Event ID 10 — NTFS cached runs statistics.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS cached runs statistics.

Message #

NTFS cached runs statistics.

           Volume correlation Id: %1
           Volume name: %2
           Volume label: %3

           Device name: %4
           Device GUID: %5
           Device manufacturer: %6
           Device model: %7
           Device revision: %8
           Device serial number: %9
           Bus type: %10

           Adapter serial number: %11

           Media type: %12
           Runs cached: %13
           Longest run cached: %15
           Most populated bin Count: %16
           Most populated bin's minimum length: %18
           Most populated bin's maximum length: %20

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabel` UnicodeString	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorId` UnicodeString	Device manufacturer.
`ProductId` UnicodeString	Device model.
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`MediaType`	Capacity tier name.
`RunsCached`	Media type.
`LongestRunCached`	Runs cached.
`LongestRunCachedStr`	—
`MostPopulatedBinCount`	Longest run cached.
`MostPopulatedBinMinLength`	—
`MostPopulatedBinMinLengthStr`	—
`MostPopulatedBinMaxLength`	Most populated bin's minimum length.
`MostPopulatedBinMaxLengthStr`	—
`TotalCachedRuns`	Most populated bin's maximum length.
`CachedRunsLogged`	—
`CachedRunsAlignment`	—
`RunsInCachedRuns`	—
`LongestRunInCachedRuns`	—
`MostPopulatedBinCountInCachedRuns`	—
`MostPopulatedBinMinLengthInCachedRuns`	—
`MostPopulatedBinMaxLengthInCachedRuns`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 10,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.774232+00:00",
    "event_record_id": 150,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabel": "WINRE",
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorId": "VMware, ",
    "ProductId": "VMware Virtual S",
    "ProductRevision": "1.0 ",
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumber": "",
    "MediaType": 1,
    "RunsCached": 3,
    "LongestRunCached": 209448960,
    "LongestRunCachedStr": "199.75 MB",
    "MostPopulatedBinCount": 1,
    "MostPopulatedBinMinLength": 2363392,
    "MostPopulatedBinMinLengthStr": "2.26 MB",
    "MostPopulatedBinMaxLength": 2490368,
    "MostPopulatedBinMaxLengthStr": "2.38 MB",
    "TotalCachedRuns": 1,
    "CachedRunsLogged": 1,
    "CachedRunsAlignment": "1",
    "RunsInCachedRuns": "3",
    "LongestRunInCachedRuns": "209448960",
    "MostPopulatedBinCountInCachedRuns": "1",
    "MostPopulatedBinMinLengthInCachedRuns": "2363392",
    "MostPopulatedBinMaxLengthInCachedRuns": "2490368"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline