detection.wiki

Microsoft-Windows-Ntfs › Event 156

Event ID 156 — VCB exclusive resource acquires.

Provider
Microsoft-Windows-Ntfs
Channel
Operational
Level
Informational
Opcode
Info

Description

VCB exclusive resource acquires.

Message #

VCB exclusive resource acquires:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4

           Interval duration: %18

           Acquire count: %19
           Max wait duration: %20 ms
           Avg wait duration: %21 ms
           Max hold duration: %22 ms
           Avg hold duration: %23 ms
           Max combined duration: %24 ms
           Avg combined duration: %25 ms

           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14
           
           Adapter serial number: %16
           
           For more details see the details tab.

Fields #

NameDescription
VolumeCorrelationId GUID[VCB exclusive resource acquires] Volume Id.
VolumeNameLength UInt16
VolumeName UnicodeString[VCB exclusive resource acquires] Volume name.
IsBootVolume Boolean[VCB exclusive resource acquires] Is boot volume.
DeviceGuid GUID[VCB exclusive resource acquires] Device GUID.
VendorIdLength UInt16
VendorId UnicodeString[VCB exclusive resource acquires] Device manufacturer.
ProductIdLength UInt16
ProductId UnicodeString[VCB exclusive resource acquires] Device model.
ProductRevisionLength UInt16
ProductRevision UnicodeString[VCB exclusive resource acquires] Device revision.
DeviceSerialNumberLength UInt16
DeviceSerialNumber UnicodeString[VCB exclusive resource acquires] Device serial number.
BusType UInt32[VCB exclusive resource acquires] Bus type.
AdapterSerialNumberLength UInt16
AdapterSerialNumber UnicodeString[VCB exclusive resource acquires] Adapter serial number.
IntervalDurationMs UInt64
IntervalDurationStr UnicodeString[VCB exclusive resource acquires] Interval duration.
VcbExAcquireCount UInt32[VCB exclusive resource acquires] Acquire count.
VcbExMaxWaitDurationMs UInt64[VCB exclusive resource acquires] Max wait duration.
VcbExAvgWaitDurationMs UInt64[VCB exclusive resource acquires] Avg wait duration.
VcbExMaxHoldDurationMs UInt64[VCB exclusive resource acquires] Max hold duration.
VcbExAvgHoldDurationMs UInt64[VCB exclusive resource acquires] Avg hold duration.
VcbExMaxCombinedDurationMs UInt64[VCB exclusive resource acquires] Max combined duration.
VcbExAvgCombinedDurationMs UInt64[VCB exclusive resource acquires] Avg combined duration.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 156,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T01:32:12.811781+00:00",
    "event_record_id": 230,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "IntervalDurationMs": 3602451,
    "IntervalDurationStr": "3602 s",
    "VcbExAcquireCount": 171,
    "VcbExMaxWaitDurationMs": 15210,
    "VcbExAvgWaitDurationMs": 90,
    "VcbExMaxHoldDurationMs": 18627,
    "VcbExAvgHoldDurationMs": 237,
    "VcbExMaxCombinedDurationMs": 18627,
    "VcbExAvgCombinedDurationMs": 327
  },
  "message": ""
}

References #