Event ID 158 — NTFS metadata statistics for volume.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS metadata statistics for volume.

Message #

NTFS metadata statistics for volume:

           Volume Id: %1
           Volume name: %3

           UserFileReads: %4
           UserFileReadBytes: %5
           UserDiskReads: %6
           UserFileWrites: %7
           UserFileWriteBytes: %8
           UserDiskWrites: %9

           MetaDataReads: %10
           MetaDataReadBytes: %11
           MetaDataDiskReads: %12
           MetaDataWrites: %13
           MetaDataWriteBytes: %14
           MetaDataDiskWrites: %15

           MftReads: %16
           MftReadBytes: %17
           MftWrites: %18
           MftWriteBytes: %19
           Mft2Writes: %20
           Mft2WriteBytes: %21
           RootIndexReads: %22
           RootIndexReadBytes: %23
           RootIndexWrites: %24
           RootIndexWriteBytes: %25
           BitmapReads: %26
           BitmapReadBytes: %27
           BitmapWrites: %28
           BitmapWriteBytes: %29
           MftBitmapReads: %30
           MftBitmapReadBytes: %31
           MftBitmapWrites: %32
           MftBitmapWriteBytes: %33
           UserIndexReads: %34
           UserIndexReadBytes: %35
           UserIndexWrites: %36
           UserIndexWriteBytes: %37
           LogFileReads: %38
           LogFileReadBytes: %39
           LogFileWrites: %40
           LogFileWriteBytes: %41
           LogFileFull: %42
           LogFileFullReasons:
                     LF_LOG_SPACE: %43
                     LF_DIRTY_PAGES: %44
                     LF_OPEN_ATTRIBUTES: %45
                     LF_TRANSACTION_DRAIN: %46
                     LF_FASTIO_CALLBACK: %47
                     LF_DEALLOCATED_CLUSTERS: %48
                     LF_DEALLOCATED_CLUSTERS_MEM: %49
                     LF_RECORD_STACK_CHECK: %50
                     LF_DISMOUNT: %51
                     LF_COMPRESSION: %52
                     LF_SNAPSHOT: %53
                     LF_MOUNT: %54
                     LF_SHUTDOWN: %55
                     LF_RECURSIVE_COMPRESSION: %56
                     LF_TESTING: %57

           DiskResourceFailure: %58
           VolumeTrimCount: %59
                     VolumeTrimTime (ms): %60
                     VolumeTrimSize (KB): %61
                     AvgVolumeTrimTime (ms): %62
                     AvgVolumeTrimSize (KB): %63
           VolumeTrimSkippedCount: %64
                     VolumeTrimSkippedSize (KB): %65
           FileLevelTrimCount: %66
                     FileLevelTrimTime (ms): %67
                     FileLevelTrimSize (KB): %68
                     AvgFileLevelTrimTime (ms): %69
                     AvgFileLevelTrimSize (KB): %70
           NtfsFillStatInfoFromMftRecordCalledCount: %71
           NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount: %72
           NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount: %73

Fields #

Name	Description
`VolumeCorrelationId` GUID	[NTFS metadata statistics for volume] Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	[NTFS metadata statistics for volume] Volume name.
`UserFileReads` UInt64	[NTFS metadata statistics for volume] UserFileReads.
`UserFileReadBytes` UInt64	[NTFS metadata statistics for volume] UserFileReadBytes.
`UserDiskReads` UInt64	[NTFS metadata statistics for volume] UserDiskReads.
`UserFileWrites` UInt64	[NTFS metadata statistics for volume] UserFileWrites.
`UserFileWriteBytes` UInt64	[NTFS metadata statistics for volume] UserFileWriteBytes.
`UserDiskWrites` UInt64	[NTFS metadata statistics for volume] UserDiskWrites.
`MetaDataReads` UInt64	[NTFS metadata statistics for volume] MetaDataReads.
`MetaDataReadBytes` UInt64	[NTFS metadata statistics for volume] MetaDataReadBytes.
`MetaDataDiskReads` UInt64	[NTFS metadata statistics for volume] MetaDataDiskReads.
`MetaDataWrites` UInt64	[NTFS metadata statistics for volume] MetaDataWrites.
`MetaDataWriteBytes` UInt64	[NTFS metadata statistics for volume] MetaDataWriteBytes.
`MetaDataDiskWrites` UInt64	[NTFS metadata statistics for volume] MetaDataDiskWrites.
`MftReads` UInt64	[NTFS metadata statistics for volume] MftReads.
`MftReadBytes` UInt64	[NTFS metadata statistics for volume] MftReadBytes.
`MftWrites` UInt64	[NTFS metadata statistics for volume] MftWrites.
`MftWriteBytes` UInt64	[NTFS metadata statistics for volume] MftWriteBytes.
`Mft2Writes` UInt64	[NTFS metadata statistics for volume] Mft2Writes.
`Mft2WriteBytes` UInt64	[NTFS metadata statistics for volume] Mft2WriteBytes.
`RootIndexReads` UInt64	[NTFS metadata statistics for volume] RootIndexReads.
`RootIndexReadBytes` UInt64	[NTFS metadata statistics for volume] RootIndexReadBytes.
`RootIndexWrites` UInt64	[NTFS metadata statistics for volume] RootIndexWrites.
`RootIndexWriteBytes` UInt64	[NTFS metadata statistics for volume] RootIndexWriteBytes.
`BitmapReads` UInt64	[NTFS metadata statistics for volume] BitmapReads.
`BitmapReadBytes` UInt64	[NTFS metadata statistics for volume] BitmapReadBytes.
`BitmapWrites` UInt64	[NTFS metadata statistics for volume] BitmapWrites.
`BitmapWriteBytes` UInt64	[NTFS metadata statistics for volume] BitmapWriteBytes.
`MftBitmapReads` UInt64	[NTFS metadata statistics for volume] MftBitmapReads.
`MftBitmapReadBytes` UInt64	[NTFS metadata statistics for volume] MftBitmapReadBytes.
`MftBitmapWrites` UInt64	[NTFS metadata statistics for volume] MftBitmapWrites.
`MftBitmapWriteBytes` UInt64	[NTFS metadata statistics for volume] MftBitmapWriteBytes.
`UserIndexReads` UInt64	[NTFS metadata statistics for volume] UserIndexReads.
`UserIndexReadBytes` UInt64	[NTFS metadata statistics for volume] UserIndexReadBytes.
`UserIndexWrites` UInt64	[NTFS metadata statistics for volume] UserIndexWrites.
`UserIndexWriteBytes` UInt64	[NTFS metadata statistics for volume] UserIndexWriteBytes.
`LogFileReads` UInt64	[NTFS metadata statistics for volume] LogFileReads.
`LogFileReadBytes` UInt64	[NTFS metadata statistics for volume] LogFileReadBytes.
`LogFileWrites` UInt64	[NTFS metadata statistics for volume] LogFileWrites.
`LogFileWriteBytes` UInt64	[NTFS metadata statistics for volume] LogFileWriteBytes.
`LogFileFull` UInt64	[NTFS metadata statistics for volume] LogFileFull.
`LogFileFullReasonBucket1` UInt64	[LogFileFullReasons] LF_LOG_SPACE.
`LogFileFullReasonBucket2` UInt64	[LogFileFullReasons] LF_DIRTY_PAGES.
`LogFileFullReasonBucket3` UInt64	[LogFileFullReasons] LF_OPEN_ATTRIBUTES.
`LogFileFullReasonBucket4` UInt64	[LogFileFullReasons] LF_TRANSACTION_DRAIN.
`LogFileFullReasonBucket5` UInt64	[LogFileFullReasons] LF_FASTIO_CALLBACK.
`LogFileFullReasonBucket6` UInt64	[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS.
`LogFileFullReasonBucket7` UInt64	[LogFileFullReasons] LF_DEALLOCATED_CLUSTERS_MEM.
`LogFileFullReasonBucket8` UInt64	[LogFileFullReasons] LF_RECORD_STACK_CHECK.
`LogFileFullReasonBucket9` UInt64	[LogFileFullReasons] LF_DISMOUNT.
`LogFileFullReasonBucket10` UInt64	[LogFileFullReasons] LF_COMPRESSION.
`LogFileFullReasonBucket11` UInt64	[LogFileFullReasons] LF_SNAPSHOT.
`LogFileFullReasonBucket12` UInt64	[LogFileFullReasons] LF_MOUNT.
`LogFileFullReasonBucket13` UInt64	[LogFileFullReasons] LF_SHUTDOWN.
`LogFileFullReasonBucket14` UInt64	[LogFileFullReasons] LF_RECURSIVE_COMPRESSION.
`LogFileFullReasonBucket15` UInt64	[LogFileFullReasons] LF_TESTING.
`DiskResourceFailure` UInt64	[LogFileFullReasons] DiskResourceFailure.
`VolumeTrimCount` UInt64	—
`VolumeTrimTime` UInt64	[LogFileFullReasons] VolumeTrimTime (ms).
`VolumeTrimSize` UInt64	[LogFileFullReasons] VolumeTrimSize (KB).
`AvgVolumeTrimTime` UInt64	[LogFileFullReasons] AvgVolumeTrimTime (ms).
`AvgVolumeTrimSize` UInt64	[LogFileFullReasons] AvgVolumeTrimSize (KB).
`VolumeTrimSkippedCount` UInt64	[LogFileFullReasons] VolumeTrimSkippedCount.
`VolumeTrimSkippedSize` UInt64	[LogFileFullReasons] VolumeTrimSkippedSize (KB).
`FileLevelTrimCount` UInt64	[LogFileFullReasons] FileLevelTrimCount.
`FileLevelTrimTime` UInt64	[LogFileFullReasons] FileLevelTrimTime (ms).
`FileLevelTrimSize` UInt64	[LogFileFullReasons] FileLevelTrimSize (KB).
`AvgFileLevelTrimTime` UInt64	[LogFileFullReasons] AvgFileLevelTrimTime (ms).
`AvgFileLevelTrimSize` UInt64	[LogFileFullReasons] AvgFileLevelTrimSize (KB).
`NtfsFillStatInfoFromMftRecordCalledCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordCalledCount.
`NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount.
`NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount` UInt64	[LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 158,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-05T22:47:04.964890+00:00",
    "event_record_id": 183,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 52
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeNameLength": 48,
    "VolumeName": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "UserFileReads": 5,
    "UserFileReadBytes": 20480,
    "UserDiskReads": 5,
    "UserFileWrites": 0,
    "UserFileWriteBytes": 0,
    "UserDiskWrites": 0,
    "MetaDataReads": 12,
    "MetaDataReadBytes": 217088,
    "MetaDataDiskReads": 14,
    "MetaDataWrites": 1,
    "MetaDataWriteBytes": 8192,
    "MetaDataDiskWrites": 2,
    "MftReads": 6,
    "MftReadBytes": 53248,
    "MftWrites": 1,
    "MftWriteBytes": 8192,
    "Mft2Writes": 0,
    "Mft2WriteBytes": 0,
    "RootIndexReads": 0,
    "RootIndexReadBytes": 0,
    "RootIndexWrites": 0,
    "RootIndexWriteBytes": 0,
    "BitmapReads": 1,
    "BitmapReadBytes": 12288,
    "BitmapWrites": 0,
    "BitmapWriteBytes": 0,
    "MftBitmapReads": 1,
    "MftBitmapReadBytes": 8192,
    "MftBitmapWrites": 0,
    "MftBitmapWriteBytes": 0,
    "UserIndexReads": 1,
    "UserIndexReadBytes": 4096,
    "UserIndexWrites": 1,
    "UserIndexWriteBytes": 4096,
    "LogFileReads": 8,
    "LogFileReadBytes": 32768,
    "LogFileWrites": 16,
    "LogFileWriteBytes": 65536,
    "LogFileFull": 0,
    "LogFileFullReasonBucket1": 0,
    "LogFileFullReasonBucket2": 0,
    "LogFileFullReasonBucket3": 0,
    "LogFileFullReasonBucket4": 0,
    "LogFileFullReasonBucket5": 0,
    "LogFileFullReasonBucket6": 0,
    "LogFileFullReasonBucket7": 0,
    "LogFileFullReasonBucket8": 0,
    "LogFileFullReasonBucket9": 0,
    "LogFileFullReasonBucket10": 0,
    "LogFileFullReasonBucket11": 0,
    "LogFileFullReasonBucket12": 0,
    "LogFileFullReasonBucket13": 0,
    "LogFileFullReasonBucket14": 0,
    "LogFileFullReasonBucket15": 0,
    "DiskResourceFailure": 0,
    "VolumeTrimCount": 0,
    "VolumeTrimTime": 0,
    "VolumeTrimSize": 0,
    "AvgVolumeTrimTime": 0,
    "AvgVolumeTrimSize": 0,
    "VolumeTrimSkippedCount": 0,
    "VolumeTrimSkippedSize": 0,
    "FileLevelTrimCount": 0,
    "FileLevelTrimTime": 0,
    "FileLevelTrimSize": 0,
    "AvgFileLevelTrimTime": 0,
    "AvgFileLevelTrimSize": 0,
    "NtfsFillStatInfoFromMftRecordCalledCount": 0,
    "NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount": 0,
    "NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline