Event ID 300 — NTFS volume dismount has started.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Start

Description

NTFS volume dismount has started.

Message #

NTFS volume dismount has started.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—
`ProcessId` UInt32	—
`ProcessName` AnsiString	—
`DismountReason` AnsiString	Reason.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 300,
    "version": 1,
    "level": 4,
    "task": 8,
    "opcode": 1,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.493213+00:00",
    "event_record_id": 22,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "1E9B06BD-0000-0000-0000-B0C208000000",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{1e9b06bd-0000-0000-0000-b0c208000000}",
    "VolumeLabelLength": 0,
    "VolumeLabel": "",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume3",
    "DeviceGuid": "A86CEC8E-FB18-5AEC-6F31-C812511391BB",
    "VendorIdLength": 0,
    "VendorId": "",
    "ProductIdLength": 13,
    "ProductId": "VBOX HARDDISK",
    "ProductRevisionLength": 3,
    "ProductRevision": "1.0",
    "DeviceSerialNumberLength": 19,
    "DeviceSerialNumber": "VB8e57de8f-e08973f3",
    "BusType": 11,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "Vcb": "0xffffe706b34661b0",
    "ProcessId": 1460,
    "ProcessName": "vds.exe",
    "DismountReason": "Explicit lock"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline