detection.wiki

Microsoft-Windows-Ntfs › Event 170

Event ID 170 — IO latency summary.

Provider
Microsoft-Windows-Ntfs
Channel
Operational
Level
Informational
Opcode
Info

Description

IO latency summary.

Message #

IO latency summary:

           Volume Id: %1
           Volume name: %3
           Is boot volume: %4
           
           IO type: %20
           
           Interval duration: %18
           
           Max Acceptable IO Latency: %22
           High Latency IOs: %23
           
           IO count: %24
           Avg IOPS: %25
           Avg latency: %27
           
           Latency buckets: [%28]
           IO count buckets: [%29, %30, %31, %32, %33, %34, %35, %36, %37, %38, %39, %40]
           Total time buckets (ns): [%41, %42, %43, %44, %45, %46, %47, %48, %49, %50, %51, %52]
           
           Device GUID: %5
           Device manufacturer: %7
           Device model: %9
           Device revision: %11
           Device serial number: %13
           Bus type: %14
           
           Adapter serial number: %16
           
           For more details see the details tab.

Fields #

NameDescription
VolumeCorrelationId GUID[IO latency summary] Volume Id.
VolumeNameLength UInt16
VolumeName UnicodeString[IO latency summary] Volume name.
IsBootVolume Boolean[IO latency summary] Is boot volume.
DeviceGuid GUID[IO latency summary] Device GUID.
VendorIdLength UInt16
VendorId UnicodeString[IO latency summary] Device manufacturer.
ProductIdLength UInt16
ProductId UnicodeString[IO latency summary] Device model.
ProductRevisionLength UInt16
ProductRevision UnicodeString[IO latency summary] Device revision.
DeviceSerialNumberLength UInt16
DeviceSerialNumber UnicodeString[IO latency summary] Device serial number.
BusType UInt32[IO latency summary] Bus type.
AdapterSerialNumberLength UInt16
AdapterSerialNumber UnicodeString[IO latency summary] Adapter serial number.
IntervalDurationMs UInt64
IntervalDurationStr UnicodeString[IO latency summary] Interval duration.
SummaryId UInt64
IoType UInt16
IoTypeStr UnicodeString[IO latency summary] IO type.
HighLatencyMs
HighLatencyStr[IO latency summary] Max Acceptable IO Latency.
HighLatencyIoCount UInt32[IO latency summary] High Latency IOs.
TotalIoCount UInt64[IO latency summary] IO count.
TotalIoTimeNs
AverageIops UInt64[IO latency summary] Avg IOPS.
AverageLatencyNs UInt64
AverageLatencyStr UnicodeString[IO latency summary] Avg latency.
MaxLatencyNs UInt64
MaxLatencyStr UnicodeString[IO latency summary] Max latency.
LatencyBuckets UnicodeString
IoCount0 UInt64
IoCount1 UInt64
IoCount2 UInt64
IoCount3 UInt64
IoCount4 UInt64
IoCount5 UInt64
IoCount6 UInt64
IoCount7 UInt64
IoCount8 UInt64
IoCount9 UInt64
IoCount10 UInt64
IoCount11 UInt64
IoCount12 UInt64
IoCount13 UInt64
IoCount14 UInt64
IoCount15 UInt64
TotalTimeNs0 UInt64
TotalTimeNs1 UInt64
TotalTimeNs2 UInt64
TotalTimeNs3 UInt64
TotalTimeNs4 UInt64
TotalTimeNs5 UInt64
TotalTimeNs6 UInt64
TotalTimeNs7 UInt64
TotalTimeNs8 UInt64
TotalTimeNs9 UInt64
TotalTimeNs10 UInt64
TotalTimeNs11 UInt64
TotalTimeNs12 UInt64
TotalTimeNs13 UInt64
TotalTimeNs14 UInt64
TotalTimeNs15 UInt64

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 170,
    "version": 4,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611967493406195712,
    "time_created": "2023-11-06T01:32:12.811964+00:00",
    "event_record_id": 248,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 18088
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
    "VolumeNameLength": 2,
    "VolumeName": "C:",
    "IsBootVolume": true,
    "DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "IntervalDurationMs": 3602451,
    "IntervalDurationStr": "3602 s",
    "SummaryId": 108174105061,
    "IoType": 29,
    "IoTypeStr": "Allocate clusters",
    "HighLatencyMs": 30000,
    "HighLatencyStr": "30 s",
    "HighLatencyIoCount": 0,
    "TotalIoCount": 48922,
    "TotalIoTimeNs": 14280377600,
    "AverageIops": 3426,
    "AverageLatencyNs": 291900,
    "AverageLatencyStr": "291 µs",
    "MaxLatencyNs": 5739679000,
    "MaxLatencyStr": "5 s",
    "LatencyBuckets": "128 µs, 256 µs, 512 µs, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 512 ms, 1 s, 2 s, 10 s, 20 s, 30 s, > 30 s",
    "IoCount0": 44799,
    "IoCount1": 2533,
    "IoCount2": 735,
    "IoCount3": 442,
    "IoCount4": 247,
    "IoCount5": 80,
    "IoCount6": 68,
    "IoCount7": 9,
    "IoCount8": 7,
    "IoCount9": 1,
    "IoCount10": 0,
    "IoCount11": 0,
    "IoCount12": 1,
    "IoCount13": 0,
    "IoCount14": 0,
    "IoCount15": 0,
    "TotalTimeNs0": 1787444100,
    "TotalTimeNs1": 426448000,
    "TotalTimeNs2": 260123100,
    "TotalTimeNs3": 308442200,
    "TotalTimeNs4": 472092800,
    "TotalTimeNs5": 650878800,
    "TotalTimeNs6": 2032031400,
    "TotalTimeNs7": 839490800,
    "TotalTimeNs8": 1281500500,
    "TotalTimeNs9": 482246900,
    "TotalTimeNs10": 0,
    "TotalTimeNs11": 0,
    "TotalTimeNs12": 5739679000,
    "TotalTimeNs13": 0,
    "TotalTimeNs14": 0,
    "TotalTimeNs15": 0
  },
  "message": ""
}

References #