Event ID 159 — NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: VolumeSizeChange

Description

NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).

Message #

NTFS has successfully completed the %19 request in %20 ms when trying to %18 the volume size from %4 (MB) to %5 (MB).

           Volume Id: %1
           Volume name: %3

           Device GUID: %6
           Device manufacturer: %8
           Device model: %10
           Device revision: %12
           Device serial number: %14
           Bus type: %15

           Adapter serial number: %17

           Operation: %18
                     Request Type: %19

           Stage Durations:
                     Stage 1. Verify input and calculate new volume size (ms): %21
                     Stage 2. Set boundary and allocate/deallocate cluster (ms): %22
                     Stage 3. Update bitmap (ms): %23

Fields #

Name	Description
`VolumeCorrelationId` GUID	Volume Id.
`VolumeNameLength` UInt32	—
`VolumeName` UnicodeString	—
`FromSize` UInt64	—
`ToSize` UInt64	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`VolumeSizeChangeOperation` UInt16	Operation.
`VolumeSizeChangeRequestType` UInt16	Request Type.
`CombinedDurationMs` UInt64	—
`Stage1DurationMs` UInt64	[Stage Durations] Stage 1. Verify input and calculate new volume size (ms).
`Stage2DurationMs` UInt64	[Stage Durations] Stage 2. Set boundary and allocate/deallocate cluster (ms).
`Stage3DurationMs` UInt64	[Stage Durations] Stage 3. Update bitmap (ms).

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 159,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2022-04-07T16:45:03.658483+00:00",
    "event_record_id": 8,
    "correlation": {},
    "execution": {
      "process_id": 4476,
      "thread_id": 4512
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "ADDC92DC-EB36-4896-AAEB-9547FEEB7B8C",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "FromSize": 102281,
    "ToSize": 101756,
    "DeviceGuid": "7B6F1752-BD95-6E22-E3A5-6EE8419ECAD7",
    "VendorIdLength": 0,
    "VendorId": "",
    "ProductIdLength": 24,
    "ProductId": "VMware Virtual NVMe Disk",
    "ProductRevisionLength": 3,
    "ProductRevision": "1.0",
    "DeviceSerialNumberLength": 16,
    "DeviceSerialNumber": "VMWare NVME_0000",
    "BusType": 17,
    "AdapterSerialNumberLength": 16,
    "AdapterSerialNumber": "VMWare NVME_0000",
    "VolumeSizeChangeOperation": 1,
    "VolumeSizeChangeRequestType": 2,
    "CombinedDurationMs": 62,
    "Stage1DurationMs": 0,
    "Stage2DurationMs": 0,
    "Stage3DurationMs": 62
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline