Microsoft-Windows-FilterManager

14 events across 1 channel

Event ID	Title	Channel
1	File System Filter '.	System
2	Name caching for File System Filters has been disabled on volume '.	System
3	Filter Manager failed to attach to volume '.	System
4	File System Filter '.	System
5	File System Filter '.	System
6	File System Filter 'FileInfo' (6.1, 1.247502111e+09) has successfully loaded and …	System
7	File System Filter '.	System
8	Filter Manager successfully attached to volume '.	System
9	Filter Manager failed to attach to file system control device object (CDO) '.	System
10	Filter Manager successfully attached to file system '.	System
11	File System Filter '.	System
12	File System Filter '.	System
13	Filter Manager failed to load filter attach policy for this volume.	System
14	Filter Manager successfully loaded filter attach policy for this volume.	System

Event ID 1 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: 4
Samples: 1

Message

File System Filter '%5' (Version %2.%3, %6) unloaded successfully.

Fields

Name	Description
`FinalStatus`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceNameLength`	—
`DeviceName`	—
`DeviceTime`	—

Example Event

system:
  provider: Microsoft-Windows-FilterManager
  guid: F3C5E28E-63F6-49C7-A204-E48A1BC4B09D
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:40.330241+00:00'
  event_record_id: 1681
  correlation: {}
  execution:
    process_id: 4
    thread_id: 52
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FinalStatus: '0x0'
  DeviceVersionMajor: 10
  DeviceVersionMinor: 0
  DeviceNameLength: 6
  DeviceName: CldFlt
  DeviceTime: '2074-05-01T16:21:15.000000Z'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — Name caching for File System Filters has been disabled on volume '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Name caching for File System Filters has been disabled on volume '%3'.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 3 — Filter Manager failed to attach to volume '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager failed to attach to volume '%3'.  This volume will be unavailable for filtering until a reboot.  The final status was %1.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 4 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

File System Filter '%5' (Version %2.%3, %6) failed to attach to volume '%8'.  The filter returned a non-standard final status of %1.  This filter and/or its supporting applications should handle this condition.  If this condition persists, contact the vendor.

Fields

Name	Description
`FinalStatus`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceNameLength`	—
`DeviceName`	—
`DeviceTime`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 5 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

File System Filter '%5' (Version %2.%3, %6) failed to register with Filter Manager.  The final status for this operation was %1.

Fields

Name	Description
`FinalStatus`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceNameLength`	—
`DeviceName`	—
`DeviceTime`	—

Event ID 6 — File System Filter 'FileInfo' (6.1, 1.247502111e+09) has successfully loaded and registered with Filter Manager.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: 4
Samples: 1

Message

File System Filter '%5' (%2.%3, %6) has successfully loaded and registered with Filter Manager.

Fields

Name	Description
`FinalStatus`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceNameLength`	—
`DeviceName`	—
`DeviceTime`	—

Example Event

system:
  provider: Microsoft-Windows-FilterManager
  guid: F3C5E28E-63F6-49C7-A204-E48A1BC4B09D
  event_source_name: ''
  event_id: 6
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:40.431588+00:00'
  event_record_id: 1684
  correlation: {}
  execution:
    process_id: 4
    thread_id: 52
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FinalStatus: '0x0'
  DeviceVersionMajor: 10
  DeviceVersionMinor: 0
  DeviceNameLength: 7
  DeviceName: bindflt
  DeviceTime: '2010-05-16T11:24:57.000000Z'
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 7 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

File System Filter '%5' (Version %2.%3, %6) failed to start filtering.  The final status for this operation was %1.

Fields

Name	Description
`FinalStatus`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceNameLength`	—
`DeviceName`	—
`DeviceTime`	—

Event ID 8 — Filter Manager successfully attached to volume '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager successfully attached to volume '%3'.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 9 — Filter Manager failed to attach to file system control device object (CDO) '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager failed to attach to file system control device object (CDO) '%3'.  All volumes associated with this file system will be unavailable for filtering until a reboot. The final status was %1.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 10 — Filter Manager successfully attached to file system '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager successfully attached to file system '%3'.

Fields

Name	Description
`FinalStatus`	—
`ExtraStringLength`	—
`ExtraString`	—

Event ID 11 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: 3
Samples: 1

Message

File System Filter '%1' (Version %2.%3, %4) does not support bypass IO.
Supported features: %5.

Fields

Name	Description
`DeviceName`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceTime`	—
`SupportedFeatures`	—

Example Event

system:
  provider: Microsoft-Windows-FilterManager
  guid: F3C5E28E-63F6-49C7-A204-E48A1BC4B09D
  event_source_name: ''
  event_id: 11
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T00:12:50.565375+00:00'
  event_record_id: 2060
  correlation: {}
  execution:
    process_id: 4
    thread_id: 10280
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DeviceName: avgntflt
  DeviceVersionMajor: 10
  DeviceVersionMinor: 0
  DeviceTime: '2021-10-12T03:32:13.000000Z'
  SupportedFeatures: '0x7'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12 — File System Filter '.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

File System Filter '%1' (Version %2.%3, %4) vetoed bypass IO.

     Process: %5
     File: %6
     Bypass IO Operation: %7
     Vetoing Reason: %8
     Operation Status: %9

Fields

Name	Description
`Process`	—
`File`	—
`Bypass_IO_Operation`	—
`Vetoing_Reason`	—
`Operation_Status`	Process.
`DeviceName`	—
`DeviceVersionMajor`	—
`DeviceVersionMinor`	—
`DeviceTime`	—
`ProcessName`	—
`FileName`	—
`BypassIoOperation`	—
`BypassVetoingReason`	—
`OperationStatus`	—

Event ID 13 — Filter Manager failed to load filter attach policy for this volume.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager failed to load filter attach policy for this volume.

     Volume name: %2
     Volume GUID: %3
     File system GUID: %4
     File system driver: %6
     Status: %7

Fields

Name	Description
`Volume_name`	—
`Volume_GUID`	—
`File_system_GUID`	—
`File_system_driver`	—
`Status`	—
`VolumeNameLength`	—
`VolumeName`	—
`VolumeGuid`	—
`FsGuid`	—
`FsDriverNameLength`	—
`FsDriverName`	—

Event ID 14 — Filter Manager successfully loaded filter attach policy for this volume.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message

Filter Manager successfully loaded filter attach policy for this volume.

     Volume name: %2
     Volume GUID: %3
     File system GUID: %4
     File system driver: %6

     GpAllowStatus: %7
     SystemAllowStatus: %10
     VolumeAllowStatus: %13
     Allow antivirus filter: %16
     Antivirus policy is from group policy: %17

Fields

Name	Description
`VolumeNameLength`	—
`VolumeName`	—
`VolumeGuid`	—
`FsGuid`	—
`FsDriverNameLength`	—
`FsDriverName`	—
`GpAllowStatus`	—
`GpAllowListLength`	—
`GpAllowList`	—
`SystemAllowStatus`	—
`SystemAllowListLength`	—
`SystemAllowList`	—
`VolumeAllowStatus`	—
`VolumeAllowListLength`	—
`VolumeAllowList`	—
`AllowAvFilter`	—
`AvPolicyIsFromGp`	—