Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742

505 events across 1 channel

EventTitleChannel
10NtfsLookupRealAllocation: Vcn .Operational
11NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.Operational
12FileObject: .Operational
13NtfsAddAllocation IC:.Operational
14Purge failed: Scb: .Operational
15Purge failed: Scb: .Operational
16NtfsGetLastVcnForNewMappingPairSize IC:.Operational
17Can't find StdInfo in FileRef .Operational
18Can't find StdInfo in FileRef .Operational
19NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.Operational
20NtfsAddAttributeAllocation(.Operational
21NtfsAddAttributeAllocation(.Operational
22NtfsAddAttributeAllocation(.Operational
23NtfsAddAttributeAllocation(.Operational
24NtfsAddAttributeAllocation(.Operational
25NtfsAddAttributeAllocation(.Operational
26NtfsRestartRemoveAttribute FileRef:0x.Operational
27NtfsRestartChangeValue FileRef:0x.Operational
28AddToAttributeList(.Operational
29DeleteFromAttributeList(.Operational
30MakeRoomForAttribute Moving Mft's attribute IC:.Operational
31MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.Operational
32MoveAttributeToOwnRecord IC:.Operational
33NtfsRestartZeroEndOfFileRecord FileRef:0x.Operational
34MergeFRS2(.Operational
35MergeFRS2(.Operational
36MergeFRS2(.Operational
37MergeFRS2(.Operational
38MergeFRS2(.Operational
39MergeFRS2(.Operational
40MergeFRS2(.Operational
41MergeFRS2(.Operational
42MergeFRS2(.Operational
43MergeFRS2(.Operational
44MergeFRS2(.Operational
45MergeFRS2(.Operational
46MergeFRS2(.Operational
47MergeFRS2(.Operational
48RedoAttribute(.Operational
49RedoAttribute(.Operational
50NtfsConsolidateAllFileRecords: Invalid Vcb.Operational
51NtfsConsolidateAllFileRecords: Volume is locked.Operational
52NtfsConsolidateAllFileRecords(.Operational
53NtfsConsolidateAllFileRecords(.Operational
54NtfsConsolidateAllFileRecords(.Operational
55NtfsConsolidateAllFileRecords(.Operational
56NtfsConsolidateAllFileRecords(.Operational
57NtfsConsolidateAllFileRecords(.Operational
58NtfsConsolidateAllFileRecords(.Operational
59NtfsConsolidateAllFileRecords(.Operational
60NtfsConsolidateAllFileRecords(.Operational
61NtfsConsolidateAllFileRecords(.Operational
62NtfsConsolidateAllFileRecords(.Operational
63NtfsConsolidateAllFileRecords(.Operational
64NtfsConsolidateAllFileRecords(.Operational
65NtfsConsolidateAllFileRecords(.Operational
66UpdateLCS: Vcb .Operational
67NtfsAllocateClustersPriv IC: .Operational
68NtfsAllocateClustersPriv IC: .Operational
69NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.Operational
70NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.Operational
71NtfsAllocateClustersPriv IC: .Operational
72NtfsAllocateClustersPriv IC: .Operational
73NtfsDeallocateClusters IC: .Operational
74NtfsDeallocateClusters: Vcb .Operational
75NtfsDeallocateClusters IC: .Operational
76NtfsDeallocateClusters: Vcb .Operational
77NtfsDeallocateClusters: Vcb .Operational
78NtfsDeallocateClusters: Vcb .Operational
79NtfsDeallocateClusters: Decremented TotalAllocated by 0x.Operational
80NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.Operational
81NtfsDeallocateClusters: Vcb .Operational
82NtfsDeallocateClusters IC: .Operational
83NtfsDeallocateClusters IC: .Operational
84NtfsModifyBitsInBitmap IC: .Operational
85NtfsModifyBitsInBitmap IC: .Operational
86NtfsAllocateBitmapRun IC: .Operational
87NtfsAllocateBitmapRun IC: .Operational
88NtfsRestartSetBitsInBitMap IC: .Operational
89NtfsFreeBitmapRun IC: .Operational
90NtfsFreeBitmapRun IC: .Operational
91NtfsRestartClearBitsInBitMap IC: .Operational
92NtfsSetOrClearBitsUsingBaseMcb IC: .Operational
93NtfsSetOrClearBitsUsingBaseMcb IC: .Operational
94NtfsSetOrClearBitsUsingBaseMcb IC: .Operational
95System files not marked as in use in the MFT bitmap.Operational
96Length: 0 --> BinIndex : 0 - Unexpected lengthOperational
97Length: .Operational
98Length: .Operational
99BinIndex: .Operational
100BinIndex: .Operational
101BinGroupShift: .Operational
102BinIndex: .Operational
103Searched committed allocations but didnt find enough free space.Operational
104NtfsRemoveClustersFromTPMap: Vcb .Operational
105NtfsRemoveClustersFromTPMap: Vcb .Operational
106NtfsRemoveClustersFromTPMap: Vcb .Operational
107NtfsRemoveClustersFromTPMap: Vcb .Operational
108NtfsRemoveClustersFromTPMap: Vcb .Operational
109NtfsValidateTotalClustersCommitted(.Operational
110Illegal MDL Complete for major code .Operational
111Entering: Scb: .Operational
112RunEntry ==> .Operational
113Offset is beyond this extent skipping the extent.Operational
114Shrinking LengthInExtent (0x.Operational
115Zeroing: StartingPhysicalAddr: 0x.Operational
116Exiting: ExtentsDescriptorIndex: .Operational
117Entering: Scb: .Operational
118Dsm Ranges[.Operational
119RemainingClusterCount: 0x.Operational
120Dsm: TotalNumberOfRanges: .Operational
121DsmOut Ranges[.Operational
122Zeroing: StartingPhysicalAddr: 0x.Operational
123Updating ExtentsDescriptor Index and StartOffset from Locals: …Operational
124Entering: Scb: .Operational
125Updating ExtentsDescriptor Index and StartOffset from Locals: …Operational
126IrpContext: .Operational
127Return.Operational
128Unexpected open type received: .Operational
129Raising STATUS_SUCCESS from NtfsCommonCleanup: .Operational
130Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.Operational
131Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.Operational
132Irp: .Operational
133Irp: .Operational
134NtfsCommonCreate: Volume is locked.Operational
135NtfsCommonVolumeOpen: Invalid create disposition for volume open.Operational
136NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Operational
137NtfsCommonVolumeOpen: Thread: .Operational
138NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Operational
139NtfsCommonVolumeOpen: Conlicting file objects.Operational
140NtfsHandlePagingFile: Paging file already open, paging files can only be opened …Operational
141NtfsHandlePagingFile: Cannot open system file as paging file.Operational
142NtfsHandlePagingFile: Persisted paging file already exists.Operational
143NtfsOpenFcbById: Invalid system file access.Operational
144NtfsOpenExistingPrefixFcb: Can not directly open txf directory.Operational
145NtfsOpenExistingPrefixFcb: Invalid system file access.Operational
146NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …Operational
147NtfsOpenFile: Invalid system file access.Operational
148NtfsOpenFile: Deny open when txf rm is active.Operational
149NtfsCreateNewFile: Deny creation in system directory (except root).Operational
150NtfsCreateNewFile: Unable to create Ea for the file.Operational
151NtfsCreateNewFile: Unable to create in the $txf directory.Operational
152NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.Operational
153NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.Operational
154NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.Operational
155NtfsOpenAttributeInExistingFile: Denying access for volume root directory.Operational
156NtfsCreateNewFile: Not allowed to create streams on system files.Operational
157NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …Operational
158NtfsOverwriteAttr: Denying access due to user being Ea blind.Operational
159NtfsOverwriteAttr: Deny access due to encryption happening on the stream.Operational
160NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …Operational
161NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …Operational
162NtfsCheckValidAttributeAccess: Deny access for protected system attributes.Operational
163NtfsOpenAttributeCheck: File already has user writable references.Operational
164NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.Operational
165NtfsOpenAttributeCheck: File was granted write access but has image section.Operational
166NtfsOpenAttribute: Denying write access on disallowed writes.Operational
167NtfsOpenAttribute: File already has user writable references.Operational
168NtfsOpenAttribute: Open for exclusive read access is not allowed.Operational
169NtfsOpenAttribute: File already has user writable references.Operational
170NtfsOpenAttribute: Open for exclusive read access is not allowed.Operational
171NtfsCheckExistingFile: Desired access conflicts with read-only state.Operational
172NtfsOpenExistingEncryptedStream: No encryption driver found.Operational
173NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …Operational
174NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …Operational
175NtfsFindStartingNode: Opening not allowed for txf name when RM is active.Operational
176NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
177NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
178NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
179NtfsReCheckShareAccess: Does not meet allow open requirement.Operational
180...:...!d! Status: ...!S! ProcessName: ...!S!Operational
181...:...!d! Status: ...!S! ProcessName: ...!S!Operational
182...:...!d! Status: ...!S! ProcessName: ...!S!Operational
183...:...!d! Status: ...!S! ProcessName: ...!S!Operational
184NtfsSendUnusedClustersHint: Vcb .Operational
185NtfsSendUnusedClustersHint: Vcb .Operational
186NtfsSendUnusedClustersHint: Vcb .Operational
187NtfsSendUnusedClustersHint: Vcb .Operational
188NtfsSendUnusedClustersHint: Vcb .Operational
189NtfsSendUnusedClustersHint: Vcb .Operational
190NtfsSendUnusedClustersHint: Vcb .Operational
191NtfsTransferMaxDataSetRanges: Src .Operational
192NtfsTransferMaxDataSetRanges: Src .Operational
193NtfsMarkUnusedContextPostTrimProcessing: EnteringOperational
194NtfsMarkUnusedContextPostTrimProcessing: Vcb .Operational
195NtfsMarkUnusedContextPostTrimProcessing: Vcb .Operational
196NtfsMarkUnusedContextPostTrimProcessing: Vcb .Operational
197NtfsMarkUnusedContextPostTrimProcessing: Vcb .Operational
198NtfsMarkUnusedContextPostTrimProcessing: LeavingOperational
199NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .Operational
200NtfsMarkUnusedContextPreTrimProcessing: Vcb .Operational
201NtfsMarkUnusedContextPreTrimProcessing: Vcb .Operational
202NtfsMarkUnusedContextPreTrimProcessing: Vcb .Operational
203NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .Operational
204NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
205NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
206NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
207NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
208NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
209NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
210NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
211NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
212NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .Operational
213NtfsMarkUnusedContextPreTrimWorkItemProcessing: LeavingOperational
214NtfsWakeupDeallocatedClustersWaiters: Vcb .Operational
215NtfsWakeupDeallocatedClustersWaiters: Vcb .Operational
216NtfsWakeupDeallocatedClustersWaiters: Vcb .Operational
217NtfsWaitForDeallocatedClustersToDrain: Vcb .Operational
218NtfsWaitForDeallocatedClustersToDrain: Vcb .Operational
219NtfsWaitForDeallocatedClustersToDrain: Vcb .Operational
220NtfsWaitForDeallocatedClustersToDrain: Vcb .Operational
221NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .Operational
222NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .Operational
223NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .Operational
224NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .Operational
225NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .Operational
226NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .Operational
227NtfsCheckForTrimThrottling: Vcb .Operational
228NtfsUpdateSmartTrimState: Vcb .Operational
229NtfsUpdateSmartTrimState: Vcb .Operational
230NtfsUpdateSmartTrimState: Vcb .Operational
231NtfsUpdateSmartTrimState: Vcb .Operational
232NtfsUpdateSmartTrimState: Vcb .Operational
233NtfsUpdateSmartTrimState: Vcb .Operational
234NtfsUpdateSmartTrimState: Vcb .Operational
235NtfsUpdateSmartTrimState: Vcb .Operational
236NtfsUpdateSmartTrimState: Vcb .Operational
237NtfsUpdateSmartTrimState: Vcb .Operational
238NtfsUpdateSmartTrimState: Vcb .Operational
239NtfsEvalSmartTrimState: Vcb .Operational
240NtfsEvalSmartTrimState: Vcb .Operational
241NtfsEvalSmartTrimState: Vcb .Operational
242NtfsEvalSmartTrimState: Vcb .Operational
243NtfsEvalSmartTrimState: Vcb .Operational
244NtfsEvalSmartTrimState: Vcb .Operational
245NtfsEvalSmartTrimState: Vcb .Operational
246NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.Operational
247NtfsVolumeDasdIo: Data section blocking flush.Operational
248Could not find paging file run.Operational
249Could not find paging file MCB entry.Operational
250Could not find paging file run.Operational
251Writing to $Bitmap.Operational
252NTFS: Posting hotfix on file object: .Operational
253NTFS: Freeing Bad Vcn: .Operational
254NTFS: Retiring Bad Lcn: .Operational
255NTFS: Reallocating Bad VcnOperational
256NTFS: Bad Cluster replacedOperational
257IrpContext: .Operational
258Compression buffers are already big enough.Operational
259Event ID 259Operational
260IrpContext: .Operational
261Compression buffers are already big enough.Operational
262Event ID 262Operational
263NtfsDefragFileInternal: Defrag is denied.Operational
264NtfsDefragFileInternal: Vcb .Operational
265NtfsDefragFileInternal: Vcb .Operational
266NtfsDefragFileInternal: Defrag is denied.Operational
267NtfsDefragFileInternal(.Operational
268NtfsDefragFileInternal(.Operational
269NtfsDefragFileInternal(.Operational
270NtfsDefragFileInternal(.Operational
271NtfsDefragFileInternal(.Operational
272NtfsDefragFileInternal(.Operational
273NtfsDefragFile: Defrag is denied without manage volume access.Operational
274NtfsEncryptDecryptOnline: Defrag is denied.Operational
275NtfsEncryptDecryptOnline: Vcb .Operational
276NtfsEncryptDecryptOnline: Vcb .Operational
277NtfsEncryptDecryptOnline: Defrag is denied.Operational
278SCB: .Operational
279StartOff=0x.Operational
280NumberOfValidRuns: 0Operational
281RemainingClusterCount: 0x.Operational
282STATUS_BUFFER_TOO_SMALL from FsLib.Operational
283Made an educated guess for remaining runs.Operational
284Made a wild guess for remaining runs.Operational
285NumberOfValidRuns: 0x.Operational
286BasePage: 0x.Operational
287About to zero range - ZeroStart: 0x.Operational
288Zeroed range - ZeroStart: 0x.Operational
289NtfsCommonQueryInformation: File information query not allowed as file was …Operational
290NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …Operational
291NtfsQueryNameInfo: Name info query not allowed as file was opened without …Operational
292NtfsQueryLinksInfo: Link info query not allowed as file was opened without …Operational
293NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.Operational
294NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.Operational
295NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
296NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
297NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …Operational
298NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
299NtfsSetRenameInfo: Can not rename a file marked for deletion.Operational
300NtfsSetRenameInfo: Can not rename a txf directory.Operational
301NtfsSetRenameInfo: Can not rename into a system directory.Operational
302NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.Operational
303NtfsSetRenameInfo: The file should not have in-memory directory descendents.Operational
304NtfsSetRenameInfo: Child Scb mismatch.Operational
305NtfsSetLinkInfo: Set link info is not allowed on txf directory.Operational
306NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.Operational
307NtfsSetLinkInfo: Set link info failed due to caller not having …Operational
308NtfsSetLinkInfo: Creating a link in system directory is not allowed.Operational
309NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.Operational
310NtfsSetShortNameInfo: Can not set a short name on a deleted file.Operational
311NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …Operational
312NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …Operational
313NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.Operational
314NtfsStreamRename: Deny access due to encryption happening on source stream.Operational
315NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.Operational
316NtfsFlushVolumeFlushSingleFcb: Thread: .Operational
317NtfsFlushVolumeFlushSingleFcb: Thread: .Operational
318NtfsFlushVolume: Thread: .Operational
319NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .Operational
320NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .Operational
321NtfsFlushCompletionRoutine: Vcb .Operational
322NtfsFlushCompletionRoutine: Vcb .Operational
323NtfsDiskFlushContextWorkItemProcessing: Process work itemOperational
324NtfsDiskFlushContextWorkItemProcessing: Nothing to work onOperational
325Irp: .Operational
326NtfsLockVolumeInternal: Cannot lock the volume.Operational
327NtfsLockVolumeInternal: Volume is already locked.Operational
328NtfsLockVolumeInternal: Failed to flush system files on the volume.Operational
329NtfsLockVolumeInternal: Failed to flush system files on the volume.Operational
330NtfsLockVolumeInternal: Outstanding user files open after flush and retry.Operational
331NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …Operational
332NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.Operational
333...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.Operational
334NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …Operational
335NtfsDismountVolume: IC: .Operational
336NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …Operational
337NtfsDismountVolume: Cannot dismount volume due to volume being locked.Operational
338NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …Operational
339NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …Operational
340NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …Operational
341NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …Operational
342NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …Operational
343NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …Operational
344NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …Operational
345NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …Operational
346NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …Operational
347NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …Operational
348NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …Operational
349NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …Operational
350NtfsSetSparse: Caller does not have appropriate write access to the stream.Operational
351NtfsSetSparse: Cannot desparse encrypted file without write data access.Operational
352NtfsZeroRange: User mode caller not allowed.Operational
353IC: .Operational
354IC: .Operational
355NtfsReadRawEncrypted: Caller does not have backup access or read data access.Operational
356NtfsWriteRawEncrypted: Caller does not have write data access or restore access.Operational
357NtfsWriteRawEncrypted: Caller not having manage volume privilege.Operational
358NtfsLookupStreamFromCluster: Caller not having manage volume privilege.Operational
359NtfsChangeVolumeSize: Caller not having manage volume privilege.Operational
360NtfsChangeVolumeSize (.Operational
361NtfsChangeVolumeSize (.Operational
362NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …Operational
363NtfsMarkHandle: Caller not having manage volume privilege.Operational
364NtfsMarkHandle: Cannot deny defrag.Operational
365NtfsMarkHandle: Cannot deny Frs consolidation.Operational
366NtfsMarkHandle: Cannot filter metadata.Operational
367NtfsMarkHandle: Mark handle is not allowed on system files.Operational
368NtfsMarkHandle: File already has user writable references.Operational
369NtfsMarkHandle: File was granted write access previously but no oplocks were …Operational
370NtfsPrefetchFile: Caller not having manage volume privilege.Operational
371NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.Operational
372NtfsSetShortNameBehavior: Caller not having manage volume privilege.Operational
373Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.Operational
374NtfsQueryPagefileEncryption: Caller not having manage volume privilege.Operational
375NtfsQueryPagefileEncryption: Caller not having manage volume privilege.Operational
376NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.Operational
377NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.Operational
378Resetting Volsnap behavior for VCB = 0x.Operational
379NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.Operational
380NtfsCorruptionHandling: Caller not having manage volume privilege.Operational
381NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.Operational
382Scrub resume from SystemScbIndex: .Operational
383Scb:.Operational
384Scrub SystemScbIndex: .Operational
385NtfsScrubData: Caller not having manage volume privilege.Operational
386Scrub not supported for Txf file, Scb: .Operational
387Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.Operational
388Scb:.Operational
389Scb:.Operational
390InternalFileReference: .Operational
391InternalFileReference:.Operational
392Scb:.Operational
393Scb:.Operational
394Scb:.Operational
395Scb:.Operational
396Scb:.Operational
397Scb:.Operational
398Scb:.Operational
399Scb:.Operational
400Scb:.Operational
401Scrub found problems Scb: .Operational
402Scb:.Operational
403Scb:.Operational
404FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .Operational
405Scb:.Operational
406Scb:.Operational
407FSCTL_REPAIR_COPIES interrupted by thread termination.Operational
408FSCTL_REPAIR_COPIES canceledOperational
409Scb:.Operational
410Scb:.Operational
411Scb:.Operational
412Scb:.Operational
413Scb:.Operational
414Scb:.Operational
415Scb:.Operational
416NtfsQueryCachedRuns: Caller not having manage volume privilege.Operational
417NtfsQueryStorageClasses: Caller not having manage volume privilege.Operational
418NtfsQueryRegionInfo: Caller not having manage volume privilege.Operational
419NtfsUnloadFile: Caller not having manage volume privilege.Operational
420NtfsCheckForSection: File already has image section.Operational
421NtfsShuffleFile: User mode caller is not allowed.Operational
422NtfsShuffleFile: Denying access due to volume is locked.Operational
423NtfsShuffleFile: Defrag is denied.Operational
424NtfsShuffleFile: Denying access due to conflicting with read-only state.Operational
425NtfsRearrangeFile: User mode caller is not allowed.Operational
426NtfsRearrangeFile: Denying access due to volume is locked.Operational
427NtfsRearrangeFile: Defrag is denied.Operational
428NtfsShuffleFile: Denying access due to conflicting with read-only state.Operational
429NtfsSparseOverAllocate: Caller does not have appropriate write access.Operational
430NtfsInitiateFileMetadataOptimization: Only allowed on regular user …Operational
431NtfsQueryFileMetadataOptimization: Only allowed on regular user …Operational
432NtfsCleanVolumeMetadata: Caller not having manage volume privilege.Operational
433NtfsEnumOnMountToDeleteWorker(.Operational
434NtfsEnumOnMountToDeleteWorker(.Operational
435NtfsEnumMountWorker(.Operational
436NtfsEnumMountWorker(.Operational
437NtfsEnumOnMountToDeleteWorker(.Operational
438NtfsCleanVolumeMetadata: Caller not having manage volume privilege.Operational
439SCB: .Operational
440FsLibGetBadAddressRanges returned Status: .Operational
441FsInputRangeIndex: .Operational
442Scb: .Operational
443Scb: .Operational
444NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.Operational
445Logic error of posting close to work queue.Operational
446NtfsFindPrefixHashEntry: {Hash table: .Operational
447NtfsFindPrefixHashEntry: {Lcb: NULL}Operational
448NtfsFindPrefixHashEntry: {Lcb: .Operational
449NtfsFindPrefixHashEntry: {Lcb not found}Operational
450NtfsInsertHashEntry: {Hash table: .Operational
451NtfsRemoveHashEntry: {Hash table: .Operational
452Vcb .Operational
453Vcb .Operational
454Vcb .Operational
455Vcb .Operational
456Vcb .Operational
457Vcb .Operational
458Vcb .Operational
459Vcb .Operational
460Vcb .Operational
461Vcb .Operational
462Vcb .Operational
463Vcb .Operational
464Vcb .Operational
465NtfsCommitCurrentTransaction IC: .Operational
466NtfsCommitCurrentTransaction IC: .Operational
467NtfsCommitCurrentTransaction (.Operational
468NtfsCommitCurrentTransaction (.Operational
469NtfsCommitCurrentTransaction (.Operational
470NtfsCommitCurrentTransaction (.Operational
471NtfsCommitCurrentTransaction (.Operational
472NtfsCommitCurrentTransaction IC: .Operational
473NtfsCommitCurrentTransaction IC: .Operational
474NtfsFreeRecentlyDeallocated: Vcb .Operational
475NtfsFreeRecentlyDeallocated: Vcb .Operational
476NtfsFreeRecentlyDeallocated: Vcb .Operational
477NtfsFreeRecentlyDeallocated: Vcb .Operational
478NtfsFreeRecentlyDeallocated: Vcb .Operational
479NtfsFreeRecentlyDeallocated: Vcb .Operational
480NtfsFreeRecentlyDeallocated: Vcb .Operational
481Vcb: .Operational
482Looking for dangling MDLsOperational
483FsLibGroupSubExtentsByDanglingMdl failed: .Operational
484FsLibAddBaseMcbEntryEx failed: .Operational
485NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .Operational
486NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .Operational
487No sub extents has dangling MDLOperational
488NtfsFreeRecentlyDeallocated: Vcb .Operational
489NtfsFreeRecentlyDeallocated: Vcb .Operational
490NtfsFreeRecentlyDeallocated: Vcb .Operational
491NtfsFreeRecentlyDeallocated: Vcb .Operational
492NtfsFreeRecentlyDeallocated: Vcb .Operational
493NtfsRemoveNtfsMcbEntry Scb: .Operational
494NtfsRemoveNtfsMcbEntry Mcb: .Operational
495NtfsAddNtfsMcbEntry Scb: .Operational
496NtfsAddNtfsMcbEntry Mcb: .Operational
497NtfsUnloadNtfsMcbRange Scb: .Operational
498NtfsUnloadNtfsMcbRange Mcb: .Operational
499Valid NTFS boot sector.Operational
500Not an NTFS boot sector.Operational
501NtfsMountVolume: Vcb:.Operational
502NtfsMountVolume: IC: .Operational
503Mounting DAX partition.Operational
504DAX volume mounted without DAX support because storage is not DAX capable.Operational
505NtfsGrowMftsAttributeListAllocation Vcb:.Operational
506NtfsGrowMftsAttributeListAllocation Vcb:.Operational
507NtfsGrowMftsAttributeListAllocation Vcb:.Operational
508Unexpected exception code of 0x.Operational
509Exception code of 0x.Operational
510Unexpected exception code of 0x.Operational
511LogFileFull .Operational
512Unexpected raise of 0x.Operational
513NtfsProcessException IC: .Operational
514NtfsProcessException IC: .Operational

Event ID 10: NtfsLookupRealAllocation: Vcn .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 11: NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateAttribute_MaxAlloc_for_Mfts_AttrList_ICNtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.
p_Scb

Event ID 12: FileObject: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FileObject
p_Scb
p_StaringVcn
I64x_ClusterCount
I64x_Flags!I64x!, Flags.

Event ID 13: NtfsAddAllocation IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAddAllocation_IC
p_FileObject
p_Scb
p_StaringVcn
I64x_ClusterCount
I64x_Flags!I64x!, Flags.

Event ID 14: Purge failed: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Purge_failed_ScbPurge failed: Scb.

Event ID 15: Purge failed: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Purge_failed_ScbPurge failed: Scb.

Event ID 16: NtfsGetLastVcnForNewMappingPairSize IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetLastVcnForNewMappingPairSize_IC
p_Using_LastVcn

Event ID 17: Can't find StdInfo in FileRef .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 18: Can't find StdInfo in FileRef .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 19: NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateNonresidentWithValue_Create_Mfts_NonResident_Attribute_List_ICNtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.
pValueLength

Event ID 20: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 21: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 22: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 23: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8

Event ID 24: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 25: NtfsAddAttributeAllocation(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 26: NtfsRestartRemoveAttribute FileRef:0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 27: NtfsRestartChangeValue FileRef:0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 28: AddToAttributeList(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 29: DeleteFromAttributeList(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 30: MakeRoomForAttribute Moving Mft's attribute IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
MakeRoomForAttribute_Moving_Mfts_attribute_ICMakeRoomForAttribute Moving Mft's attribute IC.

Event ID 31: MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
MoveAttributeToOwnRecord_Moving_Mfts_BITMAP_ICMoveAttributeToOwnRecord Moving Mft's $BITMAP IC.
p_SizeNeeded
x_TypeCode
x_RecLen
x_Form
x_Instance

Event ID 32: MoveAttributeToOwnRecord IC:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
MoveAttributeToOwnRecord_IC
p_SizeNeeded
x_Bytes2Free
x_OldMappingSize
x_NewMappingSize

Event ID 33: NtfsRestartZeroEndOfFileRecord FileRef:0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 34: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11

Event ID 35: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11

Event ID 36: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11

Event ID 37: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 38: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 39: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 40: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 41: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 42: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 43: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 44: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 45: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11
param12
param13
param14
param15

Event ID 46: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 47: MergeFRS2(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 48: RedoAttribute(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10

Event ID 49: RedoAttribute(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11
param12

Event ID 50: NtfsConsolidateAllFileRecords: Invalid Vcb.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsConsolidateAllFileRecords_Invalid_Vcb_ThreadNtfsConsolidateAllFileRecords: Invalid Vcb. Thread.

Event ID 51: NtfsConsolidateAllFileRecords: Volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsConsolidateAllFileRecords_Volume_is_locked_ThreadNtfsConsolidateAllFileRecords: Volume is locked. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Volume_Id

Event ID 52: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 53: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 54: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 55: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11
param12

Event ID 56: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10

Event ID 57: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10

Event ID 58: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 59: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 60: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 61: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 62: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 63: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 64: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 65: NtfsConsolidateAllFileRecords(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 66: UpdateLCS: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 67: NtfsAllocateClustersPriv IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateClustersPriv_IC
p_Vcb
p_Scb
p_Mcb
S_DelayedAllocation6!I64x!, AllocateAll.

Event ID 68: NtfsAllocateClustersPriv IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateClustersPriv_IC
p_Vcb
p_Scb
p_Mcb
S_DelayedAllocation6!I64x!, AllocateAll.

Event ID 69: NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 70: NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
3I64xScbState1!I64x! clusters, Scb.

Event ID 71: NtfsAllocateClustersPriv IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateClustersPriv_IC
p_ClustersAllocated

Event ID 72: NtfsAllocateClustersPriv IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateClustersPriv_IC
p_ClustersAllocated

Event ID 73: NtfsDeallocateClusters IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDeallocateClusters_IC
p_Vcb
p_Scb
p_Mcb

Event ID 74: NtfsDeallocateClusters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 75: NtfsDeallocateClusters IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDeallocateClusters_IC
p_Vcb
p_Scb
p_Mcb

Event ID 76: NtfsDeallocateClusters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 77: NtfsDeallocateClusters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 78: NtfsDeallocateClusters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p__Lsn
I64x_ClusterCount
I64x_Flags
I64x_new!08x!; Vcb's DeallocatedClustersCount old.

Event ID 79: NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
3I64xAddrTotalAllocated1!I64x! clusters, Scb.

Event ID 80: NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
pAddrTotalAllocated1!I64x! clusters, Scb.
p_ScbState

Event ID 81: NtfsDeallocateClusters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 82: NtfsDeallocateClusters IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDeallocateClusters_IC
p_ClustersDeallocated

Event ID 83: NtfsDeallocateClusters IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDeallocateClusters_IC
p_ClustersDeallocated

Event ID 84: NtfsModifyBitsInBitmap IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsModifyBitsInBitmap_IC
p_Vcb

Event ID 85: NtfsModifyBitsInBitmap IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsModifyBitsInBitmap_IC
p_Bitmap

Event ID 86: NtfsAllocateBitmapRun IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateBitmapRun_IC
p_Vcb

Event ID 87: NtfsAllocateBitmapRun IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAllocateBitmapRun_IC
p_Bitmap

Event ID 88: NtfsRestartSetBitsInBitMap IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRestartSetBitsInBitMap_IC
p_Bitmap

Event ID 89: NtfsFreeBitmapRun IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFreeBitmapRun_IC
p_Vcb

Event ID 90: NtfsFreeBitmapRun IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFreeBitmapRun_IC
p_Bitmap

Event ID 91: NtfsRestartClearBitsInBitMap IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRestartClearBitsInBitMap_IC
p_Bitmap

Event ID 92: NtfsSetOrClearBitsUsingBaseMcb IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetOrClearBitsUsingBaseMcb_IC
p_Vcb
p_Bitmap

Event ID 93: NtfsSetOrClearBitsUsingBaseMcb IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetOrClearBitsUsingBaseMcb_IC
p_Bitmap

Event ID 94: NtfsSetOrClearBitsUsingBaseMcb IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetOrClearBitsUsingBaseMcb_IC
p_Result

Event ID 95: System files not marked as in use in the MFT bitmap.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 96: Length: 0 --> BinIndex : 0 - Unexpected length

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 97: Length: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Length
u_BitPosition
ld_GroupIndex
ld_GroupShiftFactor

Event ID 98: Length: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Length

Event ID 99: BinIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
BinIndex

Event ID 100: BinIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
BinIndex
ld_RelativeBinIndex
ld_MaxKey

Event ID 101: BinGroupShift: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
BinGroupShift

Event ID 102: BinIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
BinIndex

Event ID 103: Searched committed allocations but didnt find enough free space.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 104: NtfsRemoveClustersFromTPMap: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 105: NtfsRemoveClustersFromTPMap: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 106: NtfsRemoveClustersFromTPMap: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 107: NtfsRemoveClustersFromTPMap: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 108: NtfsRemoveClustersFromTPMap: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 109: NtfsValidateTotalClustersCommitted(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 110: Illegal MDL Complete for major code .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 111: Entering: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Entering_ScbEntering: Scb.
p_ExtentsDescriptorIndex

Event ID 112: RunEntry ==> .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 113: Offset is beyond this extent skipping the extent.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 114: Shrinking LengthInExtent (0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 115: Zeroing: StartingPhysicalAddr: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 116: Exiting: ExtentsDescriptorIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Exiting_ExtentsDescriptorIndexExiting: ExtentsDescriptorIndex.

Event ID 117: Entering: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Entering_ScbEntering: Scb.

Event ID 118: Dsm Ranges[.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 119: RemainingClusterCount: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 120: Dsm: TotalNumberOfRanges: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Dsm_TotalNumberOfRangesDsm: TotalNumberOfRanges.
d_NumberOfRangesReturned

Event ID 121: DsmOut Ranges[.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 122: Zeroing: StartingPhysicalAddr: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 123: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndexUpdating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 124: Entering: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Entering_ScbEntering: Scb.
p_ExtentsDescriptorIndex

Event ID 125: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndexUpdating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 126: IrpContext: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
IrpContext
p_Scb

Event ID 127: Return.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Return_IrpContextReturn. IrpContext.

Event ID 128: Unexpected open type received: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Unexpected_open_type_received

Event ID 129: Raising STATUS_SUCCESS from NtfsCommonCleanup: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Raising_STATUSSUCCESS_from_NtfsCommonCleanupRaising STATUS_SUCCESS from NtfsCommonCleanup.

Event ID 130: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 131: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 132: Irp: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Irp
p_IC
p_Vcb
p_FileObject
p_RelatedFileObject
p_FileIdBuffer

Event ID 133: Irp: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Irp
p_IC
p_Vcb
p_FileObject
p_RelatedFileObject
p_Path

Event ID 134: NtfsCommonCreate: Volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonCreate_Volume_is_locked_ThreadNtfsCommonCreate: Volume is locked. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Vcb_State

Event ID 135: NtfsCommonVolumeOpen: Invalid create disposition for volume open.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonVolumeOpen_Invalid_create_disposition_for_volume_open_ThreadNtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread.

Event ID 136: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismount_ThreadNtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 137: NtfsCommonVolumeOpen: Thread: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonVolumeOpen_ThreadNtfsCommonVolumeOpen: Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
d_BiasedCleanupCount

Event ID 138: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismountThreadNtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 139: NtfsCommonVolumeOpen: Conlicting file objects.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonVolumeOpen_Conlicting_file_objects_ThreadNtfsCommonVolumeOpen: Conlicting file objects. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
d_VcbCloseCount
d_VcbSystemFileCloseCount

Event ID 140: NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsHandlePagingFile_Paging_file_already_open_paging_files_can_only_be_opened_once_ThreadNtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 141: NtfsHandlePagingFile: Cannot open system file as paging file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsHandlePagingFile_Cannot_open_system_file_as_paging_file_ThreadNtfsHandlePagingFile: Cannot open system file as paging file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 142: NtfsHandlePagingFile: Persisted paging file already exists.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsHandlePagingFile_Persisted_paging_file_already_exists_ThreadNtfsHandlePagingFile: Persisted paging file already exists. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 143: NtfsOpenFcbById: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenFcbById_Invalid_system_file_access_ThreadNtfsOpenFcbById: Invalid system file access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 144: NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenExistingPrefixFcb_Can_not_directly_open_txf_directory_ThreadNtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 145: NtfsOpenExistingPrefixFcb: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenExistingPrefixFcb_Invalid_system_file_access_ThreadNtfsOpenExistingPrefixFcb: Invalid system file access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 146: NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenFile_Unsafe_to_acquire_parent_directory_after_acquiring_a_txfsystem_file_ThreadNtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 147: NtfsOpenFile: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenFile_Invalid_system_file_access_ThreadNtfsOpenFile: Invalid system file access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 148: NtfsOpenFile: Deny open when txf rm is active.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenFile_Deny_open_when_txf_rm_is_active_ThreadNtfsOpenFile: Deny open when txf rm is active. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 149: NtfsCreateNewFile: Deny creation in system directory (except root).

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateNewFile_Deny_creation_in_system_directory_except_root_ThreadNtfsCreateNewFile: Deny creation in system directory (except root). Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Parent_Fcb_Fcb

Event ID 150: NtfsCreateNewFile: Unable to create Ea for the file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateNewFile_Unable_to_create_Ea_for_the_file_ThreadNtfsCreateNewFile: Unable to create Ea for the file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 151: NtfsCreateNewFile: Unable to create in the $txf directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateNewFile_Unable_to_create_in_the_txf_directory_ThreadNtfsCreateNewFile: Unable to create in the $txf directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Parent_Fcb_Fcb

Event ID 152: NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenSubdirectory_Denying_access_to_Txf_file_when_the_RM_is_active_ThreadNtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 153: NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeInExistingFile_Denying_access_due_to_caller_being_Ea_blind_ThreadNtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 154: NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeInExistingFile_Fail_to_find_INDEXROOT_attribute_ThreadNtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 155: NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeInExistingFile_Denying_access_for_volume_root_directory_ThreadNtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 156: NtfsCreateNewFile: Not allowed to create streams on system files.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateNewFile_Not_allowed_to_create_streams_on_system_files_ThreadNtfsCreateNewFile: Not allowed to create streams on system files. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 157: NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOverwriteAttr_Cannot_overwrite_hidden_or_system_attribute_for_a_nonpaging_file_ThreadNtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 158: NtfsOverwriteAttr: Denying access due to user being Ea blind.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOverwriteAttr_Denying_access_due_to_user_being_Ea_blind_ThreadNtfsOverwriteAttr: Denying access due to user being Ea blind. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
p_FileRef

Event ID 159: NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOverwriteAttr_Deny_access_due_to_encryption_happening_on_the_stream_ThreadNtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 160: NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckValidAttributeAccess_Supersede_or_overwrite_is_not_allowed_on_this_type_of_named_attribute_ThreadNtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 161: NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckValidAttributeAccess_Only_read_attributes_access_is_supported_on_this_attribute_ThreadNtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 162: NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckValidAttributeAccess_Deny_access_for_protected_system_attributes_ThreadNtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread.
p_AttributeTypeCode

Event ID 163: NtfsOpenAttributeCheck: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeCheck_File_already_has_user_writable_references_ThreadNtfsOpenAttributeCheck: File already has user writable references. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 164: NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeCheck_Deny_access_for_online_encryption_backup_data_stream_ThreadNtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 165: NtfsOpenAttributeCheck: File was granted write access but has image section.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttributeCheck_File_was_granted_write_access_but_has_image_section_ThreadNtfsOpenAttributeCheck: File was granted write access but has image section. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 166: NtfsOpenAttribute: Denying write access on disallowed writes.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttribute_Denying_write_access_on_disallowed_writes_ThreadNtfsOpenAttribute: Denying write access on disallowed writes. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
p_Disallow_write_count6!I64x!, Scb.

Event ID 167: NtfsOpenAttribute: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttribute_File_already_has_user_writable_references_ThreadNtfsOpenAttribute: File already has user writable references. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 168: NtfsOpenAttribute: Open for exclusive read access is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_ThreadNtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 169: NtfsOpenAttribute: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttribute_File_already_has_user_writable_references_ThreadNtfsOpenAttribute: File already has user writable references. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 170: NtfsOpenAttribute: Open for exclusive read access is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_ThreadNtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 171: NtfsCheckExistingFile: Desired access conflicts with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckExistingFile_Desired_access_conflicts_with_readonly_state_ThreadNtfsCheckExistingFile: Desired access conflicts with read-only state. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 172: NtfsOpenExistingEncryptedStream: No encryption driver found.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenExistingEncryptedStream_No_encryption_driver_found_ThreadNtfsOpenExistingEncryptedStream: No encryption driver found. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 173: NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsOpenExistingEncryptedStream_Opening_for_readwrite_access_not_allowed_on_compressed_file_ThreadNtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 174: NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsEncryptionCreateCallback_Encrytion_engine_fail_to_encrypt_all_streams_for_file_with_open_handle_ThreadNtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 175: NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFindStartingNode_Opening_not_allowed_for_txf_name_when_RM_is_active_ThreadNtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread.
p_Fcb

Event ID 176: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_ThreadNtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_LinkShareAccessDeleters
d_LinkShareAccessSharedDelete

Event ID 177: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_ThreadNtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_ShareAccessReaders
d_ShareAccessWriters
d_ShareAccessDeleters
d_ShareAccessSharedRead
d_ShareAccessSharedWrite
d_ShareAccessSharedDelete

Event ID 178: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_ThreadNtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_ShareAccessReaders
d_ShareAccessWriters
d_ShareAccessDeleters
d_ShareAccessSharedRead
d_ShareAccessSharedWrite
d_ShareAccessSharedDelete
d_LinkShareAccessOpenCount
d_LinkShareAccessDeleters
d_LinkShareAccessSharedDelete

Event ID 179: NtfsReCheckShareAccess: Does not meet allow open requirement.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsReCheckShareAccess_Does_not_meet_allow_open_requirement_ThreadNtfsReCheckShareAccess: Does not meet allow open requirement. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_Readers
d_Writers
d_Deleters
d_SharedRead
d_Lcb_Deleters

Event ID 180: ...:...!d! Status: ...!S! ProcessName: ...!S!

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
1
d_Status
S_ProcessName

Event ID 181: ...:...!d! Status: ...!S! ProcessName: ...!S!

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
1
d_Status
S_ProcessName

Event ID 182: ...:...!d! Status: ...!S! ProcessName: ...!S!

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
1
d_Status
S_ProcessName

Event ID 183: ...:...!d! Status: ...!S! ProcessName: ...!S!

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
1
d_Status
S_ProcessName

Event ID 184: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 185: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 186: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 187: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 188: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 189: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 190: NtfsSendUnusedClustersHint: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 191: NtfsTransferMaxDataSetRanges: Src .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 192: NtfsTransferMaxDataSetRanges: Src .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 193: NtfsMarkUnusedContextPostTrimProcessing: Entering

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 194: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 195: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8

Event ID 196: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 197: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 198: NtfsMarkUnusedContextPostTrimProcessing: Leaving

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 199: NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 200: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 201: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 202: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 203: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 204: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 205: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 206: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 207: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 208: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 209: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 210: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 211: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 212: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 213: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 214: NtfsWakeupDeallocatedClustersWaiters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 215: NtfsWakeupDeallocatedClustersWaiters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 216: NtfsWakeupDeallocatedClustersWaiters: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 217: NtfsWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 218: NtfsWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 219: NtfsWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 220: NtfsWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 221: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 222: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 223: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 224: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 225: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 226: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 227: NtfsCheckForTrimThrottling: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 228: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 229: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 230: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 231: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 232: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 233: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 234: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 235: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 236: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 237: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 238: NtfsUpdateSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 239: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 240: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 241: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 242: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 243: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 244: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 245: NtfsEvalSmartTrimState: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 246: NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonDeviceControl_IOCTLDISKCOPYDATA_is_not_allowed_on_unlocked_volume_ThreadNtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 247: NtfsVolumeDasdIo: Data section blocking flush.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsVolumeDasdIo_Data_section_blocking_flush_ThreadNtfsVolumeDasdIo: Data section blocking flush. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Flush_status

Event ID 248: Could not find paging file run.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 249: Could not find paging file MCB entry.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 250: Could not find paging file run.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 251: Writing to $Bitmap.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Writing_to_Bitmap_VcbWriting to $Bitmap. Vcb.

Event ID 252: NTFS: Posting hotfix on file object: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NTFS_Posting_hotfix_on_file_objectNTFS: Posting hotfix on file object.

Event ID 253: NTFS: Freeing Bad Vcn: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NTFS_____Freeing_Bad_VcnNTFS: Freeing Bad Vcn.

Event ID 254: NTFS: Retiring Bad Lcn: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NTFS_____Retiring_Bad_LcnNTFS: Retiring Bad Lcn.

Event ID 255: NTFS: Reallocating Bad Vcn

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 256: NTFS: Bad Cluster replaced

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 257: IrpContext: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
IrpContext
p_Vcb

Event ID 258: Compression buffers are already big enough.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 259:

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 260: IrpContext: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
IrpContext
p_Vcb

Event ID 261: Compression buffers are already big enough.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 262:

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 263: NtfsDefragFileInternal: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDefragFileInternal_Defrag_is_denied_ThreadNtfsDefragFileInternal: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 264: NtfsDefragFileInternal: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 265: NtfsDefragFileInternal: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 266: NtfsDefragFileInternal: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDefragFileInternal_Defrag_is_denied_ThreadNtfsDefragFileInternal: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 267: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11

Event ID 268: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11

Event ID 269: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 270: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 271: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10

Event ID 272: NtfsDefragFileInternal(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6

Event ID 273: NtfsDefragFile: Defrag is denied without manage volume access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDefragFile_Defrag_is_denied_without_manage_volume_access_ThreadNtfsDefragFile: Defrag is denied without manage volume access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 274: NtfsEncryptDecryptOnline: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsEncryptDecryptOnline_Defrag_is_denied_ThreadNtfsEncryptDecryptOnline: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 275: NtfsEncryptDecryptOnline: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 276: NtfsEncryptDecryptOnline: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 277: NtfsEncryptDecryptOnline: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsEncryptDecryptOnline_Defrag_is_denied_ThreadNtfsEncryptDecryptOnline: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 278: SCB: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
SCB

Event ID 279: StartOff=0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7

Event ID 280: NumberOfValidRuns: 0

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 281: RemainingClusterCount: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 282: STATUS_BUFFER_TOO_SMALL from FsLib.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 283: Made an educated guess for remaining runs.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 284: Made a wild guess for remaining runs.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 285: NumberOfValidRuns: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 286: BasePage: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 287: About to zero range - ZeroStart: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 288: Zeroed range - ZeroStart: 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 289: NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommonQueryInformation_File_information_query_not_allowed_as_file_was_opened_by_ID_without_traversal_privilege_ThreadNtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 290: NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryCaseSensitiveInfo_Case_sensitive_info_query_not_allowed_without_read_attributes_access_ThreadNtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 291: NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryNameInfo_Name_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_ThreadNtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 292: NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 293: NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetCaseSensitiveInfo_Cannot_mark_root_directory_of_a_volume_casesensitive_ThreadNtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 294: NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_system_file_ThreadNtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 295: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_ThreadNtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 296: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_ThreadNtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_TxfNumWriters_count

Event ID 297: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_opened_by_ID_ThreadNtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 298: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_via_either_part_of_the_longshort_pair_ThreadNtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_SplitPrimaryLcb

Event ID 299: NtfsSetRenameInfo: Can not rename a file marked for deletion.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_Can_not_rename_a_file_marked_for_deletion_ThreadNtfsSetRenameInfo: Can not rename a file marked for deletion. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 300: NtfsSetRenameInfo: Can not rename a txf directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_Can_not_rename_a_txf_directory_ThreadNtfsSetRenameInfo: Can not rename a txf directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 301: NtfsSetRenameInfo: Can not rename into a system directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_Can_not_rename_into_a_system_directory_ThreadNtfsSetRenameInfo: Can not rename into a system directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 302: NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_Can_not_rename_a_file_that_is_part_of_a_TxF_transaction_ThreadNtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 303: NtfsSetRenameInfo: The file should not have in-memory directory descendents.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_The_file_should_not_have_inmemory_directory_descendents_ThreadNtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 304: NtfsSetRenameInfo: Child Scb mismatch.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetRenameInfo_Child_Scb_mismatch_ThreadNtfsSetRenameInfo: Child Scb mismatch. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 305: NtfsSetLinkInfo: Set link info is not allowed on txf directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 306: NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 307: NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_SeAccessCheck_status6!I64x!, FileName.

Event ID 308: NtfsSetLinkInfo: Creating a link in system directory is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 309: NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_Target_RM_state6!I64x!, NewLinkName.

Event ID 310: NtfsSetShortNameInfo: Can not set a short name on a deleted file.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_deleted_file_ThreadNtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 311: NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_file_under_the_TxF_directory_ThreadNtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_Parent_FileRef

Event ID 312: NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckScbForLinkRemoval_Existing_handles_are_not_allowed_if_Txf_transaction_is_doing_the_rename_ThreadNtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 313: NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckScbForLinkRemoval_Not_all_open_handles_for_the_stream_are_byid_opens_ThreadNtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_Stream_cleanup_count6!I64x!, ByID opens.

Event ID 314: NtfsStreamRename: Deny access due to encryption happening on source stream.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsStreamRename_Deny_access_due_to_encryption_happening_on_source_stream_ThreadNtfsStreamRename: Deny access due to encryption happening on source stream. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 315: NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsProcessTreeForRename_Deny_access_due_to_number_of_batch_oplocks_has_grown_ThreadNtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
d_current_batch_oplock_count6!I64x!, Previous batch oplock count.

Event ID 316: NtfsFlushVolumeFlushSingleFcb: Thread: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFlushVolumeFlushSingleFcb_ThreadNtfsFlushVolumeFlushSingleFcb: Thread.
p_Vcb
p_Fcb
p_LocalFlags

Event ID 317: NtfsFlushVolumeFlushSingleFcb: Thread: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFlushVolumeFlushSingleFcb_ThreadNtfsFlushVolumeFlushSingleFcb: Thread.
p_Scb

Event ID 318: NtfsFlushVolume: Thread: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFlushVolume_ThreadNtfsFlushVolume: Thread.
p_Vcb
p_LocalFlags

Event ID 319: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_BitmapScb_ScbNtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.
p_Vcb

Event ID 320: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_MftScb_ScbNtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.
p_Vcb

Event ID 321: NtfsFlushCompletionRoutine: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 322: NtfsFlushCompletionRoutine: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 323: NtfsDiskFlushContextWorkItemProcessing: Process work item

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 324: NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 325: Irp: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Irp
p_IC
p_Vcb
p_MinorCode

Event ID 326: NtfsLockVolumeInternal: Cannot lock the volume.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolumeInternal_Cannot_lock_the_volume_ThreadNtfsLockVolumeInternal: Cannot lock the volume. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
d_ExplicitLock
d_Volume_CleanupCount
d_Handle_count

Event ID 327: NtfsLockVolumeInternal: Volume is already locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolumeInternal_Volume_is_already_lockedThreadNtfsLockVolumeInternal: Volume is already locked.Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 328: NtfsLockVolumeInternal: Failed to flush system files on the volume.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volume_ThreadNtfsLockVolumeInternal: Failed to flush system files on the volume. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Flush_Status

Event ID 329: NtfsLockVolumeInternal: Failed to flush system files on the volume.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volumeThreadNtfsLockVolumeInternal: Failed to flush system files on the volume.Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Flush_Status

Event ID 330: NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolumeInternal_Outstanding_user_files_open_after_flush_and_retry_ThreadNtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Volume_close_count
d_System_file_close_count
d_User_handle_count

Event ID 331: NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolume_Cannot_lock_volume_due_to_caller_does_not_have_manage_volume_privilege_ThreadNtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 332: NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLockVolume_Cannot_lock_volume_due_to_active_secondary_RMs_on_the_volume_ThreadNtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Active_RM_count
d_Default_RM_Active

Event ID 333: ...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 334: NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsUnlockVolume_Cannot_unlock_volume_due_to_caller_does_not_have_manage_volume_privilege_ThreadNtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 335: NtfsDismountVolume: IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDismountVolume_ICNtfsDismountVolume: IC.
p_Vcb
p_Label
S_DeviceName

Event ID 336: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_ThreadNtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 337: NtfsDismountVolume: Cannot dismount volume due to volume being locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDismountVolume_Cannot_dismount_volume_due_to_volume_being_locked_ThreadNtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 338: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_ThreadNtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
d_CloseCount
d_SystemFileCloseCount

Event ID 339: NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkVolumeDirty_Cannot_mark_volume_dirty_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 340: NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetVolumeBitmap_Cannot_get_volume_bitmap_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 341: NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetBootAreaInfo_Cannot_get_boot_area_info_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 342: NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetRetrievalPointers_Cannot_get_retrieval_pointers_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 343: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 344: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_or_this_is_not_a_volume_open_ThreadNtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 345: NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCreateUsnJournal_Cannot_create_Usn_journal_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 346: NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsUsnTrackModifiedRanges_Cannot_enable_range_tracking_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 347: NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsEnumerateUsnData_Cannot_enumerate_Usn_data_due_to_caller_not_having_manage_volume_privilege_ThreadNtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 348: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_backup_access_or_can_bypass_traverse_checks_ThreadNtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 349: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_or_backup_access_and_is_not_admin_ThreadNtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
d_Context_owner_ID

Event ID 350: NtfsSetSparse: Caller does not have appropriate write access to the stream.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetSparse_Caller_does_not_have_appropriate_write_access_to_the_stream_ThreadNtfsSetSparse: Caller does not have appropriate write access to the stream. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 351: NtfsSetSparse: Cannot desparse encrypted file without write data access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetSparse_Cannot_desparse_encrypted_file_without_write_data_access_ThreadNtfsSetSparse: Cannot desparse encrypted file without write data access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 352: NtfsZeroRange: User mode caller not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsZeroRange_User_mode_caller_not_allowed_ThreadNtfsZeroRange: User mode caller not allowed. Thread.

Event ID 353: IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
IC
p_Scb
p_FileObject

Event ID 354: IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
IC

Event ID 355: NtfsReadRawEncrypted: Caller does not have backup access or read data access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsReadRawEncrypted_Caller_does_not_have_backup_access_or_read_data_access_ThreadNtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 356: NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsWriteRawEncrypted_Caller_does_not_have_write_data_access_or_restore_access_ThreadNtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 357: NtfsWriteRawEncrypted: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsWriteRawEncrypted_Caller_not_having_manage_volume_privilege_ThreadNtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 358: NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsLookupStreamFromCluster_Caller_not_having_manage_volume_privilege_ThreadNtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 359: NtfsChangeVolumeSize: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsChangeVolumeSize_Caller_not_having_manage_volume_privilege_ThreadNtfsChangeVolumeSize: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 360: NtfsChangeVolumeSize (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 361: NtfsChangeVolumeSize (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 362: NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Caller_does_not_have_a_valid_volume_handle_or_manage_volume_access_or_is_not_kernel_model_caller_ThreadNtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 363: NtfsMarkHandle: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Caller_not_having_manage_volume_privilege_ThreadNtfsMarkHandle: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 364: NtfsMarkHandle: Cannot deny defrag.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Cannot_deny_defrag_ThreadNtfsMarkHandle: Cannot deny defrag. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 365: NtfsMarkHandle: Cannot deny Frs consolidation.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Cannot_deny_Frs_consolidation_ThreadNtfsMarkHandle: Cannot deny Frs consolidation. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 366: NtfsMarkHandle: Cannot filter metadata.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Cannot_filter_metadata_ThreadNtfsMarkHandle: Cannot filter metadata. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 367: NtfsMarkHandle: Mark handle is not allowed on system files.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_Mark_handle_is_not_allowed_on_system_files_ThreadNtfsMarkHandle: Mark handle is not allowed on system files. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 368: NtfsMarkHandle: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_File_already_has_user_writable_references_ThreadNtfsMarkHandle: File already has user writable references. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 369: NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMarkHandle_File_was_granted_write_access_previously_but_no_oplocks_were_broken_ThreadNtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_Writers

Event ID 370: NtfsPrefetchFile: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsPrefetchFile_Caller_not_having_manage_volume_privilege_ThreadNtfsPrefetchFile: Caller not having manage volume privilege. Thread.
p_TypeOfOpen
d_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 371: NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetZeroOnDeallocate_Only_allowed_on_regular_user_files_opened_for_write_ThreadNtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_WriteAccess
d_Fcb

Event ID 372: NtfsSetShortNameBehavior: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSetShortNameBehavior_Caller_not_having_manage_volume_privilege_ThreadNtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 373: Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 374: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_ThreadNtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 375: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_ThreadNtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 376: NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsResetVolsnapBehaviorForVolume_Volsnap_hints_are_disabled_by_registry_ThreadNtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_NtfsData_Flags

Event ID 377: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_ThreadNtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 378: Resetting Volsnap behavior for VCB = 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 379: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_ThreadNtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 380: NtfsCorruptionHandling: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCorruptionHandling_Caller_not_having_manage_volume_privilege_ThreadNtfsCorruptionHandling: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 381: NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGlobalCorruptionHandling_Caller_does_not_have_manage_volume_privilege_ThreadNtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 382: Scrub resume from SystemScbIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scrub_resume_from_SystemScbIndex
u_Vcn

Event ID 383: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Scrub_resume_from_Vcn

Event ID 384: Scrub SystemScbIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scrub_SystemScbIndex

Event ID 385: NtfsScrubData: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsScrubData_Caller_not_having_manage_volume_privilege_ThreadNtfsScrubData: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb

Event ID 386: Scrub not supported for Txf file, Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scrub_not_supported_for_Txf_file_ScbScrub not supported for Txf file, Scb.
p_TxfScb

Event ID 387: Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 388: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_ScrubInternal_OperationStatus
S_Repaired
I64x_Failed!#I64x! Failed.
I64x_FileOffset!#I64x! FileOffset.
I64x_Length
I64x_ParityExtentCount

Event ID 389: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_ScrubInternal_Status
S_Repaired
I64x_Failed!#I64x! Failed.
I64x_ParityExtentCount

Event ID 390: InternalFileReference: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
InternalFileReference

Event ID 391: InternalFileReference:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
InternalFileReference

Event ID 392: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Incomplete_IoCount
u_Cancel
u_ParityExtentCount

Event ID 393: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb

Event ID 394: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb

Event ID 395: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb

Event ID 396: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Scrub_starting_vcn_is_beyond_VDL_FileOffset
I64x_SectorAlignedVdl!#I64x!, SectorAlignedVdl.

Event ID 397: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Scrub_no_more_Mcb_entries_from_StartingVcn

Event ID 398: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Scrub_skipping_UNUSEDLCN_Vcn
I64x_ClusterCount

Event ID 399: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_StartingVcn

Event ID 400: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
I64x_Bytes_StartingVcn

Event ID 401: Scrub found problems Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scrub_found_problems_Scb
I64x_Length2!#I64x! FileOffset.
I64x_Status
S_BytesFailed!#I64x! Status.
I64x_BytesRepaired
I64x_NewParityExtents!#I64x! BytesRepaired.

Event ID 402: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_DsmActionScrub_call_failed_Status

Event ID 403: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_DsmActionScrub_operation_failed_Status

Event ID 404: FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FSCTLREPAIRCOPIES_not_supported_for_Txf_file_ScbFSCTL_REPAIR_COPIES not supported for Txf file, Scb.
p_TxfScb

Event ID 405: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb

Event ID 406: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb

Event ID 407: FSCTL_REPAIR_COPIES interrupted by thread termination.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 408: FSCTL_REPAIR_COPIES canceled

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 409: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_FSCTLREPAIRCOPIES_no_more_Mcb_entries_from_StartingVcn

Event ID 410: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_FSCTLREPAIRCOPIES_No_more_Mcb_entries_unallocated_from_StartingVcn

Event ID 411: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_FSCTLREPAIRCOPIES_skipping_UNUSEDLCN_Vcn
I64x_ClusterCount

Event ID 412: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
I64x_Bytes_FileOffset

Event ID 413: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_DsmActionRepair_call_failed_Status

Event ID 414: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_DsmActionRepair_operation_failed_Status

Event ID 415: Scb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_DsmActionRepair_completed_IrpStatus

Event ID 416: NtfsQueryCachedRuns: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryCachedRuns_Caller_not_having_manage_volume_privilege_ThreadNtfsQueryCachedRuns: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb

Event ID 417: NtfsQueryStorageClasses: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryStorageClasses_Caller_not_having_manage_volume_privilege_ThreadNtfsQueryStorageClasses: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb

Event ID 418: NtfsQueryRegionInfo: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryRegionInfo_Caller_not_having_manage_volume_privilege_ThreadNtfsQueryRegionInfo: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb

Event ID 419: NtfsUnloadFile: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsUnloadFile_Caller_not_having_manage_volume_privilege_ThreadNtfsUnloadFile: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb

Event ID 420: NtfsCheckForSection: File already has image section.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCheckForSection_File_already_has_image_section_ThreadNtfsCheckForSection: File already has image section. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 421: NtfsShuffleFile: User mode caller is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsShuffleFile_User_mode_caller_is_not_allowed_ThreadNtfsShuffleFile: User mode caller is not allowed. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_TypeOfOpen
d_Fcb
S_Irp_RequestorMode7!I64x!, Ccb FullFileName.

Event ID 422: NtfsShuffleFile: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsShuffleFile_Denying_access_due_to_volume_is_locked_ThreadNtfsShuffleFile: Denying access due to volume is locked. Thread.
p_TypeOfOpen
d_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
p_FileRef
I64x_Ccb_FullFileName!I64x!, Ccb FullFileName.

Event ID 423: NtfsShuffleFile: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsShuffleFile_Defrag_is_denied_ThreadNtfsShuffleFile: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 424: NtfsShuffleFile: Denying access due to conflicting with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_ThreadNtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 425: NtfsRearrangeFile: User mode caller is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRearrangeFile_User_mode_caller_is_not_allowed_ThreadNtfsRearrangeFile: User mode caller is not allowed. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
S_Irp_RequestorMode6!I64x!, Ccb FullFileName.

Event ID 426: NtfsRearrangeFile: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRearrangeFile_Denying_access_due_to_volume_is_locked_ThreadNtfsRearrangeFile: Denying access due to volume is locked. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 427: NtfsRearrangeFile: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRearrangeFile_Defrag_is_denied_ThreadNtfsRearrangeFile: Defrag is denied. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 428: NtfsShuffleFile: Denying access due to conflicting with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_ThreadNtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 429: NtfsSparseOverAllocate: Caller does not have appropriate write access.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsSparseOverAllocate_Caller_does_not_have_appropriate_write_access_ThreadNtfsSparseOverAllocate: Caller does not have appropriate write access. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_FileRef
I64x_FullFileName!I64x!, FullFileName.
S_Ccb_access_flags

Event ID 430: NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsInitiateFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_write_ThreadNtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread.
p_TypeOfOpen
d_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb
p_FileRef
I64x_Scb_AttributeTypeCode!I64x!, Scb AttributeTypeCode.
x_FcbState2
x_Ccb_FullFileName
S_Ccb_Access_flags
x_Ccb_Flags2

Event ID 431: NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsQueryFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_read_ThreadNtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread.
p_TypeOfOpen
d_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 432: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_ThreadNtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 433: NtfsEnumOnMountToDeleteWorker(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 434: NtfsEnumOnMountToDeleteWorker(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 435: NtfsEnumMountWorker(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 436: NtfsEnumMountWorker(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 437: NtfsEnumOnMountToDeleteWorker(.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 438: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_ThreadNtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
p_TypeOfOpen
d_Vcb
p_VolumeName
S_VolumeLabel
S_Fcb

Event ID 439: SCB: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
SCB

Event ID 440: FsLibGetBadAddressRanges returned Status: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FsLibGetBadAddressRanges_returned_Status

Event ID 441: FsInputRangeIndex: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FsInputRangeIndex

Event ID 442: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Status
S_AbnormalTermination

Event ID 443: Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Scb
p_Status

Event ID 444: NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsEncryptionKeyCtl_Caller_does_not_have_SETCBPRIVILEGE_ThreadNtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread.
p_Vcb
p_VolumeName
S_VolumeLabel

Event ID 445: Logic error of posting close to work queue.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 446: NtfsFindPrefixHashEntry: {Hash table: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFindPrefixHashEntry_Hash_tableNtfsFindPrefixHashEntry: {Hash table.
p_ParentScb

Event ID 447: NtfsFindPrefixHashEntry: {Lcb: NULL}

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 448: NtfsFindPrefixHashEntry: {Lcb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsFindPrefixHashEntry_LcbNtfsFindPrefixHashEntry: {Lcb.

Event ID 449: NtfsFindPrefixHashEntry: {Lcb not found}

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 450: NtfsInsertHashEntry: {Hash table: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsInsertHashEntry_Hash_tableNtfsInsertHashEntry: {Hash table.
p_HashValue
d_Lcb

Event ID 451: NtfsRemoveHashEntry: {Hash table: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveHashEntry_Hash_tableNtfsRemoveHashEntry: {Hash table.
p_HashValue

Event ID 452: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 453: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 454: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 455: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 456: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 457: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 458: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 459: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 460: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 461: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 462: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 463: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 464: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 465: NtfsCommitCurrentTransaction IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommitCurrentTransaction_IC

Event ID 466: NtfsCommitCurrentTransaction IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommitCurrentTransaction_IC

Event ID 467: NtfsCommitCurrentTransaction (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 468: NtfsCommitCurrentTransaction (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 469: NtfsCommitCurrentTransaction (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5

Event ID 470: NtfsCommitCurrentTransaction (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 471: NtfsCommitCurrentTransaction (.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4

Event ID 472: NtfsCommitCurrentTransaction IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommitCurrentTransaction_IC

Event ID 473: NtfsCommitCurrentTransaction IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsCommitCurrentTransaction_IC

Event ID 474: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
I64x_ClearAll

Event ID 475: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 476: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 477: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 478: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 479: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 480: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
I64x_Flags

Event ID 481: Vcb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Vcb
p_Processing_range_DeallocatedClusters
p_RunIndex
d_StartingLcn
I64x_ClusterCount

Event ID 482: Looking for dangling MDLs

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 483: FsLibGroupSubExtentsByDanglingMdl failed: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FsLibGroupSubExtentsByDanglingMdl_failed

Event ID 484: FsLibAddBaseMcbEntryEx failed: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
FsLibAddBaseMcbEntryEx_failed

Event ID 485: NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAddToMatchingDeallocatedClusters_ExtentsWithoutDanglingMdl__failedNtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.

Event ID 486: NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAddToMatchingDeallocatedClusters_ExtentsWithDanglingMdl__failedNtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.

Event ID 487: No sub extents has dangling MDL

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Event ID 488: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 489: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3

Event ID 490: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 491: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2

Event ID 492: NtfsFreeRecentlyDeallocated: Vcb .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 493: NtfsRemoveNtfsMcbEntry Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveNtfsMcbEntry_Scb
p_Mcb

Event ID 494: NtfsRemoveNtfsMcbEntry Mcb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsRemoveNtfsMcbEntry_Mcb

Event ID 495: NtfsAddNtfsMcbEntry Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAddNtfsMcbEntry_Scb
p_Mcb

Event ID 496: NtfsAddNtfsMcbEntry Mcb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsAddNtfsMcbEntry_Mcb
p_Result

Event ID 497: NtfsUnloadNtfsMcbRange Scb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsUnloadNtfsMcbRange_Scb
p_Mcb

Event ID 498: NtfsUnloadNtfsMcbRange Mcb: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsUnloadNtfsMcbRange_Mcb

Event ID 499: Valid NTFS boot sector.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Valid_NTFS_boot_sector_VcbValid NTFS boot sector. Vcb.
p_BootSector

Event ID 500: Not an NTFS boot sector.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Not_an_NTFS_boot_sector_VcbNot an NTFS boot sector. Vcb.
p_BootSector
p_CheckNumber

Event ID 501: NtfsMountVolume: Vcb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMountVolume_VcbNtfsMountVolume: Vcb.
p_IC

Event ID 502: NtfsMountVolume: IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsMountVolume_ICNtfsMountVolume: IC.
p_Vcb
p_Label
S_DeviceName

Event ID 503: Mounting DAX partition.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
Mounting_DAX_partition_VcbMounting DAX partition. Vcb.

Event ID 504: DAX volume mounted without DAX support because storage is not DAX capable.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
DAX_volume_mounted_without_DAX_support_because_storage_is_not_DAX_capable_VcbDAX volume mounted without DAX support because storage is not DAX capable. Vcb.

Event ID 505: NtfsGrowMftsAttributeListAllocation Vcb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGrowMftsAttributeListAllocation_Vcb
p_IC

Event ID 506: NtfsGrowMftsAttributeListAllocation Vcb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGrowMftsAttributeListAllocation_Vcb
p_IC

Event ID 507: NtfsGrowMftsAttributeListAllocation Vcb:.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsGrowMftsAttributeListAllocation_Vcb
p_IC
p_AttrListScb

Event ID 508: Unexpected exception code of 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 509: Exception code of 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 510: Unexpected exception code of 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 511: LogFileFull .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1
param2
param3
param4
param5
param6
param7
param8
param9
param10
param11
param12
param13
param14
param15
param16
param17
param18
param19
param20
param21

Event ID 512: Unexpected raise of 0x.

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
param1

Event ID 513: NtfsProcessException IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsProcessException_IC

Event ID 514: NtfsProcessException IC: .

#
Provider
Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel
Operational

Fields #

NameDescription
NtfsProcessException_IC