Message

RundownStart

Message

RundownComplete

Message

RundownVolumeInformation VolumeId: %1, DeviceName: %3

Fields

Message

The NTFS volume has been successfully mounted.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8
           Device Name: %3

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 4
  version: 1
  level: 4
  task: 6
  opcode: 0
  keywords: 4611967493404098592
  time_created: '2023-11-06T06:25:20.848685+00:00'
  event_record_id: 147
  correlation: {}
  execution:
    process_id: 4
    thread_id: 96
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: F8B2740A-2324-44DB-BBF8-80523FE5334B
  VolumeIdLength: 48
  VolumeId: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  VolumeLabelLength: 5
  VolumeLabel: WINRE
  DeviceNameLength: 23
  DeviceName: \Device\HarddiskVolume1
  DeviceGuid: 33A0A150-7C6D-11EE-9369-806E6F6E6963
  VendorIdLength: 8
  VendorId: 'VMware, '
  ProductIdLength: 16
  ProductId: VMware Virtual S
  ProductRevisionLength: 4
  ProductRevision: '1.0 '
  DeviceSerialNumberLength: 0
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumberLength: 0
  AdapterSerialNumber: ''
  Vcb: '0xffffa60dd18c01b0'
  MountDurationUs: 32215
  MountDuration: 32 ms
  LongestStage: 5
  LongestStageDuration: 16 ms
  LongestStagePercentage: 50
  SecondLongestStage: 2
  SecondLongestStageDuration: 16 ms
  SecondLongestStagePercentage: 50
  RestartApplied: false
  IsBootVolume: false
  Stage1DurationUs: 0
  Stage2DurationUs: 16042
  Stage3DurationUs: 0
  Stage4DurationUs: 0
  Stage5DurationUs: 16172
  Stage6DurationUs: 0
  Stage7DurationUs: 0
  Stage8DurationUs: 0
  Stage9DurationUs: 0
  Stage10DurationUs: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

NTFS KSR data retrieved successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs restored: %6
           Time to restore (ms): %7

Fields

Message

NTFS KSR data retrieval failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6

Fields

Message

Ntfs has detected torn write on a volume.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5
           File reference: %6
           File name: %8
           Byte offset of the buffer within the file: %9
           Byte offset of the torn structure within the buffer: %10
           Block index: %11
           Expected sequence number: %12
           Actual sequence number: %13

Fields

Message

File's duplicate info has been updated during flush.

           Volume correlation Id: %1
           Volume name: %3
           File Reference: %4
           File Name: %6
           File Link name: %8
           Parent file reference: %9
           Parent file name: %11
           Update Reason: [%12] %13

Fields

Message

NTFS scanned entire volume bitmap.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5

           Device name: %7
           Device GUID: %8
           Device manufacturer: %10
           Device model: %12
           Device revision: %14
           Device serial number: %16
           Bus type: %17

           Adapter serial number: %19

           Duration (micro seconds): %20
           InputFlags: %21
           Reason: %22
           Flags: %23

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 9
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429485056
  time_created: '2023-11-06T06:25:25.774221+00:00'
  event_record_id: 149
  correlation:
    ActivityID: 405E6FE6-7C77-466B-8D93-5F354CA37E8C
  execution:
    process_id: 4
    thread_id: 108
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: F8B2740A-2324-44DB-BBF8-80523FE5334B
  VolumeIdLength: 48
  VolumeId: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  VolumeLabelLength: 5
  VolumeLabel: WINRE
  DeviceNameLength: 23
  DeviceName: \Device\HarddiskVolume1
  DeviceGuid: 33A0A150-7C6D-11EE-9369-806E6F6E6963
  VendorIdLength: 8
  VendorId: 'VMware, '
  ProductIdLength: 16
  ProductId: VMware Virtual S
  ProductRevisionLength: 4
  ProductRevision: '1.0 '
  DeviceSerialNumberLength: 0
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumberLength: 0
  AdapterSerialNumber: ''
  DurationUs: 49
  InputFlags: '0x10'
  Reason: 7
  Flags: '0x10'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

NTFS cached runs statistics.

           Volume correlation Id: %1
           Volume name: %2
           Volume label: %3

           Device name: %4
           Device GUID: %5
           Device manufacturer: %6
           Device model: %7
           Device revision: %8
           Device serial number: %9
           Bus type: %10

           Adapter serial number: %11

           Media type: %12
           Runs cached: %13
           Longest run cached: %15
           Most populated bin Count: %16
           Most populated bin's minimum length: %18
           Most populated bin's maximum length: %20

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 10
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429485056
  time_created: '2023-11-06T06:25:25.774232+00:00'
  event_record_id: 150
  correlation: {}
  execution:
    process_id: 4
    thread_id: 108
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: F8B2740A-2324-44DB-BBF8-80523FE5334B
  VolumeId: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  VolumeLabel: WINRE
  DeviceName: \Device\HarddiskVolume1
  DeviceGuid: 33A0A150-7C6D-11EE-9369-806E6F6E6963
  VendorId: 'VMware, '
  ProductId: VMware Virtual S
  ProductRevision: '1.0 '
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumber: ''
  MediaType: 1
  RunsCached: 3
  LongestRunCached: 209448960
  LongestRunCachedStr: 199.75 MB
  MostPopulatedBinCount: 1
  MostPopulatedBinMinLength: 2363392
  MostPopulatedBinMinLengthStr: 2.26 MB
  MostPopulatedBinMaxLength: 2490368
  MostPopulatedBinMaxLengthStr: 2.38 MB
  TotalCachedRuns: 1
  CachedRunsLogged: 1
  CachedRunsAlignment: '1'
  RunsInCachedRuns: '3'
  LongestRunInCachedRuns: '209448960'
  MostPopulatedBinCountInCachedRuns: '1'
  MostPopulatedBinMinLengthInCachedRuns: '2363392'
  MostPopulatedBinMaxLengthInCachedRuns: '2490368'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

NTFS KSR data prepared successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs prepared: %6
           Time to prepare (ms): %7

Fields

Message

NTFS KSR data prepare failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6
           Failure Status: %7           Source Tag: %8

Fields

Message

NTFS KSR data filled successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs filled: %6
           Time to fill (ms): %7

Fields

Message

NTFS KSR data fill failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6
           Failure Status: %7           Source Tag: %8

Fields

Message

Volume %1 (%2) %3

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 98
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775810
  time_created: '2023-11-06T06:25:20.848748+00:00'
  event_record_id: 1651
  correlation: {}
  execution:
    process_id: 4
    thread_id: 96
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DriveName: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  DeviceName: \Device\HarddiskVolume1
  CorruptionActionState: 0
message: ''

Sigma Rules

• Volume Shadow Copy Mount
  Detects volume shadow copy mount via Windows event log

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

NTFS global corruption action state is now %1.

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 100
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 2305843009213693953
  time_created: '2023-11-06T06:25:12.106652+00:00'
  event_record_id: 11
  correlation: {}
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-Ntfs/WHC
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  hc_stateid: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The file system structure that maintains security information on volume %1 (%2) has grown excessively large and fragmented.  The structure has reached %3%% of its maximum fragmentation limit.  If the structure continues to grow and reaches this limit, it may not be possible to create new files on this volume.  It is strongly recommended that the volume be taken offline for preventative maintenance.

Fields

Message

The system failed to flush data to the transaction log. Corruption may occur in VolumeId: %2, DeviceName: %4.

           Failure status: %5

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

Fields

Message

An operation failed because the disk was full.

           Process: %5
           Free space in bytes: %7
           Total reserved space in bytes: %8
           Txf TotalAbortReservation space in bytes: %9
           Requested space in bytes: %10
           Page file size in bytes: %11
           Volume guid: %1
           Volume name: %3
           Is boot volume: %6
           Source Tag: %12

Your disk '%3' is full. Use disk cleanup to free up disk space by deleting unnecessary files. If this is a thinly provisioned volume the physical storage backing this volume may have been exhausted.

Fields

Message

Summary of disk space usage, since last event:

           Lowest free space in bytes: %4
           Highest free space in bytes: %5
           Page file size in bytes: 0
           Volume guid: %1
           Volume name: %3
           Is boot volume: %6

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 142
  version: 3
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429485056
  time_created: '2023-11-06T06:25:25.734659+00:00'
  event_record_id: 148
  correlation: {}
  execution:
    process_id: 4
    thread_id: 108
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeGuid: F8B2740A-2324-44DB-BBF8-80523FE5334B
  VolumeNameLength: 48
  VolumeName: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  IsBootVolume: false
  ElapsedSeconds: 0
  AvailabeSpaceMinStr: 287.18 MB
  AvailabeSpaceMaxStr: 291.18 MB
  AvailabeSpaceDeltaStr: 4 MB
  AvailableClustersMin: 73518
  AvailableClustersMax: 74542
  UnallocatedClustersMin: 74542
  UnallocatedClustersMax: 74542
  ReservedClustersMin: 0
  ReservedClustersMax: 0
  TxfAbortReservedClustersMin: 1024
  TxfAbortReservedClustersMax: 1024
  PageFileSizeInBytes: 0
  PageFileSizeStr: 0 Bytes
  VolumeSizeInBytes: 314568704
  VolumeSizeStr: 300 MB
  ClusterSize: 4096
  CachedRunsMissCountForMft: 0
  CachedRunsMissCountForMftZone: 0
  CachedRunsMissCount: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Surprise removal of a persistent memory device with active DAX mappings. This might lead to data corruption.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8

Guidance:
A reboot is required to clean up the DAX mappings.

Fields

Message

A volume that already has DAX mappings is being mounted. This generally occurs after surprise removal. This might lead to data corruption.

           Volume GUID: %4
           Volume Name: %6

Guidance:
A reboot is required to clean up the DAX mappings.

Fields

Message

IO latency summary common data for volume:

           Volume Id: %2
           Volume name: %4
           Is boot volume: %5

           Device GUID: %7
           Device manufacturer: %9
           Device model: %11
           Device revision: %13
           Device serial number: %15
           Bus type: %16

           Adapter serial number: %18

           Max Acceptable IO Latency: %19 ms

           Read/Write latency buckets (ns): [%20, %21, %22, %23, %24, %25, %26]
           Trim latency buckets (ns): [%27, %28, %29, %30, %31, %32, %33]
           Flush latency buckets (ns): [%34, %35, %36, %37, %38, %39, %40]

Fields

Message

IO latency summary:

           Volume Id: %2
           Volume name: %4
           Is boot volume: %5

           Device GUID: %7
           Device manufacturer: %9
           Device model: %11
           Device revision: %13
           Device serial number: %15
           Bus type: %16

           Adapter serial number: %18

           Max Acceptable IO Latency: %19 ms

           Read/Write latency buckets (ns): [%20, %21, %22, %23, %24, %25, %26]
           Trim latency buckets (ns): [%27, %28, %29, %30, %31, %32, %33]
           Flush latency buckets (ns): [%34, %35, %36, %37, %38, %39, %40]

           Interval duration: %42 us

           Non-cached reads:
                     IO count: %43
                     Total bytes: %44
                     Avg latency: %45 ns

           Non-cached writes:
                     IO count: %46
                     Total bytes: %47
                     Avg latency: %48 ns

           File flushes:
                     IO count: %49
                     Avg latency: %50 ns

           Directory flushes:
                     IO count: %51
                     Avg latency: %52 ns

           Volume flushes:
                     IO count: %53
                     Avg latency: %54 ns

           File level trims:
                     IO count: %55
                     Total bytes: %56
                     Extents count: %57
                     Avg latency: %58 ns

           Volume trims:
                     IO count: %59
                     Total bytes: %60
                     Extents count: %61
                     Avg latency: %62 ns

           VCB exclusive resource acquires:
                     Acquire count: %71
                     Max wait duration: %72 ms
                     Avg wait duration: %73 ms
                     Max hold duration: %74 ms
                     Avg hold duration: %75 ms
                     Max combined duration: %76 ms
                     Avg combined duration: %77 ms

           For more details see the details tab.

Fields

Message

An IO took more than %5 ms to complete:

           Process Id: %6
           Process name: %7
           File name: %9
           File offset: %12
           IO Type: %10
           IO Size: %11 bytes
           %15 cluster(s) starting at cluster %14
           Latency: %13 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %16
           Device manufacturer: %18
           Device model: %20
           Device revision: %22
           Device serial number: %24
           Bus type: %25

           Adapter serial number: %27

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 147
  version: 4
  level: 3
  task: 0
  opcode: 0
  keywords: 4611967493406195712
  time_created: '2023-11-06T01:29:13.914837+00:00'
  event_record_id: 229
  correlation: {}
  execution:
    process_id: 4
    thread_id: 17620
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: 7597D2A3-4404-4F99-B979-6233378A81BF
  VolumeNameLength: 2
  VolumeName: 'C:'
  IsBootVolume: true
  MaxLatencyMs: 30000
  ProcessId: 18984
  ProcessName: MBAMService.ex
  FileNameLength: 74
  FileName: \ProgramData\Malwarebytes\MBAMService\tmp\cde8f2247c4311ee8e26000c293379ba
  FileIdHigh: '0x0'
  FileIdLow: '0x200000004f2d1'
  IoType: 5
  IoTypeStr: 'Write: NonPaging, Cached, Sync'
  IoSize: 23213552
  FileOffset: 0
  LatencyMs: 38428
  StartingLcn: 15120321
  ClustersCount: 5668
  DeviceGuid: 22A04354-7C2B-11EE-936C-806E6F6E6963
  VendorIdLength: 8
  VendorId: 'VMware, '
  ProductIdLength: 16
  ProductId: VMware Virtual S
  ProductRevisionLength: 4
  ProductRevision: '1.0 '
  DeviceSerialNumberLength: 0
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumberLength: 0
  AdapterSerialNumber: ''
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

A %9 failed with %14.
This may indicate a failing disk.

           Process Id: %5
           Process name: %6
           File name: %8
           IO Size: %10 bytes
           File offset: %11
           %13 cluster(s) starting at cluster %12
           Latency: %15 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %16
           Device manufacturer: %18
           Device model: %20
           Device revision: %22
           Device serial number: %24
           Bus type: %25

           Adapter serial number: %27

Fields

Message

In the past %17 seconds we had high latency IOs and/or IO failures.

           High latency IO count: %18
           Failed writes: %19
           Failed reads: %20
           Bad clusters relocated: %21

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14

           Adapter serial number: %16

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 149
  version: 2
  level: 3
  task: 0
  opcode: 0
  keywords: 4611967493406195712
  time_created: '2023-11-06T01:32:12.814212+00:00'
  event_record_id: 249
  correlation: {}
  execution:
    process_id: 4
    thread_id: 18088
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: 7597D2A3-4404-4F99-B979-6233378A81BF
  VolumeNameLength: 2
  VolumeName: 'C:'
  IsBootVolume: true
  DeviceGuid: 22A04354-7C2B-11EE-936C-806E6F6E6963
  VendorIdLength: 8
  VendorId: 'VMware, '
  ProductIdLength: 16
  ProductId: VMware Virtual S
  ProductRevisionLength: 4
  ProductRevision: '1.0 '
  DeviceSerialNumberLength: 0
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumberLength: 0
  AdapterSerialNumber: ''
  SecondsElapsed: 3602
  HighLatencyCount: 4
  FailedWriteCount: 0
  FailedReadCount: 0
  BadClusterHotfixCount: 0
  ValuesCount: 3
  HighLatencyArray: 1
  FailedWriteArray: 0
  FailedReadArray: 0
  BadClusterHotfixArray: 0
  StatusArray: '0x0'
  TableIndexArray: 3
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

An IO failed with %12 and NTFS has relocated the clusters. The original clusters are now marked as bad and they will not be reused.
This may indicate a failing disk.

           Process Id: %5
           Process name: %6
           File name: %8
           File offset: %9
           %11 cluster(s) were marked as bad starting at cluster %10

           Volume guid: %1
           Volume name: %3
           Is boot volume: %4

Fields

Message

In the past %5 seconds %6 files were deleted from the user's popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.).
%7 of the deletions recorded their process names.

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Process names: [%8]
           Delete counts: 
             Desktop: [%9]
             Documents: [%10]
             Downloads: [%11]
             Music: [%12]
             Pictures: [%13]
             Videos: [%14]
             Other: [%15]

Fields

Message

A process has not acknowledged an NTFS oplock break in a long time.

           Time (seconds): %1
           Owner Process: %2
           Breaking Process: %3

Fields

Message

System file pages are now locked into memory.

                    Volume Id: %1
                    Volume name: %3

                    File reference: %4
                    File name: %6

Fields

Message

System file pages are no longer locked into memory.

                    Volume Id: %1
                    Volume name: %3

                    File reference: %4
                    File name: %6

                    Reason: %7

Fields

Message

VCB exclusive resource acquires:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Interval duration: %18

           Acquire count: %19
           Max wait duration: %20 ms
           Avg wait duration: %21 ms
           Max hold duration: %22 ms
           Avg hold duration: %23 ms
           Max combined duration: %24 ms
           Avg combined duration: %25 ms

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14
           
           Adapter serial number: %16
           
           For more details see the details tab.

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 156
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429485056
  time_created: '2023-11-06T01:32:12.811781+00:00'
  event_record_id: 230
  correlation: {}
  execution:
    process_id: 4
    thread_id: 18088
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: 7597D2A3-4404-4F99-B979-6233378A81BF
  VolumeNameLength: 2
  VolumeName: 'C:'
  IsBootVolume: true
  DeviceGuid: 22A04354-7C2B-11EE-936C-806E6F6E6963
  VendorIdLength: 8
  VendorId: 'VMware, '
  ProductIdLength: 16
  ProductId: VMware Virtual S
  ProductRevisionLength: 4
  ProductRevision: '1.0 '
  DeviceSerialNumberLength: 0
  DeviceSerialNumber: ''
  BusType: 10
  AdapterSerialNumberLength: 0
  AdapterSerialNumber: ''
  IntervalDurationMs: 3602451
  IntervalDurationStr: 3602 s
  VcbExAcquireCount: 171
  VcbExMaxWaitDurationMs: 15210
  VcbExAvgWaitDurationMs: 90
  VcbExMaxHoldDurationMs: 18627
  VcbExAvgHoldDurationMs: 237
  VcbExMaxCombinedDurationMs: 18627
  VcbExAvgCombinedDurationMs: 327
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

An exclusive resource duration exceeded %5 ms:

           Process Id: %6
           Process name: %7
           Major function: %8
           Minor function: %9
           Control code: %10
           Resource name: %11
           Wait duration: %12 ms
           Hold duration: %13 ms
           Combined duration: %14 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %15
           Device manufacturer: %17
           Device model: %19
           Device revision: %21
           Device serial number: %23
           Bus type: %24

           Adapter serial number: %26

Fields

Message

NTFS metadata statistics for volume:

           Volume Id: %1
           Volume name: %3

           UserFileReads: %4
           UserFileReadBytes: %5
           UserDiskReads: %6
           UserFileWrites: %7
           UserFileWriteBytes: %8
           UserDiskWrites: %9

           MetaDataReads: %10
           MetaDataReadBytes: %11
           MetaDataDiskReads: %12
           MetaDataWrites: %13
           MetaDataWriteBytes: %14
           MetaDataDiskWrites: %15

           MftReads: %16
           MftReadBytes: %17
           MftWrites: %18
           MftWriteBytes: %19
           Mft2Writes: %20
           Mft2WriteBytes: %21
           RootIndexReads: %22
           RootIndexReadBytes: %23
           RootIndexWrites: %24
           RootIndexWriteBytes: %25
           BitmapReads: %26
           BitmapReadBytes: %27
           BitmapWrites: %28
           BitmapWriteBytes: %29
           MftBitmapReads: %30
           MftBitmapReadBytes: %31
           MftBitmapWrites: %32
           MftBitmapWriteBytes: %33
           UserIndexReads: %34
           UserIndexReadBytes: %35
           UserIndexWrites: %36
           UserIndexWriteBytes: %37
           LogFileReads: %38
           LogFileReadBytes: %39
           LogFileWrites: %40
           LogFileWriteBytes: %41
           LogFileFull: %42
           LogFileFullReasons:
                     LF_LOG_SPACE: %43
                     LF_DIRTY_PAGES: %44
                     LF_OPEN_ATTRIBUTES: %45
                     LF_TRANSACTION_DRAIN: %46
                     LF_FASTIO_CALLBACK: %47
                     LF_DEALLOCATED_CLUSTERS: %48
                     LF_DEALLOCATED_CLUSTERS_MEM: %49
                     LF_RECORD_STACK_CHECK: %50
                     LF_DISMOUNT: %51
                     LF_COMPRESSION: %52
                     LF_SNAPSHOT: %53
                     LF_MOUNT: %54
                     LF_SHUTDOWN: %55
                     LF_RECURSIVE_COMPRESSION: %56
                     LF_TESTING: %57

           DiskResourceFailure: %58
           VolumeTrimCount: %59
                     VolumeTrimTime (ms): %60
                     VolumeTrimSize (KB): %61
                     AvgVolumeTrimTime (ms): %62
                     AvgVolumeTrimSize (KB): %63
           VolumeTrimSkippedCount: %64
                     VolumeTrimSkippedSize (KB): %65
           FileLevelTrimCount: %66
                     FileLevelTrimTime (ms): %67
                     FileLevelTrimSize (KB): %68
                     AvgFileLevelTrimTime (ms): %69
                     AvgFileLevelTrimSize (KB): %70
           NtfsFillStatInfoFromMftRecordCalledCount: %71
           NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount: %72
           NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount: %73

Fields

Example Event

system:
  provider: Microsoft-Windows-Ntfs
  guid: 3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482
  event_source_name: ''
  event_id: 158
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018429485056
  time_created: '2023-11-05T22:47:04.964890+00:00'
  event_record_id: 183
  correlation: {}
  execution:
    process_id: 4
    thread_id: 52
  channel: Microsoft-Windows-Ntfs/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  VolumeCorrelationId: F8B2740A-2324-44DB-BBF8-80523FE5334B
  VolumeNameLength: 48
  VolumeName: \\?\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}
  UserFileReads: 5
  UserFileReadBytes: 20480
  UserDiskReads: 5
  UserFileWrites: 0
  UserFileWriteBytes: 0
  UserDiskWrites: 0
  MetaDataReads: 12
  MetaDataReadBytes: 217088
  MetaDataDiskReads: 14
  MetaDataWrites: 1
  MetaDataWriteBytes: 8192
  MetaDataDiskWrites: 2
  MftReads: 6
  MftReadBytes: 53248
  MftWrites: 1
  MftWriteBytes: 8192
  Mft2Writes: 0
  Mft2WriteBytes: 0
  RootIndexReads: 0
  RootIndexReadBytes: 0
  RootIndexWrites: 0
  RootIndexWriteBytes: 0
  BitmapReads: 1
  BitmapReadBytes: 12288
  BitmapWrites: 0
  BitmapWriteBytes: 0
  MftBitmapReads: 1
  MftBitmapReadBytes: 8192
  MftBitmapWrites: 0
  MftBitmapWriteBytes: 0
  UserIndexReads: 1
  UserIndexReadBytes: 4096
  UserIndexWrites: 1
  UserIndexWriteBytes: 4096
  LogFileReads: 8
  LogFileReadBytes: 32768
  LogFileWrites: 16
  LogFileWriteBytes: 65536
  LogFileFull: 0
  LogFileFullReasonBucket1: 0
  LogFileFullReasonBucket2: 0
  LogFileFullReasonBucket3: 0
  LogFileFullReasonBucket4: 0
  LogFileFullReasonBucket5: 0
  LogFileFullReasonBucket6: 0
  LogFileFullReasonBucket7: 0
  LogFileFullReasonBucket8: 0
  LogFileFullReasonBucket9: 0
  LogFileFullReasonBucket10: 0
  LogFileFullReasonBucket11: 0
  LogFileFullReasonBucket12: 0
  LogFileFullReasonBucket13: 0
  LogFileFullReasonBucket14: 0
  LogFileFullReasonBucket15: 0
  DiskResourceFailure: 0
  VolumeTrimCount: 0
  VolumeTrimTime: 0
  VolumeTrimSize: 0
  AvgVolumeTrimTime: 0
  AvgVolumeTrimSize: 0
  VolumeTrimSkippedCount: 0
  VolumeTrimSkippedSize: 0
  FileLevelTrimCount: 0
  FileLevelTrimTime: 0
  FileLevelTrimSize: 0
  AvgFileLevelTrimTime: 0
  AvgFileLevelTrimSize: 0
  NtfsFillStatInfoFromMftRecordCalledCount: 0
  NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount: 0
  NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount: 0
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

NTFS has successfully completed the %19 request in %20 ms when trying to %18 the volume size from %4 (MB) to %5 (MB).

           Volume Id: %1
           Volume name: %3

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

           Operation: %18
                     Request Type: %19

           Stage Durations:
                     Stage 1. Verify input and calculate new volume size (ms): %21
                     Stage 2. Set boundary and allocate/deallocate cluster (ms): %22
                     Stage 3. Update bitmap (ms): %23

Fields