Microsoft-Windows-Ntfs

72 events across 4 channels

Event ID	Title	Channel
1	RundownStart	Performance
2	RundownComplete	Performance
3	RundownVolumeInformation VolumeId: RundownVolumeInformation_VolumeId, …	Performance
4	The NTFS volume has been successfully mounted.	Operational
5	NTFS KSR data retrieved successfully.	Operational
6	NTFS KSR data retrieval failed.	Operational
7	Ntfs has detected torn write on a volume.	System
8	File's duplicate info has been updated during flush.	Operational
9	NTFS scanned entire volume bitmap.	Operational
10	NTFS cached runs statistics.	Operational
11	NTFS KSR data prepared successfully.	Operational
12	NTFS KSR data prepare failed.	Operational
13	NTFS KSR data filled successfully.	Operational
14	NTFS KSR data fill failed.	Operational
98	Volume DriveName (DeviceName) CorruptionActionState.	System
100	NTFS global corruption action state is now hc_stateid.	WHC
139	The file system structure that maintains security information on volume …	Operational
140	The system failed to flush data to the transaction log.	System
141	An operation failed because the disk was full.	Operational
142	Summary of disk space usage, since last event.	Operational
143	Surprise removal of a persistent memory device with active DAX mappings.	System
144	A volume that already has DAX mappings is being mounted.	System
145	IO latency summary common data for volume.	Operational
146	IO latency summary.	Operational
147	An IO took more than MaxLatencyMs ms to complete.	Operational
148	A FileIdHigh failed with StartingLcn.	Operational
149	In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.	Operational
150	An IO failed with FailureStatus and NTFS has relocated the clusters.	System
151	In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from …	Operational
152	A process has not acknowledged an NTFS oplock break in a long time.	Operational
154	System file pages are now locked into memory.	Operational
155	System file pages are no longer locked into memory.	Operational
156	VCB exclusive resource acquires.	Operational
157	An exclusive resource duration exceeded MaxDurationMs ms.	Operational
158	NTFS metadata statistics for volume.	Operational
159	NTFS has successfully completed the VolumeSizeChangeRequestType request in …	Operational
160	NTFS has failed to complete the VolumeSizeChangeOperation request after …	Operational
161	An operation has failed due to a file system limitation.	Operational
162	The data read from the storage does not match what was previously written or …	System
163	MftBitmap is not big enough for MftData or does not have required allocations.	System
170	IO latency summary.	Operational
171	File-Level Trim Summary.	Operational
201	NtfsLogFileFull VolumeId: NtfsLogFileFull_VolumeId, Reason: Reason.	Performance
202	PeriodicCheckpointStart VolumeId: PeriodicCheckpointStart_VolumeId, Reason: …	Performance
203	PeriodicCheckpointComplete VolumeId: PeriodicCheckpointComplete_VolumeId, …	Performance
204	CleanCheckpointStart VolumeId: CleanCheckpointStart_VolumeId, Reason: Reason, …	Performance
205	CleanCheckpointComplete VolumeId: CleanCheckpointComplete_VolumeId, …	Performance
206	MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: …	Performance
208	MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: …	Performance
210	Thinly provisioned volume VolumeId (DeviceName).	System
211	Thinly provisioned volume VolumeId (DeviceName).	System
230	WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.	Performance
231	WorkItem queue failed, WorkItem: WorkItem_queue_failed_WorkItem, Reason: Reason, …	Performance
232	WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.	Performance
233	WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.	Performance
240	File metadata optimization started.	Performance
241	File metadata optimization completed.	Performance
300	NTFS volume dismount has started.	Operational
301	NTFS has sent volume dismount event notification and is waiting for the …	Operational
302	The volume dismount event notification on the NTFS volume has completed.	Operational
303	The NTFS volume has successfully dismounted.	Operational
304	The NTFS volume dismount failed.	Operational
305	NTFS failed to mount the volume.	Operational
401	Efs offloading initiated.	Performance
402	Efs offloading read regular file.	Performance
403	Efs offloading write regular file.	Performance
404	Efs legacy initiated.	Performance
405	Efs legacy read regular file.	Performance
406	Efs legacy write regular file.	Performance
500	A process has created a USN journal on a volume.	Operational
501	A process has deleted a USN journal on a volume.	Operational
502	File has been opened by an isolated reader.	Performance

Event ID 1 — RundownStart

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Rundown
Opcode: Start

Description

RundownStart.

Message #

RundownStart

Event ID 2 — RundownComplete

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Rundown
Opcode: Stop

Description

RundownComplete.

Message #

RundownComplete

Event ID 3 — RundownVolumeInformation VolumeId: RundownVolumeInformation_VolumeId, DeviceName: Vcb.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Rundown

Description

RundownVolumeInformation VolumeId: RundownVolumeInformation_VolumeId, DeviceName: Vcb.

Message #

RundownVolumeInformation VolumeId: %1, DeviceName: %3

Fields #

Name	Description
`RundownVolumeInformation_VolumeId`	—
`DeviceName` UnicodeString	—
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—

Event ID 4 — The NTFS volume has been successfully mounted.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumemount

Description

The NTFS volume has been successfully mounted.

Message #

The NTFS volume has been successfully mounted.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8
           Device Name: %3

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—
`MountDurationUs` UInt64	—
`MountDuration` UnicodeString	Total mount duration.
`LongestStage` UInt64	—
`LongestStageDuration` UnicodeString	—
`LongestStagePercentage` UInt64	—
`SecondLongestStage` UInt64	—
`SecondLongestStageDuration` UnicodeString	—
`SecondLongestStagePercentage` UInt64	—
`RestartApplied` Boolean	Volume restart applied.
`IsBootVolume` Boolean	—
`Stage1DurationUs` UInt64	—
`Stage2DurationUs` UInt64	—
`Stage3DurationUs` UInt64	—
`Stage4DurationUs` UInt64	—
`Stage5DurationUs` UInt64	—
`Stage6DurationUs` UInt64	—
`Stage7DurationUs` UInt64	—
`Stage8DurationUs` UInt64	—
`Stage9DurationUs` UInt64	—
`Stage10DurationUs` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 4,
    "version": 1,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": 4611967493404098592,
    "time_created": "2023-11-06T06:25:20.848685+00:00",
    "event_record_id": 147,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 96
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabelLength": 5,
    "VolumeLabel": "WINRE",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "Vcb": "0xffffa60dd18c01b0",
    "MountDurationUs": 32215,
    "MountDuration": "32 ms",
    "LongestStage": 5,
    "LongestStageDuration": "16 ms",
    "LongestStagePercentage": 50,
    "SecondLongestStage": 2,
    "SecondLongestStageDuration": "16 ms",
    "SecondLongestStagePercentage": 50,
    "RestartApplied": false,
    "IsBootVolume": false,
    "Stage1DurationUs": 0,
    "Stage2DurationUs": 16042,
    "Stage3DurationUs": 0,
    "Stage4DurationUs": 0,
    "Stage5DurationUs": 16172,
    "Stage6DurationUs": 0,
    "Stage7DurationUs": 0,
    "Stage8DurationUs": 0,
    "Stage9DurationUs": 0,
    "Stage10DurationUs": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 5 — NTFS KSR data retrieved successfully.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data retrieved successfully.

Message #

NTFS KSR data retrieved successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs restored: %6
           Time to restore (ms): %7

Fields #

Name	Description
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`Version` UInt16	—
`CachedRunsRestoredRunCount` UInt32	—
`CachedRunsRestoredTimeMs` UInt32	—

Event ID 6 — NTFS KSR data retrieval failed.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data retrieval failed.

Message #

NTFS KSR data retrieval failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6

Fields #

Name	Description
`Device_Name`	—
`Volume_GUID`	—
`Error`	Device Name.
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`MessageLength` UInt16	—
`Message` UnicodeString	—
`FailureStatus` HexInt32	—
`SourceTag` UInt32	—

Event ID 7 — Ntfs has detected torn write on a volume.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

Ntfs has detected torn write on a volume.

Message #

Ntfs has detected torn write on a volume.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5
           File reference: %6
           File name: %8
           Byte offset of the buffer within the file: %9
           Byte offset of the torn structure within the buffer: %10
           Block index: %11
           Expected sequence number: %12
           Actual sequence number: %13

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`BufferOffset` UInt64	—
`TornStructureOffset` UInt32	—
`BlockIndex` UInt16	—
`ExpectedSequenceNumber` UInt16	—
`ActualSequenceNumber` UInt16	—
`FrsFileReference` UInt64	—
`FrsFileNameLength` UInt32	—
`FrsFileName` UnicodeString	—
`IsChildFRS` Boolean	—

Event ID 8 — File's duplicate info has been updated during flush.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

File's duplicate info has been updated during flush.

Message #

File's duplicate info has been updated during flush.

           Volume correlation Id: %1
           Volume name: %3
           File Reference: %4
           File Name: %6
           File Link name: %8
           Parent file reference: %9
           Parent file name: %11
           Update Reason: [%12] %13

Fields #

Name	Description
`Volume_correlation_Id`	—
`Volume_name`	—
`File_Reference`	—
`File_Name`	—
`File_Link_name`	—
`Parent_file_reference`	File Name.
`Parent_file_name`	—
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`FileLinkNameLength` UInt32	—
`FileLinkName` UnicodeString	—
`ParentFileReference` UInt64	—
`ParentFileNameLength` UInt32	—
`ParentFileName` UnicodeString	—
`Reason` HexInt32	—
`ReasonText` UInt16	—

Event ID 9 — NTFS scanned entire volume bitmap.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS scanned entire volume bitmap.

Message #

NTFS scanned entire volume bitmap.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5

           Device name: %7
           Device GUID: %8
           Device manufacturer: %10
           Device model: %12
           Device revision: %14
           Device serial number: %16
           Bus type: %17

           Adapter serial number: %19

           Duration (micro seconds): %20
           InputFlags: %21
           Reason: %22
           Flags: %23

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`DurationUs` UInt32	Duration (micro seconds).
`InputFlags` HexInt32	—
`Reason` UInt32	—
`Flags` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 9,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.774221+00:00",
    "event_record_id": 149,
    "correlation": {
      "ActivityID": "405E6FE6-7C77-466B-8D93-5F354CA37E8C"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabelLength": 5,
    "VolumeLabel": "WINRE",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "DurationUs": 49,
    "InputFlags": "0x10",
    "Reason": 7,
    "Flags": "0x10"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10 — NTFS cached runs statistics.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS cached runs statistics.

Message #

NTFS cached runs statistics.

           Volume correlation Id: %1
           Volume name: %2
           Volume label: %3

           Device name: %4
           Device GUID: %5
           Device manufacturer: %6
           Device model: %7
           Device revision: %8
           Device serial number: %9
           Bus type: %10

           Adapter serial number: %11

           Media type: %12
           Runs cached: %13
           Longest run cached: %15
           Most populated bin Count: %16
           Most populated bin's minimum length: %18
           Most populated bin's maximum length: %20

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabel` UnicodeString	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorId` UnicodeString	Device manufacturer.
`ProductId` UnicodeString	Device model.
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`MediaType`	Capacity tier name.
`RunsCached`	Media type.
`LongestRunCached`	Runs cached.
`LongestRunCachedStr`	—
`MostPopulatedBinCount`	Longest run cached.
`MostPopulatedBinMinLength`	—
`MostPopulatedBinMinLengthStr`	—
`MostPopulatedBinMaxLength`	Most populated bin's minimum length.
`MostPopulatedBinMaxLengthStr`	—
`TotalCachedRuns`	Most populated bin's maximum length.
`CachedRunsLogged`	—
`CachedRunsAlignment`	—
`RunsInCachedRuns`	—
`LongestRunInCachedRuns`	—
`MostPopulatedBinCountInCachedRuns`	—
`MostPopulatedBinMinLengthInCachedRuns`	—
`MostPopulatedBinMaxLengthInCachedRuns`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.774232+00:00",
    "event_record_id": 150,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabel": "WINRE",
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorId": "VMware, ",
    "ProductId": "VMware Virtual S",
    "ProductRevision": "1.0 ",
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumber": "",
    "MediaType": 1,
    "RunsCached": 3,
    "LongestRunCached": 209448960,
    "LongestRunCachedStr": "199.75 MB",
    "MostPopulatedBinCount": 1,
    "MostPopulatedBinMinLength": 2363392,
    "MostPopulatedBinMinLengthStr": "2.26 MB",
    "MostPopulatedBinMaxLength": 2490368,
    "MostPopulatedBinMaxLengthStr": "2.38 MB",
    "TotalCachedRuns": 1,
    "CachedRunsLogged": 1,
    "CachedRunsAlignment": "1",
    "RunsInCachedRuns": "3",
    "LongestRunInCachedRuns": "209448960",
    "MostPopulatedBinCountInCachedRuns": "1",
    "MostPopulatedBinMinLengthInCachedRuns": "2363392",
    "MostPopulatedBinMaxLengthInCachedRuns": "2490368"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 11 — NTFS KSR data prepared successfully.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data prepared successfully.

Message #

NTFS KSR data prepared successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs prepared: %6
           Time to prepare (ms): %7

Fields #

Name	Description
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`Version` UInt16	—
`CachedRunsPreparedRunCount` UInt32	—
`CachedRunsPreparedTimeMs` UInt32	—

Event ID 12 — NTFS KSR data prepare failed.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data prepare failed.

Message #

NTFS KSR data prepare failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6
           Failure Status: %7           Source Tag: %8

Fields #

Name	Description
`Device_Name`	—
`Volume_GUID`	—
`Error`	Device Name.
`Failure_Status`	Volume GUID.
`Source_Tag`	—
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`MessageLength` UInt16	—
`Message` UnicodeString	—
`FailureStatus` HexInt32	—
`SourceTag` UInt32	—

Event ID 13 — NTFS KSR data filled successfully.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data filled successfully.

Message #

NTFS KSR data filled successfully.

           Volume GUID: %4
           Device Name: %3

           NTFS KSR version: %5
           Number of runs filled: %6
           Time to fill (ms): %7

Fields #

Name	Description
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`Version` UInt16	—
`CachedRunsFilledRunCount` UInt32	—
`CachedRunsFilledTimeMs` UInt32	—

Event ID 14 — NTFS KSR data fill failed.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: KSR

Description

NTFS KSR data fill failed.

Message #

NTFS KSR data fill failed.

           Volume GUID: %4
           Device Name: %3
           Error: %6
           Failure Status: %7           Source Tag: %8

Fields #

Name	Description
`Device_Name`	—
`Volume_GUID`	—
`Error`	Device Name.
`Failure_Status`	Volume GUID.
`Source_Tag`	—
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`MessageLength` UInt16	—
`Message` UnicodeString	—
`FailureStatus` HexInt32	—
`SourceTag` UInt32	—

Event ID 98 — Volume DriveName (DeviceName) CorruptionActionState.

Provider: Microsoft-Windows-Ntfs
Channel: System
Level: Informational
Opcode: Info

Description

Volume DriveName (DeviceName) CorruptionActionState.

Message #

Volume %1 (%2) %3

Fields #

Name	Description
`DriveName` UnicodeString	—
`DeviceName` UnicodeString	—
`CorruptionActionState` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 98,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775810,
    "time_created": "2023-11-06T06:25:20.848748+00:00",
    "event_record_id": 1651,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 96
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DriveName": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "DeviceName": "\\Device\\HarddiskVolume1",
    "CorruptionActionState": 0
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Volume Shadow Copy Mount source low: Detects volume shadow copy mount via Windows event log

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 100 — NTFS global corruption action state is now hc_stateid.

Provider: Microsoft-Windows-Ntfs
Channel: WHC
Level: Informational
Opcode: Info

Description

NTFS global corruption action state is now hc_stateid.

Message #

NTFS global corruption action state is now %1.

Fields #

Name	Description
`hc_stateid` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693953,
    "time_created": "2023-11-06T06:25:12.106652+00:00",
    "event_record_id": 11,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8
    },
    "channel": "Microsoft-Windows-Ntfs/WHC",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "hc_stateid": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 139 — The file system structure that maintains security information on volume DriveName (DeviceName) has grown excessively large and fragmented.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Message #

The file system structure that maintains security information on volume %1 (%2) has grown excessively large and fragmented.  The structure has reached %3%% of its maximum fragmentation limit.  If the structure continues to grow and reaches this limit, it may not be possible to create new files on this volume.  It is strongly recommended that the volume be taken offline for preventative maintenance.

Fields #

Name	Description
`DriveName` UnicodeString	—
`DeviceName` UnicodeString	—
`FragmentationLevel` UInt16	—

Event ID 140 — The system failed to flush data to the transaction log.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

The system failed to flush data to the transaction log. Corruption may occur in VolumeId: VolumeId, DeviceName: DeviceName.

Message #

The system failed to flush data to the transaction log. Corruption may occur in VolumeId: %2, DeviceName: %4.

           Failure status: %5

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

Fields #

Name	Description
`VolumeIdLength` UInt32	—
`VolumeId` UnicodeString	—
`DeviceNameLength` UInt32	—
`DeviceName` UnicodeString	The system failed to flush data to the transaction log. Corruption may occur in VolumeId.
`Error` HexInt32	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—

Event ID 141 — An operation failed because the disk was full.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

An operation failed because the disk was full.

Message #

An operation failed because the disk was full.

           Process: %5
           Free space in bytes: %7
           Total reserved space in bytes: %8
           Txf TotalAbortReservation space in bytes: %9
           Requested space in bytes: %10
           Page file size in bytes: %11
           Volume guid: %1
           Volume name: %3
           Is boot volume: %6
           Source Tag: %12

Your disk '%3' is full. Use disk cleanup to free up disk space by deleting unnecessary files. If this is a thinly provisioned volume the physical storage backing this volume may have been exhausted.

Fields #

Name	Description
`VolumeGuid` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`ProcessNameLength` UInt32	—
`ProcessName` UnicodeString	—
`IsBootVolume` Boolean	—
`FreeSpaceInBytes` UInt64	—
`TotalReservedSpaceInBytes` UInt64	—
`TotalAbortReservationSpaceInBytes` UInt64	—
`RequestedSpaceInBytes` UInt64	—
`PageFileSize` UInt64	—
`SourceTag` HexInt64	—

Event ID 142 — Summary of disk space usage, since last event.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

Summary of disk space usage, since last event.

Message #

Summary of disk space usage, since last event:

           Lowest free space in bytes: %4
           Highest free space in bytes: %5
           Page file size in bytes: 0
           Volume guid: %1
           Volume name: %3
           Is boot volume: %6

Fields #

Name	Description
`VolumeGuid` GUID	[Summary of disk space usage, since last event] Volume guid.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	[Summary of disk space usage, since last event] Volume name.
`IsBootVolume` Boolean	[Summary of disk space usage, since last event] Is boot volume.
`ElapsedSeconds` UInt64	[Summary of disk space usage, since last event] Elapsed seconds.
`AvailabeSpaceMinStr` UnicodeString	—
`AvailabeSpaceMaxStr` UnicodeString	—
`AvailabeSpaceDeltaStr` UnicodeString	[Summary of disk space usage, since last event] Change in available space.
`AvailableClustersMin` UInt64	[Summary of disk space usage, since last event] Available clusters were between.
`AvailableClustersMax` UInt64	—
`UnallocatedClustersMin` UInt64	—
`UnallocatedClustersMax` UInt64	—
`ReservedClustersMin` UInt64	[Summary of disk space usage, since last event] Reserved clusters were between.
`ReservedClustersMax` UInt64	—
`TxfAbortReservedClustersMin` UInt64	[Summary of disk space usage, since last event] Txf abort reserved clusters were between.
`TxfAbortReservedClustersMax` UInt64	—
`PageFileSizeInBytes` UInt64	—
`PageFileSizeStr` UnicodeString	[Summary of disk space usage, since last event] Pagefile size.
`VolumeSizeInBytes` UInt64	—
`VolumeSizeStr` UnicodeString	[Summary of disk space usage, since last event] Volume size.
`ClusterSize` UInt64	[Summary of disk space usage, since last event] Bytes per cluster.
`CachedRunsMissCountForMft` UInt32	—
`CachedRunsMissCountForMftZone` UInt32	[Summary of disk space usage, since last event] Slab size.
`CachedRunsMissCount` UInt32	[Summary of disk space usage, since last event] Slabs in use.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 142,
    "version": 3,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.734659+00:00",
    "event_record_id": 148,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeGuid": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeNameLength": 48,
    "VolumeName": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "IsBootVolume": false,
    "ElapsedSeconds": 0,
    "AvailabeSpaceMinStr": "287.18 MB",
    "AvailabeSpaceMaxStr": "291.18 MB",
    "AvailabeSpaceDeltaStr": "4 MB",
    "AvailableClustersMin": 73518,
    "AvailableClustersMax": 74542,
    "UnallocatedClustersMin": 74542,
    "UnallocatedClustersMax": 74542,
    "ReservedClustersMin": 0,
    "ReservedClustersMax": 0,
    "TxfAbortReservedClustersMin": 1024,
    "TxfAbortReservedClustersMax": 1024,
    "PageFileSizeInBytes": 0,
    "PageFileSizeStr": "0 Bytes",
    "VolumeSizeInBytes": 314568704,
    "VolumeSizeStr": "300 MB",
    "ClusterSize": 4096,
    "CachedRunsMissCountForMft": 0,
    "CachedRunsMissCountForMftZone": 0,
    "CachedRunsMissCount": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 143 — Surprise removal of a persistent memory device with active DAX mappings.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

Surprise removal of a persistent memory device with active DAX mappings. This might lead to data corruption.

Message #

Surprise removal of a persistent memory device with active DAX mappings. This might lead to data corruption.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8

Guidance:
A reboot is required to clean up the DAX mappings.

Fields #

Name	Description
`Volume_GUID`	—
`Volume_Name`	—
`Volume_Label`	—
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—

Event ID 144 — A volume that already has DAX mappings is being mounted.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

A volume that already has DAX mappings is being mounted. This generally occurs after surprise removal. This might lead to data corruption.

Message #

A volume that already has DAX mappings is being mounted. This generally occurs after surprise removal. This might lead to data corruption.

           Volume GUID: %4
           Volume Name: %6

Guidance:
A reboot is required to clean up the DAX mappings.

Fields #

Name	Description
`Volume_GUID`	—
`Volume_Name`	—
`Vcb` Pointer	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`VolumeGuid` GUID	—
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	—

Event ID 145 — IO latency summary common data for volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

IO latency summary common data for volume.

Message #

IO latency summary common data for volume:

           Volume Id: %2
           Volume name: %4
           Is boot volume: %5

           Device GUID: %7
           Device manufacturer: %9
           Device model: %11
           Device revision: %13
           Device serial number: %15
           Bus type: %16

           Adapter serial number: %18

           Max Acceptable IO Latency: %19 ms

           Read/Write latency buckets (ns): [%20, %21, %22, %23, %24, %25, %26]
           Trim latency buckets (ns): [%27, %28, %29, %30, %31, %32, %33]
           Flush latency buckets (ns): [%34, %35, %36, %37, %38, %39, %40]

Fields #

Name	Description
`Version` UInt32	—
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`TierIndex` UInt32	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`MaxLatencyMs` UInt64	—
`ReadWriteLatencyBucket1` Int64	—
`ReadWriteLatencyBucket2` Int64	—
`ReadWriteLatencyBucket3` Int64	—
`ReadWriteLatencyBucket4` Int64	—
`ReadWriteLatencyBucket5` Int64	—
`ReadWriteLatencyBucket6` Int64	—
`ReadWriteLatencyBucket7` Int64	—
`TrimLatencyBucket1` Int64	—
`TrimLatencyBucket2` Int64	—
`TrimLatencyBucket3` Int64	—
`TrimLatencyBucket4` Int64	—
`TrimLatencyBucket5` Int64	—
`TrimLatencyBucket6` Int64	—
`TrimLatencyBucket7` Int64	—
`FlushLatencyBucket1` Int64	—
`FlushLatencyBucket2` Int64	—
`FlushLatencyBucket3` Int64	—
`FlushLatencyBucket4` Int64	—
`FlushLatencyBucket5` Int64	—
`FlushLatencyBucket6` Int64	—
`FlushLatencyBucket7` Int64	—

Event ID 146 — IO latency summary.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

IO latency summary.

Message #

IO latency summary:

           Volume Id: %2
           Volume name: %4
           Is boot volume: %5

           Device GUID: %7
           Device manufacturer: %9
           Device model: %11
           Device revision: %13
           Device serial number: %15
           Bus type: %16

           Adapter serial number: %18

           Max Acceptable IO Latency: %19 ms

           Read/Write latency buckets (ns): [%20, %21, %22, %23, %24, %25, %26]
           Trim latency buckets (ns): [%27, %28, %29, %30, %31, %32, %33]
           Flush latency buckets (ns): [%34, %35, %36, %37, %38, %39, %40]

           Interval duration: %42 us

           Non-cached reads:
                     IO count: %43
                     Total bytes: %44
                     Avg latency: %45 ns

           Non-cached writes:
                     IO count: %46
                     Total bytes: %47
                     Avg latency: %48 ns

           File flushes:
                     IO count: %49
                     Avg latency: %50 ns

           Directory flushes:
                     IO count: %51
                     Avg latency: %52 ns

           Volume flushes:
                     IO count: %53
                     Avg latency: %54 ns

           File level trims:
                     IO count: %55
                     Total bytes: %56
                     Extents count: %57
                     Avg latency: %58 ns

           Volume trims:
                     IO count: %59
                     Total bytes: %60
                     Extents count: %61
                     Avg latency: %62 ns

           VCB exclusive resource acquires:
                     Acquire count: %71
                     Max wait duration: %72 ms
                     Avg wait duration: %73 ms
                     Max hold duration: %74 ms
                     Avg hold duration: %75 ms
                     Max combined duration: %76 ms
                     Avg combined duration: %77 ms

           For more details see the details tab.

Fields #

Name	Description
`Version` UInt32	—
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`TierIndex` UInt32	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`MaxLatencyMs` UInt64	—
`ReadWriteLatencyBucket1` Int64	—
`ReadWriteLatencyBucket2` Int64	—
`ReadWriteLatencyBucket3` Int64	—
`ReadWriteLatencyBucket4` Int64	—
`ReadWriteLatencyBucket5` Int64	—
`ReadWriteLatencyBucket6` Int64	—
`ReadWriteLatencyBucket7` Int64	—
`TrimLatencyBucket1` Int64	—
`TrimLatencyBucket2` Int64	—
`TrimLatencyBucket3` Int64	—
`TrimLatencyBucket4` Int64	—
`TrimLatencyBucket5` Int64	—
`TrimLatencyBucket6` Int64	—
`TrimLatencyBucket7` Int64	—
`FlushLatencyBucket1` Int64	—
`FlushLatencyBucket2` Int64	—
`FlushLatencyBucket3` Int64	—
`FlushLatencyBucket4` Int64	—
`FlushLatencyBucket5` Int64	—
`FlushLatencyBucket6` Int64	—
`FlushLatencyBucket7` Int64	—
`HighIoLatencyCount` UInt32	—
`IntervalDurationUs` Int64	—
`NCReadIOCount` UInt64	—
`NCReadTotalBytes` UInt64	—
`NCReadAvgLatencyNs` UInt64	—
`NCWriteIOCount` UInt64	—
`NCWriteTotalBytes` UInt64	—
`NCWriteAvgLatencyNs` UInt64	—
`FileFlushCount` UInt64	—
`FileFlushAvgLatencyNs` UInt64	—
`DirectoryFlushCount` UInt64	—
`DirectoryFlushAvgLatencyNs` UInt64	—
`VolumeFlushCount` UInt64	—
`VolumeFlushAvgLatencyNs` UInt64	—
`FileLevelTrimCount` UInt64	—
`FileLevelTrimTotalBytes` UInt64	—
`FileLevelTrimExtentsCount` UInt64	—
`FileLevelTrimAvgLatencyNs` UInt64	—
`VolumeTrimCount` UInt64	—
`VolumeTrimTotalBytes` UInt64	—
`VolumeTrimExtentsCount` UInt64	—
`VolumeTrimAvgLatencyNs` UInt64	—
`IoBucketsCount` UInt8	—
`TotalBytesBucketsCount` UInt8	—
`ExtentsBucketsCount` UInt8	—
`IoCount` UInt64	—
`TotalLatencyUs` UInt64	—
`TotalBytes` UInt64	—
`TrimExtentsCount` UInt64	—
`IoTypeIndex` UInt16	—
`VcbExAcquireCount` UInt32	—
`VcbExMaxWaitDurationMs` UInt64	—
`VcbExAvgWaitDurationMs` UInt64	—
`VcbExMaxHoldDurationMs` UInt64	—
`VcbExAvgHoldDurationMs` UInt64	—
`VcbExMaxCombinedDurationMs` UInt64	—
`VcbExAvgCombinedDurationMs` UInt64	—

Event ID 147 — An IO took more than MaxLatencyMs ms to complete.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Warning
Opcode: Info

Description

An IO took more than MaxLatencyMs ms to complete.

Message #

An IO took more than %5 ms to complete:

           Process Id: %6
           Process name: %7
           File name: %9
           File offset: %12
           IO Type: %10
           IO Size: %11 bytes
           %15 cluster(s) starting at cluster %14
           Latency: %13 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %16
           Device manufacturer: %18
           Device model: %20
           Device revision: %22
           Device serial number: %24
           Bus type: %25

           Adapter serial number: %27

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`MaxLatencyMs` UInt64	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`FileIdHigh` HexInt64	—
`FileIdLow` HexInt64	—
`IoType` UInt16	—
`IoTypeStr` UnicodeString	IO Type.
`IoSize`	Latency.
`FileOffset`	Device GUID.
`LatencyMs` UInt64	—
`StartingLcn`	Device manufacturer.
`ClustersCount`	—
`DeviceGuid` GUID	Device model.
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device revision.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device serial number.
`ProductRevisionLength` UInt32	Bus type.
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	Adapter serial number.
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 147,
    "version": 4,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:29:13.914837+00:00",
    "event_record_id": 229,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 17620
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "MaxLatencyMs": 30000,
    "ProcessId": 18984,
    "ProcessName": "MBAMService.ex",
    "FileNameLength": 74,
    "FileName": "\\ProgramData\\Malwarebytes\\MBAMService\\tmp\\cde8f2247c4311ee8e26000c293379ba",
    "FileIdHigh": "0x0",
    "FileIdLow": "0x200000004f2d1",
    "IoType": 5,
    "IoTypeStr": "Write: NonPaging, Cached, Sync",
    "IoSize": 23213552,
    "FileOffset": 0,
    "LatencyMs": 38428,
    "StartingLcn": 15120321,
    "ClustersCount": 5668,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 148 — A FileIdHigh failed with StartingLcn.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

A FileIdHigh failed with StartingLcn.

Message #

A %9 failed with %14.
This may indicate a failing disk.

           Process Id: %5
           Process name: %6
           File name: %8
           IO Size: %10 bytes
           File offset: %11
           %13 cluster(s) starting at cluster %12
           Latency: %15 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %16
           Device manufacturer: %18
           Device model: %20
           Device revision: %22
           Device serial number: %24
           Bus type: %25

           Adapter serial number: %27

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`FileIdHigh` HexInt64	—
`FileIdLow` HexInt64	—
`IoType` UInt32	—
`IoSize` UInt32	—
`FileOffset` UInt64	—
`StartingLcn` UInt64	—
`ClustersCount` UInt32	—
`FailureStatus` HexInt32	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—

Event ID 149 — In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Warning
Opcode: Info

Description

In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.

Message #

In the past %17 seconds we had high latency IOs and/or IO failures.

           High latency IO count: %18
           Failed writes: %19
           Failed reads: %20
           Bad clusters relocated: %21

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14

           Adapter serial number: %16

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`SecondsElapsed` UInt32	—
`HighLatencyCount` UInt32	High latency IO count.
`FailedWriteCount` UInt32	Failed writes.
`FailedReadCount` UInt32	Failed reads.
`BadClusterHotfixCount` UInt32	Bad clusters relocated.
`ValuesCount` UInt32	—
`HighLatencyArray` UInt32	—
`FailedWriteArray` UInt32	—
`FailedReadArray` UInt32	—
`BadClusterHotfixArray` UInt32	—
`StatusArray` HexInt32	—
`TableIndexArray` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 149,
    "version": 2,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:32:12.814212+00:00",
    "event_record_id": 249,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "SecondsElapsed": 3602,
    "HighLatencyCount": 4,
    "FailedWriteCount": 0,
    "FailedReadCount": 0,
    "BadClusterHotfixCount": 0,
    "ValuesCount": 3,
    "HighLatencyArray": 1,
    "FailedWriteArray": 0,
    "FailedReadArray": 0,
    "BadClusterHotfixArray": 0,
    "StatusArray": "0x0",
    "TableIndexArray": 3
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 150 — An IO failed with FailureStatus and NTFS has relocated the clusters.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

An IO failed with FailureStatus and NTFS has relocated the clusters. The original clusters are now marked as bad and they will not be reused.

Message #

An IO failed with %12 and NTFS has relocated the clusters. The original clusters are now marked as bad and they will not be reused.
This may indicate a failing disk.

           Process Id: %5
           Process name: %6
           File name: %8
           File offset: %9
           %11 cluster(s) were marked as bad starting at cluster %10

           Volume guid: %1
           Volume name: %3
           Is boot volume: %4

Fields #

Name	Description
`VolumeGuid` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`BadFileOffset` UInt64	—
`BadLcn` UInt64	—
`ClustersCount` UInt32	—
`FailureStatus` HexInt32	—

Event ID 151 — In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from the user's popular known folders.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from the user's popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.).

Message #

In the past %5 seconds %6 files were deleted from the user's popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.).
%7 of the deletions recorded their process names.

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Process names: [%8]
           Delete counts: 
             Desktop: [%9]
             Documents: [%10]
             Downloads: [%11]
             Music: [%12]
             Pictures: [%13]
             Videos: [%14]
             Other: [%15]

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`SecondsElapsed` UInt32	—
`TotalCountDeleteFile` UInt32	—
`TotalCountDeleteFileLogged` UInt32	—
`ProcessNamesArray` AnsiString	—
`CountDeletesInDesktopArray` AnsiString	—
`CountDeletesInDocumentsArray` AnsiString	—
`CountDeletesInDownloadsArray` AnsiString	—
`CountDeletesInMusicArray` AnsiString	—
`CountDeletesInPicturesArray` AnsiString	—
`CountDeletesInVideosArray` AnsiString	—
`CountDeletesInOtherArray` AnsiString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 151,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2026-03-13T17:16:12.046261+00:00",
    "event_record_id": 5903,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8128
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "77AC4D73-0000-0000-0000-100000000000",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "SecondsElapsed": 3601,
    "TotalCountDeleteFile": 2,
    "TotalCountDeleteFileLogged": 2,
    "ProcessNamesArray": "powershell_ise",
    "CountDeletesInDesktopArray": "0",
    "CountDeletesInDocumentsArray": "2",
    "CountDeletesInDownloadsArray": "0",
    "CountDeletesInMusicArray": "0",
    "CountDeletesInPicturesArray": "0",
    "CountDeletesInVideosArray": "0",
    "CountDeletesInOtherArray": "0"
  },
  "message": ""
}

Event ID 152 — A process has not acknowledged an NTFS oplock break in a long time.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

A process has not acknowledged an NTFS oplock break in a long time.

Message #

A process has not acknowledged an NTFS oplock break in a long time.

           Time (seconds): %1
           Owner Process: %2
           Breaking Process: %3

Fields #

Name	Description
`Time_seconds`	Time (seconds).
`Owner_Process`	—
`Breaking_Process`	—
`TimeoutSeconds` UInt32	—
`OwnerProcessNameLength` UInt32	—
`OwnerProcessName` UnicodeString	—
`BreakingProcessNameLength` UInt32	—
`BreakingProcessName` UnicodeString	—

Event ID 154 — System file pages are now locked into memory.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

System file pages are now locked into memory.

Message #

System file pages are now locked into memory.

                    Volume Id: %1
                    Volume name: %3

                    File reference: %4
                    File name: %6

Fields #

Name	Description
`Volume_Id`	—
`Volume_name`	—
`File_reference`	—
`File_name`	—
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 155 — System file pages are no longer locked into memory.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

System file pages are no longer locked into memory.

Message #

System file pages are no longer locked into memory.

                    Volume Id: %1
                    Volume name: %3

                    File reference: %4
                    File name: %6

                    Reason: %7

Fields #

Name	Description
`Volume_Id`	—
`Volume_name`	—
`File_reference`	—
`File_name`	—
`Reason`	—
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`UnlockReason` UInt32	—

Event ID 156 — VCB exclusive resource acquires.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

VCB exclusive resource acquires.

Message #

VCB exclusive resource acquires:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Interval duration: %18

           Acquire count: %19
           Max wait duration: %20 ms
           Avg wait duration: %21 ms
           Max hold duration: %22 ms
           Avg hold duration: %23 ms
           Max combined duration: %24 ms
           Avg combined duration: %25 ms

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14
           
           Adapter serial number: %16
           
           For more details see the details tab.

Fields #

Name	Description
`VolumeCorrelationId` GUID	[VCB exclusive resource acquires] Volume Id.
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	[VCB exclusive resource acquires] Volume name.
`IsBootVolume` Boolean	[VCB exclusive resource acquires] Is boot volume.
`DeviceGuid` GUID	[VCB exclusive resource acquires] Device GUID.
`VendorIdLength` UInt16	—
`VendorId` UnicodeString	[VCB exclusive resource acquires] Device manufacturer.
`ProductIdLength` UInt16	—
`ProductId` UnicodeString	[VCB exclusive resource acquires] Device model.
`ProductRevisionLength` UInt16	—
`ProductRevision` UnicodeString	[VCB exclusive resource acquires] Device revision.
`DeviceSerialNumberLength` UInt16	—
`DeviceSerialNumber` UnicodeString	[VCB exclusive resource acquires] Device serial number.
`BusType` UInt32	[VCB exclusive resource acquires] Bus type.
`AdapterSerialNumberLength` UInt16	—
`AdapterSerialNumber` UnicodeString	[VCB exclusive resource acquires] Adapter serial number.
`IntervalDurationMs` UInt64	—
`IntervalDurationStr` UnicodeString	[VCB exclusive resource acquires] Interval duration.
`VcbExAcquireCount` UInt32	[VCB exclusive resource acquires] Acquire count.
`VcbExMaxWaitDurationMs` UInt64	[VCB exclusive resource acquires] Max wait duration.
`VcbExAvgWaitDurationMs` UInt64	[VCB exclusive resource acquires] Avg wait duration.
`VcbExMaxHoldDurationMs` UInt64	[VCB exclusive resource acquires] Max hold duration.
`VcbExAvgHoldDurationMs` UInt64	[VCB exclusive resource acquires] Avg hold duration.
`VcbExMaxCombinedDurationMs` UInt64	[VCB exclusive resource acquires] Max combined duration.
`VcbExAvgCombinedDurationMs` UInt64	[VCB exclusive resource acquires] Avg combined duration.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 156,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T01:32:12.811781+00:00",
    "event_record_id": 230,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "IntervalDurationMs": 3602451,
    "IntervalDurationStr": "3602 s",
    "VcbExAcquireCount": 171,
    "VcbExMaxWaitDurationMs": 15210,
    "VcbExAvgWaitDurationMs": 90,
    "VcbExMaxHoldDurationMs": 18627,
    "VcbExAvgHoldDurationMs": 237,
    "VcbExMaxCombinedDurationMs": 18627,
    "VcbExAvgCombinedDurationMs": 327
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 157 — An exclusive resource duration exceeded MaxDurationMs ms.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

An exclusive resource duration exceeded MaxDurationMs ms.

Message #

An exclusive resource duration exceeded %5 ms:

           Process Id: %6
           Process name: %7
           Major function: %8
           Minor function: %9
           Control code: %10
           Resource name: %11
           Wait duration: %12 ms
           Hold duration: %13 ms
           Combined duration: %14 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %15
           Device manufacturer: %17
           Device model: %19
           Device revision: %21
           Device serial number: %23
           Bus type: %24

           Adapter serial number: %26

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`MaxDurationMs` UInt64	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`MajorFunction` UInt8	—
`MinorFunction` UInt8	—
`ControlCode` UInt32	—
`ResourceName` UInt32	—
`WaitDurationMs` UInt64	—
`HoldDurationMs` UInt64	—
`CombinedDurationMs` UInt64	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—

Event ID 158 — NTFS metadata statistics for volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS metadata statistics for volume.

Message #

NTFS metadata statistics for volume:

           Volume Id: %1
           Volume name: %3

           UserFileReads: %4
           UserFileReadBytes: %5
           UserDiskReads: %6
           UserFileWrites: %7
           UserFileWriteBytes: %8
           UserDiskWrites: %9

           MetaDataReads: %10
           MetaDataReadBytes: %11
           MetaDataDiskReads: %12
           MetaDataWrites: %13
           MetaDataWriteBytes: %14
           MetaDataDiskWrites: %15

           MftReads: %16
           MftReadBytes: %17
           MftWrites: %18
           MftWriteBytes: %19
           Mft2Writes: %20
           Mft2WriteBytes: %21
           RootIndexReads: %22
           RootIndexReadBytes: %23
           RootIndexWrites: %24
           RootIndexWriteBytes: %25
           BitmapReads: %26
           BitmapReadBytes: %27
           BitmapWrites: %28
           BitmapWriteBytes: %29
           MftBitmapReads: %30
           MftBitmapReadBytes: %31
           MftBitmapWrites: %32
           MftBitmapWriteBytes: %33
           UserIndexReads: %34
           UserIndexReadBytes: %35
           UserIndexWrites: %36
           UserIndexWriteBytes: %37
           LogFileReads: %38
           LogFileReadBytes: %39
           LogFileWrites: %40
           LogFileWriteBytes: %41
           LogFileFull: %42
           LogFileFullReasons:
                     LF_LOG_SPACE: %43
                     LF_DIRTY_PAGES: %44
                     LF_OPEN_ATTRIBUTES: %45
                     LF_TRANSACTION_DRAIN: %46
                     LF_FASTIO_CALLBACK: %47
                     LF_DEALLOCATED_CLUSTERS: %48
                     LF_DEALLOCATED_CLUSTERS_MEM: %49
                     LF_RECORD_STACK_CHECK: %50
                     LF_DISMOUNT: %51
                     LF_COMPRESSION: %52
                     LF_SNAPSHOT: %53
                     LF_MOUNT: %54
                     LF_SHUTDOWN: %55
                     LF_RECURSIVE_COMPRESSION: %56
                     LF_TESTING: %57

           DiskResourceFailure: %58
           VolumeTrimCount: %59
                     VolumeTrimTime (ms): %60
                     VolumeTrimSize (KB): %61
                     AvgVolumeTrimTime (ms): %62
                     AvgVolumeTrimSize (KB): %63
           VolumeTrimSkippedCount: %64
                     VolumeTrimSkippedSize (KB): %65
           FileLevelTrimCount: %66
                     FileLevelTrimTime (ms): %67
                     FileLevelTrimSize (KB): %68
                     AvgFileLevelTrimTime (ms): %69
                     AvgFileLevelTrimSize (KB): %70
           NtfsFillStatInfoFromMftRecordCalledCount: %71
           NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount: %72
           NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount: %73

Fields #

Name	Description
`VolumeCorrelationId` GUID	[NTFS metadata statistics for volume] Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	[NTFS metadata statistics for volume] Volume name.
`UserFileReads` UInt64	[NTFS metadata statistics for volume] UserFileReads.
`UserFileReadBytes` UInt64	[NTFS metadata statistics for volume] UserFileReadBytes.
`UserDiskReads` UInt64	[NTFS metadata statistics for volume] UserDiskReads.
`UserFileWrites` UInt64	[NTFS metadata statistics for volume] UserFileWrites.
`UserFileWriteBytes` UInt64	[NTFS metadata statistics for volume] UserFileWriteBytes.
`UserDiskWrites` UInt64	[NTFS metadata statistics for volume] UserDiskWrites.
`MetaDataReads` UInt64	[NTFS metadata statistics for volume] MetaDataReads.
`MetaDataReadBytes` UInt64	[NTFS metadata statistics for volume] MetaDataReadBytes.
`MetaDataDiskReads` UInt64	[NTFS metadata statistics for volume] MetaDataDiskReads.
`MetaDataWrites` UInt64	[NTFS metadata statistics for volume] MetaDataWrites.
`MetaDataWriteBytes` UInt64	[NTFS metadata statistics for volume] MetaDataWriteBytes.
`MetaDataDiskWrites` UInt64	[NTFS metadata statistics for volume] MetaDataDiskWrites.
`MftReads` UInt64	[NTFS metadata statistics for volume] MftReads.
`MftReadBytes` UInt64	[NTFS metadata statistics for volume] MftReadBytes.
`MftWrites` UInt64	[NTFS metadata statistics for volume] MftWrites.
`MftWriteBytes` UInt64	[NTFS metadata statistics for volume] MftWriteBytes.
`Mft2Writes` UInt64	[NTFS metadata statistics for volume] Mft2Writes.
`Mft2WriteBytes` UInt64	[NTFS metadata statistics for volume] Mft2WriteBytes.
`RootIndexReads` UInt64	[NTFS metadata statistics for volume] RootIndexReads.
`RootIndexReadBytes` UInt64	[NTFS metadata statistics for volume] RootIndexReadBytes.
`RootIndexWrites` UInt64	[NTFS metadata statistics for volume] RootIndexWrites.
`RootIndexWriteBytes` UInt64	[NTFS metadata statistics for volume] RootIndexWriteBytes.
`BitmapReads` UInt64	[NTFS metadata statistics for volume] BitmapReads.
`BitmapReadBytes` UInt64	[NTFS metadata statistics for volume] BitmapReadBytes.
`BitmapWrites` UInt64	[NTFS metadata statistics for volume] BitmapWrites.
`BitmapWriteBytes` UInt64	[NTFS metadata statistics for volume] BitmapWriteBytes.
`MftBitmapReads` UInt64	[NTFS metadata statistics for volume] MftBitmapReads.
`MftBitmapReadBytes` UInt64	[NTFS metadata statistics for volume] MftBitmapReadBytes.
`MftBitmapWrites` UInt64	[NTFS metadata statistics for volume] MftBitmapWrites.
`MftBitmapWriteBytes` UInt64	[NTFS metadata statistics for volume] MftBitmapWriteBytes.
`UserIndexReads` UInt64	[NTFS metadata statistics for volume] UserIndexReads.
`UserIndexReadBytes` UInt64	[NTFS metadata statistics for volume] UserIndexReadBytes.
`UserIndexWrites` UInt64	[NTFS metadata statistics for volume] UserIndexWrites.
`UserIndexWriteBytes` UInt64	[NTFS metadata statistics for volume] UserIndexWriteBytes.
`LogFileReads` UInt64	[NTFS metadata statistics for volume] LogFileReads.
`LogFileReadBytes` UInt64	[NTFS metadata statistics for volume] LogFileReadBytes.
`LogFileWrites` UInt64	[NTFS metadata statistics for volume] LogFileWrites.
`LogFileWriteBytes` UInt64	[NTFS metadata statistics for volume] LogFileWriteBytes.
`LogFileFull` UInt64	[NTFS metadata statistics for volume] LogFileFull.
`LogFileFullReasonBucket1` UInt64	[LogFileFullReasons] LF_LOG_SPACE.
`LogFileFullReasonBucket2` UInt64	[LogFileFullReasons] LF_DIRTY_PAGES.
`LogFileFullReasonBucket3` UInt64	[LogFileFullReasons] LF_OPEN_ATTRIBUTES.
`LogFileFullReasonBucket4` UInt64	[LogFileFullReasons] LF_TRANSACTION_DRAIN.
`LogFileFullReasonBucket5` UInt64	[LogFileFullReasons] LF_FASTIO_CALLBACK.
`LogFileFullReasonBucket6` UInt64	[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS.
`LogFileFullReasonBucket7` UInt64	[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS_MEM.
`LogFileFullReasonBucket8` UInt64	[LogFileFullReasons] LF_RECORD_STACK_CHECK.
`LogFileFullReasonBucket9` UInt64	[LogFileFullReasons] LF_DISMOUNT.
`LogFileFullReasonBucket10` UInt64	[LogFileFullReasons] LF_COMPRESSION.
`LogFileFullReasonBucket11` UInt64	[LogFileFullReasons] LF_SNAPSHOT.
`LogFileFullReasonBucket12` UInt64	[LogFileFullReasons] LF_MOUNT.
`LogFileFullReasonBucket13` UInt64	[LogFileFullReasons] LF_SHUTDOWN.
`LogFileFullReasonBucket14` UInt64	[LogFileFullReasons] LF_RECURSIVE_COMPRESSION.
`LogFileFullReasonBucket15` UInt64	[LogFileFullReasons] LF_TESTING.
`DiskResourceFailure` UInt64	[LogFileFullReasons] DiskResourceFailure.
`VolumeTrimCount` UInt64	—
`VolumeTrimTime` UInt64	[LogFileFullReasons] VolumeTrimTime (ms).
`VolumeTrimSize` UInt64	[LogFileFullReasons] VolumeTrimSize (KB).
`AvgVolumeTrimTime` UInt64	[LogFileFullReasons] AvgVolumeTrimTime (ms).
`AvgVolumeTrimSize` UInt64	[LogFileFullReasons] AvgVolumeTrimSize (KB).
`VolumeTrimSkippedCount` UInt64	[LogFileFullReasons] VolumeTrimSkippedCount.
`VolumeTrimSkippedSize` UInt64	[LogFileFullReasons] VolumeTrimSkippedSize (KB).
`FileLevelTrimCount` UInt64	[LogFileFullReasons] FileLevelTrimCount.
`FileLevelTrimTime` UInt64	[LogFileFullReasons] FileLevelTrimTime (ms).
`FileLevelTrimSize` UInt64	[LogFileFullReasons] FileLevelTrimSize (KB).
`AvgFileLevelTrimTime` UInt64	[LogFileFullReasons] AvgFileLevelTrimTime (ms).
`AvgFileLevelTrimSize` UInt64	[LogFileFullReasons] AvgFileLevelTrimSize (KB).
`NtfsFillStatInfoFromMftRecordCalledCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordCalledCount.
`NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount.
`NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 158,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-05T22:47:04.964890+00:00",
    "event_record_id": 183,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeNameLength": 48,
    "VolumeName": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "UserFileReads": 5,
    "UserFileReadBytes": 20480,
    "UserDiskReads": 5,
    "UserFileWrites": 0,
    "UserFileWriteBytes": 0,
    "UserDiskWrites": 0,
    "MetaDataReads": 12,
    "MetaDataReadBytes": 217088,
    "MetaDataDiskReads": 14,
    "MetaDataWrites": 1,
    "MetaDataWriteBytes": 8192,
    "MetaDataDiskWrites": 2,
    "MftReads": 6,
    "MftReadBytes": 53248,
    "MftWrites": 1,
    "MftWriteBytes": 8192,
    "Mft2Writes": 0,
    "Mft2WriteBytes": 0,
    "RootIndexReads": 0,
    "RootIndexReadBytes": 0,
    "RootIndexWrites": 0,
    "RootIndexWriteBytes": 0,
    "BitmapReads": 1,
    "BitmapReadBytes": 12288,
    "BitmapWrites": 0,
    "BitmapWriteBytes": 0,
    "MftBitmapReads": 1,
    "MftBitmapReadBytes": 8192,
    "MftBitmapWrites": 0,
    "MftBitmapWriteBytes": 0,
    "UserIndexReads": 1,
    "UserIndexReadBytes": 4096,
    "UserIndexWrites": 1,
    "UserIndexWriteBytes": 4096,
    "LogFileReads": 8,
    "LogFileReadBytes": 32768,
    "LogFileWrites": 16,
    "LogFileWriteBytes": 65536,
    "LogFileFull": 0,
    "LogFileFullReasonBucket1": 0,
    "LogFileFullReasonBucket2": 0,
    "LogFileFullReasonBucket3": 0,
    "LogFileFullReasonBucket4": 0,
    "LogFileFullReasonBucket5": 0,
    "LogFileFullReasonBucket6": 0,
    "LogFileFullReasonBucket7": 0,
    "LogFileFullReasonBucket8": 0,
    "LogFileFullReasonBucket9": 0,
    "LogFileFullReasonBucket10": 0,
    "LogFileFullReasonBucket11": 0,
    "LogFileFullReasonBucket12": 0,
    "LogFileFullReasonBucket13": 0,
    "LogFileFullReasonBucket14": 0,
    "LogFileFullReasonBucket15": 0,
    "DiskResourceFailure": 0,
    "VolumeTrimCount": 0,
    "VolumeTrimTime": 0,
    "VolumeTrimSize": 0,
    "AvgVolumeTrimTime": 0,
    "AvgVolumeTrimSize": 0,
    "VolumeTrimSkippedCount": 0,
    "VolumeTrimSkippedSize": 0,
    "FileLevelTrimCount": 0,
    "FileLevelTrimTime": 0,
    "FileLevelTrimSize": 0,
    "AvgFileLevelTrimTime": 0,
    "AvgFileLevelTrimSize": 0,
    "NtfsFillStatInfoFromMftRecordCalledCount": 0,
    "NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount": 0,
    "NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 159 — NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: VolumeSizeChange

Description

NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).

Message #

NTFS has successfully completed the %19 request in %20 ms when trying to %18 the volume size from %4 (MB) to %5 (MB).

           Volume Id: %1
           Volume name: %3

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

           Operation: %18
                     Request Type: %19

           Stage Durations:
                     Stage 1. Verify input and calculate new volume size (ms): %21
                     Stage 2. Set boundary and allocate/deallocate cluster (ms): %22
                     Stage 3. Update bitmap (ms): %23

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FromSize` UInt64	—
`ToSize` UInt64	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`VolumeSizeChangeOperation` UInt16	Operation.
`VolumeSizeChangeRequestType` UInt16	Request Type.
`CombinedDurationMs` UInt64	—
`Stage1DurationMs` UInt64	[Stage Durations] Stage 1. Verify input and calculate new volume size (ms).
`Stage2DurationMs` UInt64	[Stage Durations] Stage 2. Set boundary and allocate/deallocate cluster (ms).
`Stage3DurationMs` UInt64	[Stage Durations] Stage 3. Update bitmap (ms).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 159,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2022-04-07T16:45:03.658483+00:00",
    "event_record_id": 8,
    "correlation": {},
    "execution": {
      "process_id": 4476,
      "thread_id": 4512
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "ADDC92DC-EB36-4896-AAEB-9547FEEB7B8C",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "FromSize": 102281,
    "ToSize": 101756,
    "DeviceGuid": "7B6F1752-BD95-6E22-E3A5-6EE8419ECAD7",
    "VendorIdLength": 0,
    "VendorId": "",
    "ProductIdLength": 24,
    "ProductId": "VMware Virtual NVMe Disk",
    "ProductRevisionLength": 3,
    "ProductRevision": "1.0",
    "DeviceSerialNumberLength": 16,
    "DeviceSerialNumber": "VMWare NVME_0000",
    "BusType": 17,
    "AdapterSerialNumberLength": 16,
    "AdapterSerialNumber": "VMWare NVME_0000",
    "VolumeSizeChangeOperation": 1,
    "VolumeSizeChangeRequestType": 2,
    "CombinedDurationMs": 62,
    "Stage1DurationMs": 0,
    "Stage2DurationMs": 0,
    "Stage3DurationMs": 62
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 160 — NTFS has failed to complete the VolumeSizeChangeOperation request after VolumeSizeChangeRequestType ms when trying to AdapterSerialNumber the volume size from FromSize (MB) to ToSize (MB).

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: VolumeSizeChange
Opcode: Stop

Description

NTFS has failed to complete the VolumeSizeChangeOperation request after VolumeSizeChangeRequestType ms when trying to AdapterSerialNumber the volume size from FromSize (MB) to ToSize (MB).

Message #

NTFS has failed to complete the %19 request after %20 ms when trying to %18 the volume size from %4 (MB) to %5 (MB).

           Volume Id: %1
           Volume name: %3

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

           Operation: %18
                     Request Type: %19

           Stage Durations:
                     Stage 1. Verify input and calculate new volume size (ms): %21
                     Stage 2. Set boundary and allocate/deallocate cluster (ms): %22
                     Stage 3. Update bitmap (ms): %23

           Failure Stage: %24
           Status Code: %25
           Failure Reason: %26

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FromSize` UInt64	—
`ToSize` UInt64	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`VolumeSizeChangeOperation` UInt16	—
`VolumeSizeChangeRequestType` UInt16	—
`CombinedDurationMs` UInt64	—
`Stage1DurationMs` UInt64	—
`Stage2DurationMs` UInt64	—
`Stage3DurationMs` UInt64	—
`FailureStage` UInt16	—
`FailureStatusCode` UInt32	—
`FailureReason` HexInt32	— Known values `%%2304` An Error occured during Logon. `%%2305` The specified user account has expired. `%%2306` The NetLogon component is not active. `%%2307` Account locked out. `%%2308` The user has not been granted the requested logon type at this machine. `%%2309` The specified account's password has expired. `%%2310` Account currently disabled. `%%2311` Account logon time restriction violation. `%%2312` User not allowed to logon at this computer. `%%2313` Unknown user name or bad password. `%%2314` Domain sid inconsistent. `%%2315` Smartcard logon is required and was not used.

Event ID 161 — An operation has failed due to a file system limitation.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Opcode: Info

Description

An operation has failed due to a file system limitation.

Message #

An operation has failed due to a file system limitation.

           Reason: %1
           Volume Id: %3
           Volume Name: %4
           File Path: %5

Fields #

Name	Description
`Reason` UInt16	—
`Volume_Id`	—
`Volume_Name`	—
`File_Path`	—
`ReasonOrigin` UInt16	—
`VolumeCorrelationId` GUID	—
`VolumeName` UnicodeString	—
`FilePath` UnicodeString	—
`AdditionalInfo` UnicodeString	—

Event ID 162 — The data read from the storage does not match what was previously written or read.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

The data read from the storage does not match what was previously written or read.

Message #

The data read from the storage does not match what was previously written or read.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5
           Device name: %7
           File reference: %8
           File name: %10
           Attribute type code: %11
           Attribute name: %13
           File offset: %14
           Volume offset: %15
           Length: %16
           Called from worker: %17
           Livedump worker status: %18

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt16	—
`FileName` UnicodeString	—
`AttributeTypeCode` HexInt32	—
`AttributeNameLength` UInt16	—
`AttributeName` UnicodeString	—
`FileOffset` HexInt64	—
`VolumeOffset` HexInt64	—
`Length` HexInt32	—
`CalledFromWorker` Boolean	—
`WorkerStatus` HexInt32	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`ReadDataValidOffset` UInt16	—
`ReadDataValidLength` UInt16	—
`ReadData` Binary	—
`PrevDataValidOffset` UInt16	—
`PrevDataValidLength` UInt16	—
`PrevData` Binary	—

Event ID 163 — MftBitmap is not big enough for MftData or does not have required allocations.

Provider: Microsoft-Windows-Ntfs
Channel: System
Opcode: Info

Description

MftBitmap is not big enough for MftData or does not have required allocations.

Message #

MftBitmap is not big enough for MftData or does not have required allocations.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5
           Device name: %7
           Mft data allocation size: %20
           Mft data file size: %21
           Mft bitmap allocation size: %22
           Mft bitmap file size: %23
           Bytes per FRS: %24
           Mft data attribute allocation size: %25
           Mft data attribute file size: %26
           Mft bitmap attribute highest Vcn: %27
           Mft bitmap attribute allocation size: %28
           Mft bitmap attribute file size: %29
           Last data and bitmap attribute record in Mft are in same FRS: %30
           Called from worker: %31
           Livedump worker status: %32
           Major function: %33
           Minor function: %34
           Source tag: %35

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`MftDataAllocationSize` HexInt64	—
`MftDataFileSize` HexInt64	—
`MftBitmapAllocationSize` HexInt64	—
`MftBitmapFileSize` HexInt64	—
`BytesPerFRS` HexInt32	—
`MftDataAttrAllocatedLength` HexInt64	—
`MftDataAttrFileSize` HexInt64	—
`MftBitmapAttrHighestVcn` HexInt64	—
`MftBitmapAttrAllocatedLength` HexInt64	—
`MftBitmapAttrFileSize` HexInt64	—
`MftLastDataAndBitmapInSameFrs` UInt8	—
`CalledFromWorker` Boolean	—
`WorkerStatus` HexInt32	—
`MajorFunction` UInt8	—
`MinorFunction` UInt8	—
`SourceTag` HexInt64	—

Event ID 170 — IO latency summary.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

IO latency summary.

Message #

IO latency summary:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4
           
           IO type: %20
           
           Interval duration: %18
           
           Max Acceptable IO Latency: %22
           High Latency IOs: %23
           
           IO count: %24
           Avg IOPS: %25
           Avg latency: %27
           
           Latency buckets: [%28]
           IO count buckets: [%29, %30, %31, %32, %33, %34, %35, %36, %37, %38, %39, %40]
           Total time buckets (ns): [%41, %42, %43, %44, %45, %46, %47, %48, %49, %50, %51, %52]
           
           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14
           
           Adapter serial number: %16
           
           For more details see the details tab.

Fields #

Name	Description
`VolumeCorrelationId` GUID	[IO latency summary] Volume Id.
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	[IO latency summary] Volume name.
`IsBootVolume` Boolean	[IO latency summary] Is boot volume.
`DeviceGuid` GUID	[IO latency summary] Device GUID.
`VendorIdLength` UInt16	—
`VendorId` UnicodeString	[IO latency summary] Device manufacturer.
`ProductIdLength` UInt16	—
`ProductId` UnicodeString	[IO latency summary] Device model.
`ProductRevisionLength` UInt16	—
`ProductRevision` UnicodeString	[IO latency summary] Device revision.
`DeviceSerialNumberLength` UInt16	—
`DeviceSerialNumber` UnicodeString	[IO latency summary] Device serial number.
`BusType` UInt32	[IO latency summary] Bus type.
`AdapterSerialNumberLength` UInt16	—
`AdapterSerialNumber` UnicodeString	[IO latency summary] Adapter serial number.
`IntervalDurationMs` UInt64	—
`IntervalDurationStr` UnicodeString	[IO latency summary] Interval duration.
`SummaryId` UInt64	—
`IoType` UInt16	—
`IoTypeStr` UnicodeString	[IO latency summary] IO type.
`HighLatencyMs`	—
`HighLatencyStr`	[IO latency summary] Max Acceptable IO Latency.
`HighLatencyIoCount` UInt32	[IO latency summary] High Latency IOs.
`TotalIoCount` UInt64	[IO latency summary] IO count.
`TotalIoTimeNs`	—
`AverageIops` UInt64	[IO latency summary] Avg IOPS.
`AverageLatencyNs` UInt64	—
`AverageLatencyStr` UnicodeString	[IO latency summary] Avg latency.
`MaxLatencyNs` UInt64	—
`MaxLatencyStr` UnicodeString	[IO latency summary] Max latency.
`LatencyBuckets` UnicodeString	—
`IoCount0` UInt64	—
`IoCount1` UInt64	—
`IoCount2` UInt64	—
`IoCount3` UInt64	—
`IoCount4` UInt64	—
`IoCount5` UInt64	—
`IoCount6` UInt64	—
`IoCount7` UInt64	—
`IoCount8` UInt64	—
`IoCount9` UInt64	—
`IoCount10` UInt64	—
`IoCount11` UInt64	—
`IoCount12` UInt64	—
`IoCount13` UInt64	—
`IoCount14` UInt64	—
`IoCount15` UInt64	—
`TotalTimeNs0` UInt64	—
`TotalTimeNs1` UInt64	—
`TotalTimeNs2` UInt64	—
`TotalTimeNs3` UInt64	—
`TotalTimeNs4` UInt64	—
`TotalTimeNs5` UInt64	—
`TotalTimeNs6` UInt64	—
`TotalTimeNs7` UInt64	—
`TotalTimeNs8` UInt64	—
`TotalTimeNs9` UInt64	—
`TotalTimeNs10` UInt64	—
`TotalTimeNs11` UInt64	—
`TotalTimeNs12` UInt64	—
`TotalTimeNs13` UInt64	—
`TotalTimeNs14` UInt64	—
`TotalTimeNs15` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 170,
    "version": 4,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:32:12.811964+00:00",
    "event_record_id": 248,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "IntervalDurationMs": 3602451,
    "IntervalDurationStr": "3602 s",
    "SummaryId": 108174105061,
    "IoType": 29,
    "IoTypeStr": "Allocate clusters",
    "HighLatencyMs": 30000,
    "HighLatencyStr": "30 s",
    "HighLatencyIoCount": 0,
    "TotalIoCount": 48922,
    "TotalIoTimeNs": 14280377600,
    "AverageIops": 3426,
    "AverageLatencyNs": 291900,
    "AverageLatencyStr": "291 µs",
    "MaxLatencyNs": 5739679000,
    "MaxLatencyStr": "5 s",
    "LatencyBuckets": "128 µs, 256 µs, 512 µs, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 512 ms, 1 s, 2 s, 10 s, 20 s, 30 s, > 30 s",
    "IoCount0": 44799,
    "IoCount1": 2533,
    "IoCount2": 735,
    "IoCount3": 442,
    "IoCount4": 247,
    "IoCount5": 80,
    "IoCount6": 68,
    "IoCount7": 9,
    "IoCount8": 7,
    "IoCount9": 1,
    "IoCount10": 0,
    "IoCount11": 0,
    "IoCount12": 1,
    "IoCount13": 0,
    "IoCount14": 0,
    "IoCount15": 0,
    "TotalTimeNs0": 1787444100,
    "TotalTimeNs1": 426448000,
    "TotalTimeNs2": 260123100,
    "TotalTimeNs3": 308442200,
    "TotalTimeNs4": 472092800,
    "TotalTimeNs5": 650878800,
    "TotalTimeNs6": 2032031400,
    "TotalTimeNs7": 839490800,
    "TotalTimeNs8": 1281500500,
    "TotalTimeNs9": 482246900,
    "TotalTimeNs10": 0,
    "TotalTimeNs11": 0,
    "TotalTimeNs12": 5739679000,
    "TotalTimeNs13": 0,
    "TotalTimeNs14": 0,
    "TotalTimeNs15": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 171 — File-Level Trim Summary.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

File-Level Trim Summary.

Message #

File-Level Trim Summary:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4
           
           Period duration (us): %5
           
           Operation count: %6
           Reposted operation count: %7
           Failed operation count: %8
           Operation range count: %9
           Operation byte count: %10
           Operation long range byte count %11
           Unaligned range count: %12
           Bytes in unaligned ranges: %13
           Operation trim extent count: %14
           Non-blocking aligned trim byte count: %15
           Reclaimed byte count: %16
           
           Byte count bucket values: [%18]
           
           Operation counts: [%19, %20, %21, %22, %23, %24, %25, %26, %27, %28, %29, %30]
           Operation byte counts: [%31, %32, %33, %34, %35, %36, %37, %38, %39, %40, %41, %42]
           Operation bytes reclaimed: [%43, %44, %45, %46, %47, %48, %49, %50, %51, %52, %53, %54]
           Operation latency (us): [%55, %56, %57, %58, %59, %60, %61, %62, %63, %64, %65, %67]
           
           Latency bucket values: [%68]
           
           Operation latency count: [%69, %70, %71, %72, %73, %74, %75, %76, %77, %78, %79, %80, %81, %82, %83]
           
           Top failure status codes and instance counts:
               %84      %85
               %86      %87
               %88      %89
               %90      %91
               %92      %93

Fields #

Name	Description
`VolumeCorrelationId` GUID	[File-Level Trim Summary] Volume Id.
`VolumeNameLength` UInt16	—
`VolumeName` UnicodeString	[File-Level Trim Summary] Volume name.
`IsBootVolume` Boolean	[File-Level Trim Summary] Is boot volume.
`PeriodDurationMicrosSec` Int64	[File-Level Trim Summary] Period duration (us).
`OperationCount` UInt64	[File-Level Trim Summary] Operation count.
`RepostedOperationCount` UInt64	[File-Level Trim Summary] Reposted operation count.
`FailedOperationCount` UInt64	[File-Level Trim Summary] Failed operation count.
`OperationRangeCount` UInt64	[File-Level Trim Summary] Operation range count.
`OperationByteCount` UInt64	[File-Level Trim Summary] Operation byte count.
`OperationLongRangeByteCount` UInt64	—
`UnalignedRangeCount` UInt64	[File-Level Trim Summary] Unaligned range count.
`BytesInUnalignedRanges` UInt64	[File-Level Trim Summary] Bytes in unaligned ranges.
`OperationTrimExtentCount` UInt64	[File-Level Trim Summary] Operation trim extent count.
`NonBlockAlignedTrimByteCount` UInt64	[File-Level Trim Summary] Non-blocking aligned trim byte count.
`ReclaimedByteCount` UInt64	[File-Level Trim Summary] Reclaimed byte count.
`ByteCountLabelsLength` UInt16	—
`ByteCountLabels` UnicodeString	—
`OperationCountBuckets1` UInt64	—
`OperationCountBuckets2` UInt64	—
`OperationCountBuckets3` UInt64	—
`OperationCountBuckets4` UInt64	—
`OperationCountBuckets5` UInt64	—
`OperationCountBuckets6` UInt64	—
`OperationCountBuckets7` UInt64	—
`OperationCountBuckets8` UInt64	—
`OperationCountBuckets9` UInt64	—
`OperationCountBuckets10` UInt64	—
`OperationCountBuckets11` UInt64	—
`OperationCountBuckets12` UInt64	—
`OperationByteCountBuckets1` UInt64	—
`OperationByteCountBuckets2` UInt64	—
`OperationByteCountBuckets3` UInt64	—
`OperationByteCountBuckets4` UInt64	—
`OperationByteCountBuckets5` UInt64	—
`OperationByteCountBuckets6` UInt64	—
`OperationByteCountBuckets7` UInt64	—
`OperationByteCountBuckets8` UInt64	—
`OperationByteCountBuckets9` UInt64	—
`OperationByteCountBuckets10` UInt64	—
`OperationByteCountBuckets11` UInt64	—
`OperationByteCountBuckets12` UInt64	—
`OperationBytesReclaimedBuckets1` UInt64	—
`OperationBytesReclaimedBuckets2` UInt64	—
`OperationBytesReclaimedBuckets3` UInt64	—
`OperationBytesReclaimedBuckets4` UInt64	—
`OperationBytesReclaimedBuckets5` UInt64	—
`OperationBytesReclaimedBuckets6` UInt64	—
`OperationBytesReclaimedBuckets7` UInt64	—
`OperationBytesReclaimedBuckets8` UInt64	—
`OperationBytesReclaimedBuckets9` UInt64	—
`OperationBytesReclaimedBuckets10` UInt64	—
`OperationBytesReclaimedBuckets11` UInt64	—
`OperationBytesReclaimedBuckets12` UInt64	—
`OperationLatencyBuckets1` UInt64	—
`OperationLatencyBuckets2` UInt64	—
`OperationLatencyBuckets3` UInt64	—
`OperationLatencyBuckets4` UInt64	—
`OperationLatencyBuckets5` UInt64	—
`OperationLatencyBuckets6` UInt64	—
`OperationLatencyBuckets7` UInt64	—
`OperationLatencyBuckets8` UInt64	—
`OperationLatencyBuckets9` UInt64	—
`OperationLatencyBuckets10` UInt64	—
`OperationLatencyBuckets11` UInt64	—
`OperationLatencyBuckets12` UInt64	—
`LatencyBucketLabelsLength` UInt16	—
`LatencyBucketLabelsLabels` UnicodeString	—
`OperationCountLatencyBuckets1` UInt64	—
`OperationCountLatencyBuckets2` UInt64	—
`OperationCountLatencyBuckets3` UInt64	—
`OperationCountLatencyBuckets4` UInt64	—
`OperationCountLatencyBuckets5` UInt64	—
`OperationCountLatencyBuckets6` UInt64	—
`OperationCountLatencyBuckets7` UInt64	—
`OperationCountLatencyBuckets8` UInt64	—
`OperationCountLatencyBuckets9` UInt64	—
`OperationCountLatencyBuckets10` UInt64	—
`OperationCountLatencyBuckets11` UInt64	—
`OperationCountLatencyBuckets12` UInt64	—
`OperationCountLatencyBuckets13` UInt64	—
`OperationCountLatencyBuckets14` UInt64	—
`OperationCountLatencyBuckets15` UInt64	—
`OperationFailureStatusCode1` HexInt32	Top failure status codes and instance counts
`OperationFailureCount1` UInt64	—
`OperationFailureStatusCode2` HexInt32	—
`OperationFailureCount2` UInt64	—
`OperationFailureStatusCode3` HexInt32	—
`OperationFailureCount3` UInt64	—
`OperationFailureStatusCode4` HexInt32	—
`OperationFailureCount4` UInt64	—
`OperationFailureStatusCode5` HexInt32	—
`OperationFailureCount5` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 171,
    "version": 3,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-05T22:47:04.962167+00:00",
    "event_record_id": 182,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "PeriodDurationMicrosSec": 899757629,
    "OperationCount": 2,
    "RepostedOperationCount": 0,
    "FailedOperationCount": 0,
    "OperationRangeCount": 2,
    "OperationByteCount": 0,
    "OperationLongRangeByteCount": 18446744073709551614,
    "UnalignedRangeCount": 0,
    "BytesInUnalignedRanges": 0,
    "OperationTrimExtentCount": 2,
    "NonBlockAlignedTrimByteCount": 0,
    "ReclaimedByteCount": 2030043136,
    "ByteCountLabelsLength": 80,
    "ByteCountLabels": "4 KB, 64 KB, 1 MB, 16 MB, 128 MB, 1 GB, 16 GB, 128 GB, 1 TB, 16 TB, 1 EB, 1+ EB",
    "OperationCountBuckets1": 0,
    "OperationCountBuckets2": 0,
    "OperationCountBuckets3": 0,
    "OperationCountBuckets4": 0,
    "OperationCountBuckets5": 0,
    "OperationCountBuckets6": 0,
    "OperationCountBuckets7": 0,
    "OperationCountBuckets8": 0,
    "OperationCountBuckets9": 0,
    "OperationCountBuckets10": 0,
    "OperationCountBuckets11": 0,
    "OperationCountBuckets12": 2,
    "OperationByteCountBuckets1": 0,
    "OperationByteCountBuckets2": 0,
    "OperationByteCountBuckets3": 0,
    "OperationByteCountBuckets4": 0,
    "OperationByteCountBuckets5": 0,
    "OperationByteCountBuckets6": 0,
    "OperationByteCountBuckets7": 0,
    "OperationByteCountBuckets8": 0,
    "OperationByteCountBuckets9": 0,
    "OperationByteCountBuckets10": 0,
    "OperationByteCountBuckets11": 0,
    "OperationByteCountBuckets12": 0,
    "OperationBytesReclaimedBuckets1": 0,
    "OperationBytesReclaimedBuckets2": 0,
    "OperationBytesReclaimedBuckets3": 0,
    "OperationBytesReclaimedBuckets4": 0,
    "OperationBytesReclaimedBuckets5": 54,
    "OperationBytesReclaimedBuckets6": 0,
    "OperationBytesReclaimedBuckets7": 70,
    "OperationBytesReclaimedBuckets8": 0,
    "OperationBytesReclaimedBuckets9": 0,
    "OperationBytesReclaimedBuckets10": 0,
    "OperationBytesReclaimedBuckets11": 0,
    "OperationBytesReclaimedBuckets12": 0,
    "OperationLatencyBuckets1": 0,
    "OperationLatencyBuckets2": 0,
    "OperationLatencyBuckets3": 0,
    "OperationLatencyBuckets4": 0,
    "OperationLatencyBuckets5": 0,
    "OperationLatencyBuckets6": 0,
    "OperationLatencyBuckets7": 0,
    "OperationLatencyBuckets8": 0,
    "OperationLatencyBuckets9": 0,
    "OperationLatencyBuckets10": 0,
    "OperationLatencyBuckets11": 0,
    "OperationLatencyBuckets12": 248,
    "LatencyBucketLabelsLength": 79,
    "LatencyBucketLabelsLabels": "256us, 1ms, 4ms, 16ms, 64ms, 128ms, 256ms, 2s, 6s, 10s, 20s, 1m, 5m, 15m, 15m+",
    "OperationCountLatencyBuckets1": 2,
    "OperationCountLatencyBuckets2": 0,
    "OperationCountLatencyBuckets3": 0,
    "OperationCountLatencyBuckets4": 0,
    "OperationCountLatencyBuckets5": 0,
    "OperationCountLatencyBuckets6": 0,
    "OperationCountLatencyBuckets7": 0,
    "OperationCountLatencyBuckets8": 0,
    "OperationCountLatencyBuckets9": 0,
    "OperationCountLatencyBuckets10": 0,
    "OperationCountLatencyBuckets11": 0,
    "OperationCountLatencyBuckets12": 0,
    "OperationCountLatencyBuckets13": 0,
    "OperationCountLatencyBuckets14": 0,
    "OperationCountLatencyBuckets15": 0,
    "OperationFailureStatusCode1": "0x0",
    "OperationFailureCount1": 0,
    "OperationFailureStatusCode2": "0x0",
    "OperationFailureCount2": 0,
    "OperationFailureStatusCode3": "0x0",
    "OperationFailureCount3": 0,
    "OperationFailureStatusCode4": "0x0",
    "OperationFailureCount4": 0,
    "OperationFailureStatusCode5": "0x0",
    "OperationFailureCount5": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 201 — NtfsLogFileFull VolumeId: NtfsLogFileFull_VolumeId, Reason: Reason.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: LogFileFull

Description

NtfsLogFileFull VolumeId: NtfsLogFileFull_VolumeId, Reason: Reason.

Message #

NtfsLogFileFull VolumeId: %1, Reason: %2

Fields #

Name	Description
`NtfsLogFileFull_VolumeId` Pointer	—
`Reason` UInt16	—
`Vcb` Pointer	—
`LogFileFullReason` UInt16	—

Event ID 202 — PeriodicCheckpointStart VolumeId: PeriodicCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Checkpoint
Opcode: Start

Description

PeriodicCheckpointStart VolumeId: PeriodicCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.

Message #

PeriodicCheckpointStart VolumeId: %1, Reason: %2, Usage: %3%

Fields #

Name	Description
`PeriodicCheckpointStart_VolumeId` Pointer	—
`Reason` UInt16	—
`Usage` UInt16	—
`Vcb` Pointer	—
`LogFileFullReason` UInt16	—
`LogFileUsePercentage` UInt16	—

Event ID 203 — PeriodicCheckpointComplete VolumeId: PeriodicCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Checkpoint
Opcode: Stop

Description

PeriodicCheckpointComplete VolumeId: PeriodicCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.

Message #

PeriodicCheckpointComplete VolumeId: %1, DirtyMetaDataPages: %2

Fields #

Name	Description
`PeriodicCheckpointComplete_VolumeId` Pointer	—
`DirtyMetaDataPages` UInt32	—
`Vcb` Pointer	—

Event ID 204 — CleanCheckpointStart VolumeId: CleanCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Checkpoint
Opcode: Start

Description

CleanCheckpointStart VolumeId: CleanCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.

Message #

CleanCheckpointStart VolumeId: %1, Reason: %2, Usage: %3%

Fields #

Name	Description
`CleanCheckpointStart_VolumeId` Pointer	—
`Reason` UInt16	—
`Usage` UInt16	—
`Vcb` Pointer	—
`LogFileFullReason` UInt16	—
`LogFileUsePercentage` UInt16	—

Event ID 205 — CleanCheckpointComplete VolumeId: CleanCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: Checkpoint
Opcode: Stop

Description

CleanCheckpointComplete VolumeId: CleanCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.

Message #

CleanCheckpointComplete VolumeId: %1, DirtyMetaDataPages: %2

Fields #

Name	Description
`CleanCheckpointComplete_VolumeId` Pointer	—
`DirtyMetaDataPages` UInt32	—
`Vcb` Pointer	—

Event ID 206 — MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId, CacheHit: CacheHit.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: MftRecordRead

Description

MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId, CacheHit: CacheHit.

Message #

MftRecordRead VolumeId: %1, BaseFileId: %2, FileId: %3, CacheHit: %4

Fields #

Name	Description
`MftRecordRead_VolumeId` Pointer	—
`BaseFileId` HexInt32	—
`FileId` HexInt32	—
`CacheHit` Boolean	—
`Vcb` Pointer	—

Event ID 208 — MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: MftRecordWrite

Description

MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId.

Message #

MftRecordRead VolumeId: %1, BaseFileId: %2, FileId: %3

Fields #

Name	Description
`MftRecordRead_VolumeId` Pointer	—
`BaseFileId` HexInt32	—
`FileId` HexInt32	—
`Vcb` Pointer	—

Event ID 210 — Thinly provisioned volume VolumeId (DeviceName).

Provider: Microsoft-Windows-Ntfs
Channel: System
Task: TPMapBitNotSet

Description

Thinly provisioned volume VolumeId (DeviceName).

Message #

Thinly provisioned volume %1 (%2)
were not being mapped between clusters %3 and %4.
It is now fixed.

Fields #

Name	Description
`VolumeId` UnicodeString	—
`DeviceName` UnicodeString	—
`Starting LCN` HexInt64	—
`Ending LCN` HexInt64	—
`StartingLCN` HexInt64	—
`EndingLCN` HexInt64	—

Event ID 211 — Thinly provisioned volume VolumeId (DeviceName).

Provider: Microsoft-Windows-Ntfs
Channel: System
Task: TPMapBitNotSet

Description

Thinly provisioned volume VolumeId (DeviceName).

Message #

Thinly provisioned volume %1 (%2)
were not being mapped between clusters %3 and %4.
Repair was unsucccessful.
Possibly out of available slabs.

Fields #

Name	Description
`VolumeId` UnicodeString	—
`DeviceName` UnicodeString	—
`Starting LCN` HexInt64	—
`Ending LCN` HexInt64	—
`StartingLCN` HexInt64	—
`EndingLCN` HexInt64	—

Event ID 230 — WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: WorkItem

Description

WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.

Message #

WorkItem queued, WorkItem: %1, Reason: %2

Fields #

Name	Description
`WorkItem_queued_WorkItem` Pointer	WorkItem queued, WorkItem.
`Reason` UInt32	—
`WorkItem` Pointer	—

Event ID 231 — WorkItem queue failed, WorkItem: WorkItem_queue_failed_WorkItem, Reason: Reason, Error: Error.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: WorkItem

Description

WorkItem queue failed, WorkItem: WorkItem_queue_failed_WorkItem, Reason: Reason, Error: Error.

Message #

WorkItem queue failed, WorkItem: %1, Reason: %2, Error: %3

Fields #

Name	Description
`WorkItem_queue_failed_WorkItem` Pointer	WorkItem queue failed, WorkItem.
`Reason` UInt32	—
`Error` HexInt32	—
`WorkItem` Pointer	—

Event ID 232 — WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: WorkItem
Opcode: Start

Description

WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.

Message #

WorkItem started, WorkItem: %1, Reason: %2

Fields #

Name	Description
`WorkItem_started_WorkItem` Pointer	WorkItem started, WorkItem.
`Reason` UInt32	—
`WorkItem` Pointer	—

Event ID 233 — WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: WorkItem
Opcode: Stop

Description

WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.

Message #

WorkItem completed, WorkItem: %1, Reason: %2

Fields #

Name	Description
`WorkItem_completed_WorkItem` Pointer	WorkItem completed, WorkItem.
`Reason` UInt32	—
`WorkItem` Pointer	—

Event ID 240 — File metadata optimization started.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: FileMetadataOptimization
Opcode: Start

Description

File metadata optimization started.

Message #

File metadata optimization started.

                    Volume guid: %1
                    Volume name: %3
                    File reference: %4

Fields #

Name	Description
`Volume_guid`	—
`Volume_name`	—
`File_reference`	—
`VolumeGuid` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—

Event ID 241 — File metadata optimization completed.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: FileMetadataOptimization
Opcode: Stop

Description

File metadata optimization completed.

Message #

File metadata optimization completed.

                    Volume guid: %1
                    Volume name: %3
                    File reference: %4

Fields #

Name	Description
`Volume_guid`	—
`Volume_name`	—
`File_reference`	—
`VolumeGuid` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—

Event ID 300 — NTFS volume dismount has started.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Start

Description

NTFS volume dismount has started.

Message #

NTFS volume dismount has started.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`DismountReason` AnsiString	Reason.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 300,
    "version": 1,
    "level": 4,
    "task": 8,
    "opcode": 1,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.493213+00:00",
    "event_record_id": 22,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "1E9B06BD-0000-0000-0000-B0C208000000",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{1e9b06bd-0000-0000-0000-b0c208000000}",
    "VolumeLabelLength": 0,
    "VolumeLabel": "",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume3",
    "DeviceGuid": "A86CEC8E-FB18-5AEC-6F31-C812511391BB",
    "VendorIdLength": 0,
    "VendorId": "",
    "ProductIdLength": 13,
    "ProductId": "VBOX HARDDISK",
    "ProductRevisionLength": 3,
    "ProductRevision": "1.0",
    "DeviceSerialNumberLength": 19,
    "DeviceSerialNumber": "VB8e57de8f-e08973f3",
    "BusType": 11,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "Vcb": "0xffffe706b34661b0",
    "ProcessId": 1460,
    "ProcessName": "vds.exe",
    "DismountReason": "Explicit lock"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 301 — NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Suspend

Description

NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Message #

NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 8,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.535738+00:00",
    "event_record_id": 24,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 302 — The volume dismount event notification on the NTFS volume has completed.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Resume

Description

The volume dismount event notification on the NTFS volume has completed.

Message #

The volume dismount event notification on the NTFS volume has completed.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 7,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.936270+00:00",
    "event_record_id": 25,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 303 — The NTFS volume has successfully dismounted.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Stop

Description

The NTFS volume has successfully dismounted.

Message #

The NTFS volume has successfully dismounted.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`DismountReason` AnsiString	Reason.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 303,
    "version": 1,
    "level": 4,
    "task": 8,
    "opcode": 2,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.535499+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "1E9B06BD-0000-0000-0000-B0C208000000",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{1e9b06bd-0000-0000-0000-b0c208000000}",
    "VolumeLabelLength": 0,
    "VolumeLabel": "",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume3",
    "DeviceGuid": "A86CEC8E-FB18-5AEC-6F31-C812511391BB",
    "VendorIdLength": 0,
    "VendorId": "",
    "ProductIdLength": 13,
    "ProductId": "VBOX HARDDISK",
    "ProductRevisionLength": 3,
    "ProductRevision": "1.0",
    "DeviceSerialNumberLength": 19,
    "DeviceSerialNumber": "VB8e57de8f-e08973f3",
    "BusType": 11,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "Vcb": "0xffffe706b34661b0",
    "ProcessId": 1460,
    "ProcessName": "vds.exe",
    "DismountReason": "Explicit lock"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 304 — The NTFS volume dismount failed.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: Volumedismount
Opcode: Stop

Description

The NTFS volume dismount failed.

Message #

The NTFS volume dismount failed.

           Error:%1

Fields #

Name	Description
`Error` HexInt32	Volume correlation Id.
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—

Event ID 305 — NTFS failed to mount the volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Task: Volumemount
Opcode: Stop

Description

NTFS failed to mount the volume.

Message #

NTFS failed to mount the volume.

           Error: %1
           Volume GUID: %2
           Volume Name: %4

Fields #

Name	Description
`Error` HexInt32	Volume correlation Id.
`Volume_GUID`	—
`Volume_Name`	—
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	—
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	—
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	—
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`DeviceNumber` UInt32	—
`IsBootVolume` Boolean	—
`NativeNVMe` Boolean	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`RestartApplied` Boolean	—
`MountStageSourceTag` HexInt64	—

Event ID 401 — Efs offloading initiated.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs offloading initiated.

Message #

Efs offloading initiated.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 402 — Efs offloading read regular file.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs offloading read regular file.

Message #

Efs offloading read regular file.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 403 — Efs offloading write regular file.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs offloading write regular file.

Message #

Efs offloading write regular file.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 404 — Efs legacy initiated.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs legacy initiated.

Message #

Efs legacy initiated.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 405 — Efs legacy read regular file.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs legacy read regular file.

Message #

Efs legacy read regular file.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 406 — Efs legacy write regular file.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: EfsTest

Description

Efs legacy write regular file.

Message #

Efs legacy write regular file.

                    Volume serial: %1
                    File reference: %2
                    File name: %4

Fields #

Name	Description
`Volume_serial`	—
`File_reference`	—
`File_name`	—
`VolumeSerialNumber` Int64	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—

Event ID 500 — A process has created a USN journal on a volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

A process has created a USN journal on a volume.

Message #

A process has created a USN journal on a volume.

           Process: %1
           Volume Id: %2
           Volume Name: %4
           Journal Id: %5
           Maximum Size: %6
           Allocation Delta: %7

Fields #

Name	Description
`ProcessName` AnsiString	Process.
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`JournalId` HexInt64	—
`MaximumSize` HexInt64	—
`AllocationDelta` HexInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 500,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-10-26T04:16:37.820075+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 428,
      "thread_id": 432
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessName": "System",
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "JournalId": "0x1da07c336abde45",
    "MaximumSize": "0x2000000",
    "AllocationDelta": "0x800000"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 501 — A process has deleted a USN journal on a volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

A process has deleted a USN journal on a volume.

Message #

A process has deleted a USN journal on a volume.

           Process: %1
           Volume Id: %2
           Volume Name: %4
           Journal Id: %5
           Current USN: %6

Fields #

Name	Description
`ProcessName` AnsiString	Process.
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`JournalId` HexInt64	—
`CurrentUsn` HexInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 501,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:51.720407+00:00",
    "event_record_id": 151,
    "correlation": {},
    "execution": {
      "process_id": 5004,
      "thread_id": 5064
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessName": "SearchIndexer.",
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "JournalId": "0x1da07c336abde45",
    "CurrentUsn": "0x0"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 502 — File has been opened by an isolated reader.

Provider: Microsoft-Windows-Ntfs
Channel: Performance
Task: TxF

Description

File has been opened by an isolated reader.

Message #

File has been opened by an isolated reader.

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FileReference` UInt64	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`KtmTransaction` Pointer	—