Microsoft-Windows-Kernel-File
25 events across 1 channel
Event ID 10 —
Fields #
| Name | Type | Description |
|---|---|---|
| FileKey | Pointer | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "10",
"version": "0",
"level": "4",
"task": "10",
"opcode": "0",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:37.078046800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "8688",
"thread_id": "2504"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FileKey": "0xFFFF810C435113E0",
"FileName": "\\Device\\HarddiskVolume4\\Temp\\etw_hv.etl"
},
"message": ""
}
Event ID 11 —
Fields #
| Name | Type | Description |
|---|---|---|
| FileKey | Pointer | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "11",
"version": "0",
"level": "4",
"task": "11",
"opcode": "0",
"keywords": 9223372036854775824,
"time_created": "2026-03-16T00:21:37.779030500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6656"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"FileKey": "0xFFFF810C43172170",
"FileName": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Beats\\9.2.3\\winlogbeat\\data\\.winlogbeat.yml.new"
},
"message": ""
}
Event ID 12 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| IssuingThreadId | UInt32 | — |
| CreateOptions | UInt32 | — |
| CreateAttributes | UInt32 | — |
| ShareAccess | UInt32 | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "12",
"version": "1",
"level": "4",
"task": "12",
"opcode": "0",
"keywords": 9223372036854775968,
"time_created": "2026-03-16T00:21:35.061838900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A105DBAD8",
"FileObject": "0xFFFF980A11C43D80",
"IssuingThreadId": " 3448",
"CreateOptions": "0x1000060",
"CreateAttributes": "0x0",
"ShareAccess": "0x1",
"FileName": "\\Device\\HarddiskVolume4\\Windows\\Prefetch\\LOGMAN.EXE-F6000818.pf"
},
"message": ""
}
Event ID 13 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "13",
"version": "1",
"level": "4",
"task": "13",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.057098000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12824",
"thread_id": "8012"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A1150BA98",
"FileObject": "0xFFFF980A1586E480",
"FileKey": "0xFFFF810C2F207700",
"IssuingThreadId": " 8012"
},
"message": ""
}
Event ID 14 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "14",
"version": "1",
"level": "4",
"task": "14",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.057163300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12824",
"thread_id": "8012"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A1150BA98",
"FileObject": "0xFFFF980A1586E480",
"FileKey": "0xFFFF810C2F207700",
"IssuingThreadId": " 8012"
},
"message": ""
}
Event ID 15 —
Fields #
| Name | Type | Description |
|---|---|---|
| ByteOffset | UInt64 | — |
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
| IOSize | UInt32 | — |
| IOFlags | UInt32 | — |
| ExtraFlags | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "15",
"version": "1",
"level": "4",
"task": "15",
"opcode": "0",
"keywords": 9223372036854776096,
"time_created": "2026-03-16T00:21:35.069305000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ByteOffset": "0x0",
"Irp": "0xFFFF980A119BB0F8",
"FileObject": "0xFFFF980A11C43D80",
"FileKey": "0xFFFF810C52FFA170",
"IssuingThreadId": " 3448",
"IOSize": "0x2",
"IOFlags": "0x0",
"ExtraFlags": "0x0"
},
"message": ""
}
Event ID 16 —
Fields #
| Name | Type | Description |
|---|---|---|
| ByteOffset | UInt64 | — |
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
| IOSize | UInt32 | — |
| IOFlags | UInt32 | — |
| ExtraFlags | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "16",
"version": "1",
"level": "4",
"task": "16",
"opcode": "0",
"keywords": 9223372036854776352,
"time_created": "2026-03-16T00:21:35.057748500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4",
"thread_id": "10452"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"ByteOffset": "0x46000",
"Irp": "0xFFFF980A0E10FB08",
"FileObject": "0xFFFF980A1DA02520",
"FileKey": "0xFFFF810C41087170",
"IssuingThreadId": " 10452",
"IOSize": "0x2000",
"IOFlags": "0x60A01",
"ExtraFlags": "0x0"
},
"message": ""
}
Event ID 17 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "17",
"version": "1",
"level": "4",
"task": "17",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:36.406280900+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4",
"thread_id": "10636"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A17BFA0F8",
"FileObject": "0xFFFF980A10F6C260",
"FileKey": "0xFFFF810C2E0681B0",
"ExtraInformation": "0x1C",
"IssuingThreadId": " 10636",
"InfoClass": " 20"
},
"message": ""
}
Event ID 18 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "18",
"version": "1",
"level": "4",
"task": "18",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:22:31.171200000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "7124",
"thread_id": "4044"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A10A97758",
"FileObject": "0xFFFF980A1585B7E0",
"FileKey": "0xFFFF810C396CB170",
"ExtraInformation": "0x1",
"IssuingThreadId": " 4044",
"InfoClass": " 64"
},
"message": ""
}
Event ID 19 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "19",
"version": "1",
"level": "4",
"task": "19",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:37.778249300+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6656"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A0DA56AF8",
"FileObject": "0xFFFF980A126899A0",
"FileKey": "0xFFFF810C43172170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 6656",
"InfoClass": " 10"
},
"message": ""
}
Event ID 20 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
| Length | UInt32 | — |
| InfoClass | UInt32 | — |
| FileIndex | UInt32 | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "20",
"version": "1",
"level": "4",
"task": "20",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.065257100+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A17D957C8",
"FileObject": "0xFFFF980A15851700",
"FileKey": "0xFFFF810C2ACDE700",
"IssuingThreadId": " 11352",
"Length": " 616",
"InfoClass": " 3",
"FileIndex": " 0",
"FileName": "logman\"*"
},
"message": ""
}
Event ID 21 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "21",
"version": "1",
"level": "4",
"task": "21",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.372972200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6972"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A0EF5A358",
"FileObject": "0xFFFF980A11C3D0A0",
"FileKey": "0xFFFF810C40FC5170",
"IssuingThreadId": " 6972"
},
"message": ""
}
Event ID 22 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "22",
"version": "1",
"level": "4",
"task": "22",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.052538600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3668",
"thread_id": "9620"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A0EB930F8",
"FileObject": "0xFFFF980A11C41EA0",
"FileKey": "0xFFFF810C40FC5170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 9620",
"InfoClass": " 22"
},
"message": ""
}
Event ID 23 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "23",
"version": "1",
"level": "4",
"task": "23",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.062034500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A11B41A08",
"FileObject": "0xFFFF980A11C43D80",
"FileKey": "0xFFFF810C52FFA170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 3448",
"InfoClass": " 590059"
},
"message": ""
}
Event ID 24 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| ExtraInformation | Pointer | — |
| Status | UInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "24",
"version": "0",
"level": "4",
"task": "24",
"opcode": "0",
"keywords": 9223372036854775904,
"time_created": "2026-03-16T00:21:35.052579700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3668",
"thread_id": "9620"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A0EB930F8",
"ExtraInformation": "0x26",
"Status": "0x0"
},
"message": ""
}
Event ID 25 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| IssuingThreadId | UInt32 | — |
| Length | UInt32 | — |
| InfoClass | UInt32 | — |
| FileIndex | UInt32 | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "25",
"version": "1",
"level": "4",
"task": "25",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:23:59.612990800+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "12488",
"thread_id": "13240"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A16FECAC8",
"FileObject": "0xFFFF980A1598A500",
"FileKey": "0xFFFF810C53AE7170",
"IssuingThreadId": " 13240",
"Length": " 32",
"InfoClass": " 3",
"FileIndex": " 0",
"FileName": ""
},
"message": ""
}
Event ID 26 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
| FilePath | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "26",
"version": "1",
"level": "4",
"task": "26",
"opcode": "0",
"keywords": 9223372036854776832,
"time_created": "2026-03-16T00:22:31.171214700+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "7124",
"thread_id": "4044"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A10A97758",
"FileObject": "0xFFFF980A1585B7E0",
"FileKey": "0xFFFF810C396CB170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 4044",
"InfoClass": " 64",
"FilePath": "\\Device\\HarddiskVolume4\\Users\\domainadmin\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2hphljyo.ubn.ps1"
},
"message": ""
}
Event ID 27 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
| FilePath | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "27",
"version": "1",
"level": "4",
"task": "27",
"opcode": "0",
"keywords": 9223372036854777856,
"time_created": "2026-03-16T00:21:37.778427000+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "4168",
"thread_id": "6656"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A0DA56AF8",
"FileObject": "0xFFFF980A126899A0",
"FileKey": "0xFFFF810C43172170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 6656",
"InfoClass": " 10",
"FilePath": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Beats\\9.2.3\\winlogbeat\\data\\.winlogbeat.yml"
},
"message": ""
}
Event ID 28 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
| FilePath | UnicodeString | — |
Event ID 29 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Event ID 30 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| IssuingThreadId | UInt32 | — |
| CreateOptions | UInt32 | — |
| CreateAttributes | UInt32 | — |
| ShareAccess | UInt32 | — |
| FileName | UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "30",
"version": "1",
"level": "4",
"task": "30",
"opcode": "0",
"keywords": 9223372036854779904,
"time_created": "2026-03-16T00:21:35.067497500+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A105DBAD8",
"FileObject": "0xFFFF980A11C43D80",
"IssuingThreadId": " 3448",
"CreateOptions": "0x5000060",
"CreateAttributes": "0x0",
"ShareAccess": "0x0",
"FileName": "\\Device\\HarddiskVolume4\\Windows\\Prefetch\\LOGMAN.EXE-F6000818.pf"
},
"message": ""
}
Event ID 31 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "31",
"version": "1",
"level": "4",
"task": "31",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:24:30.201502200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3436",
"thread_id": "9824"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A1F3F90F8",
"FileObject": "0xFFFF980A1598D900",
"FileKey": "0xFFFF810C376F7170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 9824",
"InfoClass": " 0"
},
"message": ""
}
Event ID 32 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "32",
"version": "1",
"level": "4",
"task": "32",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.065175200+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "10736",
"thread_id": "11352"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A17D957C8",
"FileObject": "0xFFFF980A15851700",
"FileKey": "0xFFFF810C2ACDE700",
"ExtraInformation": "0x0",
"IssuingThreadId": " 11352",
"InfoClass": " 0"
},
"message": ""
}
Event ID 33 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Event ID 34 —
Fields #
| Name | Type | Description |
|---|---|---|
| Irp | Pointer | — |
| FileObject | Pointer | — |
| FileKey | Pointer | — |
| ExtraInformation | Pointer | — |
| IssuingThreadId | UInt32 | — |
| InfoClass | UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-File",
"guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
"event_source_name": "",
"event_id": "34",
"version": "1",
"level": "4",
"task": "34",
"opcode": "0",
"keywords": 9223372036854775840,
"time_created": "2026-03-16T00:21:35.061972600+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{00000000-0000-0000-0000-000000000000}"
},
"execution": {
"process_id": "3264",
"thread_id": "3448"
},
"channel": "Microsoft-Windows-Kernel-File/Analytic",
"computer": "",
"security": {
"user_id": ""
}
},
"event_data": {
"Irp": "0xFFFF980A11B41A08",
"FileObject": "0xFFFF980A11C43D80",
"FileKey": "0xFFFF810C52FFA170",
"ExtraInformation": "0x0",
"IssuingThreadId": " 3448",
"InfoClass": " 0"
},
"message": ""
}