Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc

707 events across 1 channel

Event ID	Title	Channel
10	NtfsLookupRealAllocation: Vcn %1!	Operational
11	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.	Operational
12	FileObject.	Operational
13	NtfsAddAllocation IC.	Operational
14	Purge failed: Scb.	Operational
15	Purge failed: Scb.	Operational
16	NtfsGetLastVcnForNewMappingPairSize IC.	Operational
17	Can't find StdInfo in FileRef %1!	Operational
18	Can't find StdInfo in FileRef %1!	Operational
19	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.	Operational
20	NtfsAddAttributeAllocation.	Operational
21	NtfsAddAttributeAllocation.	Operational
22	NtfsAddAttributeAllocation.	Operational
23	NtfsAddAttributeAllocation.	Operational
24	NtfsAddAttributeAllocation.	Operational
25	NtfsAddAttributeAllocation.	Operational
26	NtfsRestartRemoveAttribute FileRef:0x.	Operational
27	NtfsRestartChangeValue FileRef:0x.	Operational
28	AddToAttributeList.	Operational
29	DeleteFromAttributeList.	Operational
30	MakeRoomForAttribute Moving Mft's attribute IC.	Operational
31	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.	Operational
32	MoveAttributeToOwnRecord IC.	Operational
33	NtfsRestartZeroEndOfFileRecord FileRef:0x.	Operational
34	MergeFRS2.	Operational
35	MergeFRS2.	Operational
36	MergeFRS2.	Operational
37	MergeFRS2.	Operational
38	MergeFRS2.	Operational
39	MergeFRS2.	Operational
40	MergeFRS2.	Operational
41	MergeFRS2.	Operational
42	MergeFRS2.	Operational
43	MergeFRS2.	Operational
44	MergeFRS2.	Operational
45	MergeFRS2.	Operational
46	MergeFRS2.	Operational
47	MergeFRS2.	Operational
48	RedoAttribute.	Operational
49	RedoAttribute.	Operational
50	NtfsConsolidateAllFileRecords: Invalid Vcb.	Operational
51	NtfsConsolidateAllFileRecords: Volume is locked.	Operational
52	NtfsConsolidateAllFileRecords.	Operational
53	NtfsConsolidateAllFileRecords.	Operational
54	NtfsConsolidateAllFileRecords.	Operational
55	NtfsConsolidateAllFileRecords.	Operational
56	NtfsConsolidateAllFileRecords.	Operational
57	NtfsConsolidateAllFileRecords.	Operational
58	NtfsConsolidateAllFileRecords.	Operational
59	NtfsConsolidateAllFileRecords.	Operational
60	NtfsConsolidateAllFileRecords.	Operational
61	NtfsConsolidateAllFileRecords.	Operational
62	NtfsConsolidateAllFileRecords.	Operational
63	NtfsConsolidateAllFileRecords.	Operational
64	NtfsConsolidateAllFileRecords.	Operational
65	NtfsConsolidateAllFileRecords.	Operational
66	UpdateLCS: Vcb %1, IC %2, FRef %3!	Operational
67	NtfsAllocateClustersPriv IC.	Operational
68	NtfsAllocateClustersPriv IC.	Operational
69	NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.	Operational
70	NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.	Operational
71	NtfsAllocateClustersPriv IC.	Operational
72	NtfsAllocateClustersPriv IC.	Operational
73	NtfsDeallocateClusters IC.	Operational
74	NtfsDeallocateClusters: Vcb %1 - deleting FR %2!	Operational
75	NtfsDeallocateClusters IC.	Operational
76	NtfsDeallocateClusters: Vcb %1 - deleting FR %2!	Operational
77	NtfsDeallocateClusters: Vcb %1 - raising logfile full.	Operational
78	NtfsDeallocateClusters: Vcb %1 - adding clusters to DeallocatedClusters: %2 ==> …	Operational
79	NtfsDeallocateClusters: Decremented TotalAllocated by 0x.	Operational
80	NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.	Operational
81	NtfsDeallocateClusters: Vcb %1 - Undoing some changes to …	Operational
82	NtfsDeallocateClusters IC.	Operational
83	NtfsDeallocateClusters IC.	Operational
84	NtfsModifyBitsInBitmap IC.	Operational
85	NtfsModifyBitsInBitmap IC.	Operational
86	NtfsAllocateBitmapRun IC.	Operational
87	NtfsAllocateBitmapRun IC.	Operational
88	NtfsRestartSetBitsInBitMap IC.	Operational
89	NtfsFreeBitmapRun IC.	Operational
90	NtfsFreeBitmapRun IC.	Operational
91	NtfsRestartClearBitsInBitMap IC.	Operational
92	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
93	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
94	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
95	System files not marked as in use in the MFT bitmap.	Operational
96	Length: 0 --> BinIndex : 0 - Unexpected length	Operational
97	Length.	Operational
98	Length.	Operational
99	BinIndex.	Operational
100	BinIndex.	Operational
101	BinGroupShift.	Operational
102	BinIndex.	Operational
103	Searched committed allocations but didnt find enough free space.	Operational
104	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): first bit 0x%2, …	Operational
105	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no leading partial …	Operational
106	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): leading partial …	Operational
107	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no trailing …	Operational
108	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): trailing partial …	Operational
109	NtfsValidateTotalClustersCommitted.	Operational
110	Illegal MDL Complete for major code %1.	Operational
111	Entering: Scb.	Operational
112	RunEntry ==> %1!	Operational
113	Offset is beyond this extent skipping the extent.	Operational
114	Shrinking LengthInExtent.	Operational
115	Zeroing: StartingPhysicalAddr: 0x.	Operational
116	Exiting: ExtentsDescriptorIndex.	Operational
117	Entering: Scb.	Operational
118	Dsm Ranges[.	Operational
119	RemainingClusterCount: 0x.	Operational
120	Dsm: TotalNumberOfRanges.	Operational
121	DsmOut Ranges[.	Operational
122	Zeroing: StartingPhysicalAddr: 0x.	Operational
123	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
124	Entering: Scb.	Operational
125	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
126	IrpContext.	Operational
127	Return.	Operational
128	Unexpected open type received.	Operational
129	Raising STATUS_SUCCESS from NtfsCommonCleanup.	Operational
130	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
131	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
132	Irp.	Operational
133	Irp.	Operational
134	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational
135	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
136	NtfsCommonVolumeOpen: Thread.	Operational
137	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
138	NtfsCommonVolumeOpen: Conlicting file objects.	Operational
139	NtfsHandlePagingFile: Paging file already open, paging files can only be opened …	Operational
140	NtfsHandlePagingFile: Cannot open system file as paging file.	Operational
141	NtfsHandlePagingFile: Persisted paging file already exists.	Operational
142	NtfsOpenFcbById: Invalid system file access.	Operational
143	NtfsOpenExistingPrefixFcb: Can not directly open txf directory.	Operational
144	NtfsOpenExistingPrefixFcb: Invalid system file access.	Operational
145	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …	Operational
146	NtfsOpenFile: Invalid system file access.	Operational
147	NtfsOpenFile: Deny open when txf rm is active.	Operational
148	NtfsCreateNewFile: Deny creation in system directory (except root).	Operational
149	NtfsCreateNewFile: Unable to create Ea for the file.	Operational
150	NtfsCreateNewFile: Unable to create in the $txf directory.	Operational
151	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.	Operational
152	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.	Operational
153	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.	Operational
154	NtfsOpenAttributeInExistingFile: Denying access for volume root directory.	Operational
155	NtfsCreateNewFile: Not allowed to create streams on system files.	Operational
156	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …	Operational
157	NtfsOverwriteAttr: Denying access due to user being Ea blind.	Operational
158	NtfsOverwriteAttr: Deny access due to encryption happening on the stream.	Operational
159	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …	Operational
160	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …	Operational
161	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational
162	NtfsOpenAttributeCheck: File already has user writable references.	Operational
163	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.	Operational
164	NtfsOpenAttributeCheck: File was granted write access but has image section.	Operational
165	NtfsOpenAttribute: Denying write access on disallowed writes.	Operational
166	NtfsOpenAttribute: File already has user writable references.	Operational
167	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
168	NtfsOpenAttribute: File already has user writable references.	Operational
169	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
170	NtfsCheckExistingFile: Desired access conflicts with read-only state.	Operational
171	NtfsOpenExistingEncryptedStream: No encryption driver found.	Operational
172	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …	Operational
173	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …	Operational
174	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational
175	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
176	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
177	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
178	NtfsReCheckShareAccess: Does not meet allow open requirement.	Operational
179	%1:%2 Status: %3 ProcessName: %4.	Operational
180	%1:%2 Status: %3 ProcessName: %4.	Operational
181	%1:%2 Status: %3 ProcessName: %4.	Operational
182	%1:%2 Status: %3 ProcessName: %4.	Operational
183	NtfsSendUnusedClustersHint: Vcb %1 - Will tell storage we are freeing at %2!	Operational
184	NtfsSendUnusedClustersHint: Vcb %1 - Flush requested.	Operational
185	NtfsSendUnusedClustersHint: Vcb %1 - Created new MarkUnusedContext %2, …	Operational
186	NtfsSendUnusedClustersHint: Vcb %1 - Successfully added clusters starting at %2!	Operational
187	NtfsSendUnusedClustersHint: Vcb %1 - MCB %2 is full.	Operational
188	NtfsSendUnusedClustersHint: Vcb %1 - Queuing request to IC pre-trim list, MUC …	Operational
189	NtfsSendUnusedClustersHint: Vcb %1 - Failed to allocate/initial …	Operational
190	NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!	Operational
191	NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!	Operational
192	NtfsMarkUnusedContextPostTrimProcessing: Entering	Operational
193	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - DC %3!	Operational
194	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - Removed interior …	Operational
195	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - Releasing bitmap.	Operational
196	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - CloseCount %2.	Operational
197	NtfsMarkUnusedContextPostTrimProcessing: Leaving	Operational
198	NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1.	Operational
199	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1, IC %2 - Entering.	Operational
200	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Kicked off DelayedWorkQueue.	Operational
201	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Leaving.	Operational
202	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1.	Operational
203	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Small MUC %2 instead of …	Operational
204	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Failed to allocate …	Operational
205	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl …	Operational
206	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - [%3] Offset %4!	Operational
207	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2, Irp %3 - …	Operational
208	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - %3 - failed to …	Operational
209	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Add MUC %2 to post trim …	Operational
210	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Free small MUC %2.	Operational
211	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl …	Operational
212	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving	Operational
213	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - There are waiters for DC %2.	Operational
214	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Waking up waiter for DC %2.	Operational
215	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Done waking up DC %2.	Operational
216	NtfsWaitForDeallocatedClustersToDrain: Vcb %1, All %2 - Entering.	Operational
217	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting to drain.	Operational
218	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting for partial drain.	Operational
219	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.	Operational
220	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Entering.	Operational
221	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Inserted %2.	Operational
222	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.	Operational
223	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1 - Wait for DC %2.	Operational
224	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded …	Operational
225	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded …	Operational
226	NtfsCheckForTrimThrottling: Vcb %1 - hitting trim threshold %2.	Operational
227	NtfsUpdateSmartTrimState: Vcb %1 - Entering.	Operational
228	NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed.	Operational
229	NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed; …	Operational
230	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - Skipping deallocated clusters gen'd …	Operational
231	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - MCB run %3; offs 0x%4!	Operational
232	NtfsUpdateSmartTrimState: Vcb %1 - MUC %2, DSR count %3, MCB count %4, ST free …	Operational
233	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - DSR range %3; offs 0x%4!	Operational
234	NtfsUpdateSmartTrimState: Vcb %1 - MCB lcn %2!	Operational
235	NtfsUpdateSmartTrimState: Vcb %1 - Smart trim state on exit; %2 ranges.	Operational
236	NtfsUpdateSmartTrimState: Vcb %1 - Range %2: FirstTPMapBit 0x%3, LastTPMapBit …	Operational
237	NtfsUpdateSmartTrimState: Vcb %1 - Leaving.	Operational
238	NtfsEvalSmartTrimState: Vcb %1 - Entering.	Operational
239	NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed.	Operational
240	NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredBitmap %2.	Operational
241	NtfsEvalSmartTrimState: Vcb %1 - Checking slab 0x%2 for allocations.	Operational
242	NtfsEvalSmartTrimState: Vcb %1 - Slab 0x%2 has allocations, will not trim.	Operational
243	NtfsEvalSmartTrimState: Vcb %1 - Free slab found - TP map bit 0x%2, lcn %3!	Operational
244	NtfsEvalSmartTrimState: Vcb %1 - Leaving.	Operational
245	NtfsFlushAllTrimHintsSynchronous.	Operational
246	NtfsFlushAllTrimHintsSynchronous.	Operational
247	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.	Operational
248	NtfsVolumeDasdIo: Data section blocking flush.	Operational
249	Could not find paging file run.	Operational
250	Could not find paging file MCB entry.	Operational
251	Could not find paging file run.	Operational
252	Writing to $Bitmap.	Operational
253	NTFS: Posting hotfix on file object.	Operational
254	NTFS: Freeing Bad Vcn.	Operational
255	NTFS: Retiring Bad Lcn.	Operational
256	NTFS: Reallocating Bad Vcn	Operational
257	NTFS: Bad Cluster replaced	Operational
258	IrpContext.	Operational
259	Compression buffers are already big enough.	Operational
260		Operational
261	IrpContext.	Operational
262	Compression buffers are already big enough.	Operational
263		Operational
264	NtfsDefragFileInternal: Defrag is denied.	Operational
265	NtfsDefragFileInternal: Vcb %1 - Calling FRD.	Operational
266	NtfsDefragFileInternal: Vcb %1 - Done calling FRD.	Operational
267	NtfsDefragFileInternal: Defrag is denied.	Operational
268	NtfsDefragFileInternal.	Operational
269	NtfsDefragFileInternal.	Operational
270	NtfsDefragFileInternal.	Operational
271	NtfsDefragFileInternal.	Operational
272	NtfsDefragFileInternal.	Operational
273	NtfsDefragFileInternal.	Operational
274	NtfsDefragFile: Defrag is denied without manage volume access.	Operational
275	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
276	NtfsEncryptDecryptOnline: Vcb %1 - Calling FRD.	Operational
277	NtfsEncryptDecryptOnline: Vcb %1 - Done calling FRD.	Operational
278	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
279	SCB.	Operational
280	StartOff=0x.	Operational
281	NumberOfValidRuns: 0	Operational
282	RemainingClusterCount: 0x.	Operational
283	STATUS_BUFFER_TOO_SMALL from FsLib.	Operational
284	Made an educated guess for remaining runs.	Operational
285	Made a wild guess for remaining runs.	Operational
286	NumberOfValidRuns: 0x.	Operational
287	BasePage: 0x.	Operational
288	About to zero range - ZeroStart: 0x.	Operational
289	Zeroed range - ZeroStart: 0x.	Operational
290	NtfsCommonQueryInformation: File information query not allowed as file was …	Operational
291	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …	Operational
292	NtfsQueryNameInfo: Name info query not allowed as file was opened without …	Operational
293	NtfsQueryLinksInfo: Link info query not allowed as file was opened without …	Operational
294	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.	Operational
295	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.	Operational
296	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
297	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
298	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …	Operational
299	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
300	NtfsSetRenameInfo: Can not rename a file marked for deletion.	Operational
301	NtfsSetRenameInfo: Can not rename a txf directory.	Operational
302	NtfsSetRenameInfo: Can not rename into a system directory.	Operational
303	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.	Operational
304	NtfsSetRenameInfo: The file should not have in-memory directory descendents.	Operational
305	NtfsSetRenameInfo: Child Scb mismatch.	Operational
306	NtfsSetLinkInfo: Set link info is not allowed on txf directory.	Operational
307	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.	Operational
308	NtfsSetLinkInfo: Set link info failed due to caller not having …	Operational
309	NtfsSetLinkInfo: Creating a link in system directory is not allowed.	Operational
310	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.	Operational
311	NtfsSetShortNameInfo: Can not set a short name on a deleted file.	Operational
312	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …	Operational
313	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …	Operational
314	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.	Operational
315	NtfsStreamRename: Deny access due to encryption happening on source stream.	Operational
316	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.	Operational
317	NtfsFlushVolumeFlushSingleFcb: Thread.	Operational
318	NtfsFlushVolumeFlushSingleFcb: Thread.	Operational
319	NtfsFlushVolume: Thread.	Operational
320	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.	Operational
321	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.	Operational
322	NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into completion queue.	Operational
323	NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into WorkQueue - Flink %3.	Operational
324	NtfsDiskFlushContextWorkItemProcessing: Process work item	Operational
325	NtfsDiskFlushContextWorkItemProcessing: Nothing to work on	Operational
326	Irp.	Operational
327	NtfsLockVolumeInternal: Cannot lock the volume.	Operational
328	NtfsLockVolumeInternal: Volume is already locked.	Operational
329	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
330	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
331	NtfsLockVolumeInternal: Outstanding user files open after flush and retry.	Operational
332	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …	Operational
333	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.	Operational
334	%1: Setting RM at 0x%2 ({%3}) up for auto-restart.	Operational
335	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …	Operational
336	NtfsDismountVolume: IC.	Operational
337	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
338	NtfsDismountVolume: Cannot dismount volume due to volume being locked.	Operational
339	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
340	NtfsDismountVolume: Could not flush trim hints.	Operational
341	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …	Operational
342	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …	Operational
343	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …	Operational
344	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …	Operational
345	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
346	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
347	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …	Operational
348	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …	Operational
349	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …	Operational
350	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …	Operational
351	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …	Operational
352	NtfsSetSparse: Caller does not have appropriate write access to the stream.	Operational
353	NtfsSetSparse: Cannot desparse encrypted file without write data access.	Operational
354	NtfsZeroRange: User mode caller not allowed.	Operational
355	IC.	Operational
356	IC.	Operational
357	NtfsReadRawEncrypted: Caller does not have backup access or read data access.	Operational
358	NtfsWriteRawEncrypted: Caller does not have write data access or restore access.	Operational
359	NtfsWriteRawEncrypted: Caller not having manage volume privilege.	Operational
360	NtfsLookupStreamFromCluster: Caller not having manage volume privilege.	Operational
361	NtfsChangeVolumeSize: Caller not having manage volume privilege.	Operational
362	NtfsChangeVolumeSize.	Operational
363	NtfsChangeVolumeSize.	Operational
364	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …	Operational
365	NtfsMarkHandle: Caller not having manage volume privilege.	Operational
366	NtfsMarkHandle: Cannot deny defrag.	Operational
367	NtfsMarkHandle: Cannot deny Frs consolidation.	Operational
368	NtfsMarkHandle: Cannot filter metadata.	Operational
369	NtfsMarkHandle: Mark handle is not allowed on system files.	Operational
370	NtfsMarkHandle: File already has user writable references.	Operational
371	NtfsMarkHandle: File was granted write access previously but no oplocks were …	Operational
372	NtfsPrefetchFile: Caller not having manage volume privilege.	Operational
373	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.	Operational
374	NtfsSetShortNameBehavior: Caller not having manage volume privilege.	Operational
375	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational
376	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
377	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
378	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.	Operational
379	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
380	Resetting Volsnap behavior for VCB = 0x.	Operational
381	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
382	NtfsCorruptionHandling: Caller not having manage volume privilege.	Operational
383	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.	Operational
384	Scrub resume from SystemScbIndex.	Operational
385	Scb.	Operational
386	Scrub SystemScbIndex.	Operational
387	NtfsScrubData: Caller not having manage volume privilege.	Operational
388	Scrub not supported for Txf file, Scb.	Operational
389	Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.	Operational
390	Scb.	Operational
391	Scb.	Operational
392	InternalFileReference.	Operational
393	InternalFileReference.	Operational
394	Scb.	Operational
395	Scb.	Operational
396	Scb.	Operational
397	Scb.	Operational
398	Scb.	Operational
399	Scb.	Operational
400	Scb.	Operational
401	Scb.	Operational
402	Scb.	Operational
403	Scrub found problems Scb.	Operational
404	Scb.	Operational
405	Scb.	Operational
406	FSCTL_REPAIR_COPIES not supported for Txf file, Scb.	Operational
407	Scb.	Operational
408	Scb.	Operational
409	FSCTL_REPAIR_COPIES interrupted by thread termination.	Operational
410	FSCTL_REPAIR_COPIES canceled	Operational
411	Scb.	Operational
412	Scb.	Operational
413	Scb.	Operational
414	Scb.	Operational
415	Scb.	Operational
416	Scb.	Operational
417	Scb.	Operational
418	NtfsQueryCachedRuns: Caller not having manage volume privilege.	Operational
419	NtfsQueryStorageClasses: Caller not having manage volume privilege.	Operational
420	NtfsQueryRegionInfo: Caller not having manage volume privilege.	Operational
421	NtfsUnloadFile: Caller not having manage volume privilege.	Operational
422	NtfsCheckForSection: File already has image section.	Operational
423	NtfsShuffleFile: User mode caller is not allowed.	Operational
424	NtfsShuffleFile: Denying access due to volume is locked.	Operational
425	NtfsShuffleFile: Defrag is denied.	Operational
426	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
427	NtfsRearrangeFile: User mode caller is not allowed.	Operational
428	NtfsRearrangeFile: Denying access due to volume is locked.	Operational
429	NtfsRearrangeFile: Defrag is denied.	Operational
430	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
431	NtfsSparseOverAllocate: Caller does not have appropriate write access.	Operational
432	NtfsInitiateFileMetadataOptimization: Only allowed on regular user …	Operational
433	NtfsQueryFileMetadataOptimization: Only allowed on regular user …	Operational
434	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
435	NtfsEnumOnMountToDeleteWorker.	Operational
436	NtfsEnumOnMountToDeleteWorker.	Operational
437	NtfsEnumMountWorker.	Operational
438	NtfsEnumMountWorker.	Operational
439	NtfsEnumOnMountToDeleteWorker.	Operational
440	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
441	SCB.	Operational
442	FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2.	Operational
443	FsInputRangeIndex.	Operational
444	Scb.	Operational
445	Scb.	Operational
446	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.	Operational
447	Logic error of posting close to work queue.	Operational
448	NtfsFindPrefixHashEntry: {Hash table.	Operational
449	NtfsFindPrefixHashEntry: {Lcb: NULL}	Operational
450	NtfsFindPrefixHashEntry: {Lcb.	Operational
451	NtfsFindPrefixHashEntry: {Lcb not found}	Operational
452	NtfsInsertHashEntry: {Hash table.	Operational
453	NtfsRemoveHashEntry: {Hash table.	Operational
454	Vcb %1.	Operational
455	Vcb %1.	Operational
456	Vcb %1.	Operational
457	Vcb %1.	Operational
458	Vcb %1.	Operational
459	Vcb %1.	Operational
460	Vcb %1.	Operational
461	Vcb %1.	Operational
462	Vcb %1.	Operational
463	Vcb %1.	Operational
464	Vcb %1.	Operational
465	NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.	Operational
466	Vcb %1.	Operational
467	Vcb %1.	Operational
468	NtfsCommitCurrentTransaction IC.	Operational
469	NtfsCommitCurrentTransaction IC.	Operational
470	NtfsCommitCurrentTransaction.	Operational
471	NtfsCommitCurrentTransaction.	Operational
472	NtfsCommitCurrentTransaction.	Operational
473	NtfsCommitCurrentTransaction.	Operational
474	NtfsCommitCurrentTransaction.	Operational
475	NtfsCommitCurrentTransaction IC.	Operational
476	NtfsCommitCurrentTransaction IC.	Operational
477	NtfsFreeRecentlyDeallocated: Vcb %1 - Entering - ActiveLsn: %2!	Operational
478	NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.	Operational
479	NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.	Operational
480	NtfsFreeRecentlyDeallocated: Vcb %1 - Found frozen deallocated clusters with %2!	Operational
481	NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.	Operational
482	NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.	Operational
483	NtfsFreeRecentlyDeallocated: Vcb %1 - Found a deallocated clusters %2 with %3!	Operational
484	Vcb.	Operational
485	Looking for dangling MDLs	Operational
486	FsLibGroupSubExtentsByDanglingMdl failed.	Operational
487	FsLibAddBaseMcbEntryEx failed.	Operational
488	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.	Operational
489	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.	Operational
490	No sub extents has dangling MDL	Operational
491	NtfsFreeRecentlyDeallocated: Vcb %1 - Telling volsnap freeing at %2!	Operational
492	NtfsFreeRecentlyDeallocated: Vcb %1 - Volsnap responsed with freeing at %2!	Operational
493	NtfsFreeRecentlyDeallocated: Vcb %1 - Got error 0x%2 from below.	Operational
494	NtfsFreeRecentlyDeallocated: Vcb %1 - Deleting MarkUnusedContext %2.	Operational
495	NtfsFreeRecentlyDeallocated: Vcb %1 - Leaving.	Operational
496	NtfsRemoveNtfsMcbEntry Scb.	Operational
497	NtfsRemoveNtfsMcbEntry Mcb.	Operational
498	NtfsAddNtfsMcbEntry Scb.	Operational
499	NtfsAddNtfsMcbEntry Mcb.	Operational
500	NtfsUnloadNtfsMcbRange Scb.	Operational
501	NtfsUnloadNtfsMcbRange Mcb.	Operational
502	Valid NTFS boot sector.	Operational
503	Not an NTFS boot sector.	Operational
504	NtfsMountVolume: Vcb.	Operational
505	NtfsMountVolume: IC.	Operational
506	Mounting DAX partition.	Operational
507	DAX volume mounted without DAX support because storage is not DAX capable.	Operational
508	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
509	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
510	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
511	Unexpected exception code of 0x.	Operational
512	Exception code of 0x.	Operational
513	Unexpected exception code of 0x.	Operational
514	LogFileFull %1 BackTrace: ln %2; ln %3; ln %4; ln %5; ln %6; ln %7; ln %8; ln …	Operational
515	Unexpected raise of 0x.	Operational
516	NtfsProcessException IC.	Operational
517	NtfsProcessException IC.	Operational
518	Failed to abort - IrpContext %1, Irp %2, Vcb %3, Count %4, Status %5.	Operational
519	Failed to abort - IrpContext %1, Irp %2, Vcb %3, Scb %4, FileRef %5!	Operational
520	Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.	Operational
521	Setting 0x.	Operational
522	[.	Operational
523	[.	Operational
524	Can't handle invalid bitmap in a positive way.	Operational
525	NTFS ETW tracing is now active.	Operational
526	Updating NtfsMinTrimTotalSize to %1.	Operational
527	Updating NtfsMaxTrimTotalSize to %1.	Operational
528	NtfsSetObjectId: Caller does not have restore access.	Operational
529	NtfsSetObjectIdExtendedInfo: Caller does not have write access.	Operational
530	NtfsDeleteObjectId: Caller does not have write access.	Operational
531	%1: Setting RM at 0x%2 ({%3}) up for auto-restart.	Operational
532	NtfsFsQuotaSetInfo: Denying access due to administrator limit.	Operational
533	NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not …	Operational
534	Unexpected Paging-Read on DAX mappable stream, Scb=.	Operational
535	NtfsSetReparsePoint: Caller does not have write access.	Operational
536	NtfsSetReparsePointEx: Caller does not have write access.	Operational
537	NtfsDeleteReparsePoint: Caller does not have write access.	Operational
538	NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling …	Operational
539	NtfsReleaseVcbCheckDelete - deleted Vcb.	Operational
540	NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb.	Operational
541	NtfsAbortTransaction IC.	Operational
542	NtfsAbortTransaction IC.	Operational
543	DoAction::InitializeFRS IC.	Operational
544	DoAction::DeallocateFRS IC.	Operational
545	DoAction::WriteEndOfFRS IC.	Operational
546	DoAction::CreateAttribute IC.	Operational
547	NtfsRestartChangeValue IC.	Operational
548	DoAction::SetNewAttributeSizes IC.	Operational
549	DoAction(SetBitsInNonresidentBitMap) IC.	Operational
550	DoAction(ClearBitsInNonresidentBitMap) IC.	Operational
551	NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.	Operational
552	NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.	Operational
553	NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.	Operational
554	NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to …	Operational
555	NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.	Operational
556	NtfsCheckFileForDelete: Denying access due to superseding view indexes are not …	Operational
557	NtfsCheckFileForDelete: Denying access due to non-posix delete of target …	Operational
558	NtfsCheckFileForDelete: Denying access due to file is not deleteable.	Operational
559	NtfsCheckFileForDelete: Denying access due to target file is read only.	Operational
560	NtfsCheckFileForDelete: Caller does not have write attributes access …	Operational
561	NtfsCheckFileForDelete: Denying access due to failing to remove image section.	Operational
562	NtfsGlobalSdUpdate: Caller does not have manage volume privilege.	Operational
563	NtfsRepairItem: Denying access due to volume is locked.	Operational
564	NtfsSetRepairState: Caller does not have manage volume privilege.	Operational
565	NtfsInitiateRepair: Caller does not have manage volume privilege.	Operational
566	NTFS ETW tracing is shutting down.	Operational
567	NtfsDefineStorageReserve: Caller does not have manage volume privilege.	Operational
568	NtfsDeleteStorageReserve: Caller does not have manage volume privilege.	Operational
569	NtfsRepairStorageReserve: Caller does not have manage volume privilege.	Operational
570	NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a …	Operational
571	NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.	Operational
572	NtfsChangeStorageReserveId: Caller does not have manage volume privilege.	Operational
573	NtfsChangeStorageReserveId: Caller does not have manage volume privilege to …	Operational
574	Failed to get a non-volatile token for Vcb.	Operational
575	Failed to free non-volatile token for Vcb.	Operational
576	NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb.	Operational
577	NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters.	Operational
578	ClustersLinkAsHead.	Operational
579	Clusters.	Operational
580	Matching cluster.	Operational
581	Clusters.	Operational
582	Allocated new deallocated clusters	Operational
583	Need to add Range.	Operational
584	Added range.	Operational
585	TxfCheckForLockConflict: File locked for modify transaction.	Operational
586	TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans …	Operational
587	TxfCheckForLockConflict: Modification access desired.	Operational
588	TxfCheckForLockConflict: File has user handle opened on one of the versions or …	Operational
589	%1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.	Operational
590	%1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.	Operational
591	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
592	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
593	%1: RM at 0x%2 {%3}: Unexpected exception code of 0x%4 received.	Operational
594	%1: TxfStartRm reports RM will be reset: RM metadata corrupt.	Operational
595	%1: TxfStartRm reports RM will be reset: TM could not be initialized.	Operational
596	%1: TxfStartRm reports RM will be reset: RM log corrupt.	Operational
597	%1: TxfStartRm reports RM will be reset: log version changed.	Operational
598	%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.	Operational
599	%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.	Operational
600	%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.	Operational
601	%1: TxfStartRm reports RM will be reset: 0x%2.	Operational
602	%1: RM did not start and WILL NOT be reset, status code is 0x%2!	Operational
603	%1: Could not initialize IrpContext: 0x%2.	Operational
604	TxfInitializeVolume: Denying access due to Txf start is not allowed (possible …	Operational
605	%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2 for default RM on VCB at 0x%3.	Operational
606	%1: Exception code 0x%2, Status 0x%3 for default RM on VCB at 0x%4.	Operational
607	%1: Couldn't reset default RM on VCB at 0x%2 after %3 tries: 0x%4.	Operational
608	%1: Exception 0x%2 raised from TxfConvertRmStartFailureStatusCode for default RM …	Operational
609	%1: %2 auto-restart of RM at 0x%3 ({%4}): 0x%5.	Operational
610	%1: Attempting auto-restart of RM at 0x%2 ({%3}).	Operational
611	%1: Volume too small to start RM at 0x%2 ({%3}).	Operational
612	%1: Corrupt RM at 0x%2 {%3}: invalid flags in $Tops.	Operational
613	TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …	Operational
614	%1: Raising to reset RM at 0x%2 ({%3}): Explicit reset requested.	Operational
615	TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …	Operational
616	%1: Corrupt RM at 0x%2 {%3}: no TXF_DATA in root.	Operational
617	%1: RM at 0x%2 {%3}: Different nesting levels of 0x%4 and 0x%5.	Operational
618	%1: Corrupt RM at 0x%2 {%3}: restart area already exists.	Operational
619	%1: Corrupt RM at 0x%2 {%3}: restart area already exists.	Operational
620	%1: Corrupt RM at 0x%2 {%3}: RmID in restart area does not match {%4}.	Operational
621	%1: Got %2 from ClfsGetLogFileInformation for RM at 0x%3 {%4}.	Operational
622	%1: Corrupt RM at 0x%2 {%3}: Restart LSN is before beginning of log.	Operational
623	%1: Corrupt RM at 0x%2 {%3}: MinRollforwardEndLsn is beyond end of log.	Operational
624	%1: TxF RM at 0x%2 {%3} started successfully.	Operational
625	%1: TxF RM at 0x%2 {%3} failed to start with Status 0x%4 %5.	Operational
626	%1: Shutting down %2 RM at 0x%3 {%4}.	Operational
627	%1: Setting RM at 0x%2 {%3} up for auto-restart.	Operational
628	TxfFlushAndInvalidateExistingStructures: File has open user handles.	Operational
629	(%1:%2) - TXF_HARD_ERROR on RM at 0x%3 ({%4}): %5).	Operational
630	%1: Renamed RM at 0x%2 from {%3} to {%4}.	Operational
631	%1: RM at 0x%2 {%3}, rolling back Tx at 0x%4 {%5}, Status was 0x%6.	Operational
632	%1: Renamed RM at 0x%2 from {%3} to {%4}.	Operational
633	TxfFsctlStartRm: Denying access due starting default RM is not allowed.	Operational
634	TxfFsctlWriteBackupInformation: Denying access due RM is active.	Operational
635	%1: Corrupt RM at 0x%2 {%3}: Found too high of a TxF ID in log.	Operational
636	%1: Error Setting Delete Disposition: 0x%2 FileObject: 0x%3.	Operational
637	%1: Corrupt RM at 0x%2 {%3}: Got a RECOVER notification for a transaction that …	Operational
638	TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a …	Operational
639	TxfSetupTransactionContextFromCcb: Invalid TxF structure.	Operational
640	TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a …	Operational
641	%1: RM at 0x%2 {%3} raising 0x%4 to KTM!	Operational
642	%1: Commit (0x%2) of%3tx {%4} on RM at 0x%5 {%6} failed with 0x%7.	Operational
643	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify commit).	Operational
644	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify rollback).	Operational
645	%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2 {%3}: 0x%4.	Operational
646	%1: RM at 0x%2 {%3} trying to abort transaction at 0x%4 {%5}.	Operational
647	%1: Aborting call stack: 0x%2 0x%3 0x%4 0x%5 0x%6.	Operational
648	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
649	%1: 0x%2 initializing IrpContext for tx at %3 {%4}, RM at %5 {%6}.	Operational
650	%1: 0x%2 writing log record for RM at 0x%3 {%4}, Tx at 0x%5 {%6}.	Operational
651	%1: About to force aborts on RM at 0x%2 {%3}.	Operational
652	%1: BaseLsn is greater than TargetLsn on RM at 0x%2 {%3}.	Operational
653	%1: No transactions remain on RM at 0x%2 {%3}.	Operational
654	%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2 {%3}.	Operational
655	%1: RM at 0x%2 {%3} surprise-aborting transaction at 0x%4 {%5}.	Operational
656	%1: RM at 0x%2 {%3} got 0x%4 from TxfTryAbortTransaction on Tx 0x%5 {%6}.	Operational
657	%1: Inactive RM at 0x%2 {%3}.	Operational
658	%1: Log is pinned on RM at 0x%2 {%3}.	Operational
659	%1: RM at 0x%2 {%3}, rolling back KTM Tx at 0x%4 {%5}, Status was 0x%6.	Operational
660	%1: Log pinned trying to advance RestartLsn on RM at 0x%2 {%3}.	Operational
661	%1: Log pinned by doomed transaction on RM at 0x%2 {%3}.	Operational
662	%1: Reporting 0x%2 to CLFS from RM at 0x%3 {%4}: 0x%5.	Operational
663	%1: Done forcing aborts on RM at 0x%2 {%3}.	Operational
664	%1: Corrupt RM at 0x%2 {%3}: $Txf directory is missing in pre-existing RM.	Operational
665	%1: Corrupt RM at 0x%2 {%3}: Found $Txf without …	Operational
666	%1: Corrupt RM at 0x%2 {%3}: Found non-empty $Txf but there is no log.	Operational
667	%1: Corrupt RM at 0x%2 {%3}: Couldn't find $INDEX_ROOT on $Txf.	Operational
668	%1: Corrupt RM at 0x%2 {%3}: Couldn't find TXF_DATA_ATTR on $Txf.	Operational
669	%1: Corrupt RM at 0x%2 {%3}: Found TXF_DATA_ATTR for normal file on $Txf.	Operational
670	%1: Corrupt RM at 0x%2 {%3}: Expected a secondary RM here.	Operational
671	%1: Corrupt RM at 0x%2 {%3}: $Tops is missing but $Txf is non-empty.	Operational
672	%1: Corrupt RM at 0x%2 {%3}: $Tops is missing but there is already a log.	Operational
673	%1: Corrupt RM at 0x%2 {%3}: $Tops is %4.	Operational
674	%1: Corrupt RM at 0x%2 {%3}: Missing $STANDARD_INFORMATION.	Operational
675	%1: Corrupt RM at 0x%2 {%3}: Couldn't find file attributes.	Operational
676	%1: Corrupt RM at 0x%2 {%3}: $Tops is corrupt.	Operational
677	%1: Corrupt RM at 0x%2 {%3}: Could not find unnamed data stream.	Operational
678	%1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong version or records …	Operational
679	%1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong size.	Operational
680	%1: Corrupt RM at 0x%2 {%3}: Non-NULL RM ID found in $Tops and there is no log.	Operational
681	%1: Corrupt RM at 0x%2 {%3}: Epoch in $Tops metadata doesn't match RM.	Operational
682	%1: Corrupt RM at 0x%2 {%3}: Couldn't find $T stream.	Operational
683	NtfsReadUsnJournal: Caller does not have manage volume privilege.	Operational
684	TrimUsnJournal.	Operational
685	TrimUsnJournal.	Operational
686	TrimUsnJournal.	Operational
687	TrimUsnJournal.	Operational
688	TrimUsnJournal.	Operational
689	TrimUsnJournal.	Operational
690	NtfsQueryUsnJournal: Denying access due to NULL Ccb.	Operational
691	NtfsDeleteUsnJournal: Caller does not have manage volume access.	Operational
692	NtfsRestartUsnJournal: Caller does not have manage volume privilege.	Operational
693	NtOfsCreateAttributeEx: Stream already has a open user handle.	Operational
694	OfsSetLength.	Operational
695	OfsSetLength.	Operational
696	OfsSetLength.	Operational
697	OfsSetLength.	Operational
698	NtOfsPostNewLength.	Operational
699	NtfsIsRegionDangling: RemainingClusterCount: 0x.	Operational
700	Vcb %1 - has no active PFNs.	Operational
701	Vcb %1 - failed to query active PFNs assuming there are some.	Operational
702	Vcb %1 - has active PFNs.	Operational
703	NtfsPerformDismountOnVcb: Vcb %1.	Operational
704	NtfsPerformDismountOnVcb: Vcb %1 - Found frozen deallocated clusters.	Operational
705	NtfsPerformDismountOnVcb: Vcb %1 - Wait for any on going trim to finish.	Operational
706	NtfsPerformDismountOnVcb: Vcb %1 - No more on going trim.	Operational
707	NtfsPerformDismountOnVcb: IC.	Operational
708	NtfsPostVcbIsCorrupt.	Operational
709	NtfsPostVcbIsCorrupt: Marking volume dirty.	Operational
710	NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …	Operational
711	NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …	Operational
712	Succeeding log write @ 0x.	Operational
713	Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=.	Operational
714	NtfsCommonWrite: Writing beyond highest writable sector on active volume is not …	Operational
715	Ignoring write to 0x.	Operational
716	Truncating write from 0x.	Operational

Event ID 10 — NtfsLookupRealAllocation: Vcn %1!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLookupRealAllocation: Vcn %1!I64x!, LowestVcn %2!I64x!, HighestVcn %3!I64x!, AllocationClusters %4!I64x!

Fields

Name	Description
`A10_Vcn`	—
`A11_Attribute->Form.Nonresident.LowestVcn`	—
`A12_Attribute->Form.Nonresident.HighestVcn`	—
`A13_AllocationClusters`	—

Event ID 11 — NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:%1!p!, Scb:%2!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—

Event ID 12 — FileObject.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FileObject: %1!p!, Scb: %2!p!, StaringVcn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!, CcbForWriteExtend: %6!p!

Fields

Name	Description
`A10_FileObject`	—
`A11_Scb`	—
`A12_StartingVcn`	—
`A13_ClusterCount`	—
`A14_Flags`	—
`A15_CcbForWriteExtend`	—

Event ID 13 — NtfsAddAllocation IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAllocation IC:%1!p!, FileObject:%2!p!, Scb:%3!p!, StaringVcn:%4!I64x!, ClusterCount:%5!I64x!, Flags:%6!08x!, CcbForWriteExtend:%7!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileObject`	—
`A12_Scb`	—
`A13_StartingVcn`	—
`A14_ClusterCount`	—
`A15_Flags`	—
`A16_CcbForWriteExtend`	—

Event ID 14 — Purge failed: Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—

Event ID 15 — Purge failed: Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!, PurgeChunkLength: 0x%3!x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—
`A12_PurgeChunkLength`	—

Event ID 16 — NtfsGetLastVcnForNewMappingPairSize IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetLastVcnForNewMappingPairSize IC:%1!p!, Using LastVcn:%2!4I64x!, InstanceId:%3!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_*LastVcn`	—
`A12_Attribute->Instance`	—

Event ID 17 — Can't find StdInfo in FileRef %1!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Can't find StdInfo in FileRef %1!I64x!

Fields

Name	Description
`A10_NtfsFullFileRefNumber( _Fcb->FileReference )`	—

Event ID 18 — Can't find StdInfo in FileRef %1!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Can't find StdInfo in FileRef %1!I64x!

Fields

Name	Description
`A10_NtfsFullFileRefNumber( _Fcb->FileReference )`	—

Event ID 19 — NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:%1!p!ValueLength:%2!x!, AttrFlags=%3!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ValueLength`	—
`A12_AttributeFlags`	—

Event ID 20 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LastVcn %5!I64x!, NewHighestVcn %6!I64x!, PassCount %7!x! - step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_LastVcn`	—
`A15_NewHighestVcn`	—
`A16_PassCount`	—

Event ID 21 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - try to merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn`	—
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn`	—
`A16_Context->AttributeList.Entry->LowestVcn`	—

Event ID 22 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn`	—
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn`	—
`A16_Context->AttributeList.Entry->LowestVcn`	—

Event ID 23 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x!, PassCount %8!x! - before last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn`	—
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn`	—
`A16_Context->AttributeList.Entry->LowestVcn`	—
`A17_PassCount`	—

Event ID 24 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn`	—
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn`	—
`A16_Context->AttributeList.Entry->LowestVcn`	—

Event ID 25 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, MergeSkipCt %5!x! - done

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NtfsFrsConsolidationStatistics.MergeSkipCount`	—

Event ID 26 — NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartRemoveAttribute FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields

Name	Description
`A10_FileRecord->SegmentNumberHighPart`	—
`A11_FileRecord->SegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A13_Attribute->TypeCode`	—

Event ID 27 — NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartChangeValue FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields

Name	Description
`A10_FileRecord->SegmentNumberHighPart`	—
`A11_FileRecord->SegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A13_Attribute->TypeCode`	—

Event ID 28 — AddToAttributeList.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

AddToAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_Fcb->Vcb`	—
`A11_IrpContext`	—
`A12_*(PULONGLONG)_Fcb->FileReference`	—
`A13_StdInfoAttrListEntry->Signature`	—
`A14_StdInfoAttrListEntry->LastCompactedSize`	—
`A15_CurrentAttributeListSize`	—

Event ID 29 — DeleteFromAttributeList.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DeleteFromAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_Fcb->Vcb`	—
`A11_IrpContext`	—
`A12_*(PULONGLONG)_Fcb->FileReference`	—
`A13_StdInfoAttrListEntry->Signature`	—
`A14_StdInfoAttrListEntry->LastCompactedSize`	—
`A15_NewStdInfoAttrListEntry.LastCompactedSize`	—

Event ID 30 — MakeRoomForAttribute Moving Mft's attribute IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MakeRoomForAttribute Moving Mft's attribute IC:%1!p!, Moving Attrib %2!x!/%3!x!, Type=%4!x!, RecLengh=%5!x!, Instance:%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_i`	—
`A12_MAX_MOVEABLE_ATTRIBUTES`	—
`A13_Attribute->TypeCode`	—
`A14_Attribute->RecordLength`	—
`A15_Attribute->Instance`	—

Event ID 31 — MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:%1!p!, SizeNeeded:%2!x!, TypeCode:%3!x!, RecLen:%4!x!, Form:%5!x!, Instance:%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—
`A12_Attribute->TypeCode`	—
`A13_Attribute->RecordLength`	—
`A14_Attribute->FormCode`	—
`A15_Attribute->Instance`	—

Event ID 32 — MoveAttributeToOwnRecord IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MoveAttributeToOwnRecord IC:%1!p!, SizeNeeded:%2!x!, Bytes2Free:%3!x!, OldMappingSize:%4!x!, NewMappingSize:%5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—
`A12_BytesToFree`	—
`A13_MappingPairSize`	—
`A14_NewMappingPairSize`	—

Event ID 33 — NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartZeroEndOfFileRecord FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Start:0x%4!x!, Len:0x%5!x!

Fields

Name	Description
`A10_FileRecord->SegmentNumberHighPart`	—
`A11_FileRecord->SegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A13_StartZero`	—
`A14_ZeroLength`	—

Event ID 34 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, LowVcn %7!I64x!, HalfWayVcn %8!I64x!, FinalVcn %9!I64x!, PackedMode %10!x!, TryPrior %11!x! - about to merge

Event ID 35 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - all fit in one so get rid of the second one

Event ID 36 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Event ID 37 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x! - initial RangePtr query

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewFinalVcn`	—

Event ID 38 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - secondary RangePtr query

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 39 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - calling lookup runs range

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 40 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - current McbArray

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArray->StartingVcn`	—
`A16_NtfsMcbArray->EndingVcn`	—

Event ID 41 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - previous McbArray

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArray->StartingVcn`	—
`A16_NtfsMcbArray->EndingVcn`	—

Event ID 42 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - prev prev McbArray

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArray->StartingVcn`	—
`A16_NtfsMcbArray->EndingVcn`	—

Event ID 43 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - next McbArray

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArray->StartingVcn`	—
`A16_NtfsMcbArray->EndingVcn`	—

Event ID 44 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewFinalVcnInMcb %5!I64x! > NewFinalVcn %6!I64x! - NewFinalVcn is smaller

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewFinalVcnInMcb`	—
`A15_NewFinalVcn`	—

Event ID 45 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewStartVcn %5!I64x!, LastVcn %6!I64x!, NewFinalVcn %7!I64x!, NewFinalVcnInMcb %8!I64x!, #Ranges %9!x!, DeletedNextAttribute %10!x!, Mcb1(%11!x!,%12!x!), Mcb2(%13!x!,%14!x!), McbArraySizeInUseChange %15!d! - final vcn in mcb

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewStartVcn`	—
`A15_LastVcn`	—
`A16_NewFinalVcn`	—
`A17_NewFinalVcnInMcb`	—
`A18_NumberOfRanges`	—
`A19_DeletedNextAttribute`	—
`A20_Mcb1StartWithNewStartVcn`	—
`A21_Mcb1HoldNewStartVcn`	—
`A22_Mcb2StartWithNewStartVcn`	—
`A23_Mcb2HoldNewStartVcn`	—
`A24_McbArraySizeInUseChange`	—

Event ID 46 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range1

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_NewStartVcn`	—
`A15_DeletedNextAttribute ? NewFinalVcnInMcb : (LastVcn-1)`	—

Event ID 47 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range2

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A14_LastVcn`	—
`A15_NewFinalVcnInMcb`	—

Event ID 48 — RedoAttribute.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, FileRef %7!I64x!, OldLowVcn %8!I64x!, NewLowVcn %9!I64x!, Instance %10!x! - updating LowestVcn in attribute list entry

Event ID 49 — RedoAttribute.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, OldLowVcn %7!I64x!, NewLowVcn %8!I64x!, OldHighVcn %9!I64x!, NewHighVcn %10!I64x!, ChildRef %11!x!0000%12!08x! - done

Event ID 50 — NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: %1!p!.

Fields

Name	Description
`A10_PsGetCurrentThread()`	—

Event ID 51 — NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume Id: %5!S!, Vcb State: 0x%6!08x!.

Event ID 52 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, FirstRequest %5!x! - opened fcb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—
`A14_AllFlags.FirstRequest`	—

Event ID 53 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - already in progress so get out

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—

Event ID 54 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - set in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—

Event ID 55 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RstrTypeCode %5!x!, RstrAttrName %6!S!, RstrVcn %7!I64x!, RstrAttrListEntryOffset %8!x!, AttrListEntryOffset %9!x!, AttrListLength %10!I64x!, AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Event ID 56 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 1

Event ID 57 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 2

Event ID 58 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, Scb %5!p! - completed this Scb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—
`A14_Scb`	—

Event ID 59 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - going into finally

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—

Event ID 60 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): FileRef %3!I64x!, Status %4!x! - Abnormal Termination

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_*(PULONGLONG)_FrsConsolidationContext->FileReference`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 61 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - decremented close counts

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—

Event ID 62 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - clearing in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_*(PULONGLONG)_Fcb->FileReference`	—

Event ID 63 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, ExceptionStatus %5!x!- released

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_ExceptionStatus`	—

Event ID 64 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RemovedFcb %5!x!, AllFlags.FcbAcquired %6!x!, TransId %7!x! - no release

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_RemovedFcb`	—
`A15_AllFlags.FcbAcquired`	—
`A16_IrpContext->TransactionId`	—

Event ID 65 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): DeltaTime %3!I64d! (ms), TotalTime %4!I64d! (ms)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_(EndTime.QuadPart*1000)/NtfsPerformanceFrequency.QuadPart`	—
`A13_(FrsConsolidationContext->TotalTime*1000)/NtfsPerformanceFrequency.QuadPart`	—

Event ID 66 — UpdateLCS: Vcb %1, IC %2, FRef %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

UpdateLCS: Vcb %1!p!, IC %2!p!, FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_Fcb->Vcb`	—
`A11_IrpContext`	—
`A12_*(PULONGLONG)_Fcb->FileReference`	—
`A13_StdInfoAttrListEntry->Signature`	—
`A14_StdInfoAttrListEntry->LastCompactedSize`	—
`A15_AttributeListSize`	—

Event ID 67 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__Scb->Mcb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1`	—
`A18_PreAllocated`	—
`A19_UseDelayedAllocation`	—

Event ID 68 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__Scb->Mcb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1`	—
`A18_PreAllocated`	—
`A19_UseDelayedAllocation`	—

Event ID 69 — NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—
`A12_Scb->TotalAllocated`	—

Event ID 70 — NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!ScbState: %4!08x!, IrpContextState2: %5!08x!, AllocateWithNoHole: %6!d!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—
`A12_Scb->TotalAllocated`	—
`A13_Scb->State`	—
`A14_IrpContext->State2`	—
`A15_AllocateWithNoHole`	—

Event ID 71 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 72 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 73 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__Scb->Mcb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 74 — NtfsDeallocateClusters: Vcb %1 - deleting FR %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! from clusters %3!I64x! to %4!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—

Event ID 75 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__Scb->Mcb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 76 — NtfsDeallocateClusters: Vcb %1 - deleting FR %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! starting at %3!I64x! for %4!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_*(PULONGLONG)_Scb->Fcb->FileReference`	—
`A12_AdjLcn`	—
`A13_AdjClusterCount`	—

Event ID 77 — NtfsDeallocateClusters: Vcb %1 - raising logfile full.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - raising logfile full

Fields

Name	Description
`A10_Vcb`	—

Event ID 78 — NtfsDeallocateClusters: Vcb %1 - adding clusters to DeallocatedClusters: %2 ==> Lsn: %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - adding clusters to DeallocatedClusters: %2!p! ==> Lsn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!; Vcb's DeallocatedClustersCount old: %6!I64x! new: %7!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—
`A12_DeallocatedClusters->Lsn.QuadPart`	—
`A13_DeallocatedClusters->ClusterCount`	—
`A14_DeallocatedClusters->Flags`	—
`A15_Vcb->DeallocatedClusters`	—
`A16_Vcb->DeallocatedClusters + AdjClusterCount`	—

Event ID 79 — NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Decremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!Addr(TotalAllocated): %4!p!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A12_*TotalAllocated`	—
`A13_TotalAllocated`	—

Event ID 80 — NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!Addr(TotalAllocated): %3!p!, ScbState: %4!08x!, IrpContextState2: %5!08x!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A12_TotalAllocated`	—
`A13_Scb->State`	—
`A14_IrpContext->State2`	—

Event ID 81 — NtfsDeallocateClusters: Vcb %1 - Undoing some changes to DeallocatedClustersCount from %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - Undoing some changes to DeallocatedClustersCount from %2!I64x! to %3!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->DeallocatedClusters`	—
`A12_Vcb->DeallocatedClusters-ClustersRemoved`	—

Event ID 82 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 83 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 84 — NtfsModifyBitsInBitmap IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: %1!p!, Vcb: %2!p!, FirstBit: 0x%3!I64x!, BeyondLastBit: 0x%4!I64x!, Redo: 0x%5!x!, Undo: 0x%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_FirstBit`	—
`A13_BeyondFinalBit`	—
`A14_RedoOperation`	—
`A15_UndoOperation`	—

Event ID 85 — NtfsModifyBitsInBitmap IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, CurrentLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_CurrentLcn`	—

Event ID 86 — NtfsAllocateBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—

Event ID 87 — NtfsAllocateBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAllocateBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 88 — NtfsRestartSetBitsInBitMap IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartSetBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 89 — NtfsFreeBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—
`A13_*ClusterCount`	—

Event ID 90 — NtfsFreeBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 91 — NtfsRestartClearBitsInBitMap IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartClearBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 92 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!, StartingBitmapLcn: 0x%4!I64x!, SetBits: %5!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Bitmap`	—
`A13_StartingBitmapLcn`	—
`A14_SetBits`	—

Event ID 93 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Bitmap: %2!p!, StartLcn: 0x%3!I64x!, EndLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_StartingBit`	—
`A13_EndingBit`	—

Event ID 94 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Result: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Results`	—

Event ID 95 — System files not marked as in use in the MFT bitmap.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

System files not marked as in use in the MFT bitmap.  DWord offset %1!x!, value %2!x!.

Fields

Name	Description
`A10_i`	—
`A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]`	—

Event ID 96 — Length: 0 --> BinIndex : 0 - Unexpected length

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Length:        0 --> BinIndex :        0    - Unexpected length

Event ID 97 — Length.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Length: %1!8I64d! --> BinIndex : %2!8u!    - Key: %3!u!, BitPosition: %4!ld!, GroupIndex: %5!ld!, GroupShiftFactor: %6!ld!

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_Key`	—
`A13_BitPosition`	—
`A14_GroupIndex`	—
`A15_GroupShiftFactor`	—

Event ID 98 — Length.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Length: %1!8I64d! --> BinIndex : %2!8u!    - BinIndex was beyond TotalBins: %3!u! hence brought down

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_TotalBins`	—

Event ID 99 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - BinIndex is set to last bin or beyond, TotalBins: %3!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MAXLONGLONG`	—
`A12_TotalBins`	—

Event ID 100 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - GroupIndex: %3!ld!, RelativeBinIndex: %4!ld!, MaxKey: %5!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_GroupIndex`	—
`A13_RelativeBinIndex`	—
`A14_MaxKey`	—

Event ID 101 — BinGroupShift.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

BinGroupShift: %1!8ld!, BinGroupSize: %2!8u!, BinGroupMask: %3!8x!

Fields

Name	Description
`A10_NtfsCachedRunBinGroupShift`	—
`A11_NtfsCachedRunBinGroupSize`	—
`A12_NtfsCachedRunBinGroupMask`	—

Event ID 102 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64u! (0x%3!8I64x!)

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_MaxLength`	—

Event ID 103 — Searched committed allocations but didnt find enough free space.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Searched committed allocations but didnt find enough free space.  StartingCluster %1!I64x!, ClusterCount %2!I64x!, Committed %3!I64x!, Total %4!I64x!, Free %5!I64x!

Fields

Name	Description
`A10_StartingCluster`	—
`A11_ClusterCount`	—
`A12_Vcb->TotalClustersCommitted`	—
`A13_Vcb->TotalClusters`	—
`A14_Vcb->FreeClusters`	—

Event ID 104 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): first bit 0x%2, last bit 0x%3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): first bit 0x%2!X!, last bit 0x%3!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_FirstBitToClear`	—
`A12_BeyondLastBitToClear - 1`	—

Event ID 105 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no leading partial slab.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no leading partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 106 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): leading partial slab returned - LCN %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): leading partial slab returned - LCN %2!I64X!, len %3!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_*FreeClusterBase1`	—
`A12_*FreeClusterCount1`	—

Event ID 107 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no trailing partial slab.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no trailing partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 108 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): trailing partial slab returned - lcn %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): trailing partial slab returned - lcn %2!I64X!, len %3!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_*FreeClusterBase2`	—
`A12_*FreeClusterCount2`	—

Event ID 109 — NtfsValidateTotalClustersCommitted.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsValidateTotalClustersCommitted(%1!p!,%2!p!): TCC %3!I64x!, TC %4!I64x!, BMSize %5!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread()`	—
`A12_Vcb->TotalClustersCommitted`	—
`A13_Vcb->TotalClusters`	—
`A14_Vcb->TPMap.SizeOfBitMap`	—

Event ID 110 — Illegal MDL Complete for major code %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Illegal MDL Complete for major code %1!u!

Fields

Name	Description
`A10_IrpContext->MajorFunction`	—

Event ID 111 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, ByteCount: 0x%3!016I64x!, ExtentsDescriptor: %4!p!, ExtentsDescriptorIndex: %5!d!, ExtentsDescriptorStartOffset: 0x%6!016I64x!, Offset: 0x%7!016I64x!, MaxRuns: %8!d!,

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_ByteCount`	—
`A13_ExtentsDescriptor`	—
`A14_*ExtentsDescriptorIndex`	—
`A15_*ExtentsDescriptorStartOffset`	—
`A16_Offset`	—
`A17_MaxRuns`	—

Event ID 112 — RunEntry ==> %1!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

RunEntry ==> %1!4d!: [0x%2!016I64x!, 0x%3!016I64x!], ExtentLength: 0x%4!016I64x!, Offset: 0x%5!016I64x!, RunIndexStartOffset: 0x%6!016I64x!

Fields

Name	Description
`A10_RunIndex`	—
`A11_ExtentsDescriptor->Run[RunIndex].BasePage`	—
`A12_ExtentsDescriptor->Run[RunIndex].PageCount`	—
`A13_ExtentLength`	—
`A14_Offset`	—
`A15_RunIndexStartOffset`	—

Event ID 113 — Offset is beyond this extent skipping the extent.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Offset is beyond this extent skipping the extent.

Event ID 114 — Shrinking LengthInExtent.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Shrinking LengthInExtent (0x%1!016I64x!) to ByteCount (0x%2!016I64x!) that we have to zero

Fields

Name	Description
`A10_LengthInExtent`	—
`A11_ByteCount`	—

Event ID 115 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields

Name	Description
`A10_StartingPhysicalAddr.QuadPart`	—
`A11_LengthInExtent`	—

Event ID 116 — Exiting: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Exiting: ExtentsDescriptorIndex: %1!d! ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_*ExtentsDescriptorIndex`	—
`A11_*ExtentsDescriptorStartOffset`	—

Event ID 117 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingOffset`	—
`A12_BeyondEndOffset`	—

Event ID 118 — Dsm Ranges[.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Dsm Ranges[%1!d!]: StartingOffset: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields

Name	Description
`A10_DataSetRangeIndex`	—
`A11_DsmBuffer->DataSetRanges[DataSetRangeIndex].StartingOffset`	—
`A12_DsmBuffer->DataSetRanges[DataSetRangeIndex].LengthInBytes`	—

Event ID 119 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—

Event ID 120 — Dsm: TotalNumberOfRanges.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Dsm: TotalNumberOfRanges: %1!d!, NumberOfRangesReturned: %2!d!

Fields

Name	Description
`A10_DsmByteAddressRanges->TotalNumberOfRanges`	—
`A11_DsmByteAddressRanges->NumberOfRangesReturned`	—

Event ID 121 — DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DsmOut Ranges[%1!d!]: StartingAddress: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields

Name	Description
`A10_Index`	—
`A11_DsmByteAddressRanges->Ranges[Index].StartAddress`	—
`A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes`	—

Event ID 122 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields

Name	Description
`A10_StartingPhysicalAddr.QuadPart`	—
`A11_LengthInExtent`	—

Event ID 123 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_*ExtentsDescriptorIndex`	—
`A11_*ExtentsDescriptorStartOffset`	—

Event ID 124 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!, ByteCount: 0x%4!016I64x!, ExtentsDescriptor: %5!p!, ExtentsDescriptorIndex: %6!d!, ExtentsDescriptorStartOffset: 0x%7!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_BeyondEndOffset`	—
`A13_ByteCount`	—
`A14_ExtentsDescriptor`	—
`A15_ExtentsDescriptorIndex ? *ExtentsDescriptorIndex : 0`	—
`A16_ExtentsDescriptorStartOffset ? *ExtentsDescriptorStartOffset : 0`	—

Event ID 125 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_*ExtentsDescriptorIndex`	—
`A11_*ExtentsDescriptorStartOffset`	—

Event ID 126 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

IrpContext: %1!p!; Scb: %2!p!; StartOffset: 0x%3!I64x!; ByteCount: 0x%4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—
`A12_StartOffset`	—
`A13_ByteCount`	—

Event ID 127 — Return.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Return. IrpContext: %1!p!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 128 — Unexpected open type received.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected open type received: %1!u!

Fields

Name	Description
`A10_TypeOfOpen`	—

Event ID 129 — Raising STATUS_SUCCESS from NtfsCommonCleanup.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: %1

Fields

Name	Description
`A10_Status`	—

Event ID 130 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields

Name	Description
`A10_Status`	—

Event ID 131 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields

Name	Description
`A10_Status`	—

Event ID 132 — Irp.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, FileIdBuffer: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Event ID 133 — Irp.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, Path: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Event ID 134 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: %1!p!, CreateDisposition: 0x%2!x!.

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_CreateDisposition`	—

Event ID 135 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 136 — NtfsCommonVolumeOpen: Thread.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonVolumeOpen: Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->CleanupCount: %6!d!, BiasedCleanupCount: %7!d!.

Event ID 137 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 138 — NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->ReadOnlyCloseCount: %6!d!, Vcb->CloseCount: %7!d!, Vcb->SystemFileCloseCount: %8!d!.

Event ID 139 — NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->CleanupCount: %7!d!, Fcb->FcbState: 0x%8!08x!, IrpSp->Flags: 0x%9!08x!.

Event ID 140 — NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->FcbState: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 141 — NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, IrpContext->State: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 142 — NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 143 — NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Event ID 144 — NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 145 — NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Event ID 146 — NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenFile: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 147 — NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb Rmstate: 0x%7!08x!.

Event ID 148 — NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb): Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!, AttrTypeCode: 0x%9!x!.

Event ID 149 — NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Create options: 0x%7!08x!, Ccb flags: 0x%8!08x!.

Event ID 150 — NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb) Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!.

Event ID 151 — NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb state: 0x%7!08x!.

Event ID 152 — NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NeedEaCount: %7!d!, CreateOptions: 0x%8!08x!, CcbFlags: 0x%9!08x!.

Event ID 153 — NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttrTypeCode to create: 0x%7!x!, CreateDisposition: 0x%8!08x!.

Event ID 154 — NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CreateDisposition: 0x%7!08x!.

Event ID 155 — NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, AttrTypeCode: 0x%8!x!.

Event ID 156 — NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, DuplicateInfo attributes: 0x%7!08x!, FileAttributes: 0x%8!08x!.

Event ID 157 — NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Create options: 0x%7!08x!.

Event ID 158 — NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttributeTypeCode: 0x%7!x!, Scb state: 0x%8!08x!, Scb HighWaterMark: %9!I64d!.

Event ID 159 — NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, CreateDisposition: 0x%6!08x!.

Event ID 160 — NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, DesiredAccess: 0x%6!08x!.

Event ID 161 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: %1!p!, AttributeTypeCode: %2!x!.

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_*AttrCode`	—

Event ID 162 — NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 163 — NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Event ID 164 — NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Previously granted access: 0x%10!08x!.

Event ID 165 — NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Disallow write count: %8!d!, Desired Access: 0x%9!08x!.

Event ID 166 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 167 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Event ID 168 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 169 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Event ID 170 — NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Desired Access: 0x%7!08x!, FileAttributes: 0x%8!08x!, SL control flags: 0x%9!08x!.

Event ID 171 — NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, NtfsData flags: 0x%8!08x!.

Event ID 172 — NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Stream attribute flags: 0x%8!08x!.

Event ID 173 — NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb cleanup count: %7!d!, EncryptionCallBackTable flags: 0x%8!08x!.

Event ID 174 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: %1!p!, Fcb: %2!p!, FileRef: 0x%3!I64x!, TxfRmcb RM state: %4!x!.

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_CurrentFcb`	—
`A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )`	—
`A13_CurrentFcb->TxfRmcb->RmState`	—

Event ID 175 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Link Name: %7!S!, DesiredAccess: 0x%8!08x!, DesiredShareAccess: 0x%9!08x!, IoShareAccessFlags: 0x%10!08x!, LinkShareAccess->OpenCount: %11!d!, LinkShareAccess->Deleters: %12!d!, LinkShareAccess->SharedDelete: %13!d!.

Event ID 176 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, DesiredAccess: 0x%9!08x!, DesiredShareAccess: 0x%10!08x!, IoShareAccessFlags: 0x%11!08x!, ShareAccess->OpenCount: %12!d!, ShareAccess->Readers: %13!d!, ShareAccess->Writers: %14!d!, ShareAccess->->Deleters: %15!d!, ShareAccess->SharedRead: %16!d!, ShareAccess->SharedWrite: %17!d!, ShareAccess->SharedDelete: %18!d!.

Event ID 177 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, DesiredAccess: 0x%10!08x!, DesiredShareAccess: 0x%11!08x!, IoShareAccessFlags: 0x%12!08x!, ShareAccess->OpenCount: %13!d!, ShareAccess->Readers: %14!d!, ShareAccess->Writers: %15!d!, ShareAccess->->Deleters: %16!d!, ShareAccess->SharedRead: %17!d!, ShareAccess->SharedWrite: %18!d!, ShareAccess->SharedDelete: %19!d!, LinkShareAccess->OpenCount: %20!d!, LinkShareAccess->Deleters: %21!d!, LinkShareAccess->SharedDelete: %22!d!.

Event ID 178 — NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, Previously granted access: 0x%10!08x!, AccessState->Flags: 0x%11!08x!, DesiredShareAccess: 0x%12!08x!, CreateDisposition: 0x%13!08x!, OpenCount: %14!d!, Readers: %15!d!, Writers: %16!d!, Deleters: %17!d!, SharedRead: %18!d!, Lcb Deleters: %19!d!.

Event ID 179 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 180 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 181 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 182 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 183 — NtfsSendUnusedClustersHint: Vcb %1 - Will tell storage we are freeing at %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Will tell storage we are freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—

Event ID 184 — NtfsSendUnusedClustersHint: Vcb %1 - Flush requested.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Flush requested

Fields

Name	Description
`A10_Vcb`	—

Event ID 185 — NtfsSendUnusedClustersHint: Vcb %1 - Created new MarkUnusedContext %2, DEALLOCATED_CLUSTERS %3, MCB %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! -  Created new MarkUnusedContext %2!p!, DEALLOCATED_CLUSTERS %3!p!, MCB %4!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_*MarkUnusedContext`	—
`A12_(*MarkUnusedContext)->DeallocatedClusters`	—
`A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb`	—

Event ID 186 — NtfsSendUnusedClustersHint: Vcb %1 - Successfully added clusters starting at %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Successfully added clusters starting at %2!I64x! for %3!x! into MCB %4!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—
`A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb`	—

Event ID 187 — NtfsSendUnusedClustersHint: Vcb %1 - MCB %2 is full.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - MCB %2!p! is full

Fields

Name	Description
`A10_Vcb`	—
`A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb`	—

Event ID 188 — NtfsSendUnusedClustersHint: Vcb %1 - Queuing request to IC pre-trim list, MUC %2, IC %3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Queuing request to IC pre-trim list, MUC %2!p!, IC %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_*MarkUnusedContext`	—
`A12_IrpContext`	—

Event ID 189 — NtfsSendUnusedClustersHint: Vcb %1 - Failed to allocate/initial MarkUnusedContext.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! -  Failed to allocate/initial MarkUnusedContext

Fields

Name	Description
`A10_Vcb`	—

Event ID 190 — NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, SrcOrigClusCt %4!I64x!, SrcDSRL %5!x! - Entering

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—
`A12_Src->ClustersCount`	—
`A13_Src->DeallocatedClusters->ClusterCount`	—
`A14_SrcDsmAttr->DataSetRangesLength`	—

Event ID 191 — NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, DstClusCt %4!I64x!, DstDSRL %5!x!, DstLIB %6!I64x!, DstSOff %7!I64x! - Leaving

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—
`A12_Src->ClustersCount`	—
`A13_Dst->ClustersCount`	—
`A14_DstDsmAttr->DataSetRangesLength`	—
`A15_DstFirstDataSetRangePtr->LengthInBytes`	—
`A16_DstFirstDataSetRangePtr->StartingOffset`	—

Event ID 192 — NtfsMarkUnusedContextPostTrimProcessing: Entering

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Entering

Event ID 193 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - DC %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - DC %3!I64x!, DCIT %4!x!, DCTD %5!x!, CC %6!I64x!, IR %7!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_Vcb->DeallocatedClusters`	—
`A13_Vcb->DeallocatedClustersListLengthInTrim`	—
`A14_Vcb->DeallocatedClustersListLengthToDrain`	—
`A15_Clusters->ClusterCount`	—
`A16_InitialRanges`	—

Event ID 194 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - Removed interior slab(s) from TP map - [LCN %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - Removed interior slab(s) from TP map - [LCN %3!I64X!, len %4!I64X!] => [LCN %5!I64X!, len %6!I64X!], [LCN %7!I64X!, len %8!I64X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—
`A14_FreeClusterBase1`	—
`A15_FreeClusterCount1`	—
`A16_FreeClusterBase2`	—
`A17_FreeClusterCount2`	—

Event ID 195 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - Releasing bitmap.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - Releasing bitmap

Fields

Name	Description
`A10_Vcb`	—

Event ID 196 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - CloseCount %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - CloseCount %2!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->CloseCount`	—

Event ID 197 — NtfsMarkUnusedContextPostTrimProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Leaving

Event ID 198 — NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1!p!

Fields

Name	Description
`A10_Irp`	—

Event ID 199 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1, IC %2 - Entering.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p!, IC %2!p! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 200 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Kicked off DelayedWorkQueue.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Kicked off DelayedWorkQueue

Fields

Name	Description
`A10_Vcb`	—

Event ID 201 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 202 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 203 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Small MUC %2 instead of MUC %3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Small MUC %2!p! instead of MUC %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_SmallMarkUnusedContext`	—
`A12_MarkUnusedContext`	—

Event ID 204 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Failed to allocate small MUC so use MUC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Failed to allocate small MUC so use MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 205 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl down.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down.  MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 206 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - [%3] Offset %4!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - [%3!x!] Offset %4!I64x!, Length %5!I64x! - trim entry

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_TrimEntryCount++`	—
`A13_DataSetRangePtr->StartingOffset`	—
`A14_DataSetRangePtr->LengthInBytes`	—

Event ID 207 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2, Irp %3 - Completed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p!, Irp %3!p! - Completed

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_IrpUsed`	—

Event ID 208 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - %3 - failed to send.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - %3!x! - failed to send

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_Status`	—

Event ID 209 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Add MUC %2 to post trim list.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Add MUC %2!p! to post trim list

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 210 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Free small MUC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Free small MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 211 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl down failed with %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down failed with %2!x!.  MUC %3!p!, Count %4!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—
`A12_MarkUnusedContext`	—
`A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL`	—

Event ID 212 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Event ID 213 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - There are waiters for DC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - There are waiters for DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 214 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Waking up waiter for DC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Waking up waiter for DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 215 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Done waking up DC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Done waking up DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 216 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1, All %2 - Entering.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p!, All %2!x! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_All`	—

Event ID 217 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting to drain.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting to drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 218 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting for partial drain.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting for partial drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 219 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 220 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 221 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Inserted %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Inserted %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClustersToWaitFor->DeallocatedClusters`	—

Event ID 222 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 223 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1 - Wait for DC %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1!p! - Wait for DC %2!p!

Fields

Name	Description
`A10_IrpContext->Vcb`	—
`A11_DeallocatedClustersToWaitFor->DeallocatedClusters`	—

Event ID 224 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded by %2 (s), IC %3, Vcb %4, DC %5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ? (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)`	—
`A12_IrpContext`	—
`A13_IrpContext->Vcb`	—
`A14_DeallocatedClusters`	—

Event ID 225 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded by %2 (s), IC %3, Vcb %4, DC %5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ? (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)`	—
`A12_IrpContext`	—
`A13_IrpContext->Vcb`	—
`A14_DeallocatedClusters`	—

Event ID 226 — NtfsCheckForTrimThrottling: Vcb %1 - hitting trim threshold %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckForTrimThrottling: Vcb %1!p! - hitting trim threshold %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->DeallocatedClustersListLengthInTrim`	—

Event ID 227 — NtfsUpdateSmartTrimState: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 228 — NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 229 — NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredSyncResource %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredSyncResource %2!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredVcb`	—

Event ID 230 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - Skipping deallocated clusters gen'd by smart trim.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - Skipping deallocated clusters gen'd by smart trim

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 231 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - MCB run %3; offs 0x%4!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - MCB run %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—
`A13_StartingOffset`	—
`A14_LengthInBytes`	—

Event ID 232 — NtfsUpdateSmartTrimState: Vcb %1 - MUC %2, DSR count %3, MCB count %4, ST free slots %5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - MUC %2!p!, DSR count %3!u!, MCB count %4!u!, ST free slots %5!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_DataSetRangeCount`	—
`A13_McbRunCount`	—
`A14_SmartTrimFreeRangeCount`	—

Event ID 233 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - DSR range %3; offs 0x%4!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - DSR range %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—
`A13_DataSetRange->StartingOffset`	—
`A14_DataSetRange->LengthInBytes`	—

Event ID 234 — NtfsUpdateSmartTrimState: Vcb %1 - MCB lcn %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - MCB lcn %2!I64X! len %3!I64X! maps to TP map bits [0x%4!X!, 0x%5!X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—
`A12_ClusterCount`	—
`A13_FirstTpMapBit`	—
`A14_LastTpMapBit`	—

Event ID 235 — NtfsUpdateSmartTrimState: Vcb %1 - Smart trim state on exit; %2 ranges.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Smart trim state on exit; %2!u! ranges:

Fields

Name	Description
`A10_Vcb`	—
`A11_SmartTrimState->SlabRangesCount`	—

Event ID 236 — NtfsUpdateSmartTrimState: Vcb %1 - Range %2: FirstTPMapBit 0x%3, LastTPMapBit 0x%4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Range %2!u!: FirstTPMapBit 0x%3!X!, LastTPMapBit 0x%4!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_SlabRangeIndex`	—
`A12_SlabRange->FirstTPMapBit`	—
`A13_SlabRange->LastTPMapBit`	—

Event ID 237 — NtfsUpdateSmartTrimState: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 238 — NtfsEvalSmartTrimState: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 239 — NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 240 — NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredBitmap %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredBitmap %2!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredBitmap`	—

Event ID 241 — NtfsEvalSmartTrimState: Vcb %1 - Checking slab 0x%2 for allocations.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Checking slab 0x%2!X! for allocations

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 242 — NtfsEvalSmartTrimState: Vcb %1 - Slab 0x%2 has allocations, will not trim.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Slab 0x%2!X! has allocations, will not trim

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 243 — NtfsEvalSmartTrimState: Vcb %1 - Free slab found - TP map bit 0x%2, lcn %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Free slab found - TP map bit 0x%2!X!, lcn %3!I64X!, len %4!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—
`A12_SlabBaseLcn`	—
`A13_SlabLengthInClusters`	—

Event ID 244 — NtfsEvalSmartTrimState: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 245 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 246 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 247 — NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, SL control flags: 0x%6!08x!.

Event ID 248 — NtfsVolumeDasdIo: Data section blocking flush.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush status: %5!S!.

Event ID 249 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Could not find paging file run.

Event ID 250 — Could not find paging file MCB entry.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Could not find paging file MCB entry.

Event ID 251 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Could not find paging file run.

Event ID 252 — Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Writing to $Bitmap. Vcb: %1!p!, Offset: 0x%2!I64x!, Length: 0x%3!x!

Fields

Name	Description
`A10_Scb->Vcb`	—
`A11_StartingVbo`	—
`A12_ByteCount`	—

Event ID 253 — NTFS: Posting hotfix on file object.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS: Posting hotfix on file object: %1!p!

Fields

Name	Description
`A10_FileObject`	—

Event ID 254 — NTFS: Freeing Bad Vcn.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS:     Freeing Bad Vcn: %1!08x!, %2!08x!

Fields

Name	Description
`A10_((ULONG)BadVcn)`	—
`A11_((PLARGE_INTEGER)_BadVcn)->HighPart`	—

Event ID 255 — NTFS: Retiring Bad Lcn.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS:     Retiring Bad Lcn: %1!08x!, %2!08x!

Fields

Name	Description
`A10_((ULONG)BadLcn)`	—
`A11_((PLARGE_INTEGER)_BadLcn)->HighPart`	—

Event ID 256 — NTFS: Reallocating Bad Vcn

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS:     Reallocating Bad Vcn

Event ID 257 — NTFS: Bad Cluster replaced

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS:     Bad Cluster replaced

Event ID 258 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 259 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields

Name	Description
`A10_NewBufferSize`	—
`A11_NtfsGetCompressionBufferSize()`	—

Event ID 260 —

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1

Fields

Name	Description
`A10_Status`	—

Event ID 261 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 262 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields

Name	Description
`A10_NewBufferSize`	—
`A11_NtfsGetUsaBufferSize( Vcb )`	—

Event ID 263 —

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1

Fields

Name	Description
`A10_Status`	—

Event ID 264 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 265 — NtfsDefragFileInternal: Vcb %1 - Calling FRD.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal: Vcb %1!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 266 — NtfsDefragFileInternal: Vcb %1 - Done calling FRD.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal: Vcb %1!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 267 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 268 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x! - copy offload

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_MoveData->StartingVcn.QuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveData->StartingLcn.QuadPart`	—
`A18_CopyLength`	—
`A19_Flags.UseDelayedAllocation`	—
`A20_Status`	—

Event ID 269 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_MoveData->StartingVcn.QuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveData->StartingLcn.QuadPart`	—
`A18_CopyLength`	—
`A19_Flags.UseDelayedAllocation`	—
`A20_MyStatus`	—

Event ID 270 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, CurrLcn %5!I64x!, Len %6!x!, Status %7!x! - read completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_Lcn`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 271 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, NewLcn %5!I64x!, Len %6!x!, Status %7!x! - write completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_MoveData->StartingLcn.QuadPart`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 272 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, DA %9!d!, ValidClusters %10!I64x! - beyond VDL

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_MoveData->StartingVcn.QuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveData->StartingLcn.QuadPart`	—
`A18_Flags.UseDelayedAllocation`	—
`A19_ValidClusters`	—

Event ID 273 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x! - committed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )`	—
`A14_MoveData->StartingVcn.QuadPart`	—
`A15_TransferClusters`	—

Event ID 274 — NtfsDefragFile: Defrag is denied without manage volume access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Event ID 275 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 276 — NtfsEncryptDecryptOnline: Vcb %1 - Calling FRD.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb %1!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 277 — NtfsEncryptDecryptOnline: Vcb %1 - Done calling FRD.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb %1!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 278 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 279 — SCB.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

SCB: %1!p!, VDL=0x%2!I64x!, FS=0x%3!I64x!, StartOff=0x%4!I64x!, StartVcn=0x%5!I64x!, Length=0x%6!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_Scb->Header.ValidDataLength.QuadPart`	—
`A12_Scb->Header.FileSize.QuadPart`	—
`A13_QueryDaxExtents->FileOffset`	—
`A14_StartingVcn`	—
`A15_QueryDaxExtents->Length`	—

Event ID 280 — StartOff=0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

StartOff=0x%1!I64x!, Length=0x%2!I64x!, EffectiveLength=0x%3!I64x! StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!, Clusters=0x%6!I64x!, LastVcnInFile=0x%7!I64x!

Fields

Name	Description
`A10_QueryDaxExtents->FileOffset`	—
`A11_QueryDaxExtents->Length`	—
`A12_EffectiveInputFileRegionLength`	—
`A13_StartingVcn`	—
`A14_BeyondEndVcn`	—
`A15_RemainingClusterCount`	—
`A16_LastVcnInFile`	—

Event ID 281 — NumberOfValidRuns: 0

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NumberOfValidRuns: 0

Event ID 282 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!, OutputBufferLength: 0x%3!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—
`A12_OutputBufferLength`	—

Event ID 283 — STATUS_BUFFER_TOO_SMALL from FsLib.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x%1!x!, MaxRuns: 0x%2!x!, BytesReturned: 0x%3!I64x!

Fields

Name	Description
`A10_ExtentsDescriptor->NumberOfValidRuns`	—
`A11_MaxRuns`	—
`A12_*BytesReturned`	—

Event ID 284 — Made an educated guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Made an educated guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_ExtentsDescriptor->NumberOfValidRuns`	—

Event ID 285 — Made a wild guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Made a wild guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_ExtentsDescriptor->NumberOfValidRuns`	—

Event ID 286 — NumberOfValidRuns: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NumberOfValidRuns: 0x%1!08x!, MaxRuns: 0x%2!08x!, Status: 0x%3!08x!, BytesReturned: 0x%4!I64x!

Fields

Name	Description
`A10_ExtentsDescriptor->NumberOfValidRuns`	—
`A11_MaxRuns`	—
`A12_Status`	—
`A13_*BytesReturned`	—

Event ID 287 — BasePage: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

BasePage: 0x%1!-16I64x!, PageCount: 0x%2!-16I64x!

Fields

Name	Description
`A10_ExtentsDescriptor->Run[Index].BasePage`	—
`A11_ExtentsDescriptor->Run[Index].PageCount`	—

Event ID 288 — About to zero range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

About to zero range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 289 — Zeroed range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Zeroed range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 290 — NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 291 — NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb access flags: 0x%10!08x!, Granted access: 0x%11!08x!.

Event ID 292 — NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 293 — NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Event ID 294 — NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Device Object flags: 0x%10!08x!.

Event ID 295 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: %7!x!.

Event ID 296 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfNumWriters count: %7!d!.

Event ID 297 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, TxfNumWriters count: %9!d!.

Event ID 298 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Cleanup count: %7!d!.

Event ID 299 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, Link cleanup count: %9!d!, SplitPrimaryLcb: %10!p!, Split link name: %11!S!, Split link cleanup count: %12!d!.

Event ID 300 — NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: 0x%7!08x!, Lcb: %8!p!, link name: %9!S!, link name flag: 0x%10!08x!, link state: 0x%11!08x!.

Event ID 301 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, File attributes: 0x%7!08x!.

Event ID 302 — NtfsSetRenameInfo: Can not rename into a system directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename into a system directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Event ID 303 — NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Event ID 304 — NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!.

Event ID 305 — NtfsSetRenameInfo: Child Scb mismatch.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Potential child FileRef: %7!I64x!.

Event ID 306 — NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!.

Event ID 307 — NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, TxfVisibleLinks: %8!d!.

Event ID 308 — NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, SeAccessCheck status: %8!S!.

Event ID 309 — NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!.

Event ID 310 — NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!, Target RM state: %8!x!.

Event ID 311 — NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!.

Event ID 312 — NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!, Parent FileRef: %9!I64x!.

Event ID 313 — NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Stream cleanup count: %7!d!.

Event ID 314 — NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, ByID opens: %7!d!, Stream cleanup count: %8!d!.

Event ID 315 — NtfsStreamRename: Deny access due to encryption happening on source stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsStreamRename: Deny access due to encryption happening on source stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb state: 0x%10!08x! Scb HighWaterMark: %11!I64d!.

Event ID 316 — NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Previous batch oplock count: %7!d!, current batch oplock count: %8!d!.

Event ID 317 — NtfsFlushVolumeFlushSingleFcb: Thread.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Vcb: %2!p!, Fcb: %3!p!, LocalFlags: %4!#08x!

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_Vcb`	—
`A12_Fcb`	—
`A13_LocalFlags->EntireFlags`	—

Event ID 318 — NtfsFlushVolumeFlushSingleFcb: Thread.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Scb: %2!p!

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_Scb`	—

Event ID 319 — NtfsFlushVolume: Thread.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushVolume: Thread: %1!p!, Vcb: %2!p!, LocalFlags: %3!#08x!

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_Vcb`	—
`A12_LocalFlags.EntireFlags`	—

Event ID 320 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: %1!p! Vcb: %2!p!

Fields

Name	Description
`A10_Vcb->BitmapScb`	—
`A11_Vcb`	—

Event ID 321 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: %1!p! Vcb: %2!p!

Fields

Name	Description
`A10_Vcb->MftScb`	—
`A11_Vcb`	—

Event ID 322 — NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into completion queue.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into completion queue

Fields

Name	Description
`A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb`	—
`A11_Context`	—

Event ID 323 — NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into WorkQueue - Flink %3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into WorkQueue - Flink %3!p!

Fields

Name	Description
`A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb`	—
`A11_Context`	—
`A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink`	—

Event ID 324 — NtfsDiskFlushContextWorkItemProcessing: Process work item

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDiskFlushContextWorkItemProcessing: Process work item

Event ID 325 — NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Event ID 326 — Irp.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, MinorCode: %4!02x!, FsControlCode: 0x%5!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A12_IrpContext->Vcb`	—
`A13_IrpSp->MinorFunction`	—
`A14_FsControlCode`	—

Event ID 327 — NtfsLockVolumeInternal: Cannot lock the volume.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!, DisallowDismountCount: %6!d!, ExplicitLock: %7!d!, Volume CleanupCount: %8!d!, Handle count: %9!d!.

Event ID 328 — NtfsLockVolumeInternal: Volume is already locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 329 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Event ID 330 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Event ID 331 — NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume close count: %5!d!, System file close count: %6!d!, User handle count: %7!d!.

Event ID 332 — NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 333 — NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Active RM count: %5!d!, Default RM Active: %6!d!.

Event ID 334 — %1: Setting RM at 0x%2 ({%3}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)Vcb->TxfVcb.DefaultRm`	—
`A12_(Vcb->TxfVcb.DefaultRm != NULL) ? _Vcb->TxfVcb.DefaultRm->RmId : NULL`	—

Event ID 335 — NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 336 — NtfsDismountVolume: IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDismountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 337 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 338 — NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 339 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, ReadOnlyCloseCount: %6!d!, CloseCount: %7!d!, SystemFileCloseCount: %8!d!.

Event ID 340 — NtfsDismountVolume: Could not flush trim hints.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDismountVolume: Could not flush trim hints.  Couldn't make progress flushing log.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 341 — NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 342 — NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 343 — NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 344 — NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 345 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 346 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, TypeOfOpen: %6!d!.

Event ID 347 — NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Irp Request Mode: %6!d!.

Event ID 348 — NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 349 — NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 350 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!.

Event ID 351 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!, CallerId: %7!d!, Context owner ID: %8!d!.

Event ID 352 — NtfsSetSparse: Caller does not have appropriate write access to the stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, FileObject write access: %9!d!.

Event ID 353 — NtfsSetSparse: Cannot desparse encrypted file without write data access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Scb attributes: 0x%9!08x!.

Event ID 354 — NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsZeroRange: User mode caller not allowed. Thread: %1!p!, Zero flags: 0x%2!08x!, Irp Requestor Mode: %3!d!.

Fields

Name	Description
`A10_PsGetCurrentThread()`	—
`A11_ZeroFlags`	—
`A12_Irp->RequestorMode`	—

Event ID 355 — IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

IC: %1!p!, Scb: %2!p!, FileObject: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—
`A12_IrpSp->FileObject`	—

Event ID 356 — IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

IC: %1!p!, EncryptionOperation: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_EncryptionOperation`	—

Event ID 357 — NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 358 — NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 359 — NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 360 — NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 361 — NtfsChangeVolumeSize: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 362 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsChangeVolumeSize (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 363 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsChangeVolumeSize (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 364 — NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, HandleInfo flags: 0x%9!08x!, Irp Requestor Mode: %10!d!.

Event ID 365 — NtfsMarkHandle: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 366 — NtfsMarkHandle: Cannot deny defrag.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, HandleInfo flags: 0x%11!08x!.

Event ID 367 — NtfsMarkHandle: Cannot deny Frs consolidation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState2: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!.

Event ID 368 — NtfsMarkHandle: Cannot filter metadata.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!, Irp RequestorMode: %13!d!.

Event ID 369 — NtfsMarkHandle: Mark handle is not allowed on system files.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, HandleInfo flags: %8!x!.

Event ID 370 — NtfsMarkHandle: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, HandleInfo: 0x%10!08x!.

Event ID 371 — NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Writers: %10!d!.

Event ID 372 — NtfsPrefetchFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 373 — NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, WriteAccess: %6!d!, Fcb: %7!p!, FileRef: 0x%8!I64x!, FcbState: %9!x!, Scb AttributeTypeCode: 0x%10!x!, Ccb FullFileName: %11!S!.

Event ID 374 — NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 375 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x%1!p! to %2!u!.

Fields

Name	Description
`A10_(PVOID)Vcb`	—
`A11_InputParameter`	—

Event ID 376 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 377 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 378 — NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, NtfsData Flags: %5!x!.

Event ID 379 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 380 — Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Resetting Volsnap behavior for VCB = 0x%1!p!.  New state is 0x%2!x!.

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->VcbState`	—

Event ID 381 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 382 — NtfsCorruptionHandling: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 383 — NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 384 — Scrub resume from SystemScbIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scrub resume from SystemScbIndex: %1!u! Vcn: %2!#I64x! + %3!#x!

Fields

Name	Description
`A10_ScrubResumeContext.SystemScbIndex`	—
`A11_ScrubResumeContext.ResumeVcn`	—
`A12_ScrubResumeContext.ResumeVcnOffset`	—

Event ID 385 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub resume from Vcn: %2!#I64x! + %3!#x!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubResumeContext.ResumeVcn`	—
`A12_ScrubResumeContext.ResumeVcnOffset`	—

Event ID 386 — Scrub SystemScbIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scrub SystemScbIndex: %1!u!

Fields

Name	Description
`A10_ScrubResumeContext.SystemScbIndex`	—

Event ID 387 — NtfsScrubData: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 388 — Scrub not supported for Txf file, Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scrub not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields

Name	Description
`A10_Scb`	—
`A11_Scb->TxfScb`	—

Event ID 389 — Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop

Event ID 390 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! ScrubInternal OperationStatus: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! FileOffset: %5!#I64x! Length: %6!#I64x! ParityExtentCount: %7!u!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubContext.OperationStatus`	—
`A12_ScrubContext.NumberOfBytesRepaired`	—
`A13_ScrubContext.NumberOfBytesFailed`	—
`A14_ScrubContext.ErrorFileOffset`	—
`A15_ScrubContext.ErrorLength`	—
`A16_ScrubContext.ParityExtentData->NumberOfParityExtents`	—

Event ID 391 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! ScrubInternal Status: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! ParityExtentCount: %5!u!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—
`A12_ScrubContext.NumberOfBytesRepaired`	—
`A13_ScrubContext.NumberOfBytesFailed`	—
`A14_ScrubContext.ParityExtentData->NumberOfParityExtents`	—

Event ID 392 — InternalFileReference.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

InternalFileReference: %1!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 393 — InternalFileReference.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

InternalFileReference:%1!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 394 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Incomplete IoCount:%2!u! Cancel:%3!u! ParityExtentCount:%4!u!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubIoCount`	—
`A12_Irp->Cancel`	—
`A13_ScrubContext.ParityExtentData->NumberOfParityExtents`	—

Event ID 395 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub skipping resident attribute (d) (%2!S!)

Event ID 396 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub skipping resident attribute (%2!S!)

Event ID 397 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub StartingVcn(%2!#I64d!) is negative

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 398 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub starting vcn is beyond VDL (FileOffset: %2!#I64x!, SectorAlignedVdl: %3!#I64x!)

Fields

Name	Description
`A10_Scb`	—
`A11_FileScrubOffset`	—
`A12_SectorAlignedVdl`	—

Event ID 399 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub no more Mcb entries from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 400 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! Scrub skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 401 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! StartingVcn:%2!#I64x! is beyond Vdl

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 402 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! ScrubDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) StartingVcn:%5!#I64x! + %6!#x! SectorAlignedVdl:%7!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_DsmRange.StartingOffset`	—
`A12_DsmRange.StartingOffset + DsmRange.LengthInBytes`	—
`A13_DsmRange.LengthInBytes`	—
`A14_StartingVcn`	—
`A15_StartingVcnOffset`	—
`A16_SectorAlignedVdl`	—

Event ID 403 — Scrub found problems Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scrub found problems Scb: %1!p! Vcn %2!#I64x! FileOffset: %3!#I64x! Length: %4!#I64x! Status: %5!S! BytesFailed: %6!#I64x! BytesRepaired: %7!#I64x! NewParityExtents: %8!u!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ScrubContext->ErrorFileOffset`	—
`A13_ScrubbedLength`	—
`A14_ScrubContext->OperationStatus`	—
`A15_ScrubContext->NumberOfBytesFailed`	—
`A16_ScrubContext->NumberOfBytesRepaired`	—
`A17_NewParityExtentCount`	—

Event ID 404 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! DsmAction_Scrub call failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 405 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! DsmAction_Scrub operation failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 406 — FSCTL_REPAIR_COPIES not supported for Txf file, Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields

Name	Description
`A10_Scb`	—
`A11_Scb->TxfScb`	—

Event ID 407 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Event ID 408 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Event ID 409 — FSCTL_REPAIR_COPIES interrupted by thread termination.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FSCTL_REPAIR_COPIES interrupted by thread termination.

Event ID 410 — FSCTL_REPAIR_COPIES canceled

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FSCTL_REPAIR_COPIES canceled

Event ID 411 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 412 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 413 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 414 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! RepairDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) FileOffset: %5!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_RepairDataSetRange->StartingOffset`	—
`A12_RepairDataSetRange->StartingOffset + RepairDataSetRange->LengthInBytes`	—
`A13_RepairDataSetRange->LengthInBytes`	—
`A14_RepairFileOffset`	—

Event ID 415 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair call failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 416 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair operation failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_IrpStatus`	—

Event ID 417 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair completed, IrpStatus: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_RepairCopiesOutput->Status`	—

Event ID 418 — NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 419 — NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 420 — NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 421 — NtfsUnloadFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 422 — NtfsCheckForSection: File already has image section.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckForSection: File already has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!.

Event ID 423 — NtfsShuffleFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Irp RequestorMode: %9!d!.

Event ID 424 — NtfsShuffleFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, VcbState: 0x%9!08x!.

Event ID 425 — NtfsShuffleFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsShuffleFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 426 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Event ID 427 — NtfsRearrangeFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Irp RequestorMode: %8!d!.

Event ID 428 — NtfsRearrangeFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, VcbState: 0x%8!08x!.

Event ID 429 — NtfsRearrangeFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 430 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Event ID 431 — NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FileRef: %5!I64x!, FullFileName: %6!S!, Ccb access flags: %7!x!.

Event ID 432 — NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Scb AttributeTypeCode: %8!x!, FcbState2: %9!x!, Ccb FullFileName: %10!S!, Ccb Access flags: %11!x!, Ccb Flags2: %12!x!.

Event ID 433 — NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Scb AttributeTypeCode: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb Access flags: 0x%10!08x!.

Event ID 434 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 435 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Open status=0x%3!x!, path="%4!S!"

Event ID 436 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Enumerate status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread()`	—
`A12_Status`	—

Event ID 437 — NtfsEnumMountWorker.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumMountWorker(%1!p!,%2!p!): Open status=0x%3!x!, file="%4!S!"

Event ID 438 — NtfsEnumMountWorker.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumMountWorker(%1!p!,%2!p!): Close status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread()`	—
`A12_Status`	—

Event ID 439 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Close dir status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread()`	—
`A12_Status`	—

Event ID 440 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, EffectiveMode: %10!d!.

Event ID 441 — SCB.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

SCB: %1!p!, StartOffset: 0x%2!I64x!, Length: 0x%3!I64x!, StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartOffset`	—
`A12_Length`	—
`A13_StartVcn`	—
`A14_BeyondEndVcn`	—

Event ID 442 — FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2!x!

Fields

Name	Description
`A10_Status`	—
`A11_Output->NumBadRanges`	—

Event ID 443 — FsInputRangeIndex.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FsInputRangeIndex: %1!u!, FileOffset: 0x%2!I64x!, VolumeOffset: 0x%3!I64x!, LengthInBytes: 0x%4!I64x!

Fields

Name	Description
`A10_FsInputRangeIndex`	—
`A11_FsInputRanges[FsInputRangeIndex].FileOffset`	—
`A12_FsInputRanges[FsInputRangeIndex].VolumeOffset`	—
`A13_FsInputRanges[FsInputRangeIndex].LengthInBytes`	—

Event ID 444 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb: %1!p!, Status: %2!S!, AbnormalTermination: %3!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—
`A12_(BOOLEAN)AbnormalTermination()`	—

Event ID 445 — Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Scb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 446 — NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 447 — Logic error of posting close to work queue.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Logic error of posting close to work queue.

Event ID 448 — NtfsFindPrefixHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!, '%3!S!'} {RemainingName: '%4!S!'}

Event ID 449 — NtfsFindPrefixHashEntry: {Lcb: NULL}

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb: NULL}

Event ID 450 — NtfsFindPrefixHashEntry: {Lcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb: %1!p!, '%2!S!'}

Event ID 451 — NtfsFindPrefixHashEntry: {Lcb not found}

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb not found}

Event ID 452 — NtfsInsertHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsInsertHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {FullNameLength: %3!d!} {Lcb: %4!p!, '%5!S!'}

Event ID 453 — NtfsRemoveHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {HashLcb: %3!p!, '%4!S!'}

Event ID 454 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Checkpoint injection.  Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->CheckpointInjectionCount`	—

Event ID 455 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Log %2!d!%!PCT! full.  Wait for CC to flush metadata first. Count %3!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_PercentFull`	—
`A12_Vcb->WaitForCcLoggedDataActivityCount`	—

Event ID 456 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Done waiting for CC to flush metadata

Fields

Name	Description
`A10_Vcb`	—

Event ID 457 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Injected checkpoint.

Fields

Name	Description
`A10_Vcb`	—

Event ID 458 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Start of checkpoint

Fields

Name	Description
`A10_Vcb`	—

Event ID 459 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Clean checkpoint. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->CleanCheckpointCount`	—

Event ID 460 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Overflowed DPT. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->OverflowedDPTCount`	—

Event ID 461 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Fuzzy checkpoint. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->FuzzyCheckpointCount`	—

Event ID 462 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Flush oldest FO.  Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->FlushOldestFOCount`	—

Event ID 463 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Flush starts with FRef %2!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference )`	—

Event ID 464 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Flush ends.  FO %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DirtyPageContext.OldestFileObject`	—

Event ID 465 — NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 466 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Checkpoint completed.

Fields

Name	Description
`A10_Vcb`	—

Event ID 467 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p!.  Leaving NtfsCheckpointVolume.

Fields

Name	Description
`A10_Vcb`	—

Event ID 468 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 469 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 470 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsWriteLog failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 471 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsWriteLog failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 472 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): LfsFlushToLsn failure %4!x! Count %5!d!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—
`A14_FailedFlushCount`	—

Event ID 473 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsProcessNewLengthQueue failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 474 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsProcessNewLengthQueue failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 475 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 476 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 477 — NtfsFreeRecentlyDeallocated: Vcb %1 - Entering - ActiveLsn: %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Entering - ActiveLsn: %2!I64x!, ClearAll: %3!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_ActiveLsn->QuadPart`	—
`A12_ClearAll`	—

Event ID 478 — NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 479 — NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list  - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 480 — NtfsFreeRecentlyDeallocated: Vcb %1 - Found frozen deallocated clusters with %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found frozen deallocated clusters with %2!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters->ClusterCount`	—

Event ID 481 — NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 482 — NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 483 — NtfsFreeRecentlyDeallocated: Vcb %1 - Found a deallocated clusters %2 with %3!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found a deallocated clusters %2!p! with %3!I64x! clusters, Lsn: %4!I64x!, Flags: %5!08x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—
`A12_Clusters->ClusterCount`	—
`A13_Clusters->Lsn.QuadPart`	—
`A14_Clusters->Flags`	—

Event ID 484 — Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb: %1!p!, Processing range. DeallocatedClusters: %2!p!, RunIndex: %3!d!, StartingLcn: %4!I64x!, ClusterCount: %5!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—
`A12_i`	—
`A13_StartingLcn`	—
`A14_ClusterCount`	—

Event ID 485 — Looking for dangling MDLs

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Looking for dangling MDLs

Event ID 486 — FsLibGroupSubExtentsByDanglingMdl failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FsLibGroupSubExtentsByDanglingMdl failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 487 — FsLibAddBaseMcbEntryEx failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

FsLibAddBaseMcbEntryEx failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 488 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 489 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 490 — No sub extents has dangling MDL

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

No sub extents has dangling MDL

Event ID 491 — NtfsFreeRecentlyDeallocated: Vcb %1 - Telling volsnap freeing at %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Telling volsnap freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—
`A12_(ULONG)ClusterCount`	—

Event ID 492 — NtfsFreeRecentlyDeallocated: Vcb %1 - Volsnap responsed with freeing at %2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Volsnap responsed with freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn + StartingIndex`	—
`A12_runLength`	—

Event ID 493 — NtfsFreeRecentlyDeallocated: Vcb %1 - Got error 0x%2 from below.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Got error 0x%2!x! from below

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 494 — NtfsFreeRecentlyDeallocated: Vcb %1 - Deleting MarkUnusedContext %2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Deleting MarkUnusedContext %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 495 — NtfsFreeRecentlyDeallocated: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 496 — NtfsRemoveNtfsMcbEntry Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Length: 0x%4!I64x!

Fields

Name	Description
`A10_Mcb->Scb`	—
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_Count`	—

Event ID 497 — NtfsRemoveNtfsMcbEntry Mcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Mcb: %1!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 498 — NtfsAddNtfsMcbEntry Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Length: 0x%5!I64x!

Fields

Name	Description
`A10_Mcb->Scb`	—
`A11_Mcb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_RunCount`	—

Event ID 499 — NtfsAddNtfsMcbEntry Mcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAddNtfsMcbEntry Mcb: %1!p!, Result: %2!S!

Fields

Name	Description
`A10_Mcb`	—
`A11_Result`	—

Event ID 500 — NtfsUnloadNtfsMcbRange Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Scb: %1!p!, Mcb: %2!p!, StartVcn: 0x%3!I64x!, EndVcn: 0x%4!I64x!, TruncateOnly: %5!S!

Fields

Name	Description
`A10_Mcb->Scb`	—
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—
`A14_TruncateOnly`	—

Event ID 501 — NtfsUnloadNtfsMcbRange Mcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Mcb: %1!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 502 — Valid NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Valid NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—

Event ID 503 — Not an NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Not an NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!; CheckNumber: %3!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—
`A12_CheckNumber`	—

Event ID 504 — NtfsMountVolume: Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMountVolume: Vcb:%1!p!, IC:%2!p!, Growing allocation for Mft's Attribute List failed with exception:0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContext->ExceptionStatus`	—

Event ID 505 — NtfsMountVolume: IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsMountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 506 — Mounting DAX partition.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Mounting DAX partition. Vcb: %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 507 — DAX volume mounted without DAX support because storage is not DAX capable.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 508 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Mft AttributeList not found, skipping growth

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 509 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Converting Resident AttributeList(size:0x%3!I64x!) to NonResident

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_AttrListAllocationSize`	—

Event ID 510 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p!, AttrListScb:%3!p! Added Allocation for NonResident AttributeList (old size:0x%4!I64x!)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_AttrListAllocationSize`	—

Event ID 511 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected exception code of 0x%1!x! received

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 512 — Exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Exception code of 0x%1!x! received during mount.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 513 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected exception code of 0x%1!x! received.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 514 — LogFileFull %1 BackTrace: ln %2; ln %3; ln %4; ln %5; ln %6; ln %7; ln %8; ln %9; ln %10; ln %11; ln %12; ln %13; ln %14; ln %15; ln %16; ln %17; l...

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

LogFileFull %1 BackTrace: ln %2!p!; ln %3!p!; ln %4!p!; ln %5!p!; ln %6!p!; ln %7!p!; ln %8!p!; ln %9!p!; ln %10!p!; ln %11!p!; ln %12!p!; ln %13!p!; ln %14!p!; ln %15!p!; ln %16!p!; ln %17!p!; ln %18!p!; ln %19!p!; ln %20!p!; ln %21!p!;

Fields

Name	Description
`A10_IrpContext->LogFullReason`	—
`A11_BackTrace[0]`	—
`A12_BackTrace[1]`	—
`A13_BackTrace[2]`	—
`A14_BackTrace[3]`	—
`A15_BackTrace[4]`	—
`A16_BackTrace[5]`	—
`A17_BackTrace[6]`	—
`A18_BackTrace[7]`	—
`A19_BackTrace[8]`	—
`A20_BackTrace[9]`	—
`A21_BackTrace[10]`	—
`A22_BackTrace[11]`	—
`A23_BackTrace[12]`	—
`A24_BackTrace[13]`	—
`A25_BackTrace[14]`	—
`A26_BackTrace[15]`	—
`A27_BackTrace[16]`	—
`A28_BackTrace[17]`	—
`A29_BackTrace[18]`	—
`A30_BackTrace[19]`	—

Event ID 515 — Unexpected raise of 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected raise of 0x%1!x! during critical non-raise code

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 516 — NtfsProcessException IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 517 — NtfsProcessException IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 518 — Failed to abort - IrpContext %1, Irp %2, Vcb %3, Count %4, Status %5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Count %4!x!, Status %5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A12_IrpContext->Vcb`	—
`A13_NtfsFailedAborts`	—
`A14_GetExceptionCode()`	—

Event ID 519 — Failed to abort - IrpContext %1, Irp %2, Vcb %3, Scb %4, FileRef %5!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Scb %4!p!, FileRef %5!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A12_IrpContext->Vcb`	—
`A13_NextScb`	—
`A14_*(PULONGLONG)_NextScb->Fcb->FileReference`	—

Event ID 520 — Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x%1!08x!%2!08x!

Fields

Name	Description
`A10_IrpSp->Parameters.Write.ByteOffset.HighPart`	—
`A11_IrpSp->Parameters.Write.ByteOffset.LowPart`	—

Event ID 521 — Setting 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Setting 0x%1!x! in top-level exception status for write @ 0x%2!08x!%3!08x!

Fields

Name	Description
`A10_ExceptionCode`	—
`A11_IrpSp->Parameters.Write.ByteOffset.HighPart`	—
`A12_IrpSp->Parameters.Write.ByteOffset.LowPart`	—

Event ID 522 — [.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields

Name	Description
`A10_IrpSp->MajorFunction`	—
`A11_IrpSp->MinorFunction`	—
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 523 — [.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields

Name	Description
`A10_IrpSp->MajorFunction`	—
`A11_IrpSp->MinorFunction`	—
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 524 — Can't handle invalid bitmap in a positive way.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Can't handle invalid bitmap in a positive way.

Event ID 525 — NTFS ETW tracing is now active.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS ETW tracing is now active.

Event ID 526 — Updating NtfsMinTrimTotalSize to %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Updating NtfsMinTrimTotalSize to %1!x!.

Fields

Name	Description
`A10_MinTrimTotalSize`	—

Event ID 527 — Updating NtfsMaxTrimTotalSize to %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Updating NtfsMaxTrimTotalSize to %1!x!.

Fields

Name	Description
`A10_MaxTrimTotalSize`	—

Event ID 528 — NtfsSetObjectId: Caller does not have restore access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 529 — NtfsSetObjectIdExtendedInfo: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetObjectIdExtendedInfo: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 530 — NtfsDeleteObjectId: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 531 — %1: Setting RM at 0x%2 ({%3}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)Vcb->TxfVcb.DefaultRm`	—
`A12__Vcb->TxfVcb.DefaultRm->RmId`	—

Event ID 532 — NtfsFsQuotaSetInfo: Denying access due to administrator limit.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 533 — NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, Ccb Flags: 0x%10!08x!.

Event ID 534 — Unexpected Paging-Read on DAX mappable stream, Scb=.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected Paging-Read on DAX mappable stream, Scb=%1!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 535 — NtfsSetReparsePoint: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 536 — NtfsSetReparsePointEx: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetReparsePointEx: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 537 — NtfsDeleteReparsePoint: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeleteReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 538 — NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->LogFileObject`	—
`A12_IrpContext`	—

Event ID 539 — NtfsReleaseVcbCheckDelete - deleted Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - deleted Vcb: %1!p!, IC: %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 540 — NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_Vcb->LogFileObject`	—
`A12_IrpContext`	—

Event ID 541 — NtfsAbortTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 542 — NtfsAbortTransaction IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->TransactionId`	—

Event ID 543 — DoAction::InitializeFRS IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction::InitializeFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—

Event ID 544 — DoAction::DeallocateFRS IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction::DeallocateFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—

Event ID 545 — DoAction::WriteEndOfFRS IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction::WriteEndOfFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x! Off:0x%6!x!, Len:0x%7!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A14_Attribute->TypeCode`	—
`A15_LogRecord->RecordOffset`	—
`A16_Length`	—

Event ID 546 — DoAction::CreateAttribute IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction::CreateAttribute IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A14_((PATTRIBUTE_RECORD_HEADER)Data)->TypeCode`	—

Event ID 547 — NtfsRestartChangeValue IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartChangeValue IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, FileRef:0x%5!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A14_NtfsFullSegmentNumber( _FileReference )`	—

Event ID 548 — DoAction::SetNewAttributeSizes IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction::SetNewAttributeSizes IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x! OLD: Alloc:%5!I64x!, FileSize:%6!I64x!, VDL:%7!I64x!, TotalAlloc:%8!I64x! NEW: Alloc:%9!I64x!, FileSize:%10!I64x!, VDL:%11!I64x!, TotalAlloc:%12!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecord->SegmentNumberHighPart`	—
`A12_FileRecord->SegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )`	—
`A14_Attribute->Form.Nonresident.AllocatedLength`	—
`A15_Attribute->Form.Nonresident.FileSize`	—
`A16_Attribute->Form.Nonresident.ValidDataLength`	—
`A17_Attribute->Form.Nonresident.TotalAllocated`	—
`A18_Sizes->AllocationSize`	—
`A19_Sizes->FileSize`	—
`A20_Sizes->ValidDataLength`	—
`A21_Sizes->TotalAllocated`	—

Event ID 549 — DoAction(SetBitsInNonresidentBitMap) IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction(SetBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 550 — DoAction(ClearBitsInNonresidentBitMap) IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

DoAction(ClearBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 551 — NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Event ID 552 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!.

Event ID 553 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!.

Event ID 554 — NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Txf Writers Count: %7!d!.

Event ID 555 — NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Original status: %7!S!.

Event ID 556 — NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Event ID 557 — NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Event ID 558 — NtfsCheckFileForDelete: Denying access due to file is not deleteable.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Event ID 559 — NtfsCheckFileForDelete: Denying access due to target file is read only.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 560 — NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb AccessFlags: 0x%7!08x!, TxfAccessCheck access status: %8!S!.

Event ID 561 — NtfsCheckFileForDelete: Denying access due to failing to remove image section.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Event ID 562 — NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 563 — NtfsRepairItem: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 564 — NtfsSetRepairState: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 565 — NtfsInitiateRepair: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 566 — NTFS ETW tracing is shutting down.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NTFS ETW tracing is shutting down.

Event ID 567 — NtfsDefineStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 568 — NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 569 — NtfsRepairStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRepairStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 570 — NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Fcb State: 0x%7!08x!, Ccb FullFileName: %8!S!.

Event ID 571 — NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsSetStorageReserveIdInfo: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 572 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsChangeStorageReserveId: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Operation flags: 0x%9!08x!.

Event ID 573 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area".

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area". Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 574 — Failed to get a non-volatile token for Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Failed to get a non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 575 — Failed to free non-volatile token for Vcb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Failed to free non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 576 — NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: %1!p!, TotalAllocated: 0x%2!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_Scb->TotalAllocated`	—

Event ID 577 — NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: %1!p!, Lsn: %2!I64x!

Fields

Name	Description
`A10_CurrentClusters`	—
`A11_CurrentClusters->Lsn.QuadPart`	—

Event ID 578 — ClustersLinkAsHead.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

ClustersLinkAsHead: %1!p!, FlagsToMatch: 0x%2!x!, InsertAfter: %3!S!

Fields

Name	Description
`A10_ClustersLinkAsHead`	—
`A11_FlagsToMatch`	—
`A12_InsertAfter`	—

Event ID 579 — Clusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Clusters: %1!p!, Flags: 0x%2!x!

Fields

Name	Description
`A10_Clusters`	—
`A11_Clusters->Flags`	—

Event ID 580 — Matching cluster.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Matching cluster: %1!p!, NumberOfRuns: 0x%2!x!

Fields

Name	Description
`A10_Clusters`	—
`A11_NumberOfRuns`	—

Event ID 581 — Clusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Clusters: %1!p!

Fields

Name	Description
`A10_Clusters`	—

Event ID 582 — Allocated new deallocated clusters

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Allocated new deallocated clusters

Event ID 583 — Need to add Range.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Need to add Range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields

Name	Description
`A10_!FlagOn( Clusters->Flags, DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )`	—
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 584 — Added range.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Added range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields

Name	Description
`A10_!FlagOn( Clusters->Flags, DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )`	—
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 585 — TxfCheckForLockConflict: File locked for modify transaction.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfCheckForLockConflict: File locked for modify transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!,Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfFcb Flags: 0x%7!08x!, ShareMode: 0x%8!08x!.

Event ID 586 — TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Event ID 587 — TxfCheckForLockConflict: Modification access desired.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfCheckForLockConflict: Modification access desired. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Event ID 588 — TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!, Reader cleanup count: %8!d!.

Event ID 589 — %1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A14_(PVOID)TxfRmcb`	—
`A15__TxfRmcb->RmId`	—
`A16_(PVOID)TxfTrans`	—
`A17__TxfTrans->KtmUow`	—
`A18_AbortReasonStatus`	—

Event ID 590 — %1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A14_(PVOID)TxfRmcb`	—
`A15__TxfRmcb->RmId`	—
`A16_(PVOID)TxfTrans`	—
`A17__TxfTrans->KtmUow`	—
`A18_Status`	—

Event ID 591 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_TxfTrans`	—
`A14__TxfTrans->KtmUow`	—

Event ID 592 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_TxfTrans`	—
`A14__TxfTrans->KtmUow`	—

Event ID 593 — %1: RM at 0x%2 {%3}: Unexpected exception code of 0x%4 received.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}: Unexpected exception code of 0x%4!x! received.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb`	—
`A12__CalloutParameters->TxfFlush.TxfRmcb->RmId`	—
`A13_GetExceptionCode()`	—

Event ID 594 — %1: TxfStartRm reports RM will be reset: RM metadata corrupt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 595 — %1: TxfStartRm reports RM will be reset: TM could not be initialized.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: TM could not be initialized

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 596 — %1: TxfStartRm reports RM will be reset: RM log corrupt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: RM log corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 597 — %1: TxfStartRm reports RM will be reset: log version changed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: log version changed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 598 — %1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 599 — %1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 600 — %1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 601 — %1: TxfStartRm reports RM will be reset: 0x%2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: 0x%2!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 602 — %1: RM did not start and WILL NOT be reset, status code is 0x%2!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM did not start and WILL NOT be reset, status code is 0x%2!x!!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 603 — %1: Could not initialize IrpContext: 0x%2.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Could not initialize IrpContext: 0x%2!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 604 — TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 605 — %1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2 for default RM on VCB at 0x%3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2!x! for default RM on VCB at 0x%3!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TempStatus`	—
`A12_(PVOID)Vcb`	—

Event ID 606 — %1: Exception code 0x%2, Status 0x%3 for default RM on VCB at 0x%4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Exception code 0x%2!x!, Status 0x%3!x! for default RM on VCB at 0x%4!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_GetExceptionCode()`	—
`A12_Status`	—
`A13_(PVOID)Vcb`	—

Event ID 607 — %1: Couldn't reset default RM on VCB at 0x%2 after %3 tries: 0x%4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Couldn't reset default RM on VCB at 0x%2!p! after %3!d! tries: 0x%4!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)Vcb`	—
`A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT`	—
`A13_OldStatus`	—

Event ID 608 — %1: Exception 0x%2 raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Exception 0x%2!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3!p!.  RM will NOT be reset.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_GetExceptionCode()`	—
`A12_(PVOID)Vcb`	—

Event ID 609 — %1: %2 auto-restart of RM at 0x%3 ({%4}): 0x%5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: %2!S! auto-restart of RM at 0x%3!p! ({%4!S!}): 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')`	—
`A12_(PVOID)TxfRmcb`	—
`A13__TxfRmcb->RmId`	—
`A14_Status`	—

Event ID 610 — %1: Attempting auto-restart of RM at 0x%2 ({%3}).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Attempting auto-restart of RM at 0x%2!p! ({%3!S!})

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 611 — %1: Volume too small to start RM at 0x%2 ({%3}).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Volume too small to start RM at 0x%2!p! ({%3!S!})

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 612 — %1: Corrupt RM at 0x%2 {%3}: invalid flags in $Tops.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: invalid flags in $Tops

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 613 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 614 — %1: Raising to reset RM at 0x%2 ({%3}): Explicit reset requested.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Raising to reset RM at 0x%2!p! ({%3!S!}): Explicit reset requested

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 615 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 616 — %1: Corrupt RM at 0x%2 {%3}: no TXF_DATA in root.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: no TXF_DATA in root

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 617 — %1: RM at 0x%2 {%3}: Different nesting levels of 0x%4 and 0x%5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}: Different nesting levels of 0x%4!x! and 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_LogNestingLevel`	—
`A14_DiskNestingLevel`	—

Event ID 618 — %1: Corrupt RM at 0x%2 {%3}: restart area already exists.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 619 — %1: Corrupt RM at 0x%2 {%3}: restart area already exists.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 620 — %1: Corrupt RM at 0x%2 {%3}: RmID in restart area does not match {%4}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: RmID in restart area does not match {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13__ClfsRestartArea->RmId`	—

Event ID 621 — %1: Got %2 from ClfsGetLogFileInformation for RM at 0x%3 {%4}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Got %2!d! from ClfsGetLogFileInformation for RM at 0x%3!p! {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_(PVOID)TxfRmcb`	—
`A13__TxfRmcb->RmId`	—

Event ID 622 — %1: Corrupt RM at 0x%2 {%3}: Restart LSN is before beginning of log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Restart LSN is before beginning of log.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 623 — %1: Corrupt RM at 0x%2 {%3}: MinRollforwardEndLsn is beyond end of log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: MinRollforwardEndLsn is beyond end of log.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 624 — %1: TxF RM at 0x%2 {%3} started successfully.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxF RM at 0x%2!p! {%3!S!} started successfully.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 625 — %1: TxF RM at 0x%2 {%3} failed to start with Status 0x%4 %5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: TxF RM at 0x%2!p! {%3!S!} failed to start with Status 0x%4!x! %5!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_Status`	—
`A14_AbnormalTermination() ? '(abnormal termination)' : ''`	—

Event ID 626 — %1: Shutting down %2 RM at 0x%3 {%4}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Shutting down %2!S! RM at 0x%3!p! {%4!S!}.  Shutdown is %5!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(TxfIsDefaultRm( TxfRmcb ) ? 'default' : 'secondary')`	—
`A12_(PVOID)TxfRmcb`	—
`A13__TxfRmcb->RmId`	—
`A14_(ForceDirtyShutdown ? 'DIRTY!' : 'CLEAN.')`	—

Event ID 627 — %1: Setting RM at 0x%2 {%3} up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Setting RM at 0x%2!p! {%3!S!} up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 628 — TxfFlushAndInvalidateExistingStructures: File has open user handles.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CleanupCount: %7!d!.

Event ID 629 — (%1:%2) - TXF_HARD_ERROR on RM at 0x%3 ({%4}): %5).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

(%1:%2!d!) - TXF_HARD_ERROR on RM at 0x%3!p! ({%4!S!}): %5!S!)

Fields

Name	Description
`A10_FILEID_FROM_SOURCE( FileNLine )`	—
`A11_LINENUM_FROM_SOURCE( FileNLine )`	—
`A12_TxfRmcb`	—
`A13__TxfRmcb->RmId`	—
`A14_Status`	—

Event ID 630 — %1: Renamed RM at 0x%2 from {%3} to {%4}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__OldGuid`	—
`A13__TxfRmcb->RmId`	—

Event ID 631 — %1: RM at 0x%2 {%3}, rolling back Tx at 0x%4 {%5}, Status was 0x%6.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}, rolling back Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_(PVOID)TxfTrans`	—
`A14__TxfTrans->KtmUow`	—
`A15_Status`	—

Event ID 632 — %1: Renamed RM at 0x%2 from {%3} to {%4}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__OldGuid`	—
`A13__TxfRmcb->RmId`	—

Event ID 633 — TxfFsctlStartRm: Denying access due starting default RM is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RmRootFcb: %5!p!.

Event ID 634 — TxfFsctlWriteBackupInformation: Denying access due RM is active.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, BackupInfo flags: 0x%5!08x!.

Event ID 635 — %1: Corrupt RM at 0x%2 {%3}: Found too high of a TxF ID in log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found too high of a TxF ID in log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 636 — %1: Error Setting Delete Disposition: 0x%2 FileObject: 0x%3.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Error Setting Delete Disposition: 0x%2!x!  FileObject: 0x%3!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_(PVOID)FileObject`	—

Event ID 637 — %1: Corrupt RM at 0x%2 {%3}: Got a RECOVER notification for a transaction that isn't in-doubt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 638 — TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Attribute Type Code: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 639 — TxfSetupTransactionContextFromCcb: Invalid TxF structure.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Invalid TxF structure. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, TxfFo: %8!p!, KtmTrans: %9!p!, TxfRmcb: %10!p!, Ccb FullFileName: %11!S!

Event ID 640 — TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, FO write access: %10!d!, FO delete access: %11!d!.

Event ID 641 — %1: RM at 0x%2 {%3} raising 0x%4 to KTM!

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} raising 0x%4!x! to KTM!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_ExceptionCode`	—

Event ID 642 — %1: Commit (0x%2) of%3tx {%4} on RM at 0x%5 {%6} failed with 0x%7.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Commit (0x%2!x!) of%3!S!tx {%4!S!} on RM at 0x%5!p! {%6!S!} failed with 0x%7!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TransactionNotification`	—
`A12_(TransactionAlreadyPrepared ? ' PREPARED ' : ' ')`	—
`A13__TxfTrans->KtmUow`	—
`A14_(PVOID)TxfRmcb`	—
`A15__TxfRmcb->RmId`	—
`A16_Status`	—

Event ID 643 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify commit).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify commit)

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_TxfTrans`	—
`A14__TxfTrans->KtmUow`	—

Event ID 644 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify rollback).

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify rollback)

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_TxfTrans`	—
`A14__TxfTrans->KtmUow`	—

Event ID 645 — %1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2 {%3}: 0x%4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2!p! {%3!S!}: 0x%4!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)Trans->TxfRmcb`	—
`A12__Trans->TxfRmcb->RmId`	—
`A13_FlushStatus`	—

Event ID 646 — %1: RM at 0x%2 {%3} trying to abort transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} trying to abort transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_Trans`	—
`A14__Trans->KtmUow`	—

Event ID 647 — %1: Aborting call stack: 0x%2 0x%3 0x%4 0x%5 0x%6.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Aborting call stack: 0x%2!p! 0x%3!p! 0x%4!p! 0x%5!p! 0x%6!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallStack[0]`	—
`A12_CallStack[1]`	—
`A13_CallStack[2]`	—
`A14_CallStack[3]`	—
`A15_CallStack[4]`	—

Event ID 648 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_Trans`	—
`A14__Trans->KtmUow`	—

Event ID 649 — %1: 0x%2 initializing IrpContext for tx at %3 {%4}, RM at %5 {%6}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: 0x%2!x! initializing IrpContext for tx at %3!p! {%4!S!}, RM at %5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_(PVOID)Trans`	—
`A13__Trans->KtmUow`	—
`A14_(PVOID)TxfRmcb`	—
`A15__TxfRmcb->RmId`	—

Event ID 650 — %1: 0x%2 writing log record for RM at 0x%3 {%4}, Tx at 0x%5 {%6}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: 0x%2!x! writing log record for RM at 0x%3!p! {%4!S!}, Tx at 0x%5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_(PVOID)TxfRmcb`	—
`A13__TxfRmcb->RmId`	—
`A14_(PVOID)Trans`	—
`A15__Trans->KtmUow`	—

Event ID 651 — %1: About to force aborts on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: About to force aborts on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 652 — %1: BaseLsn is greater than TargetLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: BaseLsn is greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 653 — %1: No transactions remain on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: No transactions remain on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 654 — %1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 655 — %1: RM at 0x%2 {%3} surprise-aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} surprise-aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_OldestTrans`	—
`A14__OldestTrans->KtmUow`	—

Event ID 656 — %1: RM at 0x%2 {%3} got 0x%4 from TxfTryAbortTransaction on Tx 0x%5 {%6}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} got 0x%4!x! from TxfTryAbortTransaction on Tx 0x%5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_Status`	—
`A14_OldestTrans`	—
`A15__OldestTrans->KtmUow`	—

Event ID 657 — %1: Inactive RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Inactive RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 658 — %1: Log is pinned on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Log is pinned on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 659 — %1: RM at 0x%2 {%3}, rolling back KTM Tx at 0x%4 {%5}, Status was 0x%6.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}, rolling back KTM Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_(PVOID)TransToDereference`	—
`A14__TransToDereference->KtmUow`	—
`A15_Status`	—

Event ID 660 — %1: Log pinned trying to advance RestartLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Log pinned trying to advance RestartLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 661 — %1: Log pinned by doomed transaction on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Log pinned by doomed transaction on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 662 — %1: Reporting 0x%2 to CLFS from RM at 0x%3 {%4}: 0x%5.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Reporting 0x%2!X! to CLFS from RM at 0x%3!p! {%4!S!}: 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PinnedStatus`	—
`A12_(PVOID)TxfRmcb`	—
`A13__TxfRmcb->RmId`	—
`A14_Status`	—

Event ID 663 — %1: Done forcing aborts on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Done forcing aborts on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 664 — %1: Corrupt RM at 0x%2 {%3}: $Txf directory is missing in pre-existing RM.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Txf directory is missing in pre-existing RM

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 665 — %1: Corrupt RM at 0x%2 {%3}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 666 — %1: Corrupt RM at 0x%2 {%3}: Found non-empty $Txf but there is no log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found non-empty $Txf but there is no log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 667 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find $INDEX_ROOT on $Txf.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 668 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find TXF_DATA_ATTR on $Txf.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 669 — %1: Corrupt RM at 0x%2 {%3}: Found TXF_DATA_ATTR for normal file on $Txf.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 670 — %1: Corrupt RM at 0x%2 {%3}: Expected a secondary RM here.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Expected a secondary RM here

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 671 — %1: Corrupt RM at 0x%2 {%3}: $Tops is missing but $Txf is non-empty.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but $Txf is non-empty

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 672 — %1: Corrupt RM at 0x%2 {%3}: $Tops is missing but there is already a log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but there is already a log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 673 — %1: Corrupt RM at 0x%2 {%3}: $Tops is %4.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is %4!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—
`A13_(IsEncrypted( _TopsFcb->Info ) ? 'encrypted' : 'compressed')`	—

Event ID 674 — %1: Corrupt RM at 0x%2 {%3}: Missing $STANDARD_INFORMATION.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Missing $STANDARD_INFORMATION

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 675 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find file attributes.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find file attributes

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 676 — %1: Corrupt RM at 0x%2 {%3}: $Tops is corrupt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is corrupt

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 677 — %1: Corrupt RM at 0x%2 {%3}: Could not find unnamed data stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Could not find unnamed data stream

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 678 — %1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong version or records wrong size.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong version or records wrong size

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 679 — %1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong size.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong size

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 680 — %1: Corrupt RM at 0x%2 {%3}: Non-NULL RM ID found in $Tops and there is no log.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 681 — %1: Corrupt RM at 0x%2 {%3}: Epoch in $Tops metadata doesn't match RM.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Epoch in $Tops metadata doesn't match RM

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 682 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find $T stream.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $T stream

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_(PVOID)TxfRmcb`	—
`A12__TxfRmcb->RmId`	—

Event ID 683 — NtfsReadUsnJournal: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsReadUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 684 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Decided to trim usn journal.  FirstValidUsn %3!I64x!, new FirstValidUsn %4!I64x!, FS %5!I64x!, AS %6!I64x!, MaxSize %7!I64x!, DeltaSize %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Vcb->FirstValidUsn`	—
`A13_FirstValidUsn`	—
`A14_TrackUsnJournalFileSize`	—
`A15_TrackUsnJournalAllocationSize`	—
`A16_TrackUsnJournalMaxSize`	—
`A17_TrackUsnJournalDeltaAllocation`	—

Event ID 685 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): About to delete allocation till %3!I64x!, SavedReserve %4!I64x!, RequiredReserve %5!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_FirstValidUsn - 1`	—
`A13_SavedReserved`	—
`A14_RequiredReserved`	—

Event ID 686 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Before trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_UsnJournal->Header.AllocationSize.QuadPart`	—
`A13_UsnJournal->Header.FileSize.QuadPart`	—
`A14_UsnJournal->Header.ValidDataLength.QuadPart`	—
`A15_UsnJournal->TotalAllocated`	—

Event ID 687 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): After trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_UsnJournal->Header.AllocationSize.QuadPart`	—
`A13_UsnJournal->Header.FileSize.QuadPart`	—
`A14_UsnJournal->Header.ValidDataLength.QuadPart`	—
`A15_UsnJournal->TotalAllocated`	—

Event ID 688 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Mapping pairs validated

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 689 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Checkpointed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 690 — NtfsQueryUsnJournal: Denying access due to NULL Ccb.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!.

Event ID 691 — NtfsDeleteUsnJournal: Caller does not have manage volume access.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 692 — NtfsRestartUsnJournal: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsRestartUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 693 — NtOfsCreateAttributeEx: Stream already has a open user handle.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtOfsCreateAttributeEx: Stream already has a open user handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb CleanupCount: %10!d!.

Event ID 694 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Extending journal from AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, to AS %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContext->OriginatingIrp`	—
`A13_PsGetCurrentThread()`	—
`A14_Scb->Header.AllocationSize.QuadPart`	—
`A15_Scb->Header.FileSize.QuadPart`	—
`A16_Scb->Header.ValidDataLength.QuadPart`	—
`A17_NewAllocationSize`	—

Event ID 695 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Done extending journal AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, TA %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContext->OriginatingIrp`	—
`A13_PsGetCurrentThread()`	—
`A14_Scb->Header.AllocationSize.QuadPart`	—
`A15_Scb->Header.FileSize.QuadPart`	—
`A16_Scb->Header.ValidDataLength.QuadPart`	—
`A17_Scb->TotalAllocated`	—

Event ID 696 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsWriteFileSizes

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContext->OriginatingIrp`	—
`A13_PsGetCurrentThread()`	—

Event ID 697 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContext->OriginatingIrp`	—
`A13_PsGetCurrentThread()`	—

Event ID 698 — NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtOfsPostNewLength (%1!p!,%2!p!,%3!p!): Status %4!x! before calling NtfsReadUsnJournal

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContext->OriginatingIrp`	—
`A12_PsGetCurrentThread()`	—
`A13_IrpContext->ExceptionStatus`	—

Event ID 699 — NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x%1!I64x!, Scb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Clusters: 0x%5!I64x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_Scb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_ClusterCount`	—

Event ID 700 — Vcb %1 - has no active PFNs.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p! - has *no* active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 701 — Vcb %1 - failed to query active PFNs assuming there are some.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p! - failed to query active PFNs assuming there are some

Fields

Name	Description
`A10_Vcb`	—

Event ID 702 — Vcb %1 - has active PFNs.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Vcb %1!p! - has active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 703 — NtfsPerformDismountOnVcb: Vcb %1.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 704 — NtfsPerformDismountOnVcb: Vcb %1 - Found frozen deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - Found frozen deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 705 — NtfsPerformDismountOnVcb: Vcb %1 - Wait for any on going trim to finish.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - Wait for any on going trim to finish

Fields

Name	Description
`A10_Vcb`	—

Event ID 706 — NtfsPerformDismountOnVcb: Vcb %1 - No more on going trim.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - No more on going trim

Fields

Name	Description
`A10_Vcb`	—

Event ID 707 — NtfsPerformDismountOnVcb: IC.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPerformDismountOnVcb: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 708 — NtfsPostVcbIsCorrupt.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPostVcbIsCorrupt(%1!p!, %2!x!, %3!p!, %4!p!, %5!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == %6!x! before NtfsSetVcbDirtyFlag.

Fields

Name	Description
`A10_IrpContext`	—
`A11_Status`	—
`A12_FileReference`	—
`A13_Fcb`	—
`A14_Source`	—
`A15_TopLevelExceptionStatus`	—

Event ID 709 — NtfsPostVcbIsCorrupt: Marking volume dirty.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb %1!p!, WasDirty: %2!x!, FileReference %3!I64x!, Source %4!016I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_WasDirty`	—
`A12_NtfsFullSegmentNumber( _BugCheckFileReference )`	—
`A13_Source`	—

Event ID 710 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Event ID 711 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Event ID 712 — Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Succeeding log write @ 0x%1!08x!%2!08x! after getting 0x%3!x! in top-level irpcontext

Fields

Name	Description
`A10_IrpSp->Parameters.Write.ByteOffset.HighPart`	—
`A11_IrpSp->Parameters.Write.ByteOffset.LowPart`	—
`A12_IrpContext->TopLevelIrpContext->ExceptionStatus`	—

Event ID 713 — Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=%1!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 714 — NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RequestedRange: 0x%5!I64x!, AllowedRange: 0x%6!I64x!.

Event ID 715 — Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Ignoring write to 0x%1!I64x!, SCB length is 0x%2!I64x! for SCB 0x%3!Ix!

Fields

Name	Description
`A10_StartingVbo`	—
`A11_Scb->Header.ValidDataLength.QuadPart`	—
`A12_(ptrdiff_t) Scb`	—

Event ID 716 — Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog_a7a8d4b5051e3de1574b6c625a6a54cc
Channel: Operational

Message

Truncating write from 0x%1!I64x! to 0x%2!I64x! for SCB 0x%3!Ix!

Fields

Name	Description
`A10_ByteRange`	—
`A11_SectorAlignedVdl`	—
`A12_(ptrdiff_t) Scb`	—