Event ID 142 — Summary of disk space usage, since last event.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

Summary of disk space usage, since last event.

Message #

Summary of disk space usage, since last event:

           Lowest free space in bytes: %4
           Highest free space in bytes: %5
           Page file size in bytes: 0
           Volume guid: %1
           Volume name: %3
           Is boot volume: %6

Fields #

Name	Description
`VolumeGuid` GUID	[Summary of disk space usage, since last event] Volume guid.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	[Summary of disk space usage, since last event] Volume name.
`IsBootVolume` Boolean	[Summary of disk space usage, since last event] Is boot volume.
`ElapsedSeconds` UInt64	[Summary of disk space usage, since last event] Elapsed seconds.
`AvailabeSpaceMinStr` UnicodeString	—
`AvailabeSpaceMaxStr` UnicodeString	—
`AvailabeSpaceDeltaStr` UnicodeString	[Summary of disk space usage, since last event] Change in available space.
`AvailableClustersMin` UInt64	[Summary of disk space usage, since last event] Available clusters were between.
`AvailableClustersMax` UInt64	—
`UnallocatedClustersMin` UInt64	—
`UnallocatedClustersMax` UInt64	—
`ReservedClustersMin` UInt64	[Summary of disk space usage, since last event] Reserved clusters were between.
`ReservedClustersMax` UInt64	—
`TxfAbortReservedClustersMin` UInt64	[Summary of disk space usage, since last event] Txf abort reserved clusters were between.
`TxfAbortReservedClustersMax` UInt64	—
`PageFileSizeInBytes` UInt64	—
`PageFileSizeStr` UnicodeString	[Summary of disk space usage, since last event] Pagefile size.
`VolumeSizeInBytes` UInt64	—
`VolumeSizeStr` UnicodeString	[Summary of disk space usage, since last event] Volume size.
`ClusterSize` UInt64	[Summary of disk space usage, since last event] Bytes per cluster.
`CachedRunsMissCountForMft` UInt32	—
`CachedRunsMissCountForMftZone` UInt32	[Summary of disk space usage, since last event] Slab size.
`CachedRunsMissCount` UInt32	[Summary of disk space usage, since last event] Slabs in use.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 142,
    "version": 3,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.734659+00:00",
    "event_record_id": 148,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeGuid": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeNameLength": 48,
    "VolumeName": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "IsBootVolume": false,
    "ElapsedSeconds": 0,
    "AvailabeSpaceMinStr": "287.18 MB",
    "AvailabeSpaceMaxStr": "291.18 MB",
    "AvailabeSpaceDeltaStr": "4 MB",
    "AvailableClustersMin": 73518,
    "AvailableClustersMax": 74542,
    "UnallocatedClustersMin": 74542,
    "UnallocatedClustersMax": 74542,
    "ReservedClustersMin": 0,
    "ReservedClustersMax": 0,
    "TxfAbortReservedClustersMin": 1024,
    "TxfAbortReservedClustersMax": 1024,
    "PageFileSizeInBytes": 0,
    "PageFileSizeStr": "0 Bytes",
    "VolumeSizeInBytes": 314568704,
    "VolumeSizeStr": "300 MB",
    "ClusterSize": 4096,
    "CachedRunsMissCountForMft": 0,
    "CachedRunsMissCountForMftZone": 0,
    "CachedRunsMissCount": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline