Event ID 301 — NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumedismount
Opcode: Suspend

Description

NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Message #

NTFS has sent volume dismount event notification and is waiting for the notifications to complete.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 301,
    "version": 0,
    "level": 4,
    "task": 8,
    "opcode": 8,
    "keywords": 4611686018427387936,
    "time_created": "2022-03-04T08:48:15.535738+00:00",
    "event_record_id": 24,
    "correlation": {},
    "execution": {
      "process_id": 1460,
      "thread_id": 2636
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WIN-TKC15D7KHUR",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline