Event ID 4 — The NTFS volume has been successfully mounted.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Task: Volumemount

Description

The NTFS volume has been successfully mounted.

Message #

The NTFS volume has been successfully mounted.

           Volume GUID: %4
           Volume Name: %6
           Volume Label: %8
           Device Name: %3

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`Vcb` Pointer	—
`MountDurationUs` UInt64	—
`MountDuration` UnicodeString	Total mount duration.
`LongestStage` UInt64	—
`LongestStageDuration` UnicodeString	—
`LongestStagePercentage` UInt64	—
`SecondLongestStage` UInt64	—
`SecondLongestStageDuration` UnicodeString	—
`SecondLongestStagePercentage` UInt64	—
`RestartApplied` Boolean	Volume restart applied.
`IsBootVolume` Boolean	—
`Stage1DurationUs` UInt64	—
`Stage2DurationUs` UInt64	—
`Stage3DurationUs` UInt64	—
`Stage4DurationUs` UInt64	—
`Stage5DurationUs` UInt64	—
`Stage6DurationUs` UInt64	—
`Stage7DurationUs` UInt64	—
`Stage8DurationUs` UInt64	—
`Stage9DurationUs` UInt64	—
`Stage10DurationUs` UInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 4,
    "version": 1,
    "level": 4,
    "task": 6,
    "opcode": 0,
    "keywords": 4611967493404098592,
    "time_created": "2023-11-06T06:25:20.848685+00:00",
    "event_record_id": 147,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 96
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabelLength": 5,
    "VolumeLabel": "WINRE",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "Vcb": "0xffffa60dd18c01b0",
    "MountDurationUs": 32215,
    "MountDuration": "32 ms",
    "LongestStage": 5,
    "LongestStageDuration": "16 ms",
    "LongestStagePercentage": 50,
    "SecondLongestStage": 2,
    "SecondLongestStageDuration": "16 ms",
    "SecondLongestStagePercentage": 50,
    "RestartApplied": false,
    "IsBootVolume": false,
    "Stage1DurationUs": 0,
    "Stage2DurationUs": 16042,
    "Stage3DurationUs": 0,
    "Stage4DurationUs": 0,
    "Stage5DurationUs": 16172,
    "Stage6DurationUs": 0,
    "Stage7DurationUs": 0,
    "Stage8DurationUs": 0,
    "Stage9DurationUs": 0,
    "Stage10DurationUs": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline