Microsoft-Windows-Kernel-IO

14 events across 2 channels

Event ID 1 — Windows has started processing the volume mount request.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: 4
Samples: 1

Message

Windows has started processing the volume mount request.

           Volume GUID: %1
           Volume Name: %3

Fields

Name | Description
VolumeGuid
VolumeNameLength
VolumeName

Example Event

system:
  provider: Microsoft-Windows-Kernel-IO
  guid: ABF1F586-2E50-4BA8-928D-49044E6F0DB7
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 1
  opcode: 1
  keywords: 9223372036854775809
  time_created: '2022-04-07T17:41:20.068195+00:00'
  event_record_id: 981
  correlation: {}
  execution:
    process_id: 3228
    thread_id: 4516
  channel: Microsoft-Windows-Kernel-IO/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  VolumeGuid: 00000000-0000-0000-0000-000000000000
  VolumeNameLength: 0
  VolumeName: ''
message: ''

Event ID 2 — The volume has been successfully mounted.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: 4
Samples: 1

Message

The volume has been successfully mounted.

           Volume GUID: %1
           Volume Name: %3

Fields

Name | Description
VolumeGuid
VolumeNameLength
VolumeName

Example Event

system:
  provider: Microsoft-Windows-Kernel-IO
  guid: ABF1F586-2E50-4BA8-928D-49044E6F0DB7
  event_source_name: ''
  event_id: 2
  version: 0
  level: 4
  task: 1
  opcode: 2
  keywords: 9223372036854775809
  time_created: '2022-04-07T17:41:19.983659+00:00'
  event_record_id: 958
  correlation: {}
  execution:
    process_id: 3228
    thread_id: 3296
  channel: Microsoft-Windows-Kernel-IO/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  VolumeGuid: 00000000-0000-0000-0000-000000000000
  VolumeNameLength: 0
  VolumeName: ''
message: ''

Event ID 3 — Windows failed to mount the volume.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: 3
Samples: 1

Message

Windows failed to mount the volume.

           Status: %4
           Volume GUID: %1
           Volume Name: %3

Fields

Name | Description
VolumeGuid
VolumeNameLength
VolumeName
Error | Status.

Example Event

system:
  provider: Microsoft-Windows-Kernel-IO
  guid: ABF1F586-2E50-4BA8-928D-49044E6F0DB7
  event_source_name: ''
  event_id: 3
  version: 0
  level: 3
  task: 1
  opcode: 2
  keywords: 9223372036854775809
  time_created: '2022-04-07T17:41:20.068196+00:00'
  event_record_id: 982
  correlation: {}
  execution:
    process_id: 3228
    thread_id: 4516
  channel: Microsoft-Windows-Kernel-IO/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  VolumeGuid: 00000000-0000-0000-0000-000000000000
  VolumeNameLength: 0
  VolumeName: ''
  Error: '0xc0000001'
message: ''

Event ID 1205 — Windows is configured to block legacy file system filters.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Message

Windows is configured to block legacy file system filters.

           Filter name: %2

Fields

Name | Description
Filter_name
FilterNameLength
FilterName

Event ID 1206 — Legacy file system filters cannot attach to byte addressable volumes.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Message

Legacy file system filters cannot attach to byte addressable volumes.

           Filter name: %2
           Volume name: %4

Fields

Name | Description
Filter_name
Volume_name
FilterNameLength
FilterName
VolumeNameLength
VolumeName

Event ID 1207 — Dumps are disabled on the machine since there was an error enabling dump encryption.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Message

Dumps are disabled on the machine since there was an error enabling dump encryption: %1.
See http://go.microsoft.com/fwlink/?LinkId=824149 for more information on dump encryption

Fields

Name | Description
DumpEncryptionFailureReason

Event ID 1212 — Failed to automatically attach a VHD during system startup.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Message

Failed to automatically attach a VHD during system startup.

          VHD name: %2
          Status: %3

Fields

Name | Description
VHD_name
Status
NameLength
Name

Event ID 1213 — This volume is configured to block legacy file system filters.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Message

This volume is configured to block legacy file system filters.

           Filter name: %2
           Volume name: %4

Fields

Name | Description
Filter_name
Volume_name
FilterNameLength
FilterName
VolumeNameLength
VolumeName

Event ID 1300 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Event ID 1301 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Event ID 1302 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Fields

Name | Description
Phase

Event ID 1303 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Event ID 1304 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Event ID 1305 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational

Fields

Name | Description
Status