+    return out;
+}
+
+
 static VOID WINAPI EventRecordCallback(_In_ PEVENT_RECORD pEvent)
 {
     {
+        // Calculate and print event time-stamp.
         FILETIME ft;
         ft.dwHighDateTime = pEvent->EventHeader.TimeStamp.HighPart;
         ft.dwLowDateTime = pEvent->EventHeader.TimeStamp.LowPart;
 
-        SYSTEMTIME st;
+        SYSTEMTIME st, st_local;
         FileTimeToSystemTime(&ft, &st);
-
-        SYSTEMTIME st_local;
         SystemTimeToTzSpecificLocalTime(NULL, &st, &st_local);
 
         ULONGLONG
@@ -65,10 +431,36 @@ static VOID WINAPI EventRecordCallback(_In_ PEVENT_RECORD pEvent)
     }
 
     {
+        // Get event meta-info.
         unique_ptr<TRACE_EVENT_INFO> info;
         ULONG ulResult;
         if ((ulResult = TdhGetEventInformation(pEvent, 0, NULL, info)) == ERROR_SUCCESS) {
-            _ftprintf(stdout, _T(" %ls"), info->EventMessageOffset ? (LPCWSTR)((LPCBYTE)info.get() + info->EventMessageOffset) : L"");
+            if (info->DecodingSource != DecodingSourceWPP) {
+                if (pEvent->EventHeader.Flags & EVENT_HEADER_FLAG_STRING_ONLY) {
+                    // This is a string-only event. Print it.
+                    _ftprintf(stdout, _T(" %ls"), pEvent->UserData);
+                } else {
+                    // This is not a string-only event. Prepare parameters.
+
+                    BYTE nPtrSize = (pEvent->EventHeader.Flags & EVENT_HEADER_FLAG_32_BIT_HEADER) ? 4 : 8;
+                    vector<tstring> props;
+                    vector<DWORD_PTR> props_msg;
+                    props.reserve(info->TopLevelPropertyCount);
+                    props_msg.reserve(info->TopLevelPropertyCount);
+                    for (ULONG i = 0; i < info->TopLevelPropertyCount; i++) {
+                        props.push_back(std::move(PropertyToString(pEvent, info.get(), i, NULL, 0, nPtrSize)));
+                        props_msg.push_back((DWORD_PTR)props[i].c_str());
+                    }
+
+                    if (info->EventMessageOffset) {
+                        // Format the message.
+                        _ftprintf(stdout, _T(" %ls"), wstring_msg(0, (LPCTSTR)((LPCBYTE)info.get() + info->EventMessageOffset), props_msg.data()).c_str());
+                    }
+                }
+            } else if (info->EventMessageOffset) {
+                // This is a WPP event.
+                _ftprintf(stdout, _T(" %ls"), (LPCBYTE)info.get() + info->EventMessageOffset);
+            }
         }
     }
 
diff --git a/EventMonitor/StdAfx.h b/EventMonitor/StdAfx.h
index 0cc00ef..ffbfe10 100644
--- a/EventMonitor/StdAfx.h
+++ b/EventMonitor/StdAfx.h
@@ -24,8 +24,12 @@
 
 #include <WinStd/COM.h>
 #include <WinStd/ETW.h>
+#include <WinStd/Win.h>
 
 #include <Windows.h>
+#include <in6addr.h>
+#include <MSTcpIP.h>
+#include <Sddl.h>
 #include <tchar.h>
 
 #include <vector>
diff --git a/lib/WinStd b/lib/WinStd
index b7e21e9..5c03df0 160000
--- a/lib/WinStd
+++ b/lib/WinStd
@@ -1 +1 @@
-Subproject commit b7e21e972fe4f154a4d9f92a04f8ca08f0a00ad8
+Subproject commit 5c03df0d74a3984c7ba23398b10ea061cffafc84