Event ID 9 — NTFS scanned entire volume bitmap.

Provider: Microsoft-Windows-Ntfs
Channel: Operational
Level: Informational
Opcode: Info

Description

NTFS scanned entire volume bitmap.

Message #

NTFS scanned entire volume bitmap.

           Volume correlation Id: %1
           Volume name: %3
           Volume label: %5

           Device name: %7
           Device GUID: %8
           Device manufacturer: %10
           Device model: %12
           Device revision: %14
           Device serial number: %16
           Bus type: %17

           Adapter serial number: %19

           Duration (micro seconds): %20
           InputFlags: %21
           Reason: %22
           Flags: %23

Fields #

Name	Description
`VolumeCorrelationId` GUID	—
`VolumeIdLength` UInt16	—
`VolumeId` UnicodeString	Volume name.
`VolumeLabelLength` UInt16	—
`VolumeLabel` UnicodeString	—
`DeviceNameLength` UInt16	—
`DeviceName` UnicodeString	—
`DeviceGuid` GUID	—
`VendorIdLength` UInt32	—
`VendorId` UnicodeString	Device manufacturer.
`ProductIdLength` UInt32	—
`ProductId` UnicodeString	Device model.
`ProductRevisionLength` UInt32	—
`ProductRevision` UnicodeString	Device revision.
`DeviceSerialNumberLength` UInt32	—
`DeviceSerialNumber` UnicodeString	—
`BusType` UInt32	—
`AdapterSerialNumberLength` UInt32	—
`AdapterSerialNumber` UnicodeString	—
`DurationUs` UInt32	Duration (micro seconds).
`InputFlags` HexInt32	—
`Reason` UInt32	—
`Flags` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Ntfs",
    "guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
    "event_source_name": "",
    "event_id": 9,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018429485056,
    "time_created": "2023-11-06T06:25:25.774221+00:00",
    "event_record_id": 149,
    "correlation": {
      "ActivityID": "405E6FE6-7C77-466B-8D93-5F354CA37E8C"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 108
    },
    "channel": "Microsoft-Windows-Ntfs/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeCorrelationId": "F8B2740A-2324-44DB-BBF8-80523FE5334B",
    "VolumeIdLength": 48,
    "VolumeId": "\\\\?\\Volume{f8b2740a-2324-44db-bbf8-80523fe5334b}",
    "VolumeLabelLength": 5,
    "VolumeLabel": "WINRE",
    "DeviceNameLength": 23,
    "DeviceName": "\\Device\\HarddiskVolume1",
    "DeviceGuid": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "VendorIdLength": 8,
    "VendorId": "VMware, ",
    "ProductIdLength": 16,
    "ProductId": "VMware Virtual S",
    "ProductRevisionLength": 4,
    "ProductRevision": "1.0 ",
    "DeviceSerialNumberLength": 0,
    "DeviceSerialNumber": "",
    "BusType": 10,
    "AdapterSerialNumberLength": 0,
    "AdapterSerialNumber": "",
    "DurationUs": 49,
    "InputFlags": "0x10",
    "Reason": 7,
    "Flags": "0x10"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline