Microsoft-Windows-Kernel-IO

14 events across 2 channels

Event ID	Title	Channel
1	Windows has started processing the volume mount request.	Operational
2	The volume has been successfully mounted.	Operational
3	Windows failed to mount the volume.	Operational
1205	Windows is configured to block legacy file system filters.	System
1206	Legacy file system filters cannot attach to byte addressable volumes.	System
1207	Dumps are disabled on the machine since there was an error enabling dump …	System
1212	Failed to automatically attach a VHD during system startup.	System
1213	This volume is configured to block legacy file system filters.	System
1300		Operational
1301		Operational
1302		Operational
1303		Operational
1304		Operational
1305		Operational

Event ID 1 — Windows has started processing the volume mount request.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: Informational
Task: VolumeMount
Opcode: Start

Description

Windows has started processing the volume mount request.

Message #

Windows has started processing the volume mount request.

           Volume GUID: %1
           Volume Name: %3

Fields #

Name	Description
`VolumeGuid` GUID	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-IO",
    "guid": "ABF1F586-2E50-4BA8-928D-49044E6F0DB7",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2022-04-07T17:41:20.068195+00:00",
    "event_record_id": 981,
    "correlation": {},
    "execution": {
      "process_id": 3228,
      "thread_id": 4516
    },
    "channel": "Microsoft-Windows-Kernel-IO/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeGuid": "00000000-0000-0000-0000-000000000000",
    "VolumeNameLength": 0,
    "VolumeName": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — The volume has been successfully mounted.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: Informational
Task: VolumeMount
Opcode: Stop

Description

The volume has been successfully mounted.

Message #

The volume has been successfully mounted.

           Volume GUID: %1
           Volume Name: %3

Fields #

Name	Description
`VolumeGuid` GUID	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-IO",
    "guid": "ABF1F586-2E50-4BA8-928D-49044E6F0DB7",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2022-04-07T17:41:19.983659+00:00",
    "event_record_id": 958,
    "correlation": {},
    "execution": {
      "process_id": 3228,
      "thread_id": 3296
    },
    "channel": "Microsoft-Windows-Kernel-IO/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeGuid": "00000000-0000-0000-0000-000000000000",
    "VolumeNameLength": 0,
    "VolumeName": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3 — Windows failed to mount the volume.

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Level: Warning
Task: VolumeMount
Opcode: Stop

Description

Windows failed to mount the volume.

Message #

Windows failed to mount the volume.

           Status: %4
           Volume GUID: %1
           Volume Name: %3

Fields #

Name	Description
`VolumeGuid` GUID	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—
`Error` HexInt32	Status.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-IO",
    "guid": "ABF1F586-2E50-4BA8-928D-49044E6F0DB7",
    "event_source_name": "",
    "event_id": 3,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2022-04-07T17:41:20.068196+00:00",
    "event_record_id": 982,
    "correlation": {},
    "execution": {
      "process_id": 3228,
      "thread_id": 4516
    },
    "channel": "Microsoft-Windows-Kernel-IO/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeGuid": "00000000-0000-0000-0000-000000000000",
    "VolumeNameLength": 0,
    "VolumeName": "",
    "Error": "0xc0000001"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1205 — Windows is configured to block legacy file system filters.

Provider: Microsoft-Windows-Kernel-IO
Channel: System
Opcode: Info

Description

Windows is configured to block legacy file system filters.

Message #

Windows is configured to block legacy file system filters.

           Filter name: %2

Fields #

Name	Description
`Filter_name`	—
`FilterNameLength` UInt16	—
`FilterName` UnicodeString	—

Event ID 1206 — Legacy file system filters cannot attach to byte addressable volumes.

Provider: Microsoft-Windows-Kernel-IO
Channel: System
Opcode: Info

Description

Legacy file system filters cannot attach to byte addressable volumes.

Message #

Legacy file system filters cannot attach to byte addressable volumes.

           Filter name: %2
           Volume name: %4

Fields #

Name	Description
`Filter_name`	—
`Volume_name`	—
`FilterNameLength` UInt16	—
`FilterName` UnicodeString	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—

Event ID 1207 — Dumps are disabled on the machine since there was an error enabling dump encryption: DumpEncryptionFailureReason.

Provider: Microsoft-Windows-Kernel-IO
Channel: System
Opcode: Info

Description

Dumps are disabled on the machine since there was an error enabling dump encryption: DumpEncryptionFailureReason.

Message #

Dumps are disabled on the machine since there was an error enabling dump encryption: %1.                  
See http://go.microsoft.com/fwlink/?LinkId=824149 for more information on dump encryption

Fields #

Name	Description
`DumpEncryptionFailureReason` UInt32	—

Event ID 1212 — Failed to automatically attach a VHD during system startup.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Description

Failed to automatically attach a VHD during system startup.

Message #

Failed to automatically attach a VHD during system startup.

          VHD name: %2
          Status: %3

Fields #

Name	Description
`VHD_name`	—
`Status` HexInt32	— NTSTATUS reference
`NameLength` UInt16	—
`Name` UnicodeString	—

Event ID 1213 — This volume is configured to block legacy file system filters.

Provider: Microsoft-Windows-Kernel-IO
Channel: System

Description

This volume is configured to block legacy file system filters.

Message #

This volume is configured to block legacy file system filters.

           Filter name: %2
           Volume name: %4

Fields #

Name	Description
`Filter_name`	—
`Volume_name`	—
`FilterNameLength` UInt16	—
`FilterName` UnicodeString	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—

Event ID 1300 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: LoadBootHotPatches
Opcode: Start

Event ID 1301 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: LoadBootHotPatches
Opcode: Stop

Event ID 1302 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: WheaInitialize
Opcode: Start

Fields #

Name	Description
`Phase` UInt32	—

Event ID 1303 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: WheaInitialize
Opcode: Stop

Event ID 1304 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: CrashDumpInitialize
Opcode: Start

Event ID 1305 —

Provider: Microsoft-Windows-Kernel-IO
Channel: Operational
Task: CrashDumpInitialize
Opcode: Stop

Fields #

Name	Description
`Status` UInt32	— NTSTATUS reference