Microsoft-Windows-FilterManager

14 events across 1 channel

Event ID	Title	Channel
1	File System Filter 'DeviceName'.	System
2	Name caching for File System Filters has been disabled on volume 'ExtraString'.	System
3	Filter Manager failed to attach to volume 'ExtraString'.	System
4	File System Filter 'DeviceName'.	System
5	File System Filter 'DeviceName'.	System
6	File System Filter 'DeviceName'.	System
7	File System Filter 'DeviceName'.	System
8	Filter Manager successfully attached to volume 'ExtraString'.	System
9	Filter Manager failed to attach to file system control device object (CDO) …	System
10	Filter Manager successfully attached to file system 'ExtraString'.	System
11	File System Filter 'DeviceName'.	System
12	File System Filter 'Process'.	System
13	Filter Manager failed to load filter attach policy for this volume.	System
14	Filter Manager successfully loaded filter attach policy for this volume.	System

Event ID 1 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: Informational

Description

File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) unloaded successfully.

Message #

File System Filter '%5' (Version %2.%3, %6) unloaded successfully.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceTime` FILETIME	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-FilterManager",
    "guid": "F3C5E28E-63F6-49C7-A204-E48A1BC4B09D",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:40.330241+00:00",
    "event_record_id": 1681,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FinalStatus": "0x0",
    "DeviceVersionMajor": 10,
    "DeviceVersionMinor": 0,
    "DeviceNameLength": 6,
    "DeviceName": "CldFlt",
    "DeviceTime": "2074-05-01T16:21:15.000000Z"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — Name caching for File System Filters has been disabled on volume 'ExtraString'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Name caching for File System Filters has been disabled on volume 'ExtraString'.

Message #

Name caching for File System Filters has been disabled on volume '%3'.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 3 — Filter Manager failed to attach to volume 'ExtraString'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager failed to attach to volume 'ExtraString'. This volume will be unavailable for filtering until a reboot. The final status was FinalStatus.

Message #

Filter Manager failed to attach to volume '%3'.  This volume will be unavailable for filtering until a reboot.  The final status was %1.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 4 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Message #

File System Filter '%5' (Version %2.%3, %6) failed to attach to volume '%8'.  The filter returned a non-standard final status of %1.  This filter and/or its supporting applications should handle this condition.  If this condition persists, contact the vendor.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceTime` FILETIME	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 5 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) failed to register with Filter Manager. The final status for this operation was FinalStatus.

Message #

File System Filter '%5' (Version %2.%3, %6) failed to register with Filter Manager.  The final status for this operation was %1.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceTime` FILETIME	—

Event ID 6 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: Informational
Collection Priority: Recommended (NSA)

Description

File System Filter 'DeviceName' (DeviceVersionMajor.DeviceVersionMinor, DeviceTime) has successfully loaded and registered with Filter Manager.

Message #

File System Filter '%5' (%2.%3, %6) has successfully loaded and registered with Filter Manager.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceTime` FILETIME	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-FilterManager",
    "guid": "F3C5E28E-63F6-49C7-A204-E48A1BC4B09D",
    "event_source_name": "",
    "event_id": 6,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:40.431588+00:00",
    "event_record_id": 1684,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FinalStatus": "0x0",
    "DeviceVersionMajor": 10,
    "DeviceVersionMinor": 0,
    "DeviceNameLength": 7,
    "DeviceName": "bindflt",
    "DeviceTime": "2010-05-16T11:24:57.000000Z"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 7 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) failed to start filtering. The final status for this operation was FinalStatus.

Message #

File System Filter '%5' (Version %2.%3, %6) failed to start filtering.  The final status for this operation was %1.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceTime` FILETIME	—

Event ID 8 — Filter Manager successfully attached to volume 'ExtraString'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager successfully attached to volume 'ExtraString'.

Message #

Filter Manager successfully attached to volume '%3'.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 9 — Filter Manager failed to attach to file system control device object (CDO) 'ExtraString'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager failed to attach to file system control device object (CDO) 'ExtraString'. All volumes associated with this file system will be unavailable for filtering until a reboot. The final status was FinalStatus.

Message #

Filter Manager failed to attach to file system control device object (CDO) '%3'.  All volumes associated with this file system will be unavailable for filtering until a reboot. The final status was %1.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 10 — Filter Manager successfully attached to file system 'ExtraString'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager successfully attached to file system 'ExtraString'.

Message #

Filter Manager successfully attached to file system '%3'.

Fields #

Name	Description
`FinalStatus` HexInt32	—
`ExtraStringLength` UInt16	—
`ExtraString` UnicodeString	—

Event ID 11 — File System Filter 'DeviceName'.

Provider: Microsoft-Windows-FilterManager
Channel: System
Level: Warning

Description

File System Filter 'DeviceName' (Version DeviceVersionMajor.DeviceVersionMinor, DeviceTime) does not support bypass IO.

Message #

File System Filter '%1' (Version %2.%3, %4) does not support bypass IO.
Supported features: %5.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceTime` FILETIME	—
`SupportedFeatures` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-FilterManager",
    "guid": "F3C5E28E-63F6-49C7-A204-E48A1BC4B09D",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T00:12:50.565375+00:00",
    "event_record_id": 2060,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 10280
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceName": "avgntflt",
    "DeviceVersionMajor": 10,
    "DeviceVersionMinor": 0,
    "DeviceTime": "2021-10-12T03:32:13.000000Z",
    "SupportedFeatures": "0x7"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 12 — File System Filter 'Process'.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

File System Filter 'Process' (Version File.Bypass_IO_Operation, Vetoing_Reason) vetoed bypass IO.

Message #

File System Filter '%1' (Version %2.%3, %4) vetoed bypass IO.

     Process: %5
     File: %6
     Bypass IO Operation: %7
     Vetoing Reason: %8
     Operation Status: %9

Fields #

Name	Description
`Process`	—
`File`	—
`Bypass_IO_Operation`	—
`Vetoing_Reason`	—
`Operation_Status`	Process.
`DeviceName` UnicodeString	—
`DeviceVersionMajor` UInt32	—
`DeviceVersionMinor` UInt32	—
`DeviceTime` FILETIME	—
`ProcessName` AnsiString	—
`FileName` UnicodeString	—
`BypassIoOperation` UInt32	—
`BypassVetoingReason` UnicodeString	—
`OperationStatus` HexInt32	—

Event ID 13 — Filter Manager failed to load filter attach policy for this volume.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager failed to load filter attach policy for this volume.

Message #

Filter Manager failed to load filter attach policy for this volume.

     Volume name: %2
     Volume GUID: %3
     File system GUID: %4
     File system driver: %6
     Status: %7

Fields #

Name	Description
`Volume_name`	—
`Volume_GUID`	—
`File_system_GUID`	—
`File_system_driver`	—
`Status` HexInt32	— NTSTATUS reference
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—
`VolumeGuid` GUID	—
`FsGuid` GUID	—
`FsDriverNameLength` UInt16	—
`FsDriverName` UnicodeString	—

Event ID 14 — Filter Manager successfully loaded filter attach policy for this volume.

Provider: Microsoft-Windows-FilterManager
Channel: System

Description

Filter Manager successfully loaded filter attach policy for this volume.

Message #

Filter Manager successfully loaded filter attach policy for this volume.

     Volume name: %2
     Volume GUID: %3
     File system GUID: %4
     File system driver: %6

     GpAllowStatus: %7
     SystemAllowStatus: %10
     VolumeAllowStatus: %13
     Allow antivirus filter: %16
     Antivirus policy is from group policy: %17

Fields #

Name	Description
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—
`VolumeGuid` GUID	—
`FsGuid` GUID	—
`FsDriverNameLength` UInt16	—
`FsDriverName` UnicodeString	—
`GpAllowStatus` HexInt32	—
`GpAllowListLength` UInt16	—
`GpAllowList` UnicodeString	—
`SystemAllowStatus` HexInt32	—
`SystemAllowListLength` UInt16	—
`SystemAllowList` UnicodeString	—
`VolumeAllowStatus` HexInt32	—
`VolumeAllowListLength` UInt16	—
`VolumeAllowList` UnicodeString	—
`AllowAvFilter` Boolean	—
`AvPolicyIsFromGp` Boolean	—