Event ID 147 — An IO took more than MaxLatencyMs ms to complete.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Warning
Opcode: Info

Description

An IO took more than MaxLatencyMs ms to complete.

Message #

An IO took more than %5 ms to complete:

           Process Id: %6
           Process name: %7
           File name: %9
           File offset: %12
           IO Type: %10
           IO Size: %11 bytes
           %15 cluster(s) starting at cluster %14
           Latency: %13 ms

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %16
           Device manufacturer: %18
           Device model: %20
           Device revision: %22
           Device serial number: %24
           Bus type: %25

           Adapter serial number: %27

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`MaxLatencyMs` UInt64	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`FileNameLength` UInt32	—
`FileName` UnicodeString	—
`FileIdHigh` HexInt64	—
`FileIdLow` HexInt64	—
`IoType` UInt16	—
`IoTypeStr` UnicodeString	IO Type.
`IoSize`	Latency.
`FileOffset`	Device GUID.
`LatencyMs` UInt64	—
`StartingLcn`	Device manufacturer.
`ClustersCount`	—
`DeviceGuid` GUID	Device model.
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device revision.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device serial number.
`ProductRevisionLength` UInt32	Bus type.
`ProductRevision` UnicodeString	—
`DeviceSerialNumberLength` UInt32	Adapter serial number.
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 147,
    "version": 4,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:29:13.914837+00:00",
    "event_record_id": 229,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 17620
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "MaxLatencyMs": 30000,
    "ProcessId": 18984,
    "ProcessName": "MBAMService.ex",
    "FileNameLength": 74,
    "FileName": "\\ProgramData\\Malwarebytes\\MBAMService\\tmp\\cde8f2247c4311ee8e26000c293379ba",
    "FileIdHigh": "0x0",
    "FileIdLow": "0x200000004f2d1",
    "IoType": 5,
    "IoTypeStr": "Write: NonPaging, Cached, Sync",
    "IoSize": 23213552,
    "FileOffset": 0,
    "LatencyMs": 38428,
    "StartingLcn": 15120321,
    "ClustersCount": 5668,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline