detection.wiki

Microsoft-Windows-Kernel-StoreMgr

19 events across 2 channels

Event IDTitleChannel
1Analytic
2Analytic
3Analytic
4Analytic
5Analytic
6VirtualAddress Virtual Address: Physical_Address Physical Address: …Operational
7Analytic
8Analytic
9Analytic
10A ReadyBoost cache failed to persist across boot.Operational
11Analytic
12Analytic
13Analytic
14Analytic
15Analytic
16Analytic
17Analytic
18Device_name Device name: FailStatus Cache path: DeviceDescription.Operational
19Operational

Event ID 1 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreAdd

Fields #

NameDescription
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Event ID 2 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreRemove

Fields #

NameDescription
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32

Event ID 3 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreCreate
Opcode
Info

Fields #

NameDescription
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Event ID 4 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreDelete

Fields #

NameDescription
StoreKey Pointer

Event ID 5 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreRundown
Opcode
Info

Fields #

NameDescription
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Event ID 6 — VirtualAddress Virtual Address: Physical_Address Physical Address: Corruption_Window_Size Corruption Window Size: DataMgr.

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Operational
Task
StoreCorruption

Message #

%5

Virtual Address: %2
Physical Address: %3
Corruption Window Size: %4

Fields #

NameDescription
Virtual_Address
Physical_Address
Corruption_Window_Size
DataMgr Pointer
VirtualAddress Pointer
PhysicalAddress UInt64
Size UInt16
FileBacked UInt8
CorruptionType UInt8
Flags UInt32

Event ID 7 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StorePageRundown

Fields #

NameDescription
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Event ID 8 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionEvict

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 9 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionWrite

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 10 — A ReadyBoost cache failed to persist across boot.

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Operational
Task
UnpersistFailure

Description

A ReadyBoost cache failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Message #

A ReadyBoost cache failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Fields #

NameDescription
FailReason UInt32
FailStatus HexInt32
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 11 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreIoStats

Fields #

NameDescription
StoreKey Pointer
Size UInt32
Data Binary

Event ID 12 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
GlobalStats

Fields #

NameDescription
Size UInt32
Data Binary

Event ID 13 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
StoreEmpty

Fields #

NameDescription
StoreKey Pointer
Param Pointer

Event ID 14 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionRelease

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 15 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionCompact
Opcode
Start

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 16 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionCompact
Opcode
Stop

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 17 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Analytic
Task
RegionRundown

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 18 — Device_name Device name: FailStatus Cache path: DeviceDescription.

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Operational
Task
CacheTermination

Message #

%1

Device name: %4
Cache path: %6

Fields #

NameDescription
Device_name
Cache_path
Reason UInt8
FailStatus HexInt32
DeviceDescLength UInt16
DeviceDescription UnicodeString
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 19 —

Provider
Microsoft-Windows-Kernel-StoreMgr
Channel
Operational
Opcode
Info

Fields #

NameDescription
SqmType UInt32
SqmSessionGuid GUID
SqmID UInt32
SqmStreamRowLength UInt32
SqmStreamRow Int16