Event ID 149 — In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Warning
Opcode: Info

Description

In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.

Message #

In the past %17 seconds we had high latency IOs and/or IO failures.

           High latency IO count: %18
           Failed writes: %19
           Failed reads: %20
           Bad clusters relocated: %21

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14

           Adapter serial number: %16

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`IsBootVolume` Boolean	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`SecondsElapsed` UInt32	—
`HighLatencyCount` UInt32	High latency IO count.
`FailedWriteCount` UInt32	Failed writes.
`FailedReadCount` UInt32	Failed reads.
`BadClusterHotfixCount` UInt32	Bad clusters relocated.
`ValuesCount` UInt32	—
`HighLatencyArray` UInt32	—
`FailedWriteArray` UInt32	—
`FailedReadArray` UInt32	—
`BadClusterHotfixArray` UInt32	—
`StatusArray` HexInt32	—
`TableIndexArray` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 149,
    "version": 2,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:32:12.814212+00:00",
    "event_record_id": 249,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "SecondsElapsed": 3602,
    "HighLatencyCount": 4,
    "FailedWriteCount": 0,
    "FailedReadCount": 0,
    "BadClusterHotfixCount": 0,
    "ValuesCount": 3,
    "HighLatencyArray": 1,
    "FailedWriteArray": 0,
    "FailedReadArray": 0,
    "BadClusterHotfixArray": 0,
    "StatusArray": "0x0",
    "TableIndexArray": 3
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline