Microsoft-Windows-NtfsLog

698 events across 1 channel

Event ID	Title	Channel
10	NtfsLookupRealAllocation: Vcn {A10_Vcn}!	Operational
11	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!	Operational
12	FileObject: {A10_FileObject}!	Operational
13	NtfsAddAllocation IC:{A10_IrpContext}!	Operational
14	Purge failed: Scb: {A10_Scb}!	Operational
15	Purge failed: Scb: {A10_Scb}!	Operational
16	NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!	Operational
17	Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference …	Operational
18	Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference …	Operational
19	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List …	Operational
20	NtfsAddAttributeAllocation.	Operational
21	NtfsAddAttributeAllocation.	Operational
22	NtfsAddAttributeAllocation.	Operational
23	NtfsAddAttributeAllocation.	Operational
24	NtfsAddAttributeAllocation.	Operational
25	NtfsAddAttributeAllocation.	Operational
26	NtfsRestartRemoveAttribute FileRef:0x.	Operational
27	NtfsRestartChangeValue FileRef:0x.	Operational
28	AddToAttributeList.	Operational
29	DeleteFromAttributeList.	Operational
30	MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}!	Operational
31	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}!	Operational
32	MoveAttributeToOwnRecord IC:{A10_IrpContext}!	Operational
33	NtfsRestartZeroEndOfFileRecord FileRef:0x.	Operational
34	MergeFRS2(%1;%2): Scb %3; FileRef %4!	Operational
35	MergeFRS2(%1;%2): Scb %3; FileRef %4!	Operational
36	MergeFRS2(%1;%2): Scb %3; FileRef %4!	Operational
37	MergeFRS2.	Operational
38	MergeFRS2.	Operational
39	MergeFRS2.	Operational
40	MergeFRS2.	Operational
41	MergeFRS2.	Operational
42	MergeFRS2.	Operational
43	MergeFRS2.	Operational
44	MergeFRS2.	Operational
45	MergeFRS2.	Operational
46	MergeFRS2.	Operational
47	MergeFRS2.	Operational
48	RedoAttribute(%1;%2): Scb %3; FileRef %4!	Operational
49	RedoAttribute(%1;%2): Scb %3; FileRef %4!	Operational
50	NtfsConsolidateAllFileRecords: Invalid Vcb.	Operational
51	NtfsConsolidateAllFileRecords: Volume is locked.	Operational
52	NtfsConsolidateAllFileRecords.	Operational
53	NtfsConsolidateAllFileRecords.	Operational
54	NtfsConsolidateAllFileRecords.	Operational
55	NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!	Operational
56	NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!	Operational
57	NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!	Operational
58	NtfsConsolidateAllFileRecords.	Operational
59	NtfsConsolidateAllFileRecords.	Operational
60	NtfsConsolidateAllFileRecords.	Operational
61	NtfsConsolidateAllFileRecords.	Operational
62	NtfsConsolidateAllFileRecords.	Operational
63	NtfsConsolidateAllFileRecords.	Operational
64	NtfsConsolidateAllFileRecords.	Operational
65	NtfsConsolidateAllFileRecords.	Operational
66	UpdateLCS: Vcb {A10_Fcb->Vcb}!	Operational
67	NtfsAllocateClustersPriv IC: {A10_IrpContext}!	Operational
68	NtfsAllocateClustersPriv IC: {A10_IrpContext}!	Operational
69	NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.	Operational
70	NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.	Operational
71	NtfsAllocateClustersPriv IC: {A10_IrpContext}!	Operational
72	NtfsAllocateClustersPriv IC: {A10_IrpContext}!	Operational
73	NtfsDeallocateClusters IC: {A10_IrpContext}!	Operational
74	NtfsDeallocateClusters: Vcb {A10_Vcb}!	Operational
75	NtfsDeallocateClusters IC: {A10_IrpContext}!	Operational
76	NtfsDeallocateClusters: Vcb {A10_Vcb}!	Operational
77	NtfsDeallocateClusters: Vcb {A10_Vcb}!	Operational
78	NtfsDeallocateClusters: Vcb {A10_Vcb}!	Operational
79	NtfsDeallocateClusters: Decremented TotalAllocated by 0x.	Operational
80	NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.	Operational
81	NtfsDeallocateClusters: Vcb {A10_Vcb}!	Operational
82	NtfsDeallocateClusters IC: {A10_IrpContext}!	Operational
83	NtfsDeallocateClusters IC: {A10_IrpContext}!	Operational
84	NtfsModifyBitsInBitmap IC: {A10_IrpContext}!	Operational
85	NtfsModifyBitsInBitmap IC: {A10_IrpContext}!	Operational
86	NtfsAllocateBitmapRun IC: {A10_IrpContext}!	Operational
87	NtfsAllocateBitmapRun IC: {A10_IrpContext}!	Operational
88	NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!	Operational
89	NtfsFreeBitmapRun IC: {A10_IrpContext}!	Operational
90	NtfsFreeBitmapRun IC: {A10_IrpContext}!	Operational
91	NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!	Operational
92	NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!	Operational
93	NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!	Operational
94	NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!	Operational
95	System files not marked as in use in the MFT bitmap.	Operational
97	Length: {A10_Length}!	Operational
98	Length: {A10_Length}!	Operational
99	BinIndex: {A10_BinIndex}!	Operational
100	BinIndex: {A10_BinIndex}!	Operational
101	BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!	Operational
102	BinIndex: {A10_BinIndex}!	Operational
103	Searched committed allocations but didnt find enough free space.	Operational
104	NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!	Operational
105	NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!	Operational
106	NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!	Operational
107	NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!	Operational
108	NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!	Operational
109	NtfsValidateTotalClustersCommitted.	Operational
110	Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!	Operational
111	Entering: Scb: {A10_Scb}!	Operational
112	RunEntry ==> {A10_RunIndex}!	Operational
114	Shrinking LengthInExtent.	Operational
115	Zeroing: StartingPhysicalAddr: 0x.	Operational
116	Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!	Operational
117	Entering: Scb: {A10_Scb}!	Operational
118	Dsm Ranges[.	Operational
119	RemainingClusterCount: 0x.	Operational
120	Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!	Operational
121	DsmOut Ranges[.	Operational
122	Zeroing: StartingPhysicalAddr: 0x.	Operational
123	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
124	Entering: Scb: {A10_Scb}!	Operational
125	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
126	IrpContext: {A10_IrpContext}!	Operational
127	Return.	Operational
128	Unexpected open type received: {A10_TypeOfOpen}!	Operational
129	Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}.	Operational
130	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
131	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
132	Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; FileIdBuffer: …	Operational
133	Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; Path: %6; …	Operational
134	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational
135	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational
136	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
137	NtfsCommonVolumeOpen: Thread: %1; Vcb: %2; VolumeName: %3; VolumeLabel: %4; …	Operational
138	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
139	NtfsCommonVolumeOpen: Conlicting file objects.	Operational
140	NtfsHandlePagingFile: Paging file already open; paging files can only be opened …	Operational
141	NtfsHandlePagingFile: Cannot open system file as paging file.	Operational
142	NtfsHandlePagingFile: Persisted paging file already exists.	Operational
143	NtfsOpenFcbById: Invalid system file access.	Operational
144	NtfsOpenExistingPrefixFcb: Can not directly open txf directory.	Operational
145	NtfsOpenExistingPrefixFcb: Invalid system file access.	Operational
146	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …	Operational
147	NtfsOpenFile: Invalid system file access.	Operational
148	NtfsOpenFile: Deny open when txf rm is active.	Operational
149	NtfsCreateNewFile: Deny creation in system directory (except root).	Operational
150	NtfsCreateNewFile: Unable to create Ea for the file.	Operational
151	NtfsCreateNewFile: Unable to create in the $txf directory.	Operational
152	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.	Operational
153	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.	Operational
154	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.	Operational
155	NtfsOpenAttributeInExistingFile: Denying access for volume root directory.	Operational
156	NtfsCreateNewFile: Not allowed to create streams on system files.	Operational
157	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …	Operational
158	NtfsOverwriteAttr: Denying access due to user being Ea blind.	Operational
159	NtfsOverwriteAttr: Deny access due to encryption happening on the stream.	Operational
160	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …	Operational
161	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational
162	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational
163	NtfsOpenAttributeCheck: File already has user writable references.	Operational
164	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.	Operational
165	NtfsOpenAttributeCheck: File was granted write access but has image section.	Operational
166	NtfsOpenAttribute: Denying write access on disallowed writes.	Operational
167	NtfsOpenAttribute: File already has user writable references.	Operational
168	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
169	NtfsOpenAttribute: File already has user writable references.	Operational
170	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
171	NtfsCheckExistingFile: Desired access conflicts with read-only state.	Operational
172	NtfsOpenExistingEncryptedStream: No encryption driver found.	Operational
173	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …	Operational
174	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational
175	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational
176	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
177	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
178	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
179	NtfsReCheckShareAccess: Does not meet allow open requirement.	Operational
180	%1:%2 Status: %3 ProcessName: %4.	Operational
181	%1:%2 Status: %3 ProcessName: %4.	Operational
182	%1:%2 Status: %3 ProcessName: %4.	Operational
183	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
184	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
185	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
186	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
187	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
188	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
189	NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!	Operational
190	NtfsTransferMaxDataSetRanges: Src {A10_Src}!	Operational
191	NtfsTransferMaxDataSetRanges: Src {A10_Src}!	Operational
192	NtfsTransferMaxDataSetRanges: Src {A10_Src}!	Operational
193	NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!	Operational
194	NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!	Operational
195	NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!	Operational
196	NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!	Operational
197	NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!	Operational
198	NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!	Operational
199	NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!	Operational
200	NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!	Operational
201	NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!	Operational
202	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!	Operational
203	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
204	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
205	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
206	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
207	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
208	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
209	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
210	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
211	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
212	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!	Operational
213	NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!	Operational
214	NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!	Operational
215	NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!	Operational
216	NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
217	NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
218	NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
219	NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
220	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
221	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
222	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!	Operational
223	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!	Operational
224	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for …	Operational
225	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for …	Operational
226	NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!	Operational
227	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
228	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
229	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
230	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
231	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
232	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
233	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
234	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
235	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
236	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
237	NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!	Operational
238	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
239	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
240	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
241	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
242	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
243	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
244	NtfsEvalSmartTrimState: Vcb {A10_Vcb}!	Operational
245	NtfsFlushAllTrimHintsSynchronous.	Operational
246	NtfsFlushAllTrimHintsSynchronous.	Operational
247	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.	Operational
248	NtfsVolumeDasdIo: Data section blocking flush.	Operational
251	Writing to $Bitmap.	Operational
252	Writing to $Bitmap.	Operational
253	NTFS: Posting hotfix on file object: {A10_FileObject}!	Operational
254	NTFS: Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!	Operational
255	NTFS: Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!	Operational
257	IrpContext: {A10_IrpContext}!	Operational
258	IrpContext: {A10_IrpContext}!	Operational
259	Compression buffers are already big enough.	Operational
260		Operational
261	IrpContext: {A10_IrpContext}!	Operational
262	Compression buffers are already big enough.	Operational
263		Operational
264	NtfsDefragFileInternal: Vcb {A10_Vcb}!	Operational
265	NtfsDefragFileInternal: Vcb {A10_Vcb}!	Operational
266	NtfsDefragFileInternal: Vcb {A10_Vcb}!	Operational
267	NtfsDefragFileInternal.	Operational
268	NtfsDefragFileInternal.	Operational
269	NtfsDefragFileInternal.	Operational
270	NtfsDefragFileInternal.	Operational
271	NtfsDefragFileInternal.	Operational
272	NtfsDefragFileInternal.	Operational
273	NtfsDefragFileInternal.	Operational
274	NtfsDefragFile: Defrag is denied without manage volume access.	Operational
275	NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!	Operational
276	NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!	Operational
277	NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!	Operational
278	SCB: {A10_Scb}!	Operational
279	SCB: {A10_Scb}!	Operational
280	StartOff=0x.	Operational
281	RemainingClusterCount: 0x.	Operational
282	RemainingClusterCount: 0x.	Operational
283	STATUS_BUFFER_TOO_SMALL from FsLib.	Operational
284	Made an educated guess for remaining runs.	Operational
285	Made a wild guess for remaining runs.	Operational
286	NumberOfValidRuns: 0x.	Operational
287	BasePage: 0x.	Operational
288	About to zero range - ZeroStart: 0x.	Operational
289	Zeroed range - ZeroStart: 0x.	Operational
290	NtfsCommonQueryInformation: File information query not allowed as file was …	Operational
291	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …	Operational
292	NtfsQueryNameInfo: Name info query not allowed as file was opened without …	Operational
293	NtfsQueryLinksInfo: Link info query not allowed as file was opened without …	Operational
294	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.	Operational
295	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.	Operational
296	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
297	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
298	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …	Operational
299	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
300	NtfsSetRenameInfo: Can not rename a file marked for deletion.	Operational
301	NtfsSetRenameInfo: Can not rename a txf directory.	Operational
302	NtfsSetRenameInfo: Can not rename a txf directory.	Operational
303	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.	Operational
304	NtfsSetRenameInfo: Can not rename a directory into itself.	Operational
305	NtfsSetRenameInfo: The file should not have in-memory directory descendents.	Operational
306	NtfsSetRenameInfo: Child Scb mismatch.	Operational
307	NtfsSetLinkInfo: Set link info is not allowed on txf directory.	Operational
308	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.	Operational
309	NtfsSetLinkInfo: Set link info failed due to caller not having …	Operational
310	NtfsSetLinkInfo: Creating a link in system directory is not allowed.	Operational
311	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.	Operational
312	NtfsSetShortNameInfo: Can not set a short name on a deleted file.	Operational
313	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …	Operational
314	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …	Operational
315	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.	Operational
316	NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!	Operational
317	NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!	Operational
318	NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!	Operational
319	NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!	Operational
320	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: …	Operational
321	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: …	Operational
322	NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!	Operational
323	NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!	Operational
324	NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!	Operational
325	Irp: {A10_Irp}!	Operational
326	Irp: {A10_Irp}!	Operational
327	Irp: {A10_Irp}!	Operational
328	NtfsLockVolumeInternal: Cannot lock the volume.	Operational
329	NtfsLockVolumeInternal: Volume is already locked.	Operational
330	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
331	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
332	NtfsLockVolumeInternal: Outstanding user files open after flush and retry.	Operational
333	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
334	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
335	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
336	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …	Operational
337	NtfsDismountVolume: IC: %1; Vcb: %2; Label: %3; DeviceName: %4.	Operational
338	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
339	NtfsDismountVolume: Cannot dismount volume due to volume being locked.	Operational
340	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
341	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …	Operational
342	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …	Operational
343	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …	Operational
344	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …	Operational
345	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
346	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
347	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …	Operational
348	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …	Operational
349	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …	Operational
350	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup …	Operational
351	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …	Operational
352	NtfsZeroRange: User mode caller not allowed.	Operational
353	IC: {A10_IrpContext}!	Operational
354	NtfsZeroRange: User mode caller not allowed.	Operational
355	IC: {A10_IrpContext}!	Operational
356	IC: {A10_IrpContext}!	Operational
357	NtfsReadRawEncrypted: Caller does not have backup access or read data access.	Operational
358	NtfsWriteRawEncrypted: Caller does not have write data access or restore access.	Operational
359	NtfsWriteRawEncrypted: Caller not having manage volume privilege.	Operational
360	NtfsChangeVolumeSize.	Operational
361	NtfsChangeVolumeSize.	Operational
362	NtfsChangeVolumeSize.	Operational
363	NtfsChangeVolumeSize.	Operational
364	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …	Operational
365	NtfsMarkHandle: Caller not having manage volume privilege.	Operational
366	NtfsMarkHandle: Cannot deny defrag.	Operational
367	NtfsMarkHandle: Cannot deny Frs consolidation.	Operational
368	NtfsMarkHandle: Cannot filter metadata.	Operational
369	NtfsMarkHandle: Mark handle is not allowed on system files.	Operational
370	NtfsMarkHandle: File already has user writable references.	Operational
371	NtfsMarkHandle: File was granted write access previously but no oplocks were …	Operational
372	NtfsPrefetchFile: Caller not having manage volume privilege.	Operational
373	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational
374	NtfsSetShortNameBehavior: Caller not having manage volume privilege.	Operational
375	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational
376	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
377	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
378	Resetting Volsnap behavior for VCB = 0x.	Operational
379	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
380	Resetting Volsnap behavior for VCB = 0x.	Operational
381	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
382	Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.	Operational
383	Scb:{A10_Scb}!	Operational
384	Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.	Operational
385	Scb:{A10_Scb}!	Operational
386	Scrub SystemScbIndex: {A10_ScrubResumeContext.	Operational
387	NtfsScrubData: Caller not having manage volume privilege.	Operational
388	Scrub not supported for Txf file; Scb: {A10_Scb}!	Operational
389	Scb:{A10_Scb}!	Operational
390	Scb:{A10_Scb}!	Operational
391	Scb:{A10_Scb}!	Operational
392	InternalFileReference: {A10_InternalFileReference}!	Operational
393	InternalFileReference:{A10_InternalFileReference}!	Operational
394	Scb:{A10_Scb}!	Operational
395	Scb:{A10_Scb}!	Operational
396	Scb:{A10_Scb}!	Operational
397	Scb:{A10_Scb}!	Operational
398	Scb:{A10_Scb}!	Operational
399	Scb:{A10_Scb}!	Operational
400	Scb:{A10_Scb}!	Operational
401	Scb:{A10_Scb}!	Operational
402	Scb:{A10_Scb}!	Operational
403	Scrub found problems Scb: {A10_Scb}!	Operational
404	Scb:{A10_Scb}!	Operational
405	Scb:{A10_Scb}!	Operational
406	FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!	Operational
407	Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2).	Operational
408	Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (%2).	Operational
409	Scb:{A10_Scb}!	Operational
410	Scb:{A10_Scb}!	Operational
411	Scb:{A10_Scb}!	Operational
412	Scb:{A10_Scb}!	Operational
413	Scb:{A10_Scb}!	Operational
414	Scb:{A10_Scb}!	Operational
415	Scb:{A10_Scb}!	Operational
416	Scb:{A10_Scb}!	Operational
417	Scb:{A10_Scb}!	Operational
418	NtfsQueryCachedRuns: Caller not having manage volume privilege.	Operational
419	NtfsQueryStorageClasses: Caller not having manage volume privilege.	Operational
420	NtfsQueryRegionInfo: Caller not having manage volume privilege.	Operational
421	NtfsUnloadFile: Caller not having manage volume privilege.	Operational
422	NtfsCheckForSection: File already has image section.	Operational
423	NtfsShuffleFile: User mode caller is not allowed.	Operational
424	NtfsShuffleFile: Denying access due to volume is locked.	Operational
425	NtfsShuffleFile: Defrag is denied.	Operational
426	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
427	NtfsRearrangeFile: User mode caller is not allowed.	Operational
428	NtfsRearrangeFile: Denying access due to volume is locked.	Operational
429	NtfsRearrangeFile: Defrag is denied.	Operational
430	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
431	NtfsSparseOverAllocate: Caller does not have appropriate write access.	Operational
432	NtfsInitiateFileMetadataOptimization: Only allowed on regular user …	Operational
433	NtfsQueryFileMetadataOptimization: Only allowed on regular user …	Operational
434	NtfsEnumOnMountToDeleteWorker.	Operational
435	NtfsEnumOnMountToDeleteWorker(%1;%2): Open status=0x%3; path='%4'.	Operational
436	NtfsEnumOnMountToDeleteWorker.	Operational
437	NtfsEnumOnMountToDeleteWorker.	Operational
438	NtfsEnumMountWorker.	Operational
439	NtfsEnumOnMountToDeleteWorker.	Operational
440	FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: …	Operational
441	SCB: {A10_Scb}!	Operational
442	FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: …	Operational
443	FsInputRangeIndex: {A10_FsInputRangeIndex}!	Operational
444	Scb: {A10_Scb}!	Operational
445	Scb: {A10_Scb}!	Operational
446	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.	Operational
448	NtfsFindPrefixHashEntry: {Hash table: %1} {ParentScb: %2; '%3'} {RemainingName: …	Operational
450	NtfsFindPrefixHashEntry: {Lcb: %1; '%2'}.	Operational
452	Vcb {A10_Vcb}!	Operational
453	Vcb {A10_Vcb}!	Operational
454	Vcb {A10_Vcb}!	Operational
455	Vcb {A10_Vcb}!	Operational
456	Vcb {A10_Vcb}!	Operational
457	Vcb {A10_Vcb}!	Operational
458	Vcb {A10_Vcb}!	Operational
459	Vcb {A10_Vcb}!	Operational
460	Vcb {A10_Vcb}!	Operational
461	Vcb {A10_Vcb}!	Operational
462	Vcb {A10_Vcb}!	Operational
463	Vcb {A10_Vcb}!	Operational
464	Vcb {A10_Vcb}!	Operational
465	NtfsCommitCurrentTransaction IC: {A10_IrpContext}!	Operational
466	Vcb {A10_Vcb}!	Operational
467	Vcb {A10_Vcb}!	Operational
468	NtfsCommitCurrentTransaction IC: {A10_IrpContext}!	Operational
469	NtfsCommitCurrentTransaction IC: {A10_IrpContext}!	Operational
470	NtfsCommitCurrentTransaction.	Operational
471	NtfsCommitCurrentTransaction.	Operational
472	NtfsCommitCurrentTransaction.	Operational
473	NtfsCommitCurrentTransaction.	Operational
474	NtfsCommitCurrentTransaction.	Operational
475	NtfsCommitCurrentTransaction IC: {A10_IrpContext}!	Operational
476	NtfsCommitCurrentTransaction IC: {A10_IrpContext}!	Operational
477	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
478	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
479	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
480	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
481	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
482	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
483	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
484	Vcb: {A10_Vcb}!	Operational
485	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: …	Operational
486	FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}.	Operational
487	FsLibAddBaseMcbEntryEx failed: {A10_Status}.	Operational
488	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: …	Operational
489	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: …	Operational
490	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
491	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
492	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
493	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
494	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
495	NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!	Operational
496	NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!	Operational
497	NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!	Operational
498	NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!	Operational
499	NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!	Operational
500	NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!	Operational
501	NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!	Operational
502	Valid NTFS boot sector.	Operational
503	Not an NTFS boot sector.	Operational
504	NtfsMountVolume: Vcb:{A10_Vcb}!	Operational
505	NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!	Operational
506	Mounting DAX partition.	Operational
507	DAX volume mounted without DAX support because storage is not DAX capable.	Operational
508	NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!	Operational
509	NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!	Operational
510	NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!	Operational
511	Unexpected exception code of 0x.	Operational
512	Exception code of 0x.	Operational
513	Unexpected exception code of 0x.	Operational
514	LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}!	Operational
515	Unexpected raise of 0x.	Operational
516	NtfsProcessException IC: {A10_IrpContext}!	Operational
517	NtfsProcessException IC: {A10_IrpContext}!	Operational
518	Failed to abort - IrpContext {A10_IrpContext}!	Operational
519	Failed to abort - IrpContext {A10_IrpContext}!	Operational
520	Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.	Operational
521	Setting 0x.	Operational
522	[.	Operational
523	[.	Operational
524	Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!	Operational
525	[.	Operational
526	Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!	Operational
527	Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!	Operational
528	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
529	Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!	Operational
530	NtfsSetObjectId: Caller does not have restore access.	Operational
531	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
532	NtfsDeleteObjectId: Caller does not have write access.	Operational
533	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.	Operational
534	Unexpected Paging-Read on DAX mappable stream; Scb=.	Operational
535	NtfsAbortTransaction IC: {A10_IrpContext}!	Operational
536	NtfsAbortTransaction IC: {A10_IrpContext}!	Operational
537	DoAction::InitializeFRS IC:{A10_IrpContext}!	Operational
538	NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling …	Operational
539	NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!	Operational
540	NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: …	Operational
541	NtfsAbortTransaction IC: {A10_IrpContext}!	Operational
542	NtfsAbortTransaction IC: {A10_IrpContext}!	Operational
543	DoAction::InitializeFRS IC:{A10_IrpContext}!	Operational
544	DoAction::DeallocateFRS IC:{A10_IrpContext}!	Operational
545	DoAction::WriteEndOfFRS IC:{A10_IrpContext}!	Operational
546	DoAction::CreateAttribute IC:{A10_IrpContext}!	Operational
547	NtfsRestartChangeValue IC:{A10_IrpContext}!	Operational
548	DoAction::SetNewAttributeSizes IC:{A10_IrpContext}!	Operational
549	DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!	Operational
550	DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!	Operational
551	NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.	Operational
552	NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.	Operational
553	NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to …	Operational
554	NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.	Operational
555	NtfsCheckFileForDelete: Denying access due to superseding view indexes are not …	Operational
556	NtfsCheckFileForDelete: Denying access due to non-posix delete of target …	Operational
557	NtfsCheckFileForDelete: Denying access due to file is not deleteable.	Operational
558	NtfsCheckFileForDelete: Denying access due to target file is read only.	Operational
559	NtfsCheckFileForDelete: Caller does not have write attributes access …	Operational
560	NtfsCheckFileForDelete: Denying access due to failing to remove image section.	Operational
561	NtfsGlobalSdUpdate: Caller does not have manage volume privilege.	Operational
562	NtfsRepairItem: Denying access due to volume is locked.	Operational
563	NtfsSetRepairState: Caller does not have manage volume privilege.	Operational
564	NtfsInitiateRepair: Caller does not have manage volume privilege.	Operational
566	NtfsDefineStorageReserve: Caller does not have manage volume privilege.	Operational
567	NtfsDeleteStorageReserve: Caller does not have manage volume privilege.	Operational
568	Failed to get a non-volatile token for Vcb: {A10_Vcb}!	Operational
569	Failed to free non-volatile token for Vcb: {A10_Vcb}!	Operational
570	NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!	Operational
571	NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …	Operational
572	ClustersLinkAsHead: {A10_ClustersLinkAsHead}!	Operational
573	Clusters: {A10_Clusters}!	Operational
574	Failed to get a non-volatile token for Vcb: {A10_Vcb}!	Operational
575	Failed to free non-volatile token for Vcb: {A10_Vcb}!	Operational
576	NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!	Operational
577	NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …	Operational
578	ClustersLinkAsHead: {A10_ClustersLinkAsHead}!	Operational
579	Clusters: {A10_Clusters}!	Operational
580	Matching cluster: {A10_Clusters}!	Operational
581	Clusters: {A10_Clusters}!	Operational
582	Need to add Range.	Operational
583	Need to add Range.	Operational
584	Added range.	Operational
585	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
586	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
587	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.	Operational
588	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.	Operational
589	{A10___FUNCTION__}: from {A11_CallerFunction}!	Operational
590	{A10___FUNCTION__}: from {A11_CallerFunction}!	Operational
591	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
592	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
593	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.	Operational
594	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.	Operational
595	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be …	Operational
596	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt.	Operational
597	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed.	Operational
598	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; …	Operational
599	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; …	Operational
600	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata …	Operational
601	{A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!	Operational
602	{A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is …	Operational
603	{A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!	Operational
604	{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
605	{A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!	Operational
606	{A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!	Operational
607	{A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!	Operational
608	{A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!	Operational
609	{A10___FUNCTION__}: {A11_.	Operational
610	{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
611	{A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
612	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
613	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
614	{A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
615	{A10___FUNCTION__}: Got {A11_Status}!	Operational
616	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
617	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
618	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
619	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
620	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
621	{A10___FUNCTION__}: Got {A11_Status}!	Operational
622	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
623	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
624	{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
625	{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
626	{A10___FUNCTION__}: Shutting down {A11_.	Operational
627	{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
628	(.	Operational
629	(.	Operational
630	{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
631	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
632	{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
633	TxfFsctlWriteBackupInformation: Denying access due RM is active.	Operational
634	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
635	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
636	{A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!	Operational
637	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
638	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
639	{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …	Operational
640	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
641	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
642	{A10___FUNCTION__}: Commit.	Operational
643	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
644	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
645	{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …	Operational
646	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
647	{A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!	Operational
648	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
649	{A10___FUNCTION__}: 0x{A11_Status}!	Operational
650	{A10___FUNCTION__}: 0x{A11_Status}!	Operational
651	{A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
652	{A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at …	Operational
653	{A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
654	{A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at …	Operational
655	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
656	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
657	{A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
658	{A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
659	{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
660	{A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at …	Operational
661	{A10___FUNCTION__}: Log pinned by doomed transaction on RM at …	Operational
662	{A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!	Operational
663	{A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
664	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
665	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
666	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
667	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
668	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
669	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
670	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
671	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
672	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
673	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
674	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
675	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
676	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
677	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
678	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
679	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
680	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
681	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
682	{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!	Operational
683	TrimUsnJournal.	Operational
684	TrimUsnJournal.	Operational
685	TrimUsnJournal.	Operational
686	TrimUsnJournal.	Operational
687	TrimUsnJournal.	Operational
688	TrimUsnJournal.	Operational
689	TrimUsnJournal.	Operational
690	OfsSetLength.	Operational
691	OfsSetLength.	Operational
692	NtOfsPostNewLength.	Operational
693	NtfsIsRegionDangling: RemainingClusterCount: 0x.	Operational
694	OfsSetLength.	Operational
695	OfsSetLength.	Operational
696	OfsSetLength.	Operational
697	OfsSetLength.	Operational
698	NtOfsPostNewLength.	Operational
699	NtfsIsRegionDangling: RemainingClusterCount: 0x.	Operational
700	Vcb {A10_Vcb}!	Operational
701	Vcb {A10_Vcb}!	Operational
702	Vcb {A10_Vcb}!	Operational
703	NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!	Operational
704	NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!	Operational
705	NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!	Operational
706	NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!	Operational
707	Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.	Operational
708	NtfsPostVcbIsCorrupt.	Operational
709	NtfsPostVcbIsCorrupt: Marking volume dirty.	Operational
710	Truncating write from 0x.	Operational
711	Succeeding log write @ 0x.	Operational
712	Succeeding log write @ 0x.	Operational
713	Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.	Operational
714	Ignoring write to 0x.	Operational
715	Ignoring write to 0x.	Operational
716	Truncating write from 0x.	Operational

Event ID 10 — NtfsLookupRealAllocation: Vcn {A10_Vcn}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLookupRealAllocation: Vcn {A10_Vcn}!I64x!; LowestVcn {A11_Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A12_Attribute->Form.Nonresident.HighestVcn}!I64x!; AllocationClusters {A13_AllocationClusters}!I64x!

Fields

Name	Description
`A10_Vcn`	—
`A13_AllocationClusters`	—

Event ID 11 — NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!p!; Scb:{A11_Scb}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—

Event ID 12 — FileObject: {A10_FileObject}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FileObject: {A10_FileObject}!p!; Scb: {A11_Scb}!p!; StaringVcn: {A12_StartingVcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!; Flags: {A14_Flags}!08x!; CcbForWriteExtend: {A15_CcbForWriteExtend}!p!

Fields

Name	Description
`A10_FileObject`	—
`A11_Scb`	—
`A12_StartingVcn`	—
`A13_ClusterCount`	—
`A14_Flags`	—
`A15_CcbForWriteExtend`	—

Event ID 13 — NtfsAddAllocation IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAllocation IC:{A10_IrpContext}!p!; FileObject:{A11_FileObject}!p!; Scb:{A12_Scb}!p!; StaringVcn:{A13_StartingVcn}!I64x!; ClusterCount:{A14_ClusterCount}!I64x!; Flags:{A15_Flags}!08x!; CcbForWriteExtend:{A16_CcbForWriteExtend}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileObject`	—
`A12_Scb`	—
`A13_StartingVcn`	—
`A14_ClusterCount`	—
`A15_Flags`	—
`A16_CcbForWriteExtend`	—

Event ID 14 — Purge failed: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—

Event ID 15 — Purge failed: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!; PurgeChunkLength: 0x{A12_PurgeChunkLength}!x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—
`A12_PurgeChunkLength`	—

Event ID 16 — NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!p!; Using LastVcn:{A11_*LastVcn}!4I64x!; InstanceId:{A12_Attribute->Instance}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 17 — Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Event ID 18 — Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Event ID 19 — NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:{A10_IrpContext}!p!ValueLength:{A11_ValueLength}!x!; AttrFlags={A12_AttributeFlags}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ValueLength`	—
`A12_AttributeFlags`	—

Event ID 20 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LastVcn {A14_LastVcn}!I64x!; NewHighestVcn {A15_NewHighestVcn}!I64x!; PassCount {A16_PassCount}!x! - step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A14_LastVcn`	—
`A15_NewHighestVcn`	—
`A16_PassCount`	—

Event ID 21 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - try to merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—

Event ID 22 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - after merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—

Event ID 23 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x!; PassCount {A17_PassCount}!x! - before last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A17_PassCount`	—

Event ID 24 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - after last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—

Event ID 25 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; MergeSkipCt {A14_NtfsFrsConsolidationStatistics.MergeSkipCount}!x! - done

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—

Event ID 26 — NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartRemoveAttribute FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A13_Attribute->TypeCode}!x!

Event ID 27 — NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartChangeValue FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A13_Attribute->TypeCode}!x!

Event ID 28 — AddToAttributeList.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

AddToAttributeList({A10_Fcb->Vcb}!p!;{A11_IrpContext}!p!): FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_CurrentAttributeListSize}!x!

Fields

Name	Description
`A11_IrpContext`	—
`A15_CurrentAttributeListSize`	—

Event ID 29 — DeleteFromAttributeList.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DeleteFromAttributeList({A10_Fcb->Vcb}!p!;{A11_IrpContext}!p!): FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_NewStdInfoAttrListEntry.LastCompactedSize}!x!

Fields

Name	Description
`A11_IrpContext`	—

Event ID 30 — MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}!p!; Moving Attrib {A11_i}!x!/{A12_MAX_MOVEABLE_ATTRIBUTES}!x!; Type={A13_Attribute->TypeCode}!x!; RecLengh={A14_Attribute->RecordLength}!x!; Instance:{A15_Attribute->Instance}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_i`	—
`A12_MAX_MOVEABLE_ATTRIBUTES`	—

Event ID 31 — MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}!p!; SizeNeeded:{A11_SizeNeeded}!x!; TypeCode:{A12_Attribute->TypeCode}!x!; RecLen:{A13_Attribute->RecordLength}!x!; Form:{A14_Attribute->FormCode}!x!; Instance:{A15_Attribute->Instance}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—

Event ID 32 — MoveAttributeToOwnRecord IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MoveAttributeToOwnRecord IC:{A10_IrpContext}!p!; SizeNeeded:{A11_SizeNeeded}!x!; Bytes2Free:{A12_BytesToFree}!x!; OldMappingSize:{A13_MappingPairSize}!x!; NewMappingSize:{A14_NewMappingPairSize}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—
`A12_BytesToFree`	—
`A13_MappingPairSize`	—
`A14_NewMappingPairSize`	—

Event ID 33 — NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartZeroEndOfFileRecord FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Start:0x{A13_StartZero}!x!; Len:0x{A14_ZeroLength}!x!

Fields

Name	Description
`A13_StartZero`	—
`A14_ZeroLength`	—

Event ID 34 — MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; LowVcn %7!I64x!; HalfWayVcn %8!I64x!; FinalVcn %9!I64x!; PackedMode %10!x!; TryPrior %11!x! - about to merge

Event ID 35 — MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; DeleteFileRef %7!x!0000%8!08x!; LowVcn %9!I64x!; LastVcn %10!I64x!; FinalVcn %11!I64x! - all fit in one so get rid of the second one

Event ID 36 — MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; DeleteFileRef %7!x!0000%8!08x!; LowVcn %9!I64x!; LastVcn %10!I64x!; FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Event ID 37 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewFinalVcn}!I64x! - initial RangePtr query

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewFinalVcn`	—

Event ID 38 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewHalfWayVcn}!I64x!; Rptr {A15_RangePtr}!p! - secondary RangePtr query

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 39 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewHalfWayVcn}!I64x!; Rptr {A15_RangePtr}!p! - calling lookup runs range

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 40 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - current McbArray

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NtfsMcbArray`	—

Event ID 41 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - previous McbArray

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NtfsMcbArray`	—

Event ID 42 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - prev prev McbArray

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NtfsMcbArray`	—

Event ID 43 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - next McbArray

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NtfsMcbArray`	—

Event ID 44 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; NewFinalVcnInMcb {A14_NewFinalVcnInMcb}!I64x! > NewFinalVcn {A15_NewFinalVcn}!I64x! - NewFinalVcn is smaller

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewFinalVcnInMcb`	—
`A15_NewFinalVcn`	—

Event ID 45 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; NewStartVcn {A14_NewStartVcn}!I64x!; LastVcn {A15_LastVcn}!I64x!; NewFinalVcn {A16_NewFinalVcn}!I64x!; NewFinalVcnInMcb {A17_NewFinalVcnInMcb}!I64x!; #Ranges {A18_NumberOfRanges}!x!; DeletedNextAttribute {A10_Scb->Vcb}0!x!; Mcb1({A10_Scb->Vcb}1!x!;{A10_Scb->Vcb}2!x!); Mcb2({A10_Scb->Vcb}3!x!;{A10_Scb->Vcb}4!x!); McbArraySizeInUseChange {A10_Scb->Vcb}5!d! - final vcn in mcb

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewStartVcn`	—
`A15_LastVcn`	—
`A16_NewFinalVcn`	—
`A17_NewFinalVcnInMcb`	—
`A18_NumberOfRanges`	—

Event ID 46 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; StartingVcn {A14_NewStartVcn}!I64x!; EndingVcn {A15_DeletedNextAttribute ? NewFinalVcnInMcb : (LastVcn-1)}!I64x! - redefined mcb range1

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_NewStartVcn`	—

Event ID 47 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; StartingVcn {A14_LastVcn}!I64x!; EndingVcn {A15_NewFinalVcnInMcb}!I64x! - redefined mcb range2

Fields

Name	Description
`A11_IrpContext`	—
`A12_Scb`	—
`A14_LastVcn`	—
`A15_NewFinalVcnInMcb`	—

Event ID 48 — RedoAttribute(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RedoAttribute(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; FileRef %7!I64x!; OldLowVcn %8!I64x!; NewLowVcn %9!I64x!; Instance %10!x! - updating LowestVcn in attribute list entry

Event ID 49 — RedoAttribute(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RedoAttribute(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; OldLowVcn %7!I64x!; NewLowVcn %8!I64x!; OldHighVcn %9!I64x!; NewHighVcn %10!I64x!; ChildRef %11!x!0000%12!08x! - done

Event ID 50 — NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: {A10_PsGetCurrentThread()}!p!.

Event ID 51 — NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Volume Id: %5!S!; Vcb State: 0x%6!08x!.

Event ID 52 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; FirstRequest {A14_AllFlags.FirstRequest}!x! - opened fcb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 53 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - already in progress so get out

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 54 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - set in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 55 — NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; RstrTypeCode %5!x!; RstrAttrName %6!S!; RstrVcn %7!I64x!; RstrAttrListEntryOffset %8!x!; AttrListEntryOffset %9!x!; AttrListLength %10!I64x!; AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Event ID 56 — NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; Vcn %7!I64x!; Instance %8!x!; RstrAttrListEntryOffset %9!x!; AttrListLength %10!I64x! - breaking up 1

Event ID 57 — NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; Vcn %7!I64x!; Instance %8!x!; RstrAttrListEntryOffset %9!x!; AttrListLength %10!I64x! - breaking up 2

Event ID 58 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; Scb {A14_Scb}!p! - completed this Scb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A14_Scb`	—

Event ID 59 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - going into finally

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 60 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): FileRef {A12_*(PULONGLONG)_FrsConsolidationContext->FileReference}!I64x!; Status {A13_IrpContext->ExceptionStatus}!x! - Abnormal Termination

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 61 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - decremented close counts

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 62 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - clearing in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—

Event ID 63 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_FileRef}!I64x!; ExceptionStatus {A14_ExceptionStatus}!x!- released

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_ExceptionStatus`	—

Event ID 64 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_FileRef}!I64x!; RemovedFcb {A14_RemovedFcb}!x!; AllFlags.FcbAcquired {A15_AllFlags.FcbAcquired}!x!; TransId {A16_IrpContext->TransactionId}!x! - no release

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_RemovedFcb`	—

Event ID 65 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): DeltaTime {A12_(EndTime.QuadPart*1000)/NtfsPerformanceFrequency.QuadPart}!I64d! (ms); TotalTime {A13_(FrsConsolidationContext->TotalTime*1000)/NtfsPerformanceFrequency.QuadPart}!I64d! (ms)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 66 — UpdateLCS: Vcb {A10_Fcb->Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

UpdateLCS: Vcb {A10_Fcb->Vcb}!p!; IC {A11_IrpContext}!p!; FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_AttributeListSize}!x!

Fields

Name	Description
`A11_IrpContext`	—
`A15_AttributeListSize`	—

Event ID 67 — NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; Vcn: 0x{A14_OriginalStartingVcn}!I64x!; Length: 0x{A15_ClusterCount}!I64x!; AllocateAll: {A16_AllocateAll}!S!; TargetLcn: 0x{A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1}!I64x!; PreAllocated: {A18_PreAllocated}!S!; DelayedAllocation: {A10_IrpContext}0!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A18_PreAllocated`	—

Event ID 68 — NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; Vcn: 0x{A14_OriginalStartingVcn}!I64x!; Length: 0x{A15_ClusterCount}!I64x!; AllocateAll: {A16_AllocateAll}!S!; TargetLcn: 0x{A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1}!I64x!; PreAllocated: {A18_PreAllocated}!S!; DelayedAllocation: {A10_IrpContext}0!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A18_PreAllocated`	—

Event ID 69 — NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x{A10_FoundClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_Scb->TotalAllocated}!I64x!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—

Event ID 70 — NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x{A10_FoundClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_Scb->TotalAllocated}!I64x!ScbState: {A13_Scb->State}!08x!; IrpContextState2: {A14_IrpContext->State2}!08x!; AllocateWithNoHole: {A15_AllocateWithNoHole}!d!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—
`A15_AllocateWithNoHole`	—

Event ID 71 — NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 72 — NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 73 — NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 74 — NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! from clusters {A12_StartingVcn}!I64x! to {A13_EndingVcn}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—

Event ID 75 — NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 76 — NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! starting at {A12_AdjLcn}!I64x! for {A13_AdjClusterCount}!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A12_AdjLcn`	—
`A13_AdjClusterCount`	—

Event ID 77 — NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - raising logfile full

Fields

Name	Description
`A10_Vcb`	—

Event ID 78 — NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - adding clusters to DeallocatedClusters: {A11_DeallocatedClusters}!p! ==> Lsn: {A12_DeallocatedClusters->Lsn.QuadPart}!I64x!; ClusterCount: {A13_DeallocatedClusters->ClusterCount}!I64x!; Flags: {A14_DeallocatedClusters->Flags}!08x!; Vcb's DeallocatedClustersCount old: {A15_Vcb->DeallocatedClusters}!I64x! new: {A16_Vcb->DeallocatedClusters + AdjClusterCount}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 79 — NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Decremented TotalAllocated by 0x{A10_ClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_*TotalAllocated}!I64x!Addr(TotalAllocated): {A13_TotalAllocated}!p!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A13_TotalAllocated`	—

Event ID 80 — NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x{A10_ClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!Addr(TotalAllocated): {A12_TotalAllocated}!p!; ScbState: {A13_Scb->State}!08x!; IrpContextState2: {A14_IrpContext->State2}!08x!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A12_TotalAllocated`	—

Event ID 81 — NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - Undoing some changes to DeallocatedClustersCount from {A11_Vcb->DeallocatedClusters}!I64x! to {A12_Vcb->DeallocatedClusters-ClustersRemoved}!I64x!

Fields

Name	Description
`A10_Vcb`	—

Event ID 82 — NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 83 — NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 84 — NtfsModifyBitsInBitmap IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; FirstBit: 0x{A12_FirstBit}!I64x!; BeyondLastBit: 0x{A13_BeyondFinalBit}!I64x!; Redo: 0x{A14_RedoOperation}!x!; Undo: 0x{A15_UndoOperation}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_FirstBit`	—
`A13_BeyondFinalBit`	—
`A14_RedoOperation`	—
`A15_UndoOperation`	—

Event ID 85 — NtfsModifyBitsInBitmap IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; CurrentLcn: 0x{A13_CurrentLcn}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_CurrentLcn`	—

Event ID 86 — NtfsAllocateBitmapRun IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_ClusterCount}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—

Event ID 87 — NtfsAllocateBitmapRun IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 88 — NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 89 — NtfsFreeBitmapRun IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_*ClusterCount}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—

Event ID 90 — NtfsFreeBitmapRun IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 91 — NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 92 — NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12_Bitmap}!p!; StartingBitmapLcn: 0x{A13_StartingBitmapLcn}!I64x!; SetBits: {A14_SetBits}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Bitmap`	—
`A13_StartingBitmapLcn`	—
`A14_SetBits`	—

Event ID 93 — NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; StartLcn: 0x{A12_StartingBit}!I64x!; EndLcn: 0x{A13_EndingBit}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_StartingBit`	—
`A13_EndingBit`	—

Event ID 94 — NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Result: {A11_Results}!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Results`	—

Event ID 95 — System files not marked as in use in the MFT bitmap.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

System files not marked as in use in the MFT bitmap.  DWord offset {A10_i}!x!; value {A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]}!x!.

Fields

Name	Description
`A10_i`	—

Event ID 97 — Length: {A10_Length}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u!    - Key: {A12_Key}!u!; BitPosition: {A13_BitPosition}!ld!; GroupIndex: {A14_GroupIndex}!ld!; GroupShiftFactor: {A15_GroupShiftFactor}!ld!

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_Key`	—
`A13_BitPosition`	—
`A14_GroupIndex`	—
`A15_GroupShiftFactor`	—

Event ID 98 — Length: {A10_Length}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u!    - BinIndex was beyond TotalBins: {A12_TotalBins}!u! hence brought down

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_TotalBins`	—

Event ID 99 — BinIndex: {A10_BinIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MAXLONGLONG}!8I64d!  - BinIndex is set to last bin or beyond; TotalBins: {A12_TotalBins}!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MAXLONGLONG`	—
`A12_TotalBins`	—

Event ID 100 — BinIndex: {A10_BinIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64d!  - GroupIndex: {A12_GroupIndex}!ld!; RelativeBinIndex: {A13_RelativeBinIndex}!ld!; MaxKey: {A14_MaxKey}!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_GroupIndex`	—
`A13_RelativeBinIndex`	—
`A14_MaxKey`	—

Event ID 101 — BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!8ld!; BinGroupSize: {A11_NtfsCachedRunBinGroupSize}!8u!; BinGroupMask: {A12_NtfsCachedRunBinGroupMask}!8x!

Fields

Name	Description
`A10_NtfsCachedRunBinGroupShift`	—
`A11_NtfsCachedRunBinGroupSize`	—
`A12_NtfsCachedRunBinGroupMask`	—

Event ID 102 — BinIndex: {A10_BinIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64u! (0x{A12_MaxLength}!8I64x!)

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_MaxLength`	—

Event ID 103 — Searched committed allocations but didnt find enough free space.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Searched committed allocations but didnt find enough free space.  StartingCluster {A10_StartingCluster}!I64x!; ClusterCount {A11_ClusterCount}!I64x!; Committed {A12_Vcb->TotalClustersCommitted}!I64x!; Total {A13_Vcb->TotalClusters}!I64x!; Free {A14_Vcb->FreeClusters}!I64x!

Fields

Name	Description
`A10_StartingCluster`	—
`A11_ClusterCount`	—

Event ID 104 — NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): first bit 0x{A11_FirstBitToClear}!X!; last bit 0x{A12_BeyondLastBitToClear - 1}!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_FirstBitToClear`	—

Event ID 105 — NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no leading partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 106 — NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): leading partial slab returned - LCN {A11_*FreeClusterBase1}!I64X!; len {A12_*FreeClusterCount1}!I64X!

Fields

Name	Description
`A10_Vcb`	—

Event ID 107 — NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no trailing partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 108 — NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): trailing partial slab returned - lcn {A11_*FreeClusterBase2}!I64X!; len {A12_*FreeClusterCount2}!I64X!

Fields

Name	Description
`A10_Vcb`	—

Event ID 109 — NtfsValidateTotalClustersCommitted.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsValidateTotalClustersCommitted({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): TCC {A12_Vcb->TotalClustersCommitted}!I64x!; TC {A13_Vcb->TotalClusters}!I64x!; BMSize {A14_Vcb->TPMap.SizeOfBitMap}!x!

Fields

Name	Description
`A10_Vcb`	—

Event ID 110 — Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!u!

Event ID 111 — Entering: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingZero}!016I64x!; ByteCount: 0x{A12_ByteCount}!016I64x!; ExtentsDescriptor: {A13_ExtentsDescriptor}!p!; ExtentsDescriptorIndex: {A14_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A15_*ExtentsDescriptorStartOffset}!016I64x!; Offset: 0x{A16_Offset}!016I64x!; MaxRuns: {A17_MaxRuns}!d!;

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_ByteCount`	—
`A13_ExtentsDescriptor`	—
`A16_Offset`	—
`A17_MaxRuns`	—

Event ID 112 — RunEntry ==> {A10_RunIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RunEntry ==> {A10_RunIndex}!4d!: [0x{A11_ExtentsDescriptor->Run[RunIndex].BasePage}!016I64x!; 0x{A12_ExtentsDescriptor->Run[RunIndex].PageCount}!016I64x!]; ExtentLength: 0x{A13_ExtentLength}!016I64x!; Offset: 0x{A14_Offset}!016I64x!; RunIndexStartOffset: 0x{A15_RunIndexStartOffset}!016I64x!

Fields

Name	Description
`A10_RunIndex`	—
`A13_ExtentLength`	—
`A14_Offset`	—
`A15_RunIndexStartOffset`	—

Event ID 114 — Shrinking LengthInExtent.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Shrinking LengthInExtent (0x{A10_LengthInExtent}!016I64x!) to ByteCount (0x{A11_ByteCount}!016I64x!) that we have to zero

Fields

Name	Description
`A10_LengthInExtent`	—
`A11_ByteCount`	—

Event ID 115 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Fields

Name	Description
`A11_LengthInExtent`	—

Event ID 116 — Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d! ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 117 — Entering: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingOffset}!016I64x!; BeyondEndOffset: 0x{A12_BeyondEndOffset}!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingOffset`	—
`A12_BeyondEndOffset`	—

Event ID 118 — Dsm Ranges[.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Dsm Ranges[{A10_DataSetRangeIndex}!d!]: StartingOffset: 0x{A11_DsmBuffer->DataSetRanges[DataSetRangeIndex].StartingOffset}!016I64x!; LengthInBytes: 0x{A12_DsmBuffer->DataSetRanges[DataSetRangeIndex].LengthInBytes}!016I64x!

Fields

Name	Description
`A10_DataSetRangeIndex`	—

Event ID 119 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—

Event ID 120 — Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!d!; NumberOfRangesReturned: {A11_DsmByteAddressRanges->NumberOfRangesReturned}!d!

Event ID 121 — DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DsmOut Ranges[{A10_Index}!d!]: StartingAddress: 0x{A11_DsmByteAddressRanges->Ranges[Index].StartAddress}!016I64x!; LengthInBytes: 0x{A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes}!016I64x!

Fields

Name	Description
`A10_Index`	—

Event ID 122 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Fields

Name	Description
`A11_LengthInExtent`	—

Event ID 123 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 124 — Entering: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingZero}!016I64x!; BeyondEndOffset: 0x{A12_BeyondEndOffset}!016I64x!; ByteCount: 0x{A13_ByteCount}!016I64x!; ExtentsDescriptor: {A14_ExtentsDescriptor}!p!; ExtentsDescriptorIndex: {A15_ExtentsDescriptorIndex ? *ExtentsDescriptorIndex : 0}!d!; ExtentsDescriptorStartOffset: 0x{A16_ExtentsDescriptorStartOffset ? *ExtentsDescriptorStartOffset : 0}!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_BeyondEndOffset`	—
`A13_ByteCount`	—
`A14_ExtentsDescriptor`	—

Event ID 125 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 126 — IrpContext: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IrpContext: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; StartOffset: 0x{A12_StartOffset}!I64x!; ByteCount: 0x{A13_ByteCount}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—
`A12_StartOffset`	—
`A13_ByteCount`	—

Event ID 127 — Return.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Return. IrpContext: {A10_IrpContext}!p!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 128 — Unexpected open type received: {A10_TypeOfOpen}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected open type received: {A10_TypeOfOpen}!u!

Fields

Name	Description
`A10_TypeOfOpen`	—

Event ID 129 — Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 130 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Fields

Name	Description
`A10_Status`	—

Event ID 131 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Fields

Name	Description
`A10_Status`	—

Event ID 132 — Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; FileIdBuffer: %6; Options: 0x%7!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Irp: %1!p!; IC: %2!p!; Vcb: %3!p!; FileObject: %4!p!; RelatedFileObject: %5!p!; FileIdBuffer: %6!S!; Options: 0x%7!08x!; FileAttributes: 0x%8!04x!; ShareAccess: 0x%9!04x!; EaLength: 0x%10!08x!

Event ID 133 — Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; Path: %6; Options: 0x%7!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Irp: %1!p!; IC: %2!p!; Vcb: %3!p!; FileObject: %4!p!; RelatedFileObject: %5!p!; Path: %6!S!; Options: 0x%7!08x!; FileAttributes: 0x%8!04x!; ShareAccess: 0x%9!04x!; EaLength: 0x%10!08x!

Event ID 134 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Fields

Name	Description
`A11_CreateDisposition`	—

Event ID 135 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Fields

Name	Description
`A11_CreateDisposition`	—

Event ID 136 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 137 — NtfsCommonVolumeOpen: Thread: %1; Vcb: %2; VolumeName: %3; VolumeLabel: %4; Requested ShareAccess: 0x%5!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Requested ShareAccess: 0x%5!08x!; Vcb->CleanupCount: %6!d!; BiasedCleanupCount: %7!d!.

Event ID 138 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 139 — NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Requested ShareAccess: 0x%5!08x!; Vcb->ReadOnlyCloseCount: %6!d!; Vcb->CloseCount: %7!d!; Vcb->SystemFileCloseCount: %8!d!.

Event ID 140 — NtfsHandlePagingFile: Paging file already open; paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsHandlePagingFile: Paging file already open; paging files can only be opened once. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb->CleanupCount: %7!d!; Fcb->FcbState: 0x%8!08x!; IrpSp->Flags: 0x%9!08x!.

Event ID 141 — NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb->FcbState: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 142 — NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; IrpContext->State: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 143 — NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 144 — NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Rmstate: 0x%8!08x!.

Event ID 145 — NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 146 — NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!.

Event ID 147 — NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenFile: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 148 — NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfRmcb Rmstate: 0x%7!08x!.

Event ID 149 — NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; (Parent Fcb): Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; TxfRmcb state: 0x%8!08x!; AttrTypeCode: 0x%9!x!.

Event ID 150 — NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Create options: 0x%7!08x!; Ccb flags: 0x%8!08x!.

Event ID 151 — NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; (Parent Fcb) Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; TxfRmcb state: 0x%8!08x!.

Event ID 152 — NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfRmcb state: 0x%7!08x!.

Event ID 153 — NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NeedEaCount: %7!d!; CreateOptions: 0x%8!08x!; CcbFlags: 0x%9!08x!.

Event ID 154 — NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; AttrTypeCode to create: 0x%7!x!; CreateDisposition: 0x%8!08x!.

Event ID 155 — NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; CreateDisposition: 0x%7!08x!.

Event ID 156 — NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; AttrTypeCode: 0x%8!x!.

Event ID 157 — NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; DuplicateInfo attributes: 0x%7!08x!; FileAttributes: 0x%8!08x!.

Event ID 158 — NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Create options: 0x%7!08x!.

Event ID 159 — NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; AttributeTypeCode: 0x%7!x!; Scb state: 0x%8!08x!; Scb HighWaterMark: %9!I64d!.

Event ID 160 — NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; AttributeTypeCode: 0x%5!x!; CreateDisposition: 0x%6!08x!.

Event ID 161 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Event ID 162 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Event ID 163 — NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 164 — NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; AttributeTypeCode: 0x%8!x!; Attribute Name: %9!S!.

Event ID 165 — NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Previously granted access: 0x%10!08x!.

Event ID 166 — NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Disallow write count: %8!d!; Desired Access: 0x%9!08x!.

Event ID 167 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 168 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Requested share access: 0x%7!08x!; FO flags: 0x%8!08x!.

Event ID 169 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 170 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Requested share access: 0x%7!08x!; FO flags: 0x%8!08x!.

Event ID 171 — NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Desired Access: 0x%7!08x!; FileAttributes: 0x%8!08x!; SL control flags: 0x%9!08x!.

Event ID 172 — NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; NtfsData flags: 0x%8!08x!.

Event ID 173 — NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Stream attribute flags: 0x%8!08x!.

Event ID 174 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: {A10_PsGetCurrentThread()}!p!; Fcb: {A11_CurrentFcb}!p!; FileRef: 0x{A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )}!I64x!; TxfRmcb RM state: {A13_CurrentFcb->TxfRmcb->RmState}!x!.

Fields

Name	Description
`A11_CurrentFcb`	—

Event ID 175 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: {A10_PsGetCurrentThread()}!p!; Fcb: {A11_CurrentFcb}!p!; FileRef: 0x{A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )}!I64x!; TxfRmcb RM state: {A13_CurrentFcb->TxfRmcb->RmState}!x!.

Fields

Name	Description
`A11_CurrentFcb`	—

Event ID 176 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Link Name: %7!S!; DesiredAccess: 0x%8!08x!; DesiredShareAccess: 0x%9!08x!; IoShareAccessFlags: 0x%10!08x!; LinkShareAccess->OpenCount: %11!d!; LinkShareAccess->Deleters: %12!d!; LinkShareAccess->SharedDelete: %13!d!.

Event ID 177 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; DesiredAccess: 0x%9!08x!; DesiredShareAccess: 0x%10!08x!; IoShareAccessFlags: 0x%11!08x!; ShareAccess->OpenCount: %12!d!; ShareAccess->Readers: %13!d!; ShareAccess->Writers: %14!d!; ShareAccess->->Deleters: %15!d!; ShareAccess->SharedRead: %16!d!; ShareAccess->SharedWrite: %17!d!; ShareAccess->SharedDelete: %18!d!.

Event ID 178 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; Link Name: %9!S!; DesiredAccess: 0x%10!08x!; DesiredShareAccess: 0x%11!08x!; IoShareAccessFlags: 0x%12!08x!; ShareAccess->OpenCount: %13!d!; ShareAccess->Readers: %14!d!; ShareAccess->Writers: %15!d!; ShareAccess->->Deleters: %16!d!; ShareAccess->SharedRead: %17!d!; ShareAccess->SharedWrite: %18!d!; ShareAccess->SharedDelete: %19!d!; LinkShareAccess->OpenCount: %20!d!; LinkShareAccess->Deleters: %21!d!; LinkShareAccess->SharedDelete: %22!d!.

Event ID 179 — NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; Link Name: %9!S!; Previously granted access: 0x%10!08x!; AccessState->Flags: 0x%11!08x!; DesiredShareAccess: 0x%12!08x!; CreateDisposition: 0x%13!08x!; OpenCount: %14!d!; Readers: %15!d!; Writers: %16!d!; Deleters: %17!d!; SharedRead: %18!d!; Lcb Deleters: %19!d!.

Event ID 180 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 181 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 182 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 183 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Will tell storage we are freeing at {A11_StartingCluster}!I64x! for {A12_RunLength}!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—

Event ID 184 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Flush requested

Fields

Name	Description
`A10_Vcb`	—

Event ID 185 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! -  Created new MarkUnusedContext {A11_*MarkUnusedContext}!p!; DEALLOCATED_CLUSTERS {A12_(*MarkUnusedContext)->DeallocatedClusters}!p!; MCB {A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 186 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Successfully added clusters starting at {A11_StartingCluster}!I64x! for {A12_RunLength}!x! into MCB {A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—

Event ID 187 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - MCB {A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p! is full

Fields

Name	Description
`A10_Vcb`	—

Event ID 188 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Queuing request to IC pre-trim list; MUC {A11_*MarkUnusedContext}!p!; IC {A12_IrpContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A12_IrpContext`	—

Event ID 189 — NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! -  Failed to allocate/initial MarkUnusedContext

Fields

Name	Description
`A10_Vcb`	—

Event ID 190 — NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; SrcOrigClusCt {A13_Src->DeallocatedClusters->ClusterCount}!I64x!; SrcDSRL {A14_SrcDsmAttr->DataSetRangesLength}!x! - Entering

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—

Event ID 191 — NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; DstClusCt {A13_Dst->ClustersCount}!I64x!; DstDSRL {A14_DstDsmAttr->DataSetRangesLength}!x!; DstLIB {A15_DstFirstDataSetRangePtr->LengthInBytes}!I64x!; DstSOff {A16_DstFirstDataSetRangePtr->StartingOffset}!I64x! - Leaving

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—

Event ID 192 — NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; DstClusCt {A13_Dst->ClustersCount}!I64x!; DstDSRL {A14_DstDsmAttr->DataSetRangesLength}!x!; DstLIB {A15_DstFirstDataSetRangePtr->LengthInBytes}!I64x!; DstSOff {A16_DstFirstDataSetRangePtr->StartingOffset}!I64x! - Leaving

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—

Event ID 193 — NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - DC {A12_Vcb->DeallocatedClusters}!I64x!; DCIT {A13_Vcb->DeallocatedClustersListLengthInTrim}!x!; DCTD {A14_Vcb->DeallocatedClustersListLengthToDrain}!x!; CC {A15_Clusters->ClusterCount}!I64x!; IR {A16_InitialRanges}!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A16_InitialRanges`	—

Event ID 194 — NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - Removed interior slab(s) from TP map - [LCN {A12_StartingLcn}!I64X!; len {A13_ClusterCount}!I64X!] => [LCN {A14_FreeClusterBase1}!I64X!; len {A15_FreeClusterCount1}!I64X!]; [LCN {A16_FreeClusterBase2}!I64X!; len {A17_FreeClusterCount2}!I64X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—
`A14_FreeClusterBase1`	—
`A15_FreeClusterCount1`	—
`A16_FreeClusterBase2`	—
`A17_FreeClusterCount2`	—

Event ID 195 — NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - Releasing bitmap

Fields

Name	Description
`A10_Vcb`	—

Event ID 196 — NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Fields

Name	Description
`A10_Vcb`	—

Event ID 197 — NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Fields

Name	Description
`A10_Vcb`	—

Event ID 198 — NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!p!

Fields

Name	Description
`A10_Irp`	—

Event ID 199 — NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p!; IC {A11_IrpContext}!p! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 200 — NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Kicked off DelayedWorkQueue

Fields

Name	Description
`A10_Vcb`	—

Event ID 201 — NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 202 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 203 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Small MUC {A11_SmallMarkUnusedContext}!p! instead of MUC {A12_MarkUnusedContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_SmallMarkUnusedContext`	—
`A12_MarkUnusedContext`	—

Event ID 204 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Failed to allocate small MUC so use MUC {A11_MarkUnusedContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 205 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down.  MUC {A11_MarkUnusedContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 206 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - [{A12_TrimEntryCount++}!x!] Offset {A13_DataSetRangePtr->StartingOffset}!I64x!; Length {A14_DataSetRangePtr->LengthInBytes}!I64x! - trim entry

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 207 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p!; Irp {A12_IrpUsed}!p! - Completed

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_IrpUsed`	—

Event ID 208 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - {A12_Status}!x! - failed to send

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_Status`	—

Event ID 209 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Add MUC {A11_MarkUnusedContext}!p! to post trim list

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 210 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Free small MUC {A11_MarkUnusedContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 211 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down failed with {A11_Status}!x!.  MUC {A12_MarkUnusedContext}!p!; Count {A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—
`A12_MarkUnusedContext`	—

Event ID 212 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down failed with {A11_Status}!x!.  MUC {A12_MarkUnusedContext}!p!; Count {A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—
`A12_MarkUnusedContext`	—

Event ID 213 — NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - There are waiters for DC {A11_DeallocatedClusters}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 214 — NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Waking up waiter for DC {A11_DeallocatedClusters}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 215 — NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Done waking up DC {A11_DeallocatedClusters}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 216 — NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p!; All {A11_All}!x! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_All`	—

Event ID 217 — NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting to drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 218 — NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting for partial drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 219 — NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 220 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 221 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Inserted {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 222 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 223 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!p! - Wait for DC {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 224 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!d! (s); Exceeded by {A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                     (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)}!d! (s); IC {A12_IrpContext}!p!; Vcb {A13_IrpContext->Vcb}!p!; DC {A14_DeallocatedClusters}!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A12_IrpContext`	—
`A14_DeallocatedClusters`	—

Event ID 225 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!d! (s); Exceeded by {A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                  (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)}!d! (s); IC {A12_IrpContext}!p!; Vcb {A13_IrpContext->Vcb}!p!; DC {A14_DeallocatedClusters}!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A12_IrpContext`	—
`A14_DeallocatedClusters`	—

Event ID 226 — NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!p! - hitting trim threshold {A11_Vcb->DeallocatedClustersListLengthInTrim}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 227 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 228 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 229 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredSyncResource {A11_AcquiredVcb}!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredVcb`	—

Event ID 230 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - Skipping deallocated clusters gen'd by smart trim

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 231 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - MCB run {A12_RunIndex}!u!; offs 0x{A13_StartingOffset}!I64X!; len 0x{A14_LengthInBytes}!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—
`A13_StartingOffset`	—
`A14_LengthInBytes`	—

Event ID 232 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MUC {A11_MarkUnusedContext}!p!; DSR count {A12_DataSetRangeCount}!u!; MCB count {A13_McbRunCount}!u!; ST free slots {A14_SmartTrimFreeRangeCount}!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_DataSetRangeCount`	—
`A13_McbRunCount`	—
`A14_SmartTrimFreeRangeCount`	—

Event ID 233 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - DSR range {A12_RunIndex}!u!; offs 0x{A13_DataSetRange->StartingOffset}!I64X!; len 0x{A14_DataSetRange->LengthInBytes}!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—

Event ID 234 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MCB lcn {A11_StartingLcn}!I64X! len {A12_ClusterCount}!I64X! maps to TP map bits [0x{A13_FirstTpMapBit}!X!; 0x{A14_LastTpMapBit}!X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—
`A12_ClusterCount`	—
`A13_FirstTpMapBit`	—
`A14_LastTpMapBit`	—

Event ID 235 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Smart trim state on exit; {A11_SmartTrimState->SlabRangesCount}!u! ranges:

Fields

Name	Description
`A10_Vcb`	—

Event ID 236 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Range {A11_SlabRangeIndex}!u!: FirstTPMapBit 0x{A12_SlabRange->FirstTPMapBit}!X!; LastTPMapBit 0x{A13_SlabRange->LastTPMapBit}!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_SlabRangeIndex`	—

Event ID 237 — NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 238 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 239 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 240 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredBitmap {A11_AcquiredBitmap}!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredBitmap`	—

Event ID 241 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Checking slab 0x{A11_TpMapBit}!X! for allocations

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 242 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Slab 0x{A11_TpMapBit}!X! has allocations; will not trim

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 243 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Free slab found - TP map bit 0x{A11_TpMapBit}!X!; lcn {A12_SlabBaseLcn}!I64X!; len {A13_SlabLengthInClusters}!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—
`A12_SlabBaseLcn`	—
`A13_SlabLengthInClusters`	—

Event ID 244 — NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 245 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 246 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 247 — NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!; SL control flags: 0x%6!08x!.

Event ID 248 — NtfsVolumeDasdIo: Data section blocking flush.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush status: %5!S!.

Event ID 251 — Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Fields

Name	Description
`A11_StartingVbo`	—
`A12_ByteCount`	—

Event ID 252 — Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Fields

Name	Description
`A11_StartingVbo`	—
`A12_ByteCount`	—

Event ID 253 — NTFS: Posting hotfix on file object: {A10_FileObject}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NTFS: Posting hotfix on file object: {A10_FileObject}!p!

Fields

Name	Description
`A10_FileObject`	—

Event ID 254 — NTFS: Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NTFS:     Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!08x!; {A11_((PLARGE_INTEGER)_BadVcn)->HighPart}!08x!

Event ID 255 — NTFS: Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NTFS:     Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!08x!; {A11_((PLARGE_INTEGER)_BadLcn)->HighPart}!08x!

Event ID 257 — IrpContext: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 258 — IrpContext: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 259 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetCompressionBufferSize()}!08x!

Fields

Name	Description
`A10_NewBufferSize`	—

Event ID 260 —

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 261 — IrpContext: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 262 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetUsaBufferSize( Vcb )}!08x!

Fields

Name	Description
`A10_NewBufferSize`	—

Event ID 263 —

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 264 — NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 265 — NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 266 — NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 267 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x! - copy offload

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A18_CopyLength`	—

Event ID 268 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x! - copy offload

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A18_CopyLength`	—

Event ID 269 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A18_CopyLength`	—

Event ID 270 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; CurrLcn {A14_Lcn}!I64x!; Len {A15_CopyLength}!x!; Status {A16_MyStatus}!x! - read completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A14_Lcn`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 271 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; NewLcn {A14_MoveData->StartingLcn.QuadPart}!I64x!; Len {A15_CopyLength}!x!; Status {A16_MyStatus}!x! - write completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 272 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; DA {A18_Flags.UseDelayedAllocation}!d!; ValidClusters {A10_Vcb}0!I64x! - beyond VDL

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_TransferClusters`	—
`A16_Lcn`	—

Event ID 273 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x! - committed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A15_TransferClusters`	—

Event ID 274 — NtfsDefragFile: Defrag is denied without manage volume access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb flags: 0x%7!08x!.

Event ID 275 — NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 276 — NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 277 — NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 278 — SCB: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

SCB: {A10_Scb}!p!; VDL=0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x!; FS=0x{A12_Scb->Header.FileSize.QuadPart}!I64x!; StartOff=0x{A13_QueryDaxExtents->FileOffset}!I64x!; StartVcn=0x{A14_StartingVcn}!I64x!; Length=0x{A15_QueryDaxExtents->Length}!I64x!

Fields

Name	Description
`A10_Scb`	—
`A14_StartingVcn`	—

Event ID 279 — SCB: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

SCB: {A10_Scb}!p!; VDL=0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x!; FS=0x{A12_Scb->Header.FileSize.QuadPart}!I64x!; StartOff=0x{A13_QueryDaxExtents->FileOffset}!I64x!; StartVcn=0x{A14_StartingVcn}!I64x!; Length=0x{A15_QueryDaxExtents->Length}!I64x!

Fields

Name	Description
`A10_Scb`	—
`A14_StartingVcn`	—

Event ID 280 — StartOff=0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

StartOff=0x{A10_QueryDaxExtents->FileOffset}!I64x!; Length=0x{A11_QueryDaxExtents->Length}!I64x!; EffectiveLength=0x{A12_EffectiveInputFileRegionLength}!I64x! StartVcn=0x{A13_StartingVcn}!I64x!; BeyondEndVcn=0x{A14_BeyondEndVcn}!I64x!; Clusters=0x{A15_RemainingClusterCount}!I64x!; LastVcnInFile=0x{A16_LastVcnInFile}!I64x!

Fields

Name	Description
`A12_EffectiveInputFileRegionLength`	—
`A13_StartingVcn`	—
`A14_BeyondEndVcn`	—
`A15_RemainingClusterCount`	—
`A16_LastVcnInFile`	—

Event ID 281 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—
`A12_OutputBufferLength`	—

Event ID 282 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—
`A12_OutputBufferLength`	—

Event ID 283 — STATUS_BUFFER_TOO_SMALL from FsLib.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!x!; MaxRuns: 0x{A11_MaxRuns}!x!; BytesReturned: 0x{A12_*BytesReturned}!I64x!

Fields

Name	Description
`A11_MaxRuns`	—

Event ID 284 — Made an educated guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Made an educated guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—

Event ID 285 — Made a wild guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Made a wild guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—

Event ID 286 — NumberOfValidRuns: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!08x!; MaxRuns: 0x{A11_MaxRuns}!08x!; Status: 0x{A12_Status}!08x!; BytesReturned: 0x{A13_*BytesReturned}!I64x!

Fields

Name	Description
`A11_MaxRuns`	—
`A12_Status`	—

Event ID 287 — BasePage: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

BasePage: 0x{A10_ExtentsDescriptor->Run[Index].BasePage}!-16I64x!; PageCount: 0x{A11_ExtentsDescriptor->Run[Index].PageCount}!-16I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 288 — About to zero range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

About to zero range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 289 — Zeroed range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Zeroed range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 290 — NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb flags: 0x%10!08x!.

Event ID 291 — NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb access flags: 0x%10!08x!; Granted access: 0x%11!08x!.

Event ID 292 — NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb flags: 0x%10!08x!.

Event ID 293 — NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb flags: 0x%7!08x!.

Event ID 294 — NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Device Object flags: 0x%10!08x!.

Event ID 295 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb state: %7!x!.

Event ID 296 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfNumWriters count: %7!d!.

Event ID 297 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link name: %8!S!; TxfNumWriters count: %9!d!.

Event ID 298 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Cleanup count: %7!d!.

Event ID 299 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link name: %8!S!; Link cleanup count: %9!d!; SplitPrimaryLcb: %10!p!; Split link name: %11!S!; Split link cleanup count: %12!d!.

Event ID 300 — NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb state: 0x%7!08x!; Lcb: %8!p!; link name: %9!S!; link name flag: 0x%10!08x!; link state: 0x%11!08x!.

Event ID 301 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; File attributes: 0x%7!08x!.

Event ID 302 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!.

Event ID 303 — NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Rmstate: 0x%8!08x!.

Event ID 304 — NtfsSetRenameInfo: Can not rename a directory into itself.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a directory into itself. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!.

Event ID 305 — NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!.

Event ID 306 — NtfsSetRenameInfo: Child Scb mismatch.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Potential child FileRef: %7!I64x!.

Event ID 307 — NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!.

Event ID 308 — NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!; TxfVisibleLinks: %8!d!.

Event ID 309 — NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!; SeAccessCheck status: %8!S!.

Event ID 310 — NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NewLinkName: %7!S!.

Event ID 311 — NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NewLinkName: %7!S!; Target RM state: %8!x!.

Event ID 312 — NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link Name: %8!S!.

Event ID 313 — NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link Name: %8!S!; Parent FileRef: %9!I64x!.

Event ID 314 — NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Stream cleanup count: %7!d!.

Event ID 315 — NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; ByID opens: %7!d!; Stream cleanup count: %8!d!.

Event ID 316 — NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Fields

Name	Description
`A11_Vcb`	—
`A12_Fcb`	—

Event ID 317 — NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Fields

Name	Description
`A11_Vcb`	—
`A12_Fcb`	—

Event ID 318 — NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Scb: {A11_Scb}!p!

Fields

Name	Description
`A11_Scb`	—

Event ID 319 — NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; LocalFlags: {A12_LocalFlags.EntireFlags}!#08x!

Fields

Name	Description
`A11_Vcb`	—

Event ID 320 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: {A10_Vcb->BitmapScb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: {A10_Vcb->BitmapScb}!p! Vcb: {A11_Vcb}!p!

Fields

Name	Description
`A11_Vcb`	—

Event ID 321 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: {A10_Vcb->MftScb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: {A10_Vcb->MftScb}!p! Vcb: {A11_Vcb}!p!

Fields

Name	Description
`A11_Vcb`	—

Event ID 322 — NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into completion queue

Fields

Name	Description
`A11_Context`	—

Event ID 323 — NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Fields

Name	Description
`A11_Context`	—

Event ID 324 — NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Fields

Name	Description
`A11_Context`	—

Event ID 325 — Irp: {A10_Irp}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A14_FsControlCode`	—

Event ID 326 — Irp: {A10_Irp}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A14_FsControlCode`	—

Event ID 327 — Irp: {A10_Irp}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A14_FsControlCode`	—

Event ID 328 — NtfsLockVolumeInternal: Cannot lock the volume.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!; DisallowDismountCount: %6!d!; ExplicitLock: %7!d!; Volume CleanupCount: %8!d!; Handle count: %9!d!.

Event ID 329 — NtfsLockVolumeInternal: Volume is already locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 330 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush Status: %5!S!.

Event ID 331 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush Status: %5!S!.

Event ID 332 — NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Volume close count: %5!d!; System file close count: %6!d!; User handle count: %7!d!.

Event ID 333 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 334 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 335 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 336 — NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 337 — NtfsDismountVolume: IC: %1; Vcb: %2; Label: %3; DeviceName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDismountVolume: IC: %1!p!; Vcb: %2!p!; Label: %3!S!; DeviceName: %4!S!

Event ID 338 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 339 — NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!.

Event ID 340 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!; ReadOnlyCloseCount: %6!d!; CloseCount: %7!d!; SystemFileCloseCount: %8!d!.

Event ID 341 — NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 342 — NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 343 — NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 344 — NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 345 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 346 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; TypeOfOpen: %6!d!.

Event ID 347 — NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Irp Request Mode: %6!d!.

Event ID 348 — NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 349 — NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 350 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup access or can bypass traverse checks.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup access or can bypass traverse checks. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Ccb flags: 0x%6!08x!.

Event ID 351 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Ccb flags: 0x%6!08x!; CallerId: %7!d!; Context owner ID: %8!d!.

Event ID 352 — NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Fields

Name	Description
`A11_ZeroFlags`	—

Event ID 353 — IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—

Event ID 354 — NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Fields

Name	Description
`A11_ZeroFlags`	—

Event ID 355 — IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—

Event ID 356 — IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

IC: {A10_IrpContext}!p!; EncryptionOperation: 0x{A11_EncryptionOperation}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_EncryptionOperation`	—

Event ID 357 — NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 358 — NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 359 — NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 360 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 361 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 362 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 363 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 364 — NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; HandleInfo flags: 0x%9!08x!; Irp Requestor Mode: %10!d!.

Event ID 365 — NtfsMarkHandle: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 366 — NtfsMarkHandle: Cannot deny defrag.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; HandleInfo flags: 0x%11!08x!.

Event ID 367 — NtfsMarkHandle: Cannot deny Frs consolidation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState2: 0x%7!08x!; Scb: %8!p!; Scb Type Code: 0x%9!x!; Scb Name: %10!S!; Persist flags: 0x%11!08x!; HandleInfo flags: 0x%12!08x!.

Event ID 368 — NtfsMarkHandle: Cannot filter metadata.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; Scb: %8!p!; Scb Type Code: 0x%9!x!; Scb Name: %10!S!; Persist flags: 0x%11!08x!; HandleInfo flags: 0x%12!08x!; Irp RequestorMode: %13!d!.

Event ID 369 — NtfsMarkHandle: Mark handle is not allowed on system files.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; HandleInfo flags: %8!x!.

Event ID 370 — NtfsMarkHandle: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; HandleInfo: 0x%10!08x!.

Event ID 371 — NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Writers: %10!d!.

Event ID 372 — NtfsPrefetchFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 373 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Fields

Name	Description
`A11_InputParameter`	—

Event ID 374 — NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 375 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Fields

Name	Description
`A11_InputParameter`	—

Event ID 376 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 377 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 378 — Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!.  New state is 0x{A11_Vcb->VcbState}!x!.

Fields

Name	Description
`A10_Vcb`	—

Event ID 379 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 380 — Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!.  New state is 0x{A11_Vcb->VcbState}!x!.

Fields

Name	Description
`A10_Vcb`	—

Event ID 381 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 382 — Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Event ID 383 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Fields

Name	Description
`A10_Scb`	—

Event ID 384 — Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Event ID 385 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Fields

Name	Description
`A10_Scb`	—

Event ID 386 — Scrub SystemScbIndex: {A10_ScrubResumeContext.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scrub SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u!

Fields

Name	Description
`A10_Scb`	—

Event ID 387 — NtfsScrubData: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 388 — Scrub not supported for Txf file; Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scrub not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 389 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! ScrubInternal Status: {A11_Status}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! ParityExtentCount: {A14_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 390 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! ScrubInternal OperationStatus: {A11_ScrubContext.OperationStatus}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! FileOffset: {A14_ScrubContext.ErrorFileOffset}!#I64x! Length: {A15_ScrubContext.ErrorLength}!#I64x! ParityExtentCount: {A16_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name	Description
`A10_Scb`	—

Event ID 391 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! ScrubInternal Status: {A11_Status}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! ParityExtentCount: {A14_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 392 — InternalFileReference: {A10_InternalFileReference}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

InternalFileReference: {A10_InternalFileReference}!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 393 — InternalFileReference:{A10_InternalFileReference}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

InternalFileReference:{A10_InternalFileReference}!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 394 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Incomplete IoCount:{A11_ScrubIoCount}!u! Cancel:{A12_Irp->Cancel}!u! ParityExtentCount:{A13_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubIoCount`	—

Event ID 395 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 396 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!)

Fields

Name	Description
`A10_Scb`	—
`A11_FileScrubOffset`	—
`A12_SectorAlignedVdl`	—

Event ID 397 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 398 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!)

Fields

Name	Description
`A10_Scb`	—
`A11_FileScrubOffset`	—
`A12_SectorAlignedVdl`	—

Event ID 399 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 400 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! Scrub skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 401 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! StartingVcn:{A11_StartingVcn}!#I64x! is beyond Vdl

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 402 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! ScrubDsmRange [{A11_DsmRange.StartingOffset}!#I64x!;{A12_DsmRange.StartingOffset + DsmRange.LengthInBytes}!#I64x!) Length:{A13_DsmRange.LengthInBytes}!#I64x! (Bytes) StartingVcn:{A14_StartingVcn}!#I64x! + {A15_StartingVcnOffset}!#x! SectorAlignedVdl:{A16_SectorAlignedVdl}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A14_StartingVcn`	—
`A15_StartingVcnOffset`	—
`A16_SectorAlignedVdl`	—

Event ID 403 — Scrub found problems Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scrub found problems Scb: {A10_Scb}!p! Vcn {A11_StartingVcn}!#I64x! FileOffset: {A12_ScrubContext->ErrorFileOffset}!#I64x! Length: {A13_ScrubbedLength}!#I64x! Status: {A14_ScrubContext->OperationStatus}!S! BytesFailed: {A15_ScrubContext->NumberOfBytesFailed}!#I64x! BytesRepaired: {A16_ScrubContext->NumberOfBytesRepaired}!#I64x! NewParityExtents: {A17_NewParityExtentCount}!u!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A13_ScrubbedLength`	—
`A17_NewParityExtentCount`	—

Event ID 404 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! DsmAction_Scrub call failed; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 405 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! DsmAction_Scrub operation failed; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 406 — FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 407 — Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2).

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Event ID 408 — Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (%2).

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Event ID 409 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 410 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 411 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 412 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 413 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 414 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! RepairDsmRange [{A11_RepairDataSetRange->StartingOffset}!#I64x!;{A12_RepairDataSetRange->StartingOffset +                         RepairDataSetRange->LengthInBytes}!#I64x!) Length:{A13_RepairDataSetRange->LengthInBytes}!#I64x! (Bytes) FileOffset: {A14_RepairFileOffset}!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A14_RepairFileOffset`	—

Event ID 415 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! DsmAction_Repair call failed; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 416 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! DsmAction_Repair operation failed; Status: {A11_IrpStatus}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_IrpStatus`	—

Event ID 417 — Scb:{A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb:{A10_Scb}!p! DsmAction_Repair completed; IrpStatus: {A11_RepairCopiesOutput->Status}!S!

Fields

Name	Description
`A10_Scb`	—

Event ID 418 — NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 419 — NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 420 — NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 421 — NtfsUnloadFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 422 — NtfsCheckForSection: File already has image section.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckForSection: File already has image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!.

Event ID 423 — NtfsShuffleFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Irp RequestorMode: %9!d!.

Event ID 424 — NtfsShuffleFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; VcbState: 0x%9!08x!.

Event ID 425 — NtfsShuffleFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsShuffleFile: Defrag is denied. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; Ccb flags: 0x%11!08x!.

Event ID 426 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; SL control flags: 0x%8!08x!.

Event ID 427 — NtfsRearrangeFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Irp RequestorMode: %8!d!.

Event ID 428 — NtfsRearrangeFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; VcbState: 0x%8!08x!.

Event ID 429 — NtfsRearrangeFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; Ccb flags: 0x%11!08x!.

Event ID 430 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; SL control flags: 0x%8!08x!.

Event ID 431 — NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; FileRef: %5!I64x!; FullFileName: %6!S!; Ccb access flags: %7!x!.

Event ID 432 — NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Scb AttributeTypeCode: %8!x!; FcbState2: %9!x!; Ccb FullFileName: %10!S!; Ccb Access flags: %11!x!; Ccb Flags2: %12!x!.

Event ID 433 — NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Scb AttributeTypeCode: 0x%8!x!; Ccb FullFileName: %9!S!; Ccb Access flags: 0x%10!08x!.

Event ID 434 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Fields

Name	Description
`A10_Vcb`	—
`A12_Status`	—

Event ID 435 — NtfsEnumOnMountToDeleteWorker(%1;%2): Open status=0x%3; path='%4'.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!;%2!p!): Open status=0x%3!x!; path='%4!S!'

Event ID 436 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Fields

Name	Description
`A10_Vcb`	—
`A12_Status`	—

Event ID 437 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Fields

Name	Description
`A10_Vcb`	—
`A12_Status`	—

Event ID 438 — NtfsEnumMountWorker.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumMountWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close status=0x{A12_Status}!x!

Fields

Name	Description
`A10_Vcb`	—
`A12_Status`	—

Event ID 439 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Fields

Name	Description
`A10_Vcb`	—
`A12_Status`	—

Event ID 440 — FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Fields

Name	Description
`A10_Status`	—

Event ID 441 — SCB: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

SCB: {A10_Scb}!p!; StartOffset: 0x{A11_StartOffset}!I64x!; Length: 0x{A12_Length}!I64x!; StartVcn=0x{A13_StartVcn}!I64x!; BeyondEndVcn=0x{A14_BeyondEndVcn}!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartOffset`	—
`A12_Length`	—
`A13_StartVcn`	—
`A14_BeyondEndVcn`	—

Event ID 442 — FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Fields

Name	Description
`A10_Status`	—

Event ID 443 — FsInputRangeIndex: {A10_FsInputRangeIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FsInputRangeIndex: {A10_FsInputRangeIndex}!u!; FileOffset: 0x{A11_FsInputRanges[FsInputRangeIndex].FileOffset}!I64x!; VolumeOffset: 0x{A12_FsInputRanges[FsInputRangeIndex].VolumeOffset}!I64x!; LengthInBytes: 0x{A13_FsInputRanges[FsInputRangeIndex].LengthInBytes}!I64x!

Fields

Name	Description
`A10_FsInputRangeIndex`	—

Event ID 444 — Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!; AbnormalTermination: {A12_(BOOLEAN)AbnormalTermination()}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 445 — Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 446 — NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!.

Event ID 448 — NtfsFindPrefixHashEntry: {Hash table: %1} {ParentScb: %2; '%3'} {RemainingName: '%4'}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!; '%3!S!'} {RemainingName: '%4!S!'}

Event ID 450 — NtfsFindPrefixHashEntry: {Lcb: %1; '%2'}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb: %1!p!; '%2!S!'}

Event ID 452 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Checkpoint injection.  Count {A11_Vcb->CheckpointInjectionCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 453 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Log {A11_PercentFull}!d!%!PCT! full.  Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_PercentFull`	—

Event ID 454 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Checkpoint injection.  Count {A11_Vcb->CheckpointInjectionCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 455 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Log {A11_PercentFull}!d!%!PCT! full.  Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_PercentFull`	—

Event ID 456 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Done waiting for CC to flush metadata

Fields

Name	Description
`A10_Vcb`	—

Event ID 457 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Injected checkpoint.

Fields

Name	Description
`A10_Vcb`	—

Event ID 458 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Start of checkpoint

Fields

Name	Description
`A10_Vcb`	—

Event ID 459 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Clean checkpoint. Count {A11_Vcb->CleanCheckpointCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 460 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Overflowed DPT. Count {A11_Vcb->OverflowedDPTCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 461 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Fuzzy checkpoint. Count {A11_Vcb->FuzzyCheckpointCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 462 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Flush oldest FO.  Count {A11_Vcb->FlushOldestFOCount}!d!

Fields

Name	Description
`A10_Vcb`	—

Event ID 463 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Flush starts with FRef {A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference )}!I64x!

Fields

Name	Description
`A10_Vcb`	—

Event ID 464 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Flush ends.  FO {A11_DirtyPageContext.OldestFileObject}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 465 — NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 466 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Checkpoint completed.

Fields

Name	Description
`A10_Vcb`	—

Event ID 467 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p!.  Leaving NtfsCheckpointVolume.

Fields

Name	Description
`A10_Vcb`	—

Event ID 468 — NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 469 — NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 470 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 471 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 472 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): LfsFlushToLsn failure {A13_IrpContext->ExceptionStatus}!x! Count {A14_FailedFlushCount}!d!

Fields

Name	Description
`A10_IrpContext`	—
`A14_FailedFlushCount`	—

Event ID 473 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 474 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 475 — NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—

Event ID 476 — NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—

Event ID 477 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Entering - ActiveLsn: {A11_ActiveLsn->QuadPart}!I64x!; ClearAll: {A12_ClearAll}!S!

Fields

Name	Description
`A10_Vcb`	—
`A12_ClearAll`	—

Event ID 478 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 479 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list  - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 480 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters with {A11_Clusters->ClusterCount}!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 481 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 482 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 483 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Found a deallocated clusters {A11_Clusters}!p! with {A12_Clusters->ClusterCount}!I64x! clusters; Lsn: {A13_Clusters->Lsn.QuadPart}!I64x!; Flags: {A14_Clusters->Flags}!08x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—

Event ID 484 — Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb: {A10_Vcb}!p!; Processing range. DeallocatedClusters: {A11_Clusters}!p!; RunIndex: {A12_i}!d!; StartingLcn: {A13_StartingLcn}!I64x!; ClusterCount: {A14_ClusterCount}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—
`A12_i`	—
`A13_StartingLcn`	—
`A14_ClusterCount`	—

Event ID 485 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 486 — FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 487 — FsLibAddBaseMcbEntryEx failed: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

FsLibAddBaseMcbEntryEx failed: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 488 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 489 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: {A10_Status}

Fields

Name	Description
`A10_Status`	—

Event ID 490 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 491 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Telling volsnap freeing at {A11_StartingLcn}!I64x! for {A12_(ULONG)ClusterCount}!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—

Event ID 492 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Volsnap responsed with freeing at {A11_StartingLcn + StartingIndex}!I64x! for {A12_runLength}!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A12_runLength`	—

Event ID 493 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 494 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Deleting MarkUnusedContext {A11_MarkUnusedContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 495 — NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 496 — NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_StartingVcn}!I64x!; Length: 0x{A13_Count}!I64x!

Fields

Name	Description
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_Count`	—

Event ID 497 — NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 498 — NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Length: 0x{A14_RunCount}!I64x!

Fields

Name	Description
`A11_Mcb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_RunCount`	—

Event ID 499 — NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!p!; Result: {A11_Result}!S!

Fields

Name	Description
`A10_Mcb`	—
`A11_Result`	—

Event ID 500 — NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; StartVcn: 0x{A12_StartingVcn}!I64x!; EndVcn: 0x{A13_EndingVcn}!I64x!; TruncateOnly: {A14_TruncateOnly}!S!

Fields

Name	Description
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—
`A14_TruncateOnly`	—

Event ID 501 — NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 502 — Valid NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Valid NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—

Event ID 503 — Not an NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Not an NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!; CheckNumber: {A12_CheckNumber}!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—
`A12_CheckNumber`	—

Event ID 504 — NtfsMountVolume: Vcb:{A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsMountVolume: Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; Growing allocation for Mft's Attribute List failed with exception:0x{A12_IrpContext->ExceptionStatus}!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 505 — NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 506 — Mounting DAX partition.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Mounting DAX partition. Vcb: {A10_Vcb}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 507 — DAX volume mounted without DAX support because storage is not DAX capable.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: {A10_Vcb}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 508 — NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 509 — NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Converting Resident AttributeList(size:0x{A12_AttrListAllocationSize}!I64x!) to NonResident

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_AttrListAllocationSize`	—

Event ID 510 — NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; AttrListScb:{A12_Scb}!p! Added Allocation for NonResident AttributeList (old size:0x{A13_AttrListAllocationSize}!I64x!)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_AttrListAllocationSize`	—

Event ID 511 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected exception code of 0x{A10_ExceptionCode}!x! received

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 512 — Exception code of 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Exception code of 0x{A10_ExceptionCode}!x! received during mount.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 513 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected exception code of 0x{A10_ExceptionCode}!x! received.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 514 — LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}!p!; ln {A12_BackTrace[1]}!p!; ln {A13_BackTrace[2]}!p!; ln {A14_BackTrace[3]}!p!; ln {A15_BackTrace[4]}!p!; ln {A16_BackTrace[5]}!p!; ln {A17_BackTrace[6]}!p!; ln {A18_BackTrace[7]}!p!; ln {A10_IrpContext->LogFullReason}0!p!; ln {A10_IrpContext->LogFullReason}1!p!; ln {A10_IrpContext->LogFullReason}2!p!; ln {A10_IrpContext->LogFullReason}3!p!; ln {A10_IrpContext->LogFullReason}4!p!; ln {A10_IrpContext->LogFullReason}5!p!; ln {A10_IrpContext->LogFullReason}6!p!; ln {A10_IrpContext->LogFullReason}7!p!; ln {A10_IrpContext->LogFullReason}8!p!; ln {A10_IrpContext->LogFullReason}9!p!; ln {A11_BackTrace[0]}0!p!; ln {A11_BackTrace[0]}1!p!;

Fields

Name	Description
`A11_BackTrace[0]`	—
`A12_BackTrace[1]`	—
`A13_BackTrace[2]`	—
`A14_BackTrace[3]`	—
`A15_BackTrace[4]`	—
`A16_BackTrace[5]`	—
`A17_BackTrace[6]`	—
`A18_BackTrace[7]`	—

Event ID 515 — Unexpected raise of 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected raise of 0x{A10_ExceptionCode}!x! during critical non-raise code

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 516 — NtfsProcessException IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 517 — NtfsProcessException IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 518 — Failed to abort - IrpContext {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Count {A13_NtfsFailedAborts}!x!; Status {A14_GetExceptionCode()}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A13_NtfsFailedAborts`	—

Event ID 519 — Failed to abort - IrpContext {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Scb {A13_NextScb}!p!; FileRef {A14_*(PULONGLONG)_NextScb->Fcb->FileReference}!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A13_NextScb`	—

Event ID 520 — Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A13_NtfsFailedAborts`	—

Event ID 521 — Setting 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Setting 0x{A10_ExceptionCode}!x! in top-level exception status for write @ 0x{A11_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A12_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 522 — [.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name	Description
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 523 — [.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name	Description
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 524 — Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name	Description
`A10_MaxTrimTotalSize`	—

Event ID 525 — [.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name	Description
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 526 — Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!x!.

Fields

Name	Description
`A10_MinTrimTotalSize`	—

Event ID 527 — Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name	Description
`A10_MaxTrimTotalSize`	—

Event ID 528 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 529 — Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name	Description
`A10_MaxTrimTotalSize`	—

Event ID 530 — NtfsSetObjectId: Caller does not have restore access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; Irp Minor Function: 0x%9!08x!.

Event ID 531 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 532 — NtfsDeleteObjectId: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; Irp Minor Function: 0x%9!08x!.

Event ID 533 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 534 — Unexpected Paging-Read on DAX mappable stream; Scb=.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected Paging-Read on DAX mappable stream; Scb={A10_Scb}!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 535 — NtfsAbortTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 536 — NtfsAbortTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 537 — DoAction::InitializeFRS IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::InitializeFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 538 — NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A12_IrpContext`	—

Event ID 539 — NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!p!; IC: {A11_IrpContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 540 — NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Fields

Name	Description
`A10_Vcb`	—
`A12_IrpContext`	—

Event ID 541 — NtfsAbortTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 542 — NtfsAbortTransaction IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 543 — DoAction::InitializeFRS IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::InitializeFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 544 — DoAction::DeallocateFRS IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::DeallocateFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 545 — DoAction::WriteEndOfFRS IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::WriteEndOfFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A14_Attribute->TypeCode}!x! Off:0x{A15_LogRecord->RecordOffset}!x!; Len:0x{A16_Length}!x!

Fields

Name	Description
`A10_IrpContext`	—
`A16_Length`	—

Event ID 546 — DoAction::CreateAttribute IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::CreateAttribute IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A14_((PATTRIBUTE_RECORD_HEADER)Data)->TypeCode}!x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 547 — NtfsRestartChangeValue IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartChangeValue IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; FileRef:0x{A14_NtfsFullSegmentNumber( _FileReference )}!I64x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 548 — DoAction::SetNewAttributeSizes IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction::SetNewAttributeSizes IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x! OLD: Alloc:{A14_Attribute->Form.Nonresident.AllocatedLength}!I64x!; FileSize:{A15_Attribute->Form.Nonresident.FileSize}!I64x!; VDL:{A16_Attribute->Form.Nonresident.ValidDataLength}!I64x!; TotalAlloc:{A17_Attribute->Form.Nonresident.TotalAllocated}!I64x! NEW: Alloc:{A18_Sizes->AllocationSize}!I64x!; FileSize:{A10_IrpContext}0!I64x!; VDL:{A10_IrpContext}1!I64x!; TotalAlloc:{A10_IrpContext}2!I64x!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 549 — DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 550 — DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 551 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb Access flags: 0x%8!08x!.

Event ID 552 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!.

Event ID 553 — NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Txf Writers Count: %7!d!.

Event ID 554 — NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Original status: %7!S!.

Event ID 555 — NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!.

Event ID 556 — NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!.

Event ID 557 — NtfsCheckFileForDelete: Denying access due to file is not deleteable.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!.

Event ID 558 — NtfsCheckFileForDelete: Denying access due to target file is read only.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 559 — NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb AccessFlags: 0x%7!08x!; TxfAccessCheck access status: %8!S!.

Event ID 560 — NtfsCheckFileForDelete: Denying access due to failing to remove image section.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Scb: %7!p!; AttributeTypeCode: 0x%8!x!; Attribute Name: %9!S!.

Event ID 561 — NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 562 — NtfsRepairItem: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!.

Event ID 563 — NtfsSetRepairState: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 564 — NtfsInitiateRepair: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 566 — NtfsDefineStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 567 — NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 568 — Failed to get a non-volatile token for Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 569 — Failed to free non-volatile token for Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 570 — NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Fields

Name	Description
`A10_Scb`	—

Event ID 571 — NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Fields

Name	Description
`A10_CurrentClusters`	—

Event ID 572 — ClustersLinkAsHead: {A10_ClustersLinkAsHead}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Fields

Name	Description
`A10_ClustersLinkAsHead`	—
`A11_FlagsToMatch`	—
`A12_InsertAfter`	—

Event ID 573 — Clusters: {A10_Clusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Fields

Name	Description
`A10_Clusters`	—

Event ID 574 — Failed to get a non-volatile token for Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 575 — Failed to free non-volatile token for Vcb: {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 576 — NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Fields

Name	Description
`A10_Scb`	—

Event ID 577 — NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Fields

Name	Description
`A10_CurrentClusters`	—

Event ID 578 — ClustersLinkAsHead: {A10_ClustersLinkAsHead}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Fields

Name	Description
`A10_ClustersLinkAsHead`	—
`A11_FlagsToMatch`	—
`A12_InsertAfter`	—

Event ID 579 — Clusters: {A10_Clusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Fields

Name	Description
`A10_Clusters`	—

Event ID 580 — Matching cluster: {A10_Clusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Matching cluster: {A10_Clusters}!p!; NumberOfRuns: 0x{A11_NumberOfRuns}!x!

Fields

Name	Description
`A10_Clusters`	—
`A11_NumberOfRuns`	—

Event ID 581 — Clusters: {A10_Clusters}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Clusters: {A10_Clusters}!p!

Fields

Name	Description
`A10_Clusters`	—

Event ID 582 — Need to add Range.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Need to add Range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields

Name	Description
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 583 — Need to add Range.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Need to add Range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields

Name	Description
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 584 — Added range.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Added range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields

Name	Description
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 585 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 586 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 587 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb}!p! {{A12__CalloutParameters->TxfFlush.TxfRmcb->RmId}!S!}: Unexpected exception code of 0x{A13_GetExceptionCode()}!x! received.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 588 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: RM metadata corrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 589 — {A10_FUNCTION}: from {A11_CallerFunction}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: from {A11_CallerFunction}!S! ({A12_CallerFile}!S!:{A13_CallerLineNumber}!d!) RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}; Tx at 0x{A16_(PVOID)TxfTrans}!p! {{A17__TxfTrans->KtmUow}!S!}; Status was 0x{A18_AbortReasonStatus}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A18_AbortReasonStatus`	—

Event ID 590 — {A10_FUNCTION}: from {A11_CallerFunction}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: from {A11_CallerFunction}!S! ({A12_CallerFile}!S!:{A13_CallerLineNumber}!d!) RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}; Tx at 0x{A16_(PVOID)TxfTrans}!p! {{A17__TxfTrans->KtmUow}!S!}; Status was 0x{A18_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A18_Status`	—

Event ID 591 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 592 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 593 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb}!p! {{A12__CalloutParameters->TxfFlush.TxfRmcb->RmId}!S!}: Unexpected exception code of 0x{A13_GetExceptionCode()}!x! received.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 594 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: RM metadata corrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 595 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: TM could not be initialized.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be initialized

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 596 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: RM log corrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 597 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: log version changed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 598 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: dedicated log found; need multiplexed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; need multiplexed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 599 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: multiplexed log found; need dedicated.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; need dedicated

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 600 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 601 — {A10_FUNCTION}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 602 — {A10_FUNCTION}: RM did not start and WILL NOT be reset; status code is 0x{A11_FailureStatus}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is 0x{A11_FailureStatus}!x!!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 603 — {A10_FUNCTION}: Could not initialize IrpContext: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 604 — {A10_FUNCTION}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 605 — {A10_FUNCTION}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!x! for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TempStatus`	—

Event ID 606 — {A10_FUNCTION}: Exception code 0x{A11_GetExceptionCode()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!x!; Status 0x{A12_Status}!x! for default RM on VCB at 0x{A13_(PVOID)Vcb}!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A12_Status`	—

Event ID 607 — {A10_FUNCTION}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!p! after {A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT}!d! tries: 0x{A13_OldStatus}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT`	—
`A13_OldStatus`	—

Event ID 608 — {A10_FUNCTION}: Exception 0x{A11_GetExceptionCode()}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!.  RM will NOT be reset.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 609 — {A10_FUNCTION}: {A11_.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: {A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')}!S! auto-restart of RM at 0x{A12_(PVOID)TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): 0x{A14_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A14_Status`	—

Event ID 610 — {A10_FUNCTION}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 611 — {A10_FUNCTION}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 612 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: invalid flags in $Tops

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 613 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 614 — {A10_FUNCTION}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}): Explicit reset requested

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 615 — {A10_FUNCTION}: Got {A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 616 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: no TXF_DATA in root

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 617 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Different nesting levels of 0x{A13_LogNestingLevel}!x! and 0x{A14_DiskNestingLevel}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_LogNestingLevel`	—
`A14_DiskNestingLevel`	—

Event ID 618 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 619 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 620 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: RmID in restart area does not match {{A13__ClfsRestartArea->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 621 — {A10_FUNCTION}: Got {A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 622 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Restart LSN is before beginning of log.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 623 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: MinRollforwardEndLsn is beyond end of log.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 624 — {A10_FUNCTION}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} started successfully.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 625 — {A10_FUNCTION}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} failed to start with Status 0x{A13_Status}!x! {A14_AbnormalTermination() ? '(abnormal termination)' : ''}!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_Status`	—

Event ID 626 — {A10_FUNCTION}: Shutting down {A11_.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Shutting down {A11_(TxfIsDefaultRm( TxfRmcb ) ? 'default' : 'secondary')}!S! RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}.  Shutdown is {A14_(ForceDirtyShutdown ? 'DIRTY!' : 'CLEAN.')}!S!

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 627 — {A10_FUNCTION}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 628 — (.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!)

Fields

Name	Description
`A12_TxfRmcb`	—
`A14_Status`	—

Event ID 629 — (.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!)

Fields

Name	Description
`A12_TxfRmcb`	—
`A14_Status`	—

Event ID 630 — {A10_FUNCTION}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A12__OldGuid`	—

Event ID 631 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}; rolling back Tx at 0x{A13_(PVOID)TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}; Status was 0x{A15_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A15_Status`	—

Event ID 632 — {A10_FUNCTION}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A12__OldGuid`	—

Event ID 633 — TxfFsctlWriteBackupInformation: Denying access due RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; BackupInfo flags: 0x%5!08x!.

Event ID 634 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 635 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 636 — {A10_FUNCTION}: Error Setting Delete Disposition: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!x!  FileObject: 0x{A12_(PVOID)FileObject}!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 637 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 638 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback)

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 639 — {A10_FUNCTION}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_FlushStatus`	—

Event ID 640 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_Trans`	—

Event ID 641 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} raising 0x{A13_ExceptionCode}!x! to KTM!

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_ExceptionCode`	—

Event ID 642 — {A10_FUNCTION}: Commit.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Commit (0x{A11_TransactionNotification}!x!) of{A12_(TransactionAlreadyPrepared ? ' **PREPARED** ' : ' ')}!S!tx {{A13__TxfTrans->KtmUow}!S!} on RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!} failed with 0x{A16_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TransactionNotification`	—
`A16_Status`	—

Event ID 643 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify commit)

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 644 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback)

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_TxfTrans`	—

Event ID 645 — {A10_FUNCTION}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_FlushStatus`	—

Event ID 646 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_Trans`	—

Event ID 647 — {A10_FUNCTION}: Aborting call stack: 0x{A11_CallStack[0]}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!p! 0x{A12_CallStack[1]}!p! 0x{A13_CallStack[2]}!p! 0x{A14_CallStack[3]}!p! 0x{A15_CallStack[4]}!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallStack[0]`	—
`A12_CallStack[1]`	—
`A13_CallStack[2]`	—
`A14_CallStack[3]`	—
`A15_CallStack[4]`	—

Event ID 648 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_Trans`	—

Event ID 649 — {A10_FUNCTION}: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: 0x{A11_Status}!x! initializing IrpContext for tx at {A12_(PVOID)Trans}!p! {{A13__Trans->KtmUow}!S!}; RM at {A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 650 — {A10_FUNCTION}: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: 0x{A11_Status}!x! writing log record for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}; Tx at 0x{A14_(PVOID)Trans}!p! {{A15__Trans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 651 — {A10_FUNCTION}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 652 — {A10_FUNCTION}: BaseLsn is greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 653 — {A10_FUNCTION}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 654 — {A10_FUNCTION}: Transaction's first undo LSN greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 655 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} surprise-aborting transaction at 0x{A13_OldestTrans}!p! {{A14__OldestTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_OldestTrans`	—

Event ID 656 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} got 0x{A13_Status}!x! from TxfTryAbortTransaction on Tx 0x{A14_OldestTrans}!p! {{A15__OldestTrans->KtmUow}!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A13_Status`	—
`A14_OldestTrans`	—

Event ID 657 — {A10_FUNCTION}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 658 — {A10_FUNCTION}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 659 — {A10_FUNCTION}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}; rolling back KTM Tx at 0x{A13_(PVOID)TransToDereference}!p! {{A14__TransToDereference->KtmUow}!S!}; Status was 0x{A15_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A15_Status`	—

Event ID 660 — {A10_FUNCTION}: Log pinned trying to advance RestartLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 661 — {A10_FUNCTION}: Log pinned by doomed transaction on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Log pinned by doomed transaction on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 662 — {A10_FUNCTION}: Reporting 0x{A11_PinnedStatus}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!X! to CLFS from RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}: 0x{A14_Status}!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PinnedStatus`	—
`A14_Status`	—

Event ID 663 — {A10_FUNCTION}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 664 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Txf directory is missing in pre-existing RM

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 665 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 666 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found non-empty $Txf but there is no log

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 667 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 668 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 669 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 670 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Expected a secondary RM here

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 671 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but $Txf is non-empty

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 672 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but there is already a log

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 673 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is {A13_(IsEncrypted( _TopsFcb->Info ) ? 'encrypted' : 'compressed')}!S!

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 674 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Missing $STANDARD_INFORMATION

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 675 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find file attributes

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 676 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 677 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Could not find unnamed data stream

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 678 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong version or records wrong size

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 679 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong size

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 680 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 681 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Epoch in $Tops metadata doesn't match RM

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 682 — {A10_FUNCTION}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $T stream

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 683 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 684 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Decided to trim usn journal.  FirstValidUsn {A12_Vcb->FirstValidUsn}!I64x!; new FirstValidUsn {A13_FirstValidUsn}!I64x!; FS {A14_TrackUsnJournalFileSize}!I64x!; AS {A15_TrackUsnJournalAllocationSize}!I64x!; MaxSize {A16_TrackUsnJournalMaxSize}!I64x!; DeltaSize {A17_TrackUsnJournalDeltaAllocation}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A13_FirstValidUsn`	—
`A14_TrackUsnJournalFileSize`	—
`A15_TrackUsnJournalAllocationSize`	—
`A16_TrackUsnJournalMaxSize`	—
`A17_TrackUsnJournalDeltaAllocation`	—

Event ID 685 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): About to delete allocation till {A12_FirstValidUsn - 1}!I64x!; SavedReserve {A13_SavedReserved}!I64x!; RequiredReserve {A14_RequiredReserved}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A13_SavedReserved`	—
`A14_RequiredReserved`	—

Event ID 686 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Before trimming journal AS {A12_UsnJournal->Header.AllocationSize.QuadPart}!I64x!; FS {A13_UsnJournal->Header.FileSize.QuadPart}!I64x!; VDL {A14_UsnJournal->Header.ValidDataLength.QuadPart}!I64x!; TA {A15_UsnJournal->TotalAllocated}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 687 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): After trimming journal AS {A12_UsnJournal->Header.AllocationSize.QuadPart}!I64x!; FS {A13_UsnJournal->Header.FileSize.QuadPart}!I64x!; VDL {A14_UsnJournal->Header.ValidDataLength.QuadPart}!I64x!; TA {A15_UsnJournal->TotalAllocated}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 688 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Mapping pairs validated

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 689 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 690 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 691 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 692 — NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal

Fields

Name	Description
`A10_IrpContext`	—

Event ID 693 — NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_Scb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_ClusterCount`	—

Event ID 694 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): Extending journal from AS {A14_Scb->Header.AllocationSize.QuadPart}!I64x!; FS {A15_Scb->Header.FileSize.QuadPart}!I64x!; VDL {A16_Scb->Header.ValidDataLength.QuadPart}!I64x!; to AS {A17_NewAllocationSize}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A17_NewAllocationSize`	—

Event ID 695 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): Done extending journal AS {A14_Scb->Header.AllocationSize.QuadPart}!I64x!; FS {A15_Scb->Header.FileSize.QuadPart}!I64x!; VDL {A16_Scb->Header.ValidDataLength.QuadPart}!I64x!; TA {A17_Scb->TotalAllocated}!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 696 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 697 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 698 — NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal

Fields

Name	Description
`A10_IrpContext`	—

Event ID 699 — NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_Scb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_ClusterCount`	—

Event ID 700 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p! - has *no* active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 701 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p! - failed to query active PFNs assuming there are some

Fields

Name	Description
`A10_Vcb`	—

Event ID 702 — Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Vcb {A10_Vcb}!p! - has active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 703 — NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 704 — NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 705 — NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Wait for any on going trim to finish

Fields

Name	Description
`A10_Vcb`	—

Event ID 706 — NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - No more on going trim

Fields

Name	Description
`A10_Vcb`	—

Event ID 707 — Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 708 — NtfsPostVcbIsCorrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPostVcbIsCorrupt({A10_IrpContext}!p!; {A11_Status}!x!; {A12_FileReference}!p!; {A13_Fcb}!p!; {A14_Source}!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == {A15_TopLevelExceptionStatus}!x! before NtfsSetVcbDirtyFlag.

Fields

Name	Description
`A10_IrpContext`	—
`A11_Status`	—
`A12_FileReference`	—
`A13_Fcb`	—
`A14_Source`	—
`A15_TopLevelExceptionStatus`	—

Event ID 709 — NtfsPostVcbIsCorrupt: Marking volume dirty.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb {A10_Vcb}!p!; WasDirty: {A11_WasDirty}!x!; FileReference {A12_NtfsFullSegmentNumber( _BugCheckFileReference )}!I64x!; Source {A13_Source}!016I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_WasDirty`	—
`A13_Source`	—

Event ID 710 — Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name	Description
`A10_ByteRange`	—
`A11_SectorAlignedVdl`	—

Event ID 711 — Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Succeeding log write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x! after getting 0x{A12_IrpContext->TopLevelIrpContext->ExceptionStatus}!x! in top-level irpcontext

Event ID 712 — Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Succeeding log write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x! after getting 0x{A12_IrpContext->TopLevelIrpContext->ExceptionStatus}!x! in top-level irpcontext

Fields

Name	Description
`A10_Scb`	—

Event ID 713 — Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 714 — Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name	Description
`A10_StartingVbo`	—

Event ID 715 — Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name	Description
`A10_StartingVbo`	—

Event ID 716 — Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name	Description
`A10_ByteRange`	—
`A11_SectorAlignedVdl`	—