Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742

505 events across 1 channel

Event ID	Title	Channel
10	NtfsLookupRealAllocation: Vcn .	Operational
11	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.	Operational
12	FileObject: .	Operational
13	NtfsAddAllocation IC:.	Operational
14	Purge failed: Scb: .	Operational
15	Purge failed: Scb: .	Operational
16	NtfsGetLastVcnForNewMappingPairSize IC:.	Operational
17	Can't find StdInfo in FileRef .	Operational
18	Can't find StdInfo in FileRef .	Operational
19	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.	Operational
20	NtfsAddAttributeAllocation(.	Operational
21	NtfsAddAttributeAllocation(.	Operational
22	NtfsAddAttributeAllocation(.	Operational
23	NtfsAddAttributeAllocation(.	Operational
24	NtfsAddAttributeAllocation(.	Operational
25	NtfsAddAttributeAllocation(.	Operational
26	NtfsRestartRemoveAttribute FileRef:0x.	Operational
27	NtfsRestartChangeValue FileRef:0x.	Operational
28	AddToAttributeList(.	Operational
29	DeleteFromAttributeList(.	Operational
30	MakeRoomForAttribute Moving Mft's attribute IC:.	Operational
31	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.	Operational
32	MoveAttributeToOwnRecord IC:.	Operational
33	NtfsRestartZeroEndOfFileRecord FileRef:0x.	Operational
34	MergeFRS2(.	Operational
35	MergeFRS2(.	Operational
36	MergeFRS2(.	Operational
37	MergeFRS2(.	Operational
38	MergeFRS2(.	Operational
39	MergeFRS2(.	Operational
40	MergeFRS2(.	Operational
41	MergeFRS2(.	Operational
42	MergeFRS2(.	Operational
43	MergeFRS2(.	Operational
44	MergeFRS2(.	Operational
45	MergeFRS2(.	Operational
46	MergeFRS2(.	Operational
47	MergeFRS2(.	Operational
48	RedoAttribute(.	Operational
49	RedoAttribute(.	Operational
50	NtfsConsolidateAllFileRecords: Invalid Vcb.	Operational
51	NtfsConsolidateAllFileRecords: Volume is locked.	Operational
52	NtfsConsolidateAllFileRecords(.	Operational
53	NtfsConsolidateAllFileRecords(.	Operational
54	NtfsConsolidateAllFileRecords(.	Operational
55	NtfsConsolidateAllFileRecords(.	Operational
56	NtfsConsolidateAllFileRecords(.	Operational
57	NtfsConsolidateAllFileRecords(.	Operational
58	NtfsConsolidateAllFileRecords(.	Operational
59	NtfsConsolidateAllFileRecords(.	Operational
60	NtfsConsolidateAllFileRecords(.	Operational
61	NtfsConsolidateAllFileRecords(.	Operational
62	NtfsConsolidateAllFileRecords(.	Operational
63	NtfsConsolidateAllFileRecords(.	Operational
64	NtfsConsolidateAllFileRecords(.	Operational
65	NtfsConsolidateAllFileRecords(.	Operational
66	UpdateLCS: Vcb .	Operational
67	NtfsAllocateClustersPriv IC: .	Operational
68	NtfsAllocateClustersPriv IC: .	Operational
69	NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.	Operational
70	NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.	Operational
71	NtfsAllocateClustersPriv IC: .	Operational
72	NtfsAllocateClustersPriv IC: .	Operational
73	NtfsDeallocateClusters IC: .	Operational
74	NtfsDeallocateClusters: Vcb .	Operational
75	NtfsDeallocateClusters IC: .	Operational
76	NtfsDeallocateClusters: Vcb .	Operational
77	NtfsDeallocateClusters: Vcb .	Operational
78	NtfsDeallocateClusters: Vcb .	Operational
79	NtfsDeallocateClusters: Decremented TotalAllocated by 0x.	Operational
80	NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.	Operational
81	NtfsDeallocateClusters: Vcb .	Operational
82	NtfsDeallocateClusters IC: .	Operational
83	NtfsDeallocateClusters IC: .	Operational
84	NtfsModifyBitsInBitmap IC: .	Operational
85	NtfsModifyBitsInBitmap IC: .	Operational
86	NtfsAllocateBitmapRun IC: .	Operational
87	NtfsAllocateBitmapRun IC: .	Operational
88	NtfsRestartSetBitsInBitMap IC: .	Operational
89	NtfsFreeBitmapRun IC: .	Operational
90	NtfsFreeBitmapRun IC: .	Operational
91	NtfsRestartClearBitsInBitMap IC: .	Operational
92	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational
93	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational
94	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational
95	System files not marked as in use in the MFT bitmap.	Operational
96	Length: 0 --> BinIndex : 0 - Unexpected length	Operational
97	Length: .	Operational
98	Length: .	Operational
99	BinIndex: .	Operational
100	BinIndex: .	Operational
101	BinGroupShift: .	Operational
102	BinIndex: .	Operational
103	Searched committed allocations but didnt find enough free space.	Operational
104	NtfsRemoveClustersFromTPMap: Vcb .	Operational
105	NtfsRemoveClustersFromTPMap: Vcb .	Operational
106	NtfsRemoveClustersFromTPMap: Vcb .	Operational
107	NtfsRemoveClustersFromTPMap: Vcb .	Operational
108	NtfsRemoveClustersFromTPMap: Vcb .	Operational
109	NtfsValidateTotalClustersCommitted(.	Operational
110	Illegal MDL Complete for major code .	Operational
111	Entering: Scb: .	Operational
112	RunEntry ==> .	Operational
113	Offset is beyond this extent skipping the extent.	Operational
114	Shrinking LengthInExtent (0x.	Operational
115	Zeroing: StartingPhysicalAddr: 0x.	Operational
116	Exiting: ExtentsDescriptorIndex: .	Operational
117	Entering: Scb: .	Operational
118	Dsm Ranges[.	Operational
119	RemainingClusterCount: 0x.	Operational
120	Dsm: TotalNumberOfRanges: .	Operational
121	DsmOut Ranges[.	Operational
122	Zeroing: StartingPhysicalAddr: 0x.	Operational
123	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
124	Entering: Scb: .	Operational
125	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
126	IrpContext: .	Operational
127	Return.	Operational
128	Unexpected open type received: .	Operational
129	Raising STATUS_SUCCESS from NtfsCommonCleanup: .	Operational
130	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
131	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
132	Irp: .	Operational
133	Irp: .	Operational
134	NtfsCommonCreate: Volume is locked.	Operational
135	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational
136	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
137	NtfsCommonVolumeOpen: Thread: .	Operational
138	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
139	NtfsCommonVolumeOpen: Conlicting file objects.	Operational
140	NtfsHandlePagingFile: Paging file already open, paging files can only be opened …	Operational
141	NtfsHandlePagingFile: Cannot open system file as paging file.	Operational
142	NtfsHandlePagingFile: Persisted paging file already exists.	Operational
143	NtfsOpenFcbById: Invalid system file access.	Operational
144	NtfsOpenExistingPrefixFcb: Can not directly open txf directory.	Operational
145	NtfsOpenExistingPrefixFcb: Invalid system file access.	Operational
146	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …	Operational
147	NtfsOpenFile: Invalid system file access.	Operational
148	NtfsOpenFile: Deny open when txf rm is active.	Operational
149	NtfsCreateNewFile: Deny creation in system directory (except root).	Operational
150	NtfsCreateNewFile: Unable to create Ea for the file.	Operational
151	NtfsCreateNewFile: Unable to create in the $txf directory.	Operational
152	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.	Operational
153	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.	Operational
154	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.	Operational
155	NtfsOpenAttributeInExistingFile: Denying access for volume root directory.	Operational
156	NtfsCreateNewFile: Not allowed to create streams on system files.	Operational
157	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …	Operational
158	NtfsOverwriteAttr: Denying access due to user being Ea blind.	Operational
159	NtfsOverwriteAttr: Deny access due to encryption happening on the stream.	Operational
160	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …	Operational
161	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …	Operational
162	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational
163	NtfsOpenAttributeCheck: File already has user writable references.	Operational
164	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.	Operational
165	NtfsOpenAttributeCheck: File was granted write access but has image section.	Operational
166	NtfsOpenAttribute: Denying write access on disallowed writes.	Operational
167	NtfsOpenAttribute: File already has user writable references.	Operational
168	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
169	NtfsOpenAttribute: File already has user writable references.	Operational
170	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
171	NtfsCheckExistingFile: Desired access conflicts with read-only state.	Operational
172	NtfsOpenExistingEncryptedStream: No encryption driver found.	Operational
173	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …	Operational
174	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …	Operational
175	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational
176	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
177	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
178	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
179	NtfsReCheckShareAccess: Does not meet allow open requirement.	Operational
180	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational
181	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational
182	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational
183	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational
184	NtfsSendUnusedClustersHint: Vcb .	Operational
185	NtfsSendUnusedClustersHint: Vcb .	Operational
186	NtfsSendUnusedClustersHint: Vcb .	Operational
187	NtfsSendUnusedClustersHint: Vcb .	Operational
188	NtfsSendUnusedClustersHint: Vcb .	Operational
189	NtfsSendUnusedClustersHint: Vcb .	Operational
190	NtfsSendUnusedClustersHint: Vcb .	Operational
191	NtfsTransferMaxDataSetRanges: Src .	Operational
192	NtfsTransferMaxDataSetRanges: Src .	Operational
193	NtfsMarkUnusedContextPostTrimProcessing: Entering	Operational
194	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational
195	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational
196	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational
197	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational
198	NtfsMarkUnusedContextPostTrimProcessing: Leaving	Operational
199	NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .	Operational
200	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational
201	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational
202	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational
203	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .	Operational
204	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
205	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
206	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
207	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
208	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
209	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
210	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
211	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
212	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational
213	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving	Operational
214	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational
215	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational
216	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational
217	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational
218	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational
219	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational
220	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational
221	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational
222	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational
223	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational
224	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .	Operational
225	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .	Operational
226	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .	Operational
227	NtfsCheckForTrimThrottling: Vcb .	Operational
228	NtfsUpdateSmartTrimState: Vcb .	Operational
229	NtfsUpdateSmartTrimState: Vcb .	Operational
230	NtfsUpdateSmartTrimState: Vcb .	Operational
231	NtfsUpdateSmartTrimState: Vcb .	Operational
232	NtfsUpdateSmartTrimState: Vcb .	Operational
233	NtfsUpdateSmartTrimState: Vcb .	Operational
234	NtfsUpdateSmartTrimState: Vcb .	Operational
235	NtfsUpdateSmartTrimState: Vcb .	Operational
236	NtfsUpdateSmartTrimState: Vcb .	Operational
237	NtfsUpdateSmartTrimState: Vcb .	Operational
238	NtfsUpdateSmartTrimState: Vcb .	Operational
239	NtfsEvalSmartTrimState: Vcb .	Operational
240	NtfsEvalSmartTrimState: Vcb .	Operational
241	NtfsEvalSmartTrimState: Vcb .	Operational
242	NtfsEvalSmartTrimState: Vcb .	Operational
243	NtfsEvalSmartTrimState: Vcb .	Operational
244	NtfsEvalSmartTrimState: Vcb .	Operational
245	NtfsEvalSmartTrimState: Vcb .	Operational
246	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.	Operational
247	NtfsVolumeDasdIo: Data section blocking flush.	Operational
248	Could not find paging file run.	Operational
249	Could not find paging file MCB entry.	Operational
250	Could not find paging file run.	Operational
251	Writing to $Bitmap.	Operational
252	NTFS: Posting hotfix on file object: .	Operational
253	NTFS: Freeing Bad Vcn: .	Operational
254	NTFS: Retiring Bad Lcn: .	Operational
255	NTFS: Reallocating Bad Vcn	Operational
256	NTFS: Bad Cluster replaced	Operational
257	IrpContext: .	Operational
258	Compression buffers are already big enough.	Operational
259		Operational
260	IrpContext: .	Operational
261	Compression buffers are already big enough.	Operational
262		Operational
263	NtfsDefragFileInternal: Defrag is denied.	Operational
264	NtfsDefragFileInternal: Vcb .	Operational
265	NtfsDefragFileInternal: Vcb .	Operational
266	NtfsDefragFileInternal: Defrag is denied.	Operational
267	NtfsDefragFileInternal(.	Operational
268	NtfsDefragFileInternal(.	Operational
269	NtfsDefragFileInternal(.	Operational
270	NtfsDefragFileInternal(.	Operational
271	NtfsDefragFileInternal(.	Operational
272	NtfsDefragFileInternal(.	Operational
273	NtfsDefragFile: Defrag is denied without manage volume access.	Operational
274	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
275	NtfsEncryptDecryptOnline: Vcb .	Operational
276	NtfsEncryptDecryptOnline: Vcb .	Operational
277	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
278	SCB: .	Operational
279	StartOff=0x.	Operational
280	NumberOfValidRuns: 0	Operational
281	RemainingClusterCount: 0x.	Operational
282	STATUS_BUFFER_TOO_SMALL from FsLib.	Operational
283	Made an educated guess for remaining runs.	Operational
284	Made a wild guess for remaining runs.	Operational
285	NumberOfValidRuns: 0x.	Operational
286	BasePage: 0x.	Operational
287	About to zero range - ZeroStart: 0x.	Operational
288	Zeroed range - ZeroStart: 0x.	Operational
289	NtfsCommonQueryInformation: File information query not allowed as file was …	Operational
290	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …	Operational
291	NtfsQueryNameInfo: Name info query not allowed as file was opened without …	Operational
292	NtfsQueryLinksInfo: Link info query not allowed as file was opened without …	Operational
293	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.	Operational
294	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.	Operational
295	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
296	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
297	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …	Operational
298	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
299	NtfsSetRenameInfo: Can not rename a file marked for deletion.	Operational
300	NtfsSetRenameInfo: Can not rename a txf directory.	Operational
301	NtfsSetRenameInfo: Can not rename into a system directory.	Operational
302	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.	Operational
303	NtfsSetRenameInfo: The file should not have in-memory directory descendents.	Operational
304	NtfsSetRenameInfo: Child Scb mismatch.	Operational
305	NtfsSetLinkInfo: Set link info is not allowed on txf directory.	Operational
306	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.	Operational
307	NtfsSetLinkInfo: Set link info failed due to caller not having …	Operational
308	NtfsSetLinkInfo: Creating a link in system directory is not allowed.	Operational
309	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.	Operational
310	NtfsSetShortNameInfo: Can not set a short name on a deleted file.	Operational
311	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …	Operational
312	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …	Operational
313	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.	Operational
314	NtfsStreamRename: Deny access due to encryption happening on source stream.	Operational
315	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.	Operational
316	NtfsFlushVolumeFlushSingleFcb: Thread: .	Operational
317	NtfsFlushVolumeFlushSingleFcb: Thread: .	Operational
318	NtfsFlushVolume: Thread: .	Operational
319	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .	Operational
320	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .	Operational
321	NtfsFlushCompletionRoutine: Vcb .	Operational
322	NtfsFlushCompletionRoutine: Vcb .	Operational
323	NtfsDiskFlushContextWorkItemProcessing: Process work item	Operational
324	NtfsDiskFlushContextWorkItemProcessing: Nothing to work on	Operational
325	Irp: .	Operational
326	NtfsLockVolumeInternal: Cannot lock the volume.	Operational
327	NtfsLockVolumeInternal: Volume is already locked.	Operational
328	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
329	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
330	NtfsLockVolumeInternal: Outstanding user files open after flush and retry.	Operational
331	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …	Operational
332	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.	Operational
333	...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.	Operational
334	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …	Operational
335	NtfsDismountVolume: IC: .	Operational
336	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
337	NtfsDismountVolume: Cannot dismount volume due to volume being locked.	Operational
338	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
339	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …	Operational
340	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …	Operational
341	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …	Operational
342	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …	Operational
343	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
344	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
345	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …	Operational
346	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …	Operational
347	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …	Operational
348	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …	Operational
349	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …	Operational
350	NtfsSetSparse: Caller does not have appropriate write access to the stream.	Operational
351	NtfsSetSparse: Cannot desparse encrypted file without write data access.	Operational
352	NtfsZeroRange: User mode caller not allowed.	Operational
353	IC: .	Operational
354	IC: .	Operational
355	NtfsReadRawEncrypted: Caller does not have backup access or read data access.	Operational
356	NtfsWriteRawEncrypted: Caller does not have write data access or restore access.	Operational
357	NtfsWriteRawEncrypted: Caller not having manage volume privilege.	Operational
358	NtfsLookupStreamFromCluster: Caller not having manage volume privilege.	Operational
359	NtfsChangeVolumeSize: Caller not having manage volume privilege.	Operational
360	NtfsChangeVolumeSize (.	Operational
361	NtfsChangeVolumeSize (.	Operational
362	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …	Operational
363	NtfsMarkHandle: Caller not having manage volume privilege.	Operational
364	NtfsMarkHandle: Cannot deny defrag.	Operational
365	NtfsMarkHandle: Cannot deny Frs consolidation.	Operational
366	NtfsMarkHandle: Cannot filter metadata.	Operational
367	NtfsMarkHandle: Mark handle is not allowed on system files.	Operational
368	NtfsMarkHandle: File already has user writable references.	Operational
369	NtfsMarkHandle: File was granted write access previously but no oplocks were …	Operational
370	NtfsPrefetchFile: Caller not having manage volume privilege.	Operational
371	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.	Operational
372	NtfsSetShortNameBehavior: Caller not having manage volume privilege.	Operational
373	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational
374	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
375	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
376	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.	Operational
377	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
378	Resetting Volsnap behavior for VCB = 0x.	Operational
379	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
380	NtfsCorruptionHandling: Caller not having manage volume privilege.	Operational
381	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.	Operational
382	Scrub resume from SystemScbIndex: .	Operational
383	Scb:.	Operational
384	Scrub SystemScbIndex: .	Operational
385	NtfsScrubData: Caller not having manage volume privilege.	Operational
386	Scrub not supported for Txf file, Scb: .	Operational
387	Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.	Operational
388	Scb:.	Operational
389	Scb:.	Operational
390	InternalFileReference: .	Operational
391	InternalFileReference:.	Operational
392	Scb:.	Operational
393	Scb:.	Operational
394	Scb:.	Operational
395	Scb:.	Operational
396	Scb:.	Operational
397	Scb:.	Operational
398	Scb:.	Operational
399	Scb:.	Operational
400	Scb:.	Operational
401	Scrub found problems Scb: .	Operational
402	Scb:.	Operational
403	Scb:.	Operational
404	FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .	Operational
405	Scb:.	Operational
406	Scb:.	Operational
407	FSCTL_REPAIR_COPIES interrupted by thread termination.	Operational
408	FSCTL_REPAIR_COPIES canceled	Operational
409	Scb:.	Operational
410	Scb:.	Operational
411	Scb:.	Operational
412	Scb:.	Operational
413	Scb:.	Operational
414	Scb:.	Operational
415	Scb:.	Operational
416	NtfsQueryCachedRuns: Caller not having manage volume privilege.	Operational
417	NtfsQueryStorageClasses: Caller not having manage volume privilege.	Operational
418	NtfsQueryRegionInfo: Caller not having manage volume privilege.	Operational
419	NtfsUnloadFile: Caller not having manage volume privilege.	Operational
420	NtfsCheckForSection: File already has image section.	Operational
421	NtfsShuffleFile: User mode caller is not allowed.	Operational
422	NtfsShuffleFile: Denying access due to volume is locked.	Operational
423	NtfsShuffleFile: Defrag is denied.	Operational
424	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
425	NtfsRearrangeFile: User mode caller is not allowed.	Operational
426	NtfsRearrangeFile: Denying access due to volume is locked.	Operational
427	NtfsRearrangeFile: Defrag is denied.	Operational
428	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
429	NtfsSparseOverAllocate: Caller does not have appropriate write access.	Operational
430	NtfsInitiateFileMetadataOptimization: Only allowed on regular user …	Operational
431	NtfsQueryFileMetadataOptimization: Only allowed on regular user …	Operational
432	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
433	NtfsEnumOnMountToDeleteWorker(.	Operational
434	NtfsEnumOnMountToDeleteWorker(.	Operational
435	NtfsEnumMountWorker(.	Operational
436	NtfsEnumMountWorker(.	Operational
437	NtfsEnumOnMountToDeleteWorker(.	Operational
438	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
439	SCB: .	Operational
440	FsLibGetBadAddressRanges returned Status: .	Operational
441	FsInputRangeIndex: .	Operational
442	Scb: .	Operational
443	Scb: .	Operational
444	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.	Operational
445	Logic error of posting close to work queue.	Operational
446	NtfsFindPrefixHashEntry: {Hash table: .	Operational
447	NtfsFindPrefixHashEntry: {Lcb: NULL}	Operational
448	NtfsFindPrefixHashEntry: {Lcb: .	Operational
449	NtfsFindPrefixHashEntry: {Lcb not found}	Operational
450	NtfsInsertHashEntry: {Hash table: .	Operational
451	NtfsRemoveHashEntry: {Hash table: .	Operational
452	Vcb .	Operational
453	Vcb .	Operational
454	Vcb .	Operational
455	Vcb .	Operational
456	Vcb .	Operational
457	Vcb .	Operational
458	Vcb .	Operational
459	Vcb .	Operational
460	Vcb .	Operational
461	Vcb .	Operational
462	Vcb .	Operational
463	Vcb .	Operational
464	Vcb .	Operational
465	NtfsCommitCurrentTransaction IC: .	Operational
466	NtfsCommitCurrentTransaction IC: .	Operational
467	NtfsCommitCurrentTransaction (.	Operational
468	NtfsCommitCurrentTransaction (.	Operational
469	NtfsCommitCurrentTransaction (.	Operational
470	NtfsCommitCurrentTransaction (.	Operational
471	NtfsCommitCurrentTransaction (.	Operational
472	NtfsCommitCurrentTransaction IC: .	Operational
473	NtfsCommitCurrentTransaction IC: .	Operational
474	NtfsFreeRecentlyDeallocated: Vcb .	Operational
475	NtfsFreeRecentlyDeallocated: Vcb .	Operational
476	NtfsFreeRecentlyDeallocated: Vcb .	Operational
477	NtfsFreeRecentlyDeallocated: Vcb .	Operational
478	NtfsFreeRecentlyDeallocated: Vcb .	Operational
479	NtfsFreeRecentlyDeallocated: Vcb .	Operational
480	NtfsFreeRecentlyDeallocated: Vcb .	Operational
481	Vcb: .	Operational
482	Looking for dangling MDLs	Operational
483	FsLibGroupSubExtentsByDanglingMdl failed: .	Operational
484	FsLibAddBaseMcbEntryEx failed: .	Operational
485	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .	Operational
486	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .	Operational
487	No sub extents has dangling MDL	Operational
488	NtfsFreeRecentlyDeallocated: Vcb .	Operational
489	NtfsFreeRecentlyDeallocated: Vcb .	Operational
490	NtfsFreeRecentlyDeallocated: Vcb .	Operational
491	NtfsFreeRecentlyDeallocated: Vcb .	Operational
492	NtfsFreeRecentlyDeallocated: Vcb .	Operational
493	NtfsRemoveNtfsMcbEntry Scb: .	Operational
494	NtfsRemoveNtfsMcbEntry Mcb: .	Operational
495	NtfsAddNtfsMcbEntry Scb: .	Operational
496	NtfsAddNtfsMcbEntry Mcb: .	Operational
497	NtfsUnloadNtfsMcbRange Scb: .	Operational
498	NtfsUnloadNtfsMcbRange Mcb: .	Operational
499	Valid NTFS boot sector.	Operational
500	Not an NTFS boot sector.	Operational
501	NtfsMountVolume: Vcb:.	Operational
502	NtfsMountVolume: IC: .	Operational
503	Mounting DAX partition.	Operational
504	DAX volume mounted without DAX support because storage is not DAX capable.	Operational
505	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational
506	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational
507	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational
508	Unexpected exception code of 0x.	Operational
509	Exception code of 0x.	Operational
510	Unexpected exception code of 0x.	Operational
511	LogFileFull .	Operational
512	Unexpected raise of 0x.	Operational
513	NtfsProcessException IC: .	Operational
514	NtfsProcessException IC: .	Operational

Event ID 10 — NtfsLookupRealAllocation: Vcn .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 11 — NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateAttribute_MaxAlloc_for_Mfts_AttrList_IC`	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.
`p_Scb`	—

Event ID 12 — FileObject: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FileObject`	—
`p_Scb`	—
`p_StaringVcn`	—
`I64x_ClusterCount`	!I64x!, ClusterCount.
`I64x_Flags`	!I64x!, Flags.

Event ID 13 — NtfsAddAllocation IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAddAllocation_IC`	—
`p_FileObject`	—
`p_Scb`	—
`p_StaringVcn`	—
`I64x_ClusterCount`	!I64x!, ClusterCount.
`I64x_Flags`	!I64x!, Flags.

Event ID 14 — Purge failed: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Purge_failed_Scb`	Purge failed: Scb.

Event ID 15 — Purge failed: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Purge_failed_Scb`	Purge failed: Scb.

Event ID 16 — NtfsGetLastVcnForNewMappingPairSize IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetLastVcnForNewMappingPairSize_IC`	—
`p_Using_LastVcn`	—

Event ID 17 — Can't find StdInfo in FileRef .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 18 — Can't find StdInfo in FileRef .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 19 — NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateNonresidentWithValue_Create_Mfts_NonResident_Attribute_List_IC`	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.
`pValueLength`	—

Event ID 20 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 21 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 22 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 23 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—

Event ID 24 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 25 — NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 26 — NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 27 — NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 28 — AddToAttributeList(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 29 — DeleteFromAttributeList(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 30 — MakeRoomForAttribute Moving Mft's attribute IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`MakeRoomForAttribute_Moving_Mfts_attribute_IC`	MakeRoomForAttribute Moving Mft's attribute IC.

Event ID 31 — MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`MoveAttributeToOwnRecord_Moving_Mfts_BITMAP_IC`	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.
`p_SizeNeeded`	—
`x_TypeCode`	—
`x_RecLen`	—
`x_Form`	—
`x_Instance`	—

Event ID 32 — MoveAttributeToOwnRecord IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`MoveAttributeToOwnRecord_IC`	—
`p_SizeNeeded`	—
`x_Bytes2Free`	—
`x_OldMappingSize`	—
`x_NewMappingSize`	—

Event ID 33 — NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 34 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—

Event ID 35 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—

Event ID 36 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—

Event ID 37 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 38 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 39 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 40 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 41 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 42 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 43 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 44 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 45 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—
`param12`	—
`param13`	—
`param14`	—
`param15`	—

Event ID 46 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 47 — MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 48 — RedoAttribute(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—

Event ID 49 — RedoAttribute(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—
`param12`	—

Event ID 50 — NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsConsolidateAllFileRecords_Invalid_Vcb_Thread`	NtfsConsolidateAllFileRecords: Invalid Vcb. Thread.

Event ID 51 — NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsConsolidateAllFileRecords_Volume_is_locked_Thread`	NtfsConsolidateAllFileRecords: Volume is locked. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Volume_Id`	—

Event ID 52 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 53 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 54 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 55 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—
`param12`	—

Event ID 56 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—

Event ID 57 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—

Event ID 58 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 59 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 60 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 61 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 62 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 63 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 64 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 65 — NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 66 — UpdateLCS: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 67 — NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateClustersPriv_IC`	—
`p_Vcb`	—
`p_Scb`	—
`p_Mcb`	—
`S_DelayedAllocation`	6!I64x!, AllocateAll.

Event ID 68 — NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateClustersPriv_IC`	—
`p_Vcb`	—
`p_Scb`	—
`p_Mcb`	—
`S_DelayedAllocation`	6!I64x!, AllocateAll.

Event ID 69 — NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 70 — NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`3I64xScbState`	1!I64x! clusters, Scb.

Event ID 71 — NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateClustersPriv_IC`	—
`p_ClustersAllocated`	—

Event ID 72 — NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateClustersPriv_IC`	—
`p_ClustersAllocated`	—

Event ID 73 — NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDeallocateClusters_IC`	—
`p_Vcb`	—
`p_Scb`	—
`p_Mcb`	—

Event ID 74 — NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 75 — NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDeallocateClusters_IC`	—
`p_Vcb`	—
`p_Scb`	—
`p_Mcb`	—

Event ID 76 — NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 77 — NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 78 — NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`p__Lsn`	—
`I64x_ClusterCount`	—
`I64x_Flags`	!I64x!, ClusterCount.
`I64x_new`	!08x!; Vcb's DeallocatedClustersCount old.

Event ID 79 — NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`3I64xAddrTotalAllocated`	1!I64x! clusters, Scb.

Event ID 80 — NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`pAddrTotalAllocated`	1!I64x! clusters, Scb.
`p_ScbState`	—

Event ID 81 — NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 82 — NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDeallocateClusters_IC`	—
`p_ClustersDeallocated`	—

Event ID 83 — NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDeallocateClusters_IC`	—
`p_ClustersDeallocated`	—

Event ID 84 — NtfsModifyBitsInBitmap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsModifyBitsInBitmap_IC`	—
`p_Vcb`	—

Event ID 85 — NtfsModifyBitsInBitmap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsModifyBitsInBitmap_IC`	—
`p_Bitmap`	—

Event ID 86 — NtfsAllocateBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateBitmapRun_IC`	—
`p_Vcb`	—

Event ID 87 — NtfsAllocateBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAllocateBitmapRun_IC`	—
`p_Bitmap`	—

Event ID 88 — NtfsRestartSetBitsInBitMap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRestartSetBitsInBitMap_IC`	—
`p_Bitmap`	—

Event ID 89 — NtfsFreeBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFreeBitmapRun_IC`	—
`p_Vcb`	—

Event ID 90 — NtfsFreeBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFreeBitmapRun_IC`	—
`p_Bitmap`	—

Event ID 91 — NtfsRestartClearBitsInBitMap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRestartClearBitsInBitMap_IC`	—
`p_Bitmap`	—

Event ID 92 — NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`	—
`p_Vcb`	—
`p_Bitmap`	—

Event ID 93 — NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`	—
`p_Bitmap`	—

Event ID 94 — NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`	—
`p_Result`	—

Event ID 95 — System files not marked as in use in the MFT bitmap.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 96 — Length: 0 --> BinIndex : 0 - Unexpected length

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 97 — Length: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Length`	—
`u_BitPosition`	—
`ld_GroupIndex`	—
`ld_GroupShiftFactor`	—

Event ID 98 — Length: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Length`	—

Event ID 99 — BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`BinIndex`	—

Event ID 100 — BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`BinIndex`	—
`ld_RelativeBinIndex`	—
`ld_MaxKey`	—

Event ID 101 — BinGroupShift: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`BinGroupShift`	—

Event ID 102 — BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`BinIndex`	—

Event ID 103 — Searched committed allocations but didnt find enough free space.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 104 — NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 105 — NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 106 — NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 107 — NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 108 — NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 109 — NtfsValidateTotalClustersCommitted(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 110 — Illegal MDL Complete for major code .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 111 — Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Entering_Scb`	Entering: Scb.
`p_ExtentsDescriptorIndex`	—

Event ID 112 — RunEntry ==> .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 113 — Offset is beyond this extent skipping the extent.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 114 — Shrinking LengthInExtent (0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 115 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 116 — Exiting: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Exiting_ExtentsDescriptorIndex`	Exiting: ExtentsDescriptorIndex.

Event ID 117 — Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Entering_Scb`	Entering: Scb.

Event ID 118 — Dsm Ranges[.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 119 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 120 — Dsm: TotalNumberOfRanges: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Dsm_TotalNumberOfRanges`	Dsm: TotalNumberOfRanges.
`d_NumberOfRangesReturned`	—

Event ID 121 — DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 122 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 123 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndex`	Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 124 — Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Entering_Scb`	Entering: Scb.
`p_ExtentsDescriptorIndex`	—

Event ID 125 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndex`	Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 126 — IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`IrpContext`	—
`p_Scb`	—

Event ID 127 — Return.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Return_IrpContext`	Return. IrpContext.

Event ID 128 — Unexpected open type received: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Unexpected_open_type_received`	—

Event ID 129 — Raising STATUS_SUCCESS from NtfsCommonCleanup: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Raising_STATUSSUCCESS_from_NtfsCommonCleanup`	Raising STATUS_SUCCESS from NtfsCommonCleanup.

Event ID 130 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 131 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 132 — Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Irp`	—
`p_IC`	—
`p_Vcb`	—
`p_FileObject`	—
`p_RelatedFileObject`	—
`p_FileIdBuffer`	—

Event ID 133 — Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Irp`	—
`p_IC`	—
`p_Vcb`	—
`p_FileObject`	—
`p_RelatedFileObject`	—
`p_Path`	—

Event ID 134 — NtfsCommonCreate: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonCreate_Volume_is_locked_Thread`	NtfsCommonCreate: Volume is locked. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Vcb_State`	—

Event ID 135 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonVolumeOpen_Invalid_create_disposition_for_volume_open_Thread`	NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread.

Event ID 136 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismount_Thread`	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 137 — NtfsCommonVolumeOpen: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonVolumeOpen_Thread`	NtfsCommonVolumeOpen: Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`d_BiasedCleanupCount`	5!08x!, Vcb->CleanupCount.

Event ID 138 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismountThread`	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 139 — NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonVolumeOpen_Conlicting_file_objects_Thread`	NtfsCommonVolumeOpen: Conlicting file objects. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`d_VcbCloseCount`	5!08x!, Vcb->ReadOnlyCloseCount.
`d_VcbSystemFileCloseCount`	—

Event ID 140 — NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsHandlePagingFile_Paging_file_already_open_paging_files_can_only_be_opened_once_Thread`	NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 141 — NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsHandlePagingFile_Cannot_open_system_file_as_paging_file_Thread`	NtfsHandlePagingFile: Cannot open system file as paging file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 142 — NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsHandlePagingFile_Persisted_paging_file_already_exists_Thread`	NtfsHandlePagingFile: Persisted paging file already exists. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 143 — NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenFcbById_Invalid_system_file_access_Thread`	NtfsOpenFcbById: Invalid system file access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 144 — NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenExistingPrefixFcb_Can_not_directly_open_txf_directory_Thread`	NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 145 — NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenExistingPrefixFcb_Invalid_system_file_access_Thread`	NtfsOpenExistingPrefixFcb: Invalid system file access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 146 — NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenFile_Unsafe_to_acquire_parent_directory_after_acquiring_a_txfsystem_file_Thread`	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 147 — NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenFile_Invalid_system_file_access_Thread`	NtfsOpenFile: Invalid system file access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 148 — NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenFile_Deny_open_when_txf_rm_is_active_Thread`	NtfsOpenFile: Deny open when txf rm is active. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 149 — NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateNewFile_Deny_creation_in_system_directory_except_root_Thread`	NtfsCreateNewFile: Deny creation in system directory (except root). Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Parent_Fcb_Fcb`	—

Event ID 150 — NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateNewFile_Unable_to_create_Ea_for_the_file_Thread`	NtfsCreateNewFile: Unable to create Ea for the file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 151 — NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateNewFile_Unable_to_create_in_the_txf_directory_Thread`	NtfsCreateNewFile: Unable to create in the $txf directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Parent_Fcb_Fcb`	—

Event ID 152 — NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenSubdirectory_Denying_access_to_Txf_file_when_the_RM_is_active_Thread`	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 153 — NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeInExistingFile_Denying_access_due_to_caller_being_Ea_blind_Thread`	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 154 — NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeInExistingFile_Fail_to_find_INDEXROOT_attribute_Thread`	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 155 — NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeInExistingFile_Denying_access_for_volume_root_directory_Thread`	NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 156 — NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateNewFile_Not_allowed_to_create_streams_on_system_files_Thread`	NtfsCreateNewFile: Not allowed to create streams on system files. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 157 — NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOverwriteAttr_Cannot_overwrite_hidden_or_system_attribute_for_a_nonpaging_file_Thread`	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 158 — NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOverwriteAttr_Denying_access_due_to_user_being_Ea_blind_Thread`	NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_FileRef`	—

Event ID 159 — NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOverwriteAttr_Deny_access_due_to_encryption_happening_on_the_stream_Thread`	NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 160 — NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckValidAttributeAccess_Supersede_or_overwrite_is_not_allowed_on_this_type_of_named_attribute_Thread`	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 161 — NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckValidAttributeAccess_Only_read_attributes_access_is_supported_on_this_attribute_Thread`	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 162 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckValidAttributeAccess_Deny_access_for_protected_system_attributes_Thread`	NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread.
`p_AttributeTypeCode`	—

Event ID 163 — NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeCheck_File_already_has_user_writable_references_Thread`	NtfsOpenAttributeCheck: File already has user writable references. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 164 — NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeCheck_Deny_access_for_online_encryption_backup_data_stream_Thread`	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 165 — NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttributeCheck_File_was_granted_write_access_but_has_image_section_Thread`	NtfsOpenAttributeCheck: File was granted write access but has image section. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 166 — NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttribute_Denying_write_access_on_disallowed_writes_Thread`	NtfsOpenAttribute: Denying write access on disallowed writes. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_Disallow_write_count`	6!I64x!, Scb.

Event ID 167 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttribute_File_already_has_user_writable_references_Thread`	NtfsOpenAttribute: File already has user writable references. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 168 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_Thread`	NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 169 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttribute_File_already_has_user_writable_references_Thread`	NtfsOpenAttribute: File already has user writable references. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 170 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_Thread`	NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 171 — NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckExistingFile_Desired_access_conflicts_with_readonly_state_Thread`	NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 172 — NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenExistingEncryptedStream_No_encryption_driver_found_Thread`	NtfsOpenExistingEncryptedStream: No encryption driver found. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 173 — NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsOpenExistingEncryptedStream_Opening_for_readwrite_access_not_allowed_on_compressed_file_Thread`	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 174 — NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsEncryptionCreateCallback_Encrytion_engine_fail_to_encrypt_all_streams_for_file_with_open_handle_Thread`	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 175 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFindStartingNode_Opening_not_allowed_for_txf_name_when_RM_is_active_Thread`	NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread.
`p_Fcb`	—

Event ID 176 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`d_LinkShareAccessDeleters`	—
`d_LinkShareAccessSharedDelete`	—

Event ID 177 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`d_ShareAccessReaders`	—
`d_ShareAccessWriters`	—
`d_ShareAccessDeleters`	—
`d_ShareAccessSharedRead`	—
`d_ShareAccessSharedWrite`	11!08x!, ShareAccess->OpenCount.
`d_ShareAccessSharedDelete`	—

Event ID 178 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_Link_Name`	—
`d_ShareAccessReaders`	—
`d_ShareAccessWriters`	—
`d_ShareAccessDeleters`	—
`d_ShareAccessSharedRead`	—
`d_ShareAccessSharedWrite`	12!08x!, ShareAccess->OpenCount.
`d_ShareAccessSharedDelete`	—
`d_LinkShareAccessOpenCount`	—
`d_LinkShareAccessDeleters`	—
`d_LinkShareAccessSharedDelete`	—

Event ID 179 — NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsReCheckShareAccess_Does_not_meet_allow_open_requirement_Thread`	NtfsReCheckShareAccess: Does not meet allow open requirement. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_Link_Name`	—
`d_Readers`	—
`d_Writers`	—
`d_Deleters`	—
`d_SharedRead`	—
`d_Lcb_Deleters`	—

Event ID 180 — ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`1`	—
`d_Status`	—
`S_ProcessName`	—

Event ID 181 — ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`1`	—
`d_Status`	—
`S_ProcessName`	—

Event ID 182 — ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`1`	—
`d_Status`	—
`S_ProcessName`	—

Event ID 183 — ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`1`	—
`d_Status`	—
`S_ProcessName`	—

Event ID 184 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 185 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 186 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 187 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 188 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 189 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 190 — NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 191 — NtfsTransferMaxDataSetRanges: Src .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 192 — NtfsTransferMaxDataSetRanges: Src .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 193 — NtfsMarkUnusedContextPostTrimProcessing: Entering

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 194 — NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 195 — NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—

Event ID 196 — NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 197 — NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 198 — NtfsMarkUnusedContextPostTrimProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 199 — NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 200 — NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 201 — NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 202 — NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 203 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 204 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 205 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 206 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 207 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 208 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 209 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 210 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 211 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 212 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 213 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 214 — NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 215 — NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 216 — NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 217 — NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 218 — NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 219 — NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 220 — NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 221 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 222 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 223 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 224 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 225 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 226 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 227 — NtfsCheckForTrimThrottling: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 228 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 229 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 230 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 231 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 232 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 233 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 234 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 235 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 236 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 237 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 238 — NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 239 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 240 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 241 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 242 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 243 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 244 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 245 — NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 246 — NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonDeviceControl_IOCTLDISKCOPYDATA_is_not_allowed_on_unlocked_volume_Thread`	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 247 — NtfsVolumeDasdIo: Data section blocking flush.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsVolumeDasdIo_Data_section_blocking_flush_Thread`	NtfsVolumeDasdIo: Data section blocking flush. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Flush_status`	—

Event ID 248 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 249 — Could not find paging file MCB entry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 250 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 251 — Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Writing_to_Bitmap_Vcb`	Writing to $Bitmap. Vcb.

Event ID 252 — NTFS: Posting hotfix on file object: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NTFS_Posting_hotfix_on_file_object`	NTFS: Posting hotfix on file object.

Event ID 253 — NTFS: Freeing Bad Vcn: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NTFS_____Freeing_Bad_Vcn`	NTFS: Freeing Bad Vcn.

Event ID 254 — NTFS: Retiring Bad Lcn: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NTFS_____Retiring_Bad_Lcn`	NTFS: Retiring Bad Lcn.

Event ID 255 — NTFS: Reallocating Bad Vcn

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 256 — NTFS: Bad Cluster replaced

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 257 — IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`IrpContext`	—
`p_Vcb`	—

Event ID 258 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 259 —

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 260 — IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`IrpContext`	—
`p_Vcb`	—

Event ID 261 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 262 —

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 263 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDefragFileInternal_Defrag_is_denied_Thread`	NtfsDefragFileInternal: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 264 — NtfsDefragFileInternal: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 265 — NtfsDefragFileInternal: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 266 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDefragFileInternal_Defrag_is_denied_Thread`	NtfsDefragFileInternal: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 267 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—

Event ID 268 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—

Event ID 269 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 270 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 271 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—

Event ID 272 — NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—

Event ID 273 — NtfsDefragFile: Defrag is denied without manage volume access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDefragFile_Defrag_is_denied_without_manage_volume_access_Thread`	NtfsDefragFile: Defrag is denied without manage volume access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 274 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsEncryptDecryptOnline_Defrag_is_denied_Thread`	NtfsEncryptDecryptOnline: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 275 — NtfsEncryptDecryptOnline: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 276 — NtfsEncryptDecryptOnline: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 277 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsEncryptDecryptOnline_Defrag_is_denied_Thread`	NtfsEncryptDecryptOnline: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 278 — SCB: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`SCB`	—

Event ID 279 — StartOff=0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—

Event ID 280 — NumberOfValidRuns: 0

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 281 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 282 — STATUS_BUFFER_TOO_SMALL from FsLib.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 283 — Made an educated guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 284 — Made a wild guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 285 — NumberOfValidRuns: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 286 — BasePage: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 287 — About to zero range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 288 — Zeroed range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 289 — NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommonQueryInformation_File_information_query_not_allowed_as_file_was_opened_by_ID_without_traversal_privilege_Thread`	NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 290 — NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryCaseSensitiveInfo_Case_sensitive_info_query_not_allowed_without_read_attributes_access_Thread`	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 291 — NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryNameInfo_Name_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread`	NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 292 — NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryLinksInfo_Link_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread`	NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 293 — NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetCaseSensitiveInfo_Cannot_mark_root_directory_of_a_volume_casesensitive_Thread`	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 294 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_system_file_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 295 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 296 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_Link_name`	6!I64x!, Lcb.
`S_TxfNumWriters_count`	—

Event ID 297 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_opened_by_ID_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 298 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_via_either_part_of_the_longshort_pair_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_Link_name`	6!I64x!, Lcb.
`S_Link_cleanup_count`	—
`d_SplitPrimaryLcb`	—
`p_Split_link_name`	—
`S_Split_link_cleanup_count`	—

Event ID 299 — NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_file_marked_for_deletion_Thread`	NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_link_name`	—

Event ID 300 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_txf_directory_Thread`	NtfsSetRenameInfo: Can not rename a txf directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 301 — NtfsSetRenameInfo: Can not rename into a system directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_Can_not_rename_into_a_system_directory_Thread`	NtfsSetRenameInfo: Can not rename into a system directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 302 — NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_file_that_is_part_of_a_TxF_transaction_Thread`	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 303 — NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_The_file_should_not_have_inmemory_directory_descendents_Thread`	NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 304 — NtfsSetRenameInfo: Child Scb mismatch.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetRenameInfo_Child_Scb_mismatch_Thread`	NtfsSetRenameInfo: Child Scb mismatch. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 305 — NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_txf_directory_Thread`	NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 306 — NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_a_file_in_a_TxF_transaction_Thread`	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_TxfVisibleLinks`	6!I64x!, FileName.

Event ID 307 — NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetLinkInfo_Set_link_info_failed_due_to_caller_not_having_FILEWRITEATTRIBUTES_access_Thread`	NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_SeAccessCheck_status`	6!I64x!, FileName.

Event ID 308 — NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetLinkInfo_Creating_a_link_in_system_directory_is_not_allowed_Thread`	NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 309 — NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetLinkInfo_Creating_a_link_in_txf_is_not_allowed_if_the_RM_is_running_Thread`	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_Target_RM_state`	6!I64x!, NewLinkName.

Event ID 310 — NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_deleted_file_Thread`	NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_Link_Name`	6!I64x!, Lcb.

Event ID 311 — NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_file_under_the_TxF_directory_Thread`	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_Link_Name`	6!I64x!, Lcb.
`S_Parent_FileRef`	—

Event ID 312 — NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckScbForLinkRemoval_Existing_handles_are_not_allowed_if_Txf_transaction_is_doing_the_rename_Thread`	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 313 — NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckScbForLinkRemoval_Not_all_open_handles_for_the_stream_are_byid_opens_Thread`	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`d_Stream_cleanup_count`	6!I64x!, ByID opens.

Event ID 314 — NtfsStreamRename: Deny access due to encryption happening on source stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsStreamRename_Deny_access_due_to_encryption_happening_on_source_stream_Thread`	NtfsStreamRename: Deny access due to encryption happening on source stream. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 315 — NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsProcessTreeForRename_Deny_access_due_to_number_of_batch_oplocks_has_grown_Thread`	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`d_current_batch_oplock_count`	6!I64x!, Previous batch oplock count.

Event ID 316 — NtfsFlushVolumeFlushSingleFcb: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFlushVolumeFlushSingleFcb_Thread`	NtfsFlushVolumeFlushSingleFcb: Thread.
`p_Vcb`	—
`p_Fcb`	—
`p_LocalFlags`	—

Event ID 317 — NtfsFlushVolumeFlushSingleFcb: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFlushVolumeFlushSingleFcb_Thread`	NtfsFlushVolumeFlushSingleFcb: Thread.
`p_Scb`	—

Event ID 318 — NtfsFlushVolume: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFlushVolume_Thread`	NtfsFlushVolume: Thread.
`p_Vcb`	—
`p_LocalFlags`	—

Event ID 319 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_BitmapScb_Scb`	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.
`p_Vcb`	—

Event ID 320 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_MftScb_Scb`	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.
`p_Vcb`	—

Event ID 321 — NtfsFlushCompletionRoutine: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 322 — NtfsFlushCompletionRoutine: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 323 — NtfsDiskFlushContextWorkItemProcessing: Process work item

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 324 — NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 325 — Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Irp`	—
`p_IC`	—
`p_Vcb`	—
`p_MinorCode`	—

Event ID 326 — NtfsLockVolumeInternal: Cannot lock the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolumeInternal_Cannot_lock_the_volume_Thread`	NtfsLockVolumeInternal: Cannot lock the volume. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`d_ExplicitLock`	5!08x!, DisallowDismountCount.
`d_Volume_CleanupCount`	—
`d_Handle_count`	—

Event ID 327 — NtfsLockVolumeInternal: Volume is already locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolumeInternal_Volume_is_already_lockedThread`	NtfsLockVolumeInternal: Volume is already locked.Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 328 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volume_Thread`	NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Flush_Status`	—

Event ID 329 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volumeThread`	NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Flush_Status`	—

Event ID 330 — NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolumeInternal_Outstanding_user_files_open_after_flush_and_retry_Thread`	NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Volume_close_count`	—
`d_System_file_close_count`	—
`d_User_handle_count`	—

Event ID 331 — NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolume_Cannot_lock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread`	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 332 — NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLockVolume_Cannot_lock_volume_due_to_active_secondary_RMs_on_the_volume_Thread`	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Active_RM_count`	—
`d_Default_RM_Active`	—

Event ID 333 — ...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 334 — NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsUnlockVolume_Cannot_unlock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread`	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 335 — NtfsDismountVolume: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDismountVolume_IC`	NtfsDismountVolume: IC.
`p_Vcb`	—
`p_Label`	—
`S_DeviceName`	—

Event ID 336 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_Thread`	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 337 — NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_volume_being_locked_Thread`	NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 338 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_Thread`	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`d_CloseCount`	5!08x!, ReadOnlyCloseCount.
`d_SystemFileCloseCount`	—

Event ID 339 — NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkVolumeDirty_Cannot_mark_volume_dirty_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 340 — NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetVolumeBitmap_Cannot_get_volume_bitmap_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 341 — NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetBootAreaInfo_Cannot_get_boot_area_info_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 342 — NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetRetrievalPointers_Cannot_get_retrieval_pointers_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 343 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 344 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_or_this_is_not_a_volume_open_Thread`	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 345 — NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCreateUsnJournal_Cannot_create_Usn_journal_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 346 — NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsUsnTrackModifiedRanges_Cannot_enable_range_tracking_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 347 — NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsEnumerateUsnData_Cannot_enumerate_Usn_data_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 348 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_backup_access_or_can_bypass_traverse_checks_Thread`	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 349 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_or_backup_access_and_is_not_admin_Thread`	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`d_Context_owner_ID`	—

Event ID 350 — NtfsSetSparse: Caller does not have appropriate write access to the stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetSparse_Caller_does_not_have_appropriate_write_access_to_the_stream_Thread`	NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 351 — NtfsSetSparse: Cannot desparse encrypted file without write data access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetSparse_Cannot_desparse_encrypted_file_without_write_data_access_Thread`	NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 352 — NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsZeroRange_User_mode_caller_not_allowed_Thread`	NtfsZeroRange: User mode caller not allowed. Thread.

Event ID 353 — IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`IC`	—
`p_Scb`	—
`p_FileObject`	—

Event ID 354 — IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`IC`	—

Event ID 355 — NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsReadRawEncrypted_Caller_does_not_have_backup_access_or_read_data_access_Thread`	NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 356 — NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsWriteRawEncrypted_Caller_does_not_have_write_data_access_or_restore_access_Thread`	NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 357 — NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsWriteRawEncrypted_Caller_not_having_manage_volume_privilege_Thread`	NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 358 — NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsLookupStreamFromCluster_Caller_not_having_manage_volume_privilege_Thread`	NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 359 — NtfsChangeVolumeSize: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsChangeVolumeSize_Caller_not_having_manage_volume_privilege_Thread`	NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 360 — NtfsChangeVolumeSize (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 361 — NtfsChangeVolumeSize (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 362 — NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Caller_does_not_have_a_valid_volume_handle_or_manage_volume_access_or_is_not_kernel_model_caller_Thread`	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 363 — NtfsMarkHandle: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Caller_not_having_manage_volume_privilege_Thread`	NtfsMarkHandle: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 364 — NtfsMarkHandle: Cannot deny defrag.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Cannot_deny_defrag_Thread`	NtfsMarkHandle: Cannot deny defrag. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 365 — NtfsMarkHandle: Cannot deny Frs consolidation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Cannot_deny_Frs_consolidation_Thread`	NtfsMarkHandle: Cannot deny Frs consolidation. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 366 — NtfsMarkHandle: Cannot filter metadata.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Cannot_filter_metadata_Thread`	NtfsMarkHandle: Cannot filter metadata. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 367 — NtfsMarkHandle: Mark handle is not allowed on system files.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_Mark_handle_is_not_allowed_on_system_files_Thread`	NtfsMarkHandle: Mark handle is not allowed on system files. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 368 — NtfsMarkHandle: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_File_already_has_user_writable_references_Thread`	NtfsMarkHandle: File already has user writable references. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 369 — NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMarkHandle_File_was_granted_write_access_previously_but_no_oplocks_were_broken_Thread`	NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_Writers`	—

Event ID 370 — NtfsPrefetchFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsPrefetchFile_Caller_not_having_manage_volume_privilege_Thread`	NtfsPrefetchFile: Caller not having manage volume privilege. Thread.
`p_TypeOfOpen`	—
`d_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 371 — NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetZeroOnDeallocate_Only_allowed_on_regular_user_files_opened_for_write_Thread`	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_WriteAccess`	—
`d_Fcb`	—

Event ID 372 — NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSetShortNameBehavior_Caller_not_having_manage_volume_privilege_Thread`	NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 373 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 374 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 375 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 376 — NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Volsnap_hints_are_disabled_by_registry_Thread`	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_NtfsData_Flags`	—

Event ID 377 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_Thread`	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 378 — Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 379 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_Thread`	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 380 — NtfsCorruptionHandling: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCorruptionHandling_Caller_not_having_manage_volume_privilege_Thread`	NtfsCorruptionHandling: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 381 — NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGlobalCorruptionHandling_Caller_does_not_have_manage_volume_privilege_Thread`	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 382 — Scrub resume from SystemScbIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scrub_resume_from_SystemScbIndex`	—
`u_Vcn`	—

Event ID 383 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Scrub_resume_from_Vcn`	—

Event ID 384 — Scrub SystemScbIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scrub_SystemScbIndex`	—

Event ID 385 — NtfsScrubData: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsScrubData_Caller_not_having_manage_volume_privilege_Thread`	NtfsScrubData: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—

Event ID 386 — Scrub not supported for Txf file, Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scrub_not_supported_for_Txf_file_Scb`	Scrub not supported for Txf file, Scb.
`p_TxfScb`	—

Event ID 387 — Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 388 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_ScrubInternal_OperationStatus`	—
`S_Repaired`	—
`I64x_Failed`	!#I64x! Failed.
`I64x_FileOffset`	!#I64x! FileOffset.
`I64x_Length`	!#I64x! Length.
`I64x_ParityExtentCount`	!#I64x! ParityExtentCount.

Event ID 389 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_ScrubInternal_Status`	—
`S_Repaired`	—
`I64x_Failed`	!#I64x! Failed.
`I64x_ParityExtentCount`	!#I64x! ParityExtentCount.

Event ID 390 — InternalFileReference: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`InternalFileReference`	—

Event ID 391 — InternalFileReference:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`InternalFileReference`	—

Event ID 392 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Incomplete_IoCount`	—
`u_Cancel`	—
`u_ParityExtentCount`	—

Event ID 393 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—

Event ID 394 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—

Event ID 395 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—

Event ID 396 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Scrub_starting_vcn_is_beyond_VDL_FileOffset`	—
`I64x_SectorAlignedVdl`	!#I64x!, SectorAlignedVdl.

Event ID 397 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Scrub_no_more_Mcb_entries_from_StartingVcn`	—

Event ID 398 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Scrub_skipping_UNUSEDLCN_Vcn`	—
`I64x_ClusterCount`	!#I64x!, ClusterCount.

Event ID 399 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_StartingVcn`	—

Event ID 400 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`I64x_Bytes_StartingVcn`	—

Event ID 401 — Scrub found problems Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scrub_found_problems_Scb`	—
`I64x_Length`	2!#I64x! FileOffset.
`I64x_Status`	!#I64x! Length.
`S_BytesFailed`	!#I64x! Status.
`I64x_BytesRepaired`	—
`I64x_NewParityExtents`	!#I64x! BytesRepaired.

Event ID 402 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_DsmActionScrub_call_failed_Status`	—

Event ID 403 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_DsmActionScrub_operation_failed_Status`	—

Event ID 404 — FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FSCTLREPAIRCOPIES_not_supported_for_Txf_file_Scb`	FSCTL_REPAIR_COPIES not supported for Txf file, Scb.
`p_TxfScb`	—

Event ID 405 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—

Event ID 406 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—

Event ID 407 — FSCTL_REPAIR_COPIES interrupted by thread termination.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 408 — FSCTL_REPAIR_COPIES canceled

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 409 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_FSCTLREPAIRCOPIES_no_more_Mcb_entries_from_StartingVcn`	—

Event ID 410 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_FSCTLREPAIRCOPIES_No_more_Mcb_entries_unallocated_from_StartingVcn`	—

Event ID 411 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_FSCTLREPAIRCOPIES_skipping_UNUSEDLCN_Vcn`	—
`I64x_ClusterCount`	!#I64x!, ClusterCount.

Event ID 412 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`I64x_Bytes_FileOffset`	—

Event ID 413 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_DsmActionRepair_call_failed_Status`	—

Event ID 414 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_DsmActionRepair_operation_failed_Status`	—

Event ID 415 — Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_DsmActionRepair_completed_IrpStatus`	—

Event ID 416 — NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryCachedRuns_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—

Event ID 417 — NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryStorageClasses_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—

Event ID 418 — NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryRegionInfo_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—

Event ID 419 — NtfsUnloadFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsUnloadFile_Caller_not_having_manage_volume_privilege_Thread`	NtfsUnloadFile: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—

Event ID 420 — NtfsCheckForSection: File already has image section.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCheckForSection_File_already_has_image_section_Thread`	NtfsCheckForSection: File already has image section. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 421 — NtfsShuffleFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsShuffleFile_User_mode_caller_is_not_allowed_Thread`	NtfsShuffleFile: User mode caller is not allowed. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_TypeOfOpen`	—
`d_Fcb`	—
`S_Irp_RequestorMode`	7!I64x!, Ccb FullFileName.

Event ID 422 — NtfsShuffleFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsShuffleFile_Denying_access_due_to_volume_is_locked_Thread`	NtfsShuffleFile: Denying access due to volume is locked. Thread.
`p_TypeOfOpen`	—
`d_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_FileRef`	—
`I64x_Ccb_FullFileName`	!I64x!, Ccb FullFileName.

Event ID 423 — NtfsShuffleFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsShuffleFile_Defrag_is_denied_Thread`	NtfsShuffleFile: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 424 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_Thread`	NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 425 — NtfsRearrangeFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRearrangeFile_User_mode_caller_is_not_allowed_Thread`	NtfsRearrangeFile: User mode caller is not allowed. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`S_Irp_RequestorMode`	6!I64x!, Ccb FullFileName.

Event ID 426 — NtfsRearrangeFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRearrangeFile_Denying_access_due_to_volume_is_locked_Thread`	NtfsRearrangeFile: Denying access due to volume is locked. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 427 — NtfsRearrangeFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRearrangeFile_Defrag_is_denied_Thread`	NtfsRearrangeFile: Defrag is denied. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 428 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_Thread`	NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 429 — NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsSparseOverAllocate_Caller_does_not_have_appropriate_write_access_Thread`	NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_FileRef`	—
`I64x_FullFileName`	!I64x!, FullFileName.
`S_Ccb_access_flags`	—

Event ID 430 — NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsInitiateFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_write_Thread`	NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread.
`p_TypeOfOpen`	—
`d_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—
`p_FileRef`	—
`I64x_Scb_AttributeTypeCode`	!I64x!, Scb AttributeTypeCode.
`x_FcbState2`	—
`x_Ccb_FullFileName`	—
`S_Ccb_Access_flags`	—
`x_Ccb_Flags2`	—

Event ID 431 — NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsQueryFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_read_Thread`	NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread.
`p_TypeOfOpen`	—
`d_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 432 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_Thread`	NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 433 — NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 434 — NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 435 — NtfsEnumMountWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 436 — NtfsEnumMountWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 437 — NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 438 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_Thread`	NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
`p_TypeOfOpen`	—
`d_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—
`S_Fcb`	—

Event ID 439 — SCB: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`SCB`	—

Event ID 440 — FsLibGetBadAddressRanges returned Status: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FsLibGetBadAddressRanges_returned_Status`	—

Event ID 441 — FsInputRangeIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FsInputRangeIndex`	—

Event ID 442 — Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Status`	—
`S_AbnormalTermination`	—

Event ID 443 — Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Scb`	—
`p_Status`	—

Event ID 444 — NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsEncryptionKeyCtl_Caller_does_not_have_SETCBPRIVILEGE_Thread`	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread.
`p_Vcb`	—
`p_VolumeName`	—
`S_VolumeLabel`	—

Event ID 445 — Logic error of posting close to work queue.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 446 — NtfsFindPrefixHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFindPrefixHashEntry_Hash_table`	NtfsFindPrefixHashEntry: {Hash table.
`p_ParentScb`	—

Event ID 447 — NtfsFindPrefixHashEntry: {Lcb: NULL}

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 448 — NtfsFindPrefixHashEntry: {Lcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsFindPrefixHashEntry_Lcb`	NtfsFindPrefixHashEntry: {Lcb.

Event ID 449 — NtfsFindPrefixHashEntry: {Lcb not found}

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 450 — NtfsInsertHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsInsertHashEntry_Hash_table`	NtfsInsertHashEntry: {Hash table.
`p_HashValue`	—
`d_Lcb`	—

Event ID 451 — NtfsRemoveHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveHashEntry_Hash_table`	NtfsRemoveHashEntry: {Hash table.
`p_HashValue`	—

Event ID 452 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 453 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 454 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 455 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 456 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 457 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 458 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 459 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 460 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 461 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 462 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 463 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 464 — Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 465 — NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommitCurrentTransaction_IC`	—

Event ID 466 — NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommitCurrentTransaction_IC`	—

Event ID 467 — NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 468 — NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 469 — NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—

Event ID 470 — NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 471 — NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—

Event ID 472 — NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommitCurrentTransaction_IC`	—

Event ID 473 — NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsCommitCurrentTransaction_IC`	—

Event ID 474 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`I64x_ClearAll`	—

Event ID 475 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 476 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 477 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 478 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 479 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 480 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`I64x_Flags`	—

Event ID 481 — Vcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Vcb`	—
`p_Processing_range_DeallocatedClusters`	—
`p_RunIndex`	—
`d_StartingLcn`	—
`I64x_ClusterCount`	!I64x!, ClusterCount.

Event ID 482 — Looking for dangling MDLs

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 483 — FsLibGroupSubExtentsByDanglingMdl failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FsLibGroupSubExtentsByDanglingMdl_failed`	—

Event ID 484 — FsLibAddBaseMcbEntryEx failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`FsLibAddBaseMcbEntryEx_failed`	—

Event ID 485 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAddToMatchingDeallocatedClusters_ExtentsWithoutDanglingMdl__failed`	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.

Event ID 486 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAddToMatchingDeallocatedClusters_ExtentsWithDanglingMdl__failed`	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.

Event ID 487 — No sub extents has dangling MDL

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 488 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 489 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—

Event ID 490 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 491 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—

Event ID 492 — NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 493 — NtfsRemoveNtfsMcbEntry Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveNtfsMcbEntry_Scb`	—
`p_Mcb`	—

Event ID 494 — NtfsRemoveNtfsMcbEntry Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsRemoveNtfsMcbEntry_Mcb`	—

Event ID 495 — NtfsAddNtfsMcbEntry Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAddNtfsMcbEntry_Scb`	—
`p_Mcb`	—

Event ID 496 — NtfsAddNtfsMcbEntry Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsAddNtfsMcbEntry_Mcb`	—
`p_Result`	—

Event ID 497 — NtfsUnloadNtfsMcbRange Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsUnloadNtfsMcbRange_Scb`	—
`p_Mcb`	—

Event ID 498 — NtfsUnloadNtfsMcbRange Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsUnloadNtfsMcbRange_Mcb`	—

Event ID 499 — Valid NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Valid_NTFS_boot_sector_Vcb`	Valid NTFS boot sector. Vcb.
`p_BootSector`	—

Event ID 500 — Not an NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Not_an_NTFS_boot_sector_Vcb`	Not an NTFS boot sector. Vcb.
`p_BootSector`	—
`p_CheckNumber`	—

Event ID 501 — NtfsMountVolume: Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMountVolume_Vcb`	NtfsMountVolume: Vcb.
`p_IC`	—

Event ID 502 — NtfsMountVolume: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsMountVolume_IC`	NtfsMountVolume: IC.
`p_Vcb`	—
`p_Label`	—
`S_DeviceName`	—

Event ID 503 — Mounting DAX partition.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`Mounting_DAX_partition_Vcb`	Mounting DAX partition. Vcb.

Event ID 504 — DAX volume mounted without DAX support because storage is not DAX capable.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`DAX_volume_mounted_without_DAX_support_because_storage_is_not_DAX_capable_Vcb`	DAX volume mounted without DAX support because storage is not DAX capable. Vcb.

Event ID 505 — NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`	—
`p_IC`	—

Event ID 506 — NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`	—
`p_IC`	—

Event ID 507 — NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`	—
`p_IC`	—
`p_AttrListScb`	—

Event ID 508 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 509 — Exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 510 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 511 — LogFileFull .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—
`param2`	—
`param3`	—
`param4`	—
`param5`	—
`param6`	—
`param7`	—
`param8`	—
`param9`	—
`param10`	—
`param11`	—
`param12`	—
`param13`	—
`param14`	—
`param15`	—
`param16`	—
`param17`	—
`param18`	—
`param19`	—
`param20`	—
`param21`	—

Event ID 512 — Unexpected raise of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`param1`	—

Event ID 513 — NtfsProcessException IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsProcessException_IC`	—

Event ID 514 — NtfsProcessException IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields

Name	Description
`NtfsProcessException_IC`	—