Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f

708 events across 1 channel

Event ID	Title	Channel
10	NtfsLookupRealAllocation: Vcn %1!	Operational
11	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.	Operational
12	FileObject.	Operational
13	NtfsAddAllocation IC.	Operational
14	Purge failed: Scb.	Operational
15	Purge failed: Scb.	Operational
16	NtfsGetLastVcnForNewMappingPairSize IC.	Operational
17	Can't find StdInfo in FileRef %1!	Operational
18	Can't find StdInfo in FileRef %1!	Operational
19	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.	Operational
20	NtfsAddAttributeAllocation.	Operational
21	NtfsAddAttributeAllocation.	Operational
22	NtfsAddAttributeAllocation.	Operational
23	NtfsAddAttributeAllocation.	Operational
24	NtfsAddAttributeAllocation.	Operational
25	NtfsAddAttributeAllocation.	Operational
26	NtfsRestartRemoveAttribute FileRef:0x.	Operational
27	NtfsRestartChangeValue FileRef:0x.	Operational
28	AddToAttributeList.	Operational
29	DeleteFromAttributeList.	Operational
30	MakeRoomForAttribute Moving Mft's attribute IC.	Operational
31	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.	Operational
32	MoveAttributeToOwnRecord IC.	Operational
33	NtfsRestartZeroEndOfFileRecord FileRef:0x.	Operational
34	MergeFRS2.	Operational
35	MergeFRS2.	Operational
36	MergeFRS2.	Operational
37	MergeFRS2.	Operational
38	MergeFRS2.	Operational
39	MergeFRS2.	Operational
40	MergeFRS2.	Operational
41	MergeFRS2.	Operational
42	MergeFRS2.	Operational
43	MergeFRS2.	Operational
44	MergeFRS2.	Operational
45	MergeFRS2.	Operational
46	MergeFRS2.	Operational
47	MergeFRS2.	Operational
48	RedoAttribute.	Operational
49	RedoAttribute.	Operational
50	NtfsConsolidateAllFileRecords: Invalid Vcb.	Operational
51	NtfsConsolidateAllFileRecords: Volume is locked.	Operational
52	NtfsConsolidateAllFileRecords.	Operational
53	NtfsConsolidateAllFileRecords.	Operational
54	NtfsConsolidateAllFileRecords.	Operational
55	NtfsConsolidateAllFileRecords.	Operational
56	NtfsConsolidateAllFileRecords.	Operational
57	NtfsConsolidateAllFileRecords.	Operational
58	NtfsConsolidateAllFileRecords.	Operational
59	NtfsConsolidateAllFileRecords.	Operational
60	NtfsConsolidateAllFileRecords.	Operational
61	NtfsConsolidateAllFileRecords.	Operational
62	NtfsConsolidateAllFileRecords.	Operational
63	NtfsConsolidateAllFileRecords.	Operational
64	NtfsConsolidateAllFileRecords.	Operational
65	NtfsConsolidateAllFileRecords.	Operational
66	UpdateLCS: Vcb %1, IC %2, FRef %3!	Operational
67	NtfsAllocateClustersPriv IC.	Operational
68	NtfsAllocateClustersPriv IC.	Operational
69	NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.	Operational
70	NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.	Operational
71	NtfsAllocateClustersPriv IC.	Operational
72	NtfsAllocateClustersPriv IC.	Operational
73	NtfsDeallocateClusters IC.	Operational
74	NtfsDeallocateClusters: Vcb %1 - deleting FR %2!	Operational
75	NtfsDeallocateClusters IC.	Operational
76	NtfsDeallocateClusters: Vcb %1 - deleting FR %2!	Operational
77	NtfsDeallocateClusters: Vcb %1 - raising logfile full.	Operational
78	NtfsDeallocateClusters: Vcb %1 - adding clusters to DeallocatedClusters: %2 ==> …	Operational
79	NtfsDeallocateClusters: Decremented TotalAllocated by 0x.	Operational
80	NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.	Operational
81	NtfsDeallocateClusters: Vcb %1 - Undoing some changes to …	Operational
82	NtfsDeallocateClusters IC.	Operational
83	NtfsDeallocateClusters IC.	Operational
84	NtfsModifyBitsInBitmap IC.	Operational
85	NtfsModifyBitsInBitmap IC.	Operational
86	NtfsAllocateBitmapRun IC.	Operational
87	NtfsAllocateBitmapRun IC.	Operational
88	NtfsRestartSetBitsInBitMap IC.	Operational
89	NtfsFreeBitmapRun IC.	Operational
90	NtfsFreeBitmapRun IC.	Operational
91	NtfsRestartClearBitsInBitMap IC.	Operational
92	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
93	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
94	NtfsSetOrClearBitsUsingBaseMcb IC.	Operational
95	System files not marked as in use in the MFT bitmap.	Operational
96	Length: 0 --> BinIndex : 0 - Unexpected length	Operational
97	Length.	Operational
98	Length.	Operational
99	BinIndex.	Operational
100	BinIndex.	Operational
101	BinGroupShift.	Operational
102	BinIndex.	Operational
103	Searched committed allocations but didnt find enough free space.	Operational
104	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): first bit 0x%2, …	Operational
105	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no leading partial …	Operational
106	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): leading partial …	Operational
107	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no trailing …	Operational
108	NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): trailing partial …	Operational
109	NtfsValidateTotalClustersCommitted.	Operational
110	Illegal MDL Complete for major code %1.	Operational
111	Entering: Scb.	Operational
112	RunEntry ==> %1!	Operational
113	Offset is beyond this extent skipping the extent.	Operational
114	Shrinking LengthInExtent.	Operational
115	Zeroing: StartingPhysicalAddr: 0x.	Operational
116	Exiting: ExtentsDescriptorIndex.	Operational
117	Entering: Scb.	Operational
118	Dsm Ranges[.	Operational
119	RemainingClusterCount: 0x.	Operational
120	Dsm: TotalNumberOfRanges.	Operational
121	DsmOut Ranges[.	Operational
122	Zeroing: StartingPhysicalAddr: 0x.	Operational
123	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
124	Entering: Scb.	Operational
125	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational
126	IrpContext.	Operational
127	Return.	Operational
128	Unexpected open type received.	Operational
129	Raising STATUS_SUCCESS from NtfsCommonCleanup.	Operational
130	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
131	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational
132	Irp.	Operational
133	Irp.	Operational
134	NtfsCommonCreate: Volume is locked.	Operational
135	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational
136	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
137	NtfsCommonVolumeOpen: Thread.	Operational
138	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational
139	NtfsCommonVolumeOpen: Conlicting file objects.	Operational
140	NtfsHandlePagingFile: Paging file already open, paging files can only be opened …	Operational
141	NtfsHandlePagingFile: Cannot open system file as paging file.	Operational
142	NtfsHandlePagingFile: Persisted paging file already exists.	Operational
143	NtfsOpenFcbById: Invalid system file access.	Operational
144	NtfsOpenExistingPrefixFcb: Can not directly open txf directory.	Operational
145	NtfsOpenExistingPrefixFcb: Invalid system file access.	Operational
146	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …	Operational
147	NtfsOpenFile: Invalid system file access.	Operational
148	NtfsOpenFile: Deny open when txf rm is active.	Operational
149	NtfsCreateNewFile: Deny creation in system directory (except root).	Operational
150	NtfsCreateNewFile: Unable to create Ea for the file.	Operational
151	NtfsCreateNewFile: Unable to create in the $txf directory.	Operational
152	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.	Operational
153	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.	Operational
154	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.	Operational
155	NtfsOpenAttributeInExistingFile: Denying access for volume root directory.	Operational
156	NtfsCreateNewFile: Not allowed to create streams on system files.	Operational
157	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …	Operational
158	NtfsOverwriteAttr: Denying access due to user being Ea blind.	Operational
159	NtfsOverwriteAttr: Deny access due to encryption happening on the stream.	Operational
160	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …	Operational
161	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …	Operational
162	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational
163	NtfsOpenAttributeCheck: File already has user writable references.	Operational
164	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.	Operational
165	NtfsOpenAttributeCheck: File was granted write access but has image section.	Operational
166	NtfsOpenAttribute: Denying write access on disallowed writes.	Operational
167	NtfsOpenAttribute: File already has user writable references.	Operational
168	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
169	NtfsOpenAttribute: File already has user writable references.	Operational
170	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational
171	NtfsCheckExistingFile: Desired access conflicts with read-only state.	Operational
172	NtfsOpenExistingEncryptedStream: No encryption driver found.	Operational
173	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …	Operational
174	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …	Operational
175	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational
176	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
177	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
178	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational
179	NtfsReCheckShareAccess: Does not meet allow open requirement.	Operational
180	%1:%2 Status: %3 ProcessName: %4.	Operational
181	%1:%2 Status: %3 ProcessName: %4.	Operational
182	%1:%2 Status: %3 ProcessName: %4.	Operational
183	%1:%2 Status: %3 ProcessName: %4.	Operational
184	NtfsSendUnusedClustersHint: Vcb %1 - Will tell storage we are freeing at %2!	Operational
185	NtfsSendUnusedClustersHint: Vcb %1 - Flush requested.	Operational
186	NtfsSendUnusedClustersHint: Vcb %1 - Created new MarkUnusedContext %2, …	Operational
187	NtfsSendUnusedClustersHint: Vcb %1 - Successfully added clusters starting at %2!	Operational
188	NtfsSendUnusedClustersHint: Vcb %1 - MCB %2 is full.	Operational
189	NtfsSendUnusedClustersHint: Vcb %1 - Queuing request to IC pre-trim list, MUC …	Operational
190	NtfsSendUnusedClustersHint: Vcb %1 - Failed to allocate/initial …	Operational
191	NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!	Operational
192	NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!	Operational
193	NtfsMarkUnusedContextPostTrimProcessing: Entering	Operational
194	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - DC %3!	Operational
195	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - Removed interior …	Operational
196	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - Releasing bitmap.	Operational
197	NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - CloseCount %2.	Operational
198	NtfsMarkUnusedContextPostTrimProcessing: Leaving	Operational
199	NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1.	Operational
200	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1, IC %2 - Entering.	Operational
201	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Kicked off DelayedWorkQueue.	Operational
202	NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Leaving.	Operational
203	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1.	Operational
204	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Small MUC %2 instead of …	Operational
205	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Failed to allocate …	Operational
206	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl …	Operational
207	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - [%3] Offset %4!	Operational
208	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2, Irp %3 - …	Operational
209	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - %3 - failed to …	Operational
210	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Add MUC %2 to post trim …	Operational
211	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Free small MUC %2.	Operational
212	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl …	Operational
213	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving	Operational
214	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - There are waiters for DC %2.	Operational
215	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Waking up waiter for DC %2.	Operational
216	NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Done waking up DC %2.	Operational
217	NtfsWaitForDeallocatedClustersToDrain: Vcb %1, All %2 - Entering.	Operational
218	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting to drain.	Operational
219	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting for partial drain.	Operational
220	NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.	Operational
221	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Entering.	Operational
222	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Inserted %2.	Operational
223	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.	Operational
224	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1 - Wait for DC %2.	Operational
225	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded …	Operational
226	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded …	Operational
227	NtfsCheckForTrimThrottling: Vcb %1 - hitting trim threshold %2.	Operational
228	NtfsUpdateSmartTrimState: Vcb %1 - Entering.	Operational
229	NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed.	Operational
230	NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed; …	Operational
231	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - Skipping deallocated clusters gen'd …	Operational
232	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - MCB run %3; offs 0x%4!	Operational
233	NtfsUpdateSmartTrimState: Vcb %1 - MUC %2, DSR count %3, MCB count %4, ST free …	Operational
234	NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - DSR range %3; offs 0x%4!	Operational
235	NtfsUpdateSmartTrimState: Vcb %1 - MCB lcn %2!	Operational
236	NtfsUpdateSmartTrimState: Vcb %1 - Smart trim state on exit; %2 ranges.	Operational
237	NtfsUpdateSmartTrimState: Vcb %1 - Range %2: FirstTPMapBit 0x%3, LastTPMapBit …	Operational
238	NtfsUpdateSmartTrimState: Vcb %1 - Leaving.	Operational
239	NtfsEvalSmartTrimState: Vcb %1 - Entering.	Operational
240	NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed.	Operational
241	NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredBitmap %2.	Operational
242	NtfsEvalSmartTrimState: Vcb %1 - Checking slab 0x%2 for allocations.	Operational
243	NtfsEvalSmartTrimState: Vcb %1 - Slab 0x%2 has allocations, will not trim.	Operational
244	NtfsEvalSmartTrimState: Vcb %1 - Free slab found - TP map bit 0x%2, lcn %3!	Operational
245	NtfsEvalSmartTrimState: Vcb %1 - Leaving.	Operational
246	NtfsFlushAllTrimHintsSynchronous.	Operational
247	NtfsFlushAllTrimHintsSynchronous.	Operational
248	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.	Operational
249	NtfsVolumeDasdIo: Data section blocking flush.	Operational
250	Could not find paging file run.	Operational
251	Could not find paging file MCB entry.	Operational
252	Could not find paging file run.	Operational
253	Writing to $Bitmap.	Operational
254	NTFS: Posting hotfix on file object.	Operational
255	NTFS: Freeing Bad Vcn.	Operational
256	NTFS: Retiring Bad Lcn.	Operational
257	NTFS: Reallocating Bad Vcn	Operational
258	NTFS: Bad Cluster replaced	Operational
259	IrpContext.	Operational
260	Compression buffers are already big enough.	Operational
261		Operational
262	IrpContext.	Operational
263	Compression buffers are already big enough.	Operational
264		Operational
265	NtfsDefragFileInternal: Defrag is denied.	Operational
266	NtfsDefragFileInternal: Vcb %1 - Calling FRD.	Operational
267	NtfsDefragFileInternal: Vcb %1 - Done calling FRD.	Operational
268	NtfsDefragFileInternal: Defrag is denied.	Operational
269	NtfsDefragFileInternal.	Operational
270	NtfsDefragFileInternal.	Operational
271	NtfsDefragFileInternal.	Operational
272	NtfsDefragFileInternal.	Operational
273	NtfsDefragFileInternal.	Operational
274	NtfsDefragFileInternal.	Operational
275	NtfsDefragFile: Defrag is denied without manage volume access.	Operational
276	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
277	NtfsEncryptDecryptOnline: Vcb %1 - Calling FRD.	Operational
278	NtfsEncryptDecryptOnline: Vcb %1 - Done calling FRD.	Operational
279	NtfsEncryptDecryptOnline: Defrag is denied.	Operational
280	SCB.	Operational
281	StartOff=0x.	Operational
282	NumberOfValidRuns: 0	Operational
283	RemainingClusterCount: 0x.	Operational
284	STATUS_BUFFER_TOO_SMALL from FsLib.	Operational
285	Made an educated guess for remaining runs.	Operational
286	Made a wild guess for remaining runs.	Operational
287	NumberOfValidRuns: 0x.	Operational
288	BasePage: 0x.	Operational
289	About to zero range - ZeroStart: 0x.	Operational
290	Zeroed range - ZeroStart: 0x.	Operational
291	NtfsCommonQueryInformation: File information query not allowed as file was …	Operational
292	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …	Operational
293	NtfsQueryNameInfo: Name info query not allowed as file was opened without …	Operational
294	NtfsQueryLinksInfo: Link info query not allowed as file was opened without …	Operational
295	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.	Operational
296	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.	Operational
297	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
298	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
299	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …	Operational
300	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational
301	NtfsSetRenameInfo: Can not rename a file marked for deletion.	Operational
302	NtfsSetRenameInfo: Can not rename a txf directory.	Operational
303	NtfsSetRenameInfo: Can not rename into a system directory.	Operational
304	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.	Operational
305	NtfsSetRenameInfo: The file should not have in-memory directory descendents.	Operational
306	NtfsSetRenameInfo: Child Scb mismatch.	Operational
307	NtfsSetLinkInfo: Set link info is not allowed on txf directory.	Operational
308	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.	Operational
309	NtfsSetLinkInfo: Set link info failed due to caller not having …	Operational
310	NtfsSetLinkInfo: Creating a link in system directory is not allowed.	Operational
311	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.	Operational
312	NtfsSetShortNameInfo: Can not set a short name on a deleted file.	Operational
313	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …	Operational
314	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …	Operational
315	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.	Operational
316	NtfsStreamRename: Deny access due to encryption happening on source stream.	Operational
317	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.	Operational
318	NtfsFlushVolumeFlushSingleFcb: Thread.	Operational
319	NtfsFlushVolumeFlushSingleFcb: Thread.	Operational
320	NtfsFlushVolume: Thread.	Operational
321	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.	Operational
322	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.	Operational
323	NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into completion queue.	Operational
324	NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into WorkQueue - Flink %3.	Operational
325	NtfsDiskFlushContextWorkItemProcessing: Process work item	Operational
326	NtfsDiskFlushContextWorkItemProcessing: Nothing to work on	Operational
327	Irp.	Operational
328	NtfsLockVolumeInternal: Cannot lock the volume.	Operational
329	NtfsLockVolumeInternal: Volume is already locked.	Operational
330	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
331	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational
332	NtfsLockVolumeInternal: Outstanding user files open after flush and retry.	Operational
333	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …	Operational
334	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.	Operational
335	%1: Setting RM at 0x%2 ({%3}) up for auto-restart.	Operational
336	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …	Operational
337	NtfsDismountVolume: IC.	Operational
338	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
339	NtfsDismountVolume: Cannot dismount volume due to volume being locked.	Operational
340	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational
341	NtfsDismountVolume: Could not flush trim hints.	Operational
342	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …	Operational
343	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …	Operational
344	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …	Operational
345	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …	Operational
346	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
347	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational
348	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …	Operational
349	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …	Operational
350	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …	Operational
351	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …	Operational
352	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …	Operational
353	NtfsSetSparse: Caller does not have appropriate write access to the stream.	Operational
354	NtfsSetSparse: Cannot desparse encrypted file without write data access.	Operational
355	NtfsZeroRange: User mode caller not allowed.	Operational
356	IC.	Operational
357	IC.	Operational
358	NtfsReadRawEncrypted: Caller does not have backup access or read data access.	Operational
359	NtfsWriteRawEncrypted: Caller does not have write data access or restore access.	Operational
360	NtfsWriteRawEncrypted: Caller not having manage volume privilege.	Operational
361	NtfsLookupStreamFromCluster: Caller not having manage volume privilege.	Operational
362	NtfsChangeVolumeSize: Caller not having manage volume privilege.	Operational
363	NtfsChangeVolumeSize.	Operational
364	NtfsChangeVolumeSize.	Operational
365	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …	Operational
366	NtfsMarkHandle: Caller not having manage volume privilege.	Operational
367	NtfsMarkHandle: Cannot deny defrag.	Operational
368	NtfsMarkHandle: Cannot deny Frs consolidation.	Operational
369	NtfsMarkHandle: Cannot filter metadata.	Operational
370	NtfsMarkHandle: Mark handle is not allowed on system files.	Operational
371	NtfsMarkHandle: File already has user writable references.	Operational
372	NtfsMarkHandle: File was granted write access previously but no oplocks were …	Operational
373	NtfsPrefetchFile: Caller not having manage volume privilege.	Operational
374	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.	Operational
375	NtfsSetShortNameBehavior: Caller not having manage volume privilege.	Operational
376	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational
377	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
378	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational
379	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.	Operational
380	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
381	Resetting Volsnap behavior for VCB = 0x.	Operational
382	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational
383	NtfsCorruptionHandling: Caller not having manage volume privilege.	Operational
384	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.	Operational
385	Scrub resume from SystemScbIndex.	Operational
386	Scb.	Operational
387	Scrub SystemScbIndex.	Operational
388	NtfsScrubData: Caller not having manage volume privilege.	Operational
389	Scrub not supported for Txf file, Scb.	Operational
390	Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.	Operational
391	Scb.	Operational
392	Scb.	Operational
393	InternalFileReference.	Operational
394	InternalFileReference.	Operational
395	Scb.	Operational
396	Scb.	Operational
397	Scb.	Operational
398	Scb.	Operational
399	Scb.	Operational
400	Scb.	Operational
401	Scb.	Operational
402	Scb.	Operational
403	Scb.	Operational
404	Scrub found problems Scb.	Operational
405	Scb.	Operational
406	Scb.	Operational
407	FSCTL_REPAIR_COPIES not supported for Txf file, Scb.	Operational
408	Scb.	Operational
409	Scb.	Operational
410	FSCTL_REPAIR_COPIES interrupted by thread termination.	Operational
411	FSCTL_REPAIR_COPIES canceled	Operational
412	Scb.	Operational
413	Scb.	Operational
414	Scb.	Operational
415	Scb.	Operational
416	Scb.	Operational
417	Scb.	Operational
418	Scb.	Operational
419	NtfsQueryCachedRuns: Caller not having manage volume privilege.	Operational
420	NtfsQueryStorageClasses: Caller not having manage volume privilege.	Operational
421	NtfsQueryRegionInfo: Caller not having manage volume privilege.	Operational
422	NtfsUnloadFile: Caller not having manage volume privilege.	Operational
423	NtfsCheckForSection: File already has image section.	Operational
424	NtfsShuffleFile: User mode caller is not allowed.	Operational
425	NtfsShuffleFile: Denying access due to volume is locked.	Operational
426	NtfsShuffleFile: Defrag is denied.	Operational
427	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
428	NtfsRearrangeFile: User mode caller is not allowed.	Operational
429	NtfsRearrangeFile: Denying access due to volume is locked.	Operational
430	NtfsRearrangeFile: Defrag is denied.	Operational
431	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational
432	NtfsSparseOverAllocate: Caller does not have appropriate write access.	Operational
433	NtfsInitiateFileMetadataOptimization: Only allowed on regular user …	Operational
434	NtfsQueryFileMetadataOptimization: Only allowed on regular user …	Operational
435	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
436	NtfsEnumOnMountToDeleteWorker.	Operational
437	NtfsEnumOnMountToDeleteWorker.	Operational
438	NtfsEnumMountWorker.	Operational
439	NtfsEnumMountWorker.	Operational
440	NtfsEnumOnMountToDeleteWorker.	Operational
441	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational
442	SCB.	Operational
443	FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2.	Operational
444	FsInputRangeIndex.	Operational
445	Scb.	Operational
446	Scb.	Operational
447	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.	Operational
448	Logic error of posting close to work queue.	Operational
449	NtfsFindPrefixHashEntry: {Hash table.	Operational
450	NtfsFindPrefixHashEntry: {Lcb: NULL}	Operational
451	NtfsFindPrefixHashEntry: {Lcb.	Operational
452	NtfsFindPrefixHashEntry: {Lcb not found}	Operational
453	NtfsInsertHashEntry: {Hash table.	Operational
454	NtfsRemoveHashEntry: {Hash table.	Operational
455	Vcb %1.	Operational
456	Vcb %1.	Operational
457	Vcb %1.	Operational
458	Vcb %1.	Operational
459	Vcb %1.	Operational
460	Vcb %1.	Operational
461	Vcb %1.	Operational
462	Vcb %1.	Operational
463	Vcb %1.	Operational
464	Vcb %1.	Operational
465	Vcb %1.	Operational
466	NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.	Operational
467	Vcb %1.	Operational
468	Vcb %1.	Operational
469	NtfsCommitCurrentTransaction IC.	Operational
470	NtfsCommitCurrentTransaction IC.	Operational
471	NtfsCommitCurrentTransaction.	Operational
472	NtfsCommitCurrentTransaction.	Operational
473	NtfsCommitCurrentTransaction.	Operational
474	NtfsCommitCurrentTransaction.	Operational
475	NtfsCommitCurrentTransaction.	Operational
476	NtfsCommitCurrentTransaction IC.	Operational
477	NtfsCommitCurrentTransaction IC.	Operational
478	NtfsFreeRecentlyDeallocated: Vcb %1 - Entering - ActiveLsn: %2!	Operational
479	NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.	Operational
480	NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.	Operational
481	NtfsFreeRecentlyDeallocated: Vcb %1 - Found frozen deallocated clusters with %2!	Operational
482	NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.	Operational
483	NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.	Operational
484	NtfsFreeRecentlyDeallocated: Vcb %1 - Found a deallocated clusters %2 with %3!	Operational
485	Vcb.	Operational
486	Looking for dangling MDLs	Operational
487	FsLibGroupSubExtentsByDanglingMdl failed.	Operational
488	FsLibAddBaseMcbEntryEx failed.	Operational
489	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.	Operational
490	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.	Operational
491	No sub extents has dangling MDL	Operational
492	NtfsFreeRecentlyDeallocated: Vcb %1 - Telling volsnap freeing at %2!	Operational
493	NtfsFreeRecentlyDeallocated: Vcb %1 - Volsnap responsed with freeing at %2!	Operational
494	NtfsFreeRecentlyDeallocated: Vcb %1 - Got error 0x%2 from below.	Operational
495	NtfsFreeRecentlyDeallocated: Vcb %1 - Deleting MarkUnusedContext %2.	Operational
496	NtfsFreeRecentlyDeallocated: Vcb %1 - Leaving.	Operational
497	NtfsRemoveNtfsMcbEntry Scb.	Operational
498	NtfsRemoveNtfsMcbEntry Mcb.	Operational
499	NtfsAddNtfsMcbEntry Scb.	Operational
500	NtfsAddNtfsMcbEntry Mcb.	Operational
501	NtfsUnloadNtfsMcbRange Scb.	Operational
502	NtfsUnloadNtfsMcbRange Mcb.	Operational
503	Valid NTFS boot sector.	Operational
504	Not an NTFS boot sector.	Operational
505	NtfsMountVolume: Vcb.	Operational
506	NtfsMountVolume: IC.	Operational
507	Mounting DAX partition.	Operational
508	DAX volume mounted without DAX support because storage is not DAX capable.	Operational
509	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
510	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
511	NtfsGrowMftsAttributeListAllocation Vcb.	Operational
512	Unexpected exception code of 0x.	Operational
513	Exception code of 0x.	Operational
514	Unexpected exception code of 0x.	Operational
515	LogFileFull %1 BackTrace: ln %2; ln %3; ln %4; ln %5; ln %6; ln %7; ln %8; ln …	Operational
516	Unexpected raise of 0x.	Operational
517	NtfsProcessException IC.	Operational
518	NtfsProcessException IC.	Operational
519	Failed to abort - IrpContext %1, Irp %2, Vcb %3, Count %4, Status %5.	Operational
520	Failed to abort - IrpContext %1, Irp %2, Vcb %3, Scb %4, FileRef %5!	Operational
521	Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.	Operational
522	Setting 0x.	Operational
523	[.	Operational
524	[.	Operational
525	Can't handle invalid bitmap in a positive way.	Operational
526	NTFS ETW tracing is now active.	Operational
527	Updating NtfsMinTrimTotalSize to %1.	Operational
528	Updating NtfsMaxTrimTotalSize to %1.	Operational
529	NtfsSetObjectId: Caller does not have restore access.	Operational
530	NtfsSetObjectIdExtendedInfo: Caller does not have write access.	Operational
531	NtfsDeleteObjectId: Caller does not have write access.	Operational
532	%1: Setting RM at 0x%2 ({%3}) up for auto-restart.	Operational
533	NtfsFsQuotaSetInfo: Denying access due to administrator limit.	Operational
534	NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not …	Operational
535	Unexpected Paging-Read on DAX mappable stream, Scb=.	Operational
536	NtfsSetReparsePoint: Caller does not have write access.	Operational
537	NtfsSetReparsePointEx: Caller does not have write access.	Operational
538	NtfsDeleteReparsePoint: Caller does not have write access.	Operational
539	NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling …	Operational
540	NtfsReleaseVcbCheckDelete - deleted Vcb.	Operational
541	NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb.	Operational
542	NtfsAbortTransaction IC.	Operational
543	NtfsAbortTransaction IC.	Operational
544	DoAction::InitializeFRS IC.	Operational
545	DoAction::DeallocateFRS IC.	Operational
546	DoAction::WriteEndOfFRS IC.	Operational
547	DoAction::CreateAttribute IC.	Operational
548	NtfsRestartChangeValue IC.	Operational
549	DoAction::SetNewAttributeSizes IC.	Operational
550	DoAction(SetBitsInNonresidentBitMap) IC.	Operational
551	DoAction(ClearBitsInNonresidentBitMap) IC.	Operational
552	NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.	Operational
553	NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.	Operational
554	NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.	Operational
555	NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to …	Operational
556	NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.	Operational
557	NtfsCheckFileForDelete: Denying access due to superseding view indexes are not …	Operational
558	NtfsCheckFileForDelete: Denying access due to non-posix delete of target …	Operational
559	NtfsCheckFileForDelete: Denying access due to file is not deleteable.	Operational
560	NtfsCheckFileForDelete: Denying access due to target file is read only.	Operational
561	NtfsCheckFileForDelete: Caller does not have write attributes access …	Operational
562	NtfsCheckFileForDelete: Denying access due to failing to remove image section.	Operational
563	NtfsGlobalSdUpdate: Caller does not have manage volume privilege.	Operational
564	NtfsRepairItem: Denying access due to volume is locked.	Operational
565	NtfsSetRepairState: Caller does not have manage volume privilege.	Operational
566	NtfsInitiateRepair: Caller does not have manage volume privilege.	Operational
567	NTFS ETW tracing is shutting down.	Operational
568	NtfsDefineStorageReserve: Caller does not have manage volume privilege.	Operational
569	NtfsDeleteStorageReserve: Caller does not have manage volume privilege.	Operational
570	NtfsRepairStorageReserve: Caller does not have manage volume privilege.	Operational
571	NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a …	Operational
572	NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.	Operational
573	NtfsChangeStorageReserveId: Caller does not have manage volume privilege.	Operational
574	NtfsChangeStorageReserveId: Caller does not have manage volume privilege to …	Operational
575	Failed to get a non-volatile token for Vcb.	Operational
576	Failed to free non-volatile token for Vcb.	Operational
577	NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb.	Operational
578	NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters.	Operational
579	ClustersLinkAsHead.	Operational
580	Clusters.	Operational
581	Matching cluster.	Operational
582	Clusters.	Operational
583	Allocated new deallocated clusters	Operational
584	Need to add Range.	Operational
585	Added range.	Operational
586	TxfCheckForLockConflict: File locked for modify transaction.	Operational
587	TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans …	Operational
588	TxfCheckForLockConflict: Modification access desired.	Operational
589	TxfCheckForLockConflict: File has user handle opened on one of the versions or …	Operational
590	%1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.	Operational
591	%1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.	Operational
592	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
593	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
594	%1: RM at 0x%2 {%3}: Unexpected exception code of 0x%4 received.	Operational
595	%1: TxfStartRm reports RM will be reset: RM metadata corrupt.	Operational
596	%1: TxfStartRm reports RM will be reset: TM could not be initialized.	Operational
597	%1: TxfStartRm reports RM will be reset: RM log corrupt.	Operational
598	%1: TxfStartRm reports RM will be reset: log version changed.	Operational
599	%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.	Operational
600	%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.	Operational
601	%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.	Operational
602	%1: TxfStartRm reports RM will be reset: 0x%2.	Operational
603	%1: RM did not start and WILL NOT be reset, status code is 0x%2!	Operational
604	%1: Could not initialize IrpContext: 0x%2.	Operational
605	TxfInitializeVolume: Denying access due to Txf start is not allowed (possible …	Operational
606	%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2 for default RM on VCB at 0x%3.	Operational
607	%1: Exception code 0x%2, Status 0x%3 for default RM on VCB at 0x%4.	Operational
608	%1: Couldn't reset default RM on VCB at 0x%2 after %3 tries: 0x%4.	Operational
609	%1: Exception 0x%2 raised from TxfConvertRmStartFailureStatusCode for default RM …	Operational
610	%1: %2 auto-restart of RM at 0x%3 ({%4}): 0x%5.	Operational
611	%1: Attempting auto-restart of RM at 0x%2 ({%3}).	Operational
612	%1: Volume too small to start RM at 0x%2 ({%3}).	Operational
613	%1: Corrupt RM at 0x%2 {%3}: invalid flags in $Tops.	Operational
614	TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …	Operational
615	%1: Raising to reset RM at 0x%2 ({%3}): Explicit reset requested.	Operational
616	TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …	Operational
617	%1: Corrupt RM at 0x%2 {%3}: no TXF_DATA in root.	Operational
618	%1: RM at 0x%2 {%3}: Different nesting levels of 0x%4 and 0x%5.	Operational
619	%1: Corrupt RM at 0x%2 {%3}: restart area already exists.	Operational
620	%1: Corrupt RM at 0x%2 {%3}: restart area already exists.	Operational
621	%1: Corrupt RM at 0x%2 {%3}: RmID in restart area does not match {%4}.	Operational
622	%1: Got %2 from ClfsGetLogFileInformation for RM at 0x%3 {%4}.	Operational
623	%1: Corrupt RM at 0x%2 {%3}: Restart LSN is before beginning of log.	Operational
624	%1: Corrupt RM at 0x%2 {%3}: MinRollforwardEndLsn is beyond end of log.	Operational
625	%1: TxF RM at 0x%2 {%3} started successfully.	Operational
626	%1: TxF RM at 0x%2 {%3} failed to start with Status 0x%4 %5.	Operational
627	%1: Shutting down %2 RM at 0x%3 {%4}.	Operational
628	%1: Setting RM at 0x%2 {%3} up for auto-restart.	Operational
629	TxfFlushAndInvalidateExistingStructures: File has open user handles.	Operational
630	(%1:%2) - TXF_HARD_ERROR on RM at 0x%3 ({%4}): %5).	Operational
631	%1: Renamed RM at 0x%2 from {%3} to {%4}.	Operational
632	%1: RM at 0x%2 {%3}, rolling back Tx at 0x%4 {%5}, Status was 0x%6.	Operational
633	%1: Renamed RM at 0x%2 from {%3} to {%4}.	Operational
634	TxfFsctlStartRm: Denying access due starting default RM is not allowed.	Operational
635	TxfFsctlWriteBackupInformation: Denying access due RM is active.	Operational
636	%1: Corrupt RM at 0x%2 {%3}: Found too high of a TxF ID in log.	Operational
637	%1: Error Setting Delete Disposition: 0x%2 FileObject: 0x%3.	Operational
638	%1: Corrupt RM at 0x%2 {%3}: Got a RECOVER notification for a transaction that …	Operational
639	TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a …	Operational
640	TxfSetupTransactionContextFromCcb: Invalid TxF structure.	Operational
641	TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a …	Operational
642	%1: RM at 0x%2 {%3} raising 0x%4 to KTM!	Operational
643	%1: Commit (0x%2) of%3tx {%4} on RM at 0x%5 {%6} failed with 0x%7.	Operational
644	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify commit).	Operational
645	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify rollback).	Operational
646	%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2 {%3}: 0x%4.	Operational
647	%1: RM at 0x%2 {%3} trying to abort transaction at 0x%4 {%5}.	Operational
648	%1: Aborting call stack: 0x%2 0x%3 0x%4 0x%5 0x%6.	Operational
649	%1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.	Operational
650	%1: 0x%2 initializing IrpContext for tx at %3 {%4}, RM at %5 {%6}.	Operational
651	%1: 0x%2 writing log record for RM at 0x%3 {%4}, Tx at 0x%5 {%6}.	Operational
652	%1: About to force aborts on RM at 0x%2 {%3}.	Operational
653	%1: BaseLsn is greater than TargetLsn on RM at 0x%2 {%3}.	Operational
654	%1: No transactions remain on RM at 0x%2 {%3}.	Operational
655	%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2 {%3}.	Operational
656	%1: RM at 0x%2 {%3} surprise-aborting transaction at 0x%4 {%5}.	Operational
657	%1: RM at 0x%2 {%3} got 0x%4 from TxfTryAbortTransaction on Tx 0x%5 {%6}.	Operational
658	%1: Inactive RM at 0x%2 {%3}.	Operational
659	%1: Log is pinned on RM at 0x%2 {%3}.	Operational
660	%1: RM at 0x%2 {%3}, rolling back KTM Tx at 0x%4 {%5}, Status was 0x%6.	Operational
661	%1: Log pinned trying to advance RestartLsn on RM at 0x%2 {%3}.	Operational
662	%1: Log pinned by doomed transaction on RM at 0x%2 {%3}.	Operational
663	%1: Reporting 0x%2 to CLFS from RM at 0x%3 {%4}: 0x%5.	Operational
664	%1: Done forcing aborts on RM at 0x%2 {%3}.	Operational
665	%1: Corrupt RM at 0x%2 {%3}: $Txf directory is missing in pre-existing RM.	Operational
666	%1: Corrupt RM at 0x%2 {%3}: Found $Txf without …	Operational
667	%1: Corrupt RM at 0x%2 {%3}: Found non-empty $Txf but there is no log.	Operational
668	%1: Corrupt RM at 0x%2 {%3}: Couldn't find $INDEX_ROOT on $Txf.	Operational
669	%1: Corrupt RM at 0x%2 {%3}: Couldn't find TXF_DATA_ATTR on $Txf.	Operational
670	%1: Corrupt RM at 0x%2 {%3}: Found TXF_DATA_ATTR for normal file on $Txf.	Operational
671	%1: Corrupt RM at 0x%2 {%3}: Expected a secondary RM here.	Operational
672	%1: Corrupt RM at 0x%2 {%3}: $Tops is missing but $Txf is non-empty.	Operational
673	%1: Corrupt RM at 0x%2 {%3}: $Tops is missing but there is already a log.	Operational
674	%1: Corrupt RM at 0x%2 {%3}: $Tops is %4.	Operational
675	%1: Corrupt RM at 0x%2 {%3}: Missing $STANDARD_INFORMATION.	Operational
676	%1: Corrupt RM at 0x%2 {%3}: Couldn't find file attributes.	Operational
677	%1: Corrupt RM at 0x%2 {%3}: $Tops is corrupt.	Operational
678	%1: Corrupt RM at 0x%2 {%3}: Could not find unnamed data stream.	Operational
679	%1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong version or records …	Operational
680	%1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong size.	Operational
681	%1: Corrupt RM at 0x%2 {%3}: Non-NULL RM ID found in $Tops and there is no log.	Operational
682	%1: Corrupt RM at 0x%2 {%3}: Epoch in $Tops metadata doesn't match RM.	Operational
683	%1: Corrupt RM at 0x%2 {%3}: Couldn't find $T stream.	Operational
684	NtfsReadUsnJournal: Caller does not have manage volume privilege.	Operational
685	TrimUsnJournal.	Operational
686	TrimUsnJournal.	Operational
687	TrimUsnJournal.	Operational
688	TrimUsnJournal.	Operational
689	TrimUsnJournal.	Operational
690	TrimUsnJournal.	Operational
691	NtfsQueryUsnJournal: Denying access due to NULL Ccb.	Operational
692	NtfsDeleteUsnJournal: Caller does not have manage volume access.	Operational
693	NtfsRestartUsnJournal: Caller does not have manage volume privilege.	Operational
694	NtOfsCreateAttributeEx: Stream already has a open user handle.	Operational
695	OfsSetLength.	Operational
696	OfsSetLength.	Operational
697	OfsSetLength.	Operational
698	OfsSetLength.	Operational
699	NtOfsPostNewLength.	Operational
700	NtfsIsRegionDangling: RemainingClusterCount: 0x.	Operational
701	Vcb %1 - has no active PFNs.	Operational
702	Vcb %1 - failed to query active PFNs assuming there are some.	Operational
703	Vcb %1 - has active PFNs.	Operational
704	NtfsPerformDismountOnVcb: Vcb %1.	Operational
705	NtfsPerformDismountOnVcb: Vcb %1 - Found frozen deallocated clusters.	Operational
706	NtfsPerformDismountOnVcb: Vcb %1 - Wait for any on going trim to finish.	Operational
707	NtfsPerformDismountOnVcb: Vcb %1 - No more on going trim.	Operational
708	NtfsPerformDismountOnVcb: IC.	Operational
709	NtfsPostVcbIsCorrupt.	Operational
710	NtfsPostVcbIsCorrupt: Marking volume dirty.	Operational
711	NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …	Operational
712	NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …	Operational
713	Succeeding log write @ 0x.	Operational
714	Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=.	Operational
715	NtfsCommonWrite: Writing beyond highest writable sector on active volume is not …	Operational
716	Ignoring write to 0x.	Operational
717	Truncating write from 0x.	Operational

Event ID 10 — NtfsLookupRealAllocation: Vcn %1!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLookupRealAllocation: Vcn %1!I64x!, LowestVcn %2!I64x!, HighestVcn %3!I64x!, AllocationClusters %4!I64x!

Fields

Name	Description
`A10_Vcn`	—
`A11_AttributeFormNonresidentLowestVcn`	—
`A12_AttributeFormNonresidentHighestVcn`	—
`A13_AllocationClusters`	—

Event ID 11 — NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:%1!p!, Scb:%2!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—

Event ID 12 — FileObject.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FileObject: %1!p!, Scb: %2!p!, StaringVcn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!, CcbForWriteExtend: %6!p!

Fields

Name	Description
`A10_FileObject`	—
`A11_Scb`	—
`A12_StartingVcn`	—
`A13_ClusterCount`	—
`A14_Flags`	—
`A15_CcbForWriteExtend`	—

Event ID 13 — NtfsAddAllocation IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAllocation IC:%1!p!, FileObject:%2!p!, Scb:%3!p!, StaringVcn:%4!I64x!, ClusterCount:%5!I64x!, Flags:%6!08x!, CcbForWriteExtend:%7!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileObject`	—
`A12_Scb`	—
`A13_StartingVcn`	—
`A14_ClusterCount`	—
`A15_Flags`	—
`A16_CcbForWriteExtend`	—

Event ID 14 — Purge failed: Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—

Event ID 15 — Purge failed: Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!, PurgeChunkLength: 0x%3!x!

Fields

Name	Description
`A10_Scb`	—
`A11_PurgeOffset`	—
`A12_PurgeChunkLength`	—

Event ID 16 — NtfsGetLastVcnForNewMappingPairSize IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetLastVcnForNewMappingPairSize IC:%1!p!, Using LastVcn:%2!4I64x!, InstanceId:%3!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_LastVcn`	—
`A12_AttributeInstance`	—

Event ID 17 — Can't find StdInfo in FileRef %1!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Can't find StdInfo in FileRef %1!I64x!

Fields

Name	Description
`A10_NtfsFullFileRefNumber_FcbFileReference`	—

Event ID 18 — Can't find StdInfo in FileRef %1!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Can't find StdInfo in FileRef %1!I64x!

Fields

Name	Description
`A10_NtfsFullFileRefNumber_FcbFileReference`	—

Event ID 19 — NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:%1!p!ValueLength:%2!x!, AttrFlags=%3!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ValueLength`	—
`A12_AttributeFlags`	—

Event ID 20 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LastVcn %5!I64x!, NewHighestVcn %6!I64x!, PassCount %7!x! - step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_LastVcn`	—
`A15_NewHighestVcn`	—
`A16_PassCount`	—

Event ID 21 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - try to merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn`	—
`A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn`	—
`A16_ContextAttributeListEntryLowestVcn`	—

Event ID 22 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after merge backward

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn`	—
`A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn`	—
`A16_ContextAttributeListEntryLowestVcn`	—

Event ID 23 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x!, PassCount %8!x! - before last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn`	—
`A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn`	—
`A16_ContextAttributeListEntryLowestVcn`	—
`A17_PassCount`	—

Event ID 24 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after last merge after step 6

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn`	—
`A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn`	—
`A16_ContextAttributeListEntryLowestVcn`	—

Event ID 25 — NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, MergeSkipCt %5!x! - done

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NtfsFrsConsolidationStatisticsMergeSkipCount`	—

Event ID 26 — NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartRemoveAttribute FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields

Name	Description
`A10_FileRecordSegmentNumberHighPart`	—
`A11_FileRecordSegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A13_AttributeTypeCode`	—

Event ID 27 — NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartChangeValue FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields

Name	Description
`A10_FileRecordSegmentNumberHighPart`	—
`A11_FileRecordSegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A13_AttributeTypeCode`	—

Event ID 28 — AddToAttributeList.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

AddToAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_FcbVcb`	—
`A11_IrpContext`	—
`A12_PULONGLONG_FcbFileReference`	—
`A13_StdInfoAttrListEntrySignature`	—
`A14_StdInfoAttrListEntryLastCompactedSize`	—
`A15_CurrentAttributeListSize`	—

Event ID 29 — DeleteFromAttributeList.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DeleteFromAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_FcbVcb`	—
`A11_IrpContext`	—
`A12_PULONGLONG_FcbFileReference`	—
`A13_StdInfoAttrListEntrySignature`	—
`A14_StdInfoAttrListEntryLastCompactedSize`	—
`A15_NewStdInfoAttrListEntryLastCompactedSize`	—

Event ID 30 — MakeRoomForAttribute Moving Mft's attribute IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MakeRoomForAttribute Moving Mft's attribute IC:%1!p!, Moving Attrib %2!x!/%3!x!, Type=%4!x!, RecLengh=%5!x!, Instance:%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_i`	—
`A12_MAX_MOVEABLE_ATTRIBUTES`	—
`A13_AttributeTypeCode`	—
`A14_AttributeRecordLength`	—
`A15_AttributeInstance`	—

Event ID 31 — MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:%1!p!, SizeNeeded:%2!x!, TypeCode:%3!x!, RecLen:%4!x!, Form:%5!x!, Instance:%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—
`A12_AttributeTypeCode`	—
`A13_AttributeRecordLength`	—
`A14_AttributeFormCode`	—
`A15_AttributeInstance`	—

Event ID 32 — MoveAttributeToOwnRecord IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MoveAttributeToOwnRecord IC:%1!p!, SizeNeeded:%2!x!, Bytes2Free:%3!x!, OldMappingSize:%4!x!, NewMappingSize:%5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_SizeNeeded`	—
`A12_BytesToFree`	—
`A13_MappingPairSize`	—
`A14_NewMappingPairSize`	—

Event ID 33 — NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartZeroEndOfFileRecord FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Start:0x%4!x!, Len:0x%5!x!

Fields

Name	Description
`A10_FileRecordSegmentNumberHighPart`	—
`A11_FileRecordSegmentNumberLowPart`	—
`A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A13_StartZero`	—
`A14_ZeroLength`	—

Event ID 34 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, LowVcn %7!I64x!, HalfWayVcn %8!I64x!, FinalVcn %9!I64x!, PackedMode %10!x!, TryPrior %11!x! - about to merge

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ScbAttributeTypeCode`	—
`A15__ScbAttributeName`	—
`A16_NewStartVcn`	—
`A17_NewHalfWayVcn`	—
`A18_NewFinalVcn`	—
`A19_PackedMode`	—
`A20_TryPrior`	—

Event ID 35 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - all fit in one so get rid of the second one

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ScbAttributeTypeCode`	—
`A15__ScbAttributeName`	—
`A16_FileRecordSequenceNumber`	—
`A17_FileRecordSegmentNumberLowPart`	—
`A18_NewStartVcn`	—
`A19_LastVcn`	—
`A20_NewFinalVcn`	—

Event ID 36 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ScbAttributeTypeCode`	—
`A15__ScbAttributeName`	—
`A16_FileRecordSequenceNumber`	—
`A17_FileRecordSegmentNumberLowPart`	—
`A18_NewStartVcn`	—
`A19_LastVcn`	—
`A20_NewFinalVcn`	—

Event ID 37 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x! - initial RangePtr query

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewFinalVcn`	—

Event ID 38 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - secondary RangePtr query

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 39 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - calling lookup runs range

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewHalfWayVcn`	—
`A15_RangePtr`	—

Event ID 40 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - current McbArray

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArrayStartingVcn`	—
`A16_NtfsMcbArrayEndingVcn`	—

Event ID 41 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - previous McbArray

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArrayStartingVcn`	—
`A16_NtfsMcbArrayEndingVcn`	—

Event ID 42 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - prev prev McbArray

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArrayStartingVcn`	—
`A16_NtfsMcbArrayEndingVcn`	—

Event ID 43 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - next McbArray

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NtfsMcbArray`	—
`A15_NtfsMcbArrayStartingVcn`	—
`A16_NtfsMcbArrayEndingVcn`	—

Event ID 44 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewFinalVcnInMcb %5!I64x! > NewFinalVcn %6!I64x! - NewFinalVcn is smaller

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewFinalVcnInMcb`	—
`A15_NewFinalVcn`	—

Event ID 45 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewStartVcn %5!I64x!, LastVcn %6!I64x!, NewFinalVcn %7!I64x!, NewFinalVcnInMcb %8!I64x!, #Ranges %9!x!, DeletedNextAttribute %10!x!, Mcb1(%11!x!,%12!x!), Mcb2(%13!x!,%14!x!), McbArraySizeInUseChange %15!d! - final vcn in mcb

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewStartVcn`	—
`A15_LastVcn`	—
`A16_NewFinalVcn`	—
`A17_NewFinalVcnInMcb`	—
`A18_NumberOfRanges`	—
`A19_DeletedNextAttribute`	—
`A20_Mcb1StartWithNewStartVcn`	—
`A21_Mcb1HoldNewStartVcn`	—
`A22_Mcb2StartWithNewStartVcn`	—
`A23_Mcb2HoldNewStartVcn`	—
`A24_McbArraySizeInUseChange`	—

Event ID 46 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range1

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_NewStartVcn`	—
`A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1`	—

Event ID 47 — MergeFRS2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range2

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_LastVcn`	—
`A15_NewFinalVcnInMcb`	—

Event ID 48 — RedoAttribute.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, FileRef %7!I64x!, OldLowVcn %8!I64x!, NewLowVcn %9!I64x!, Instance %10!x! - updating LowestVcn in attribute list entry

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ScbAttributeTypeCode`	—
`A15__ScbAttributeName`	—
`A16_PULONGLONG_ContextAttributeListEntrySegmentReference`	—
`A17_OldLowestVcn`	—
`A18_StartVcn`	—
`A19_NewAttributeInstance`	—

Event ID 49 — RedoAttribute.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, OldLowVcn %7!I64x!, NewLowVcn %8!I64x!, OldHighVcn %9!I64x!, NewHighVcn %10!I64x!, ChildRef %11!x!0000%12!08x! - done

Fields

Name	Description
`A10_ScbVcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_PULONGLONG_ScbFcbFileReference`	—
`A14_ScbAttributeTypeCode`	—
`A15__ScbAttributeName`	—
`A16_OldLowestVcn`	—
`A17_StartVcn`	—
`A18_OldHighestVcn`	—
`A19_LastVcn`	—
`A20_FileRecordSequenceNumber`	—
`A21_FileRecordSegmentNumberLowPart`	—

Event ID 50 — NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: %1!p!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—

Event ID 51 — NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume Id: %5!S!, Vcb State: 0x%6!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14__VolumeId`	—
`A15_VcbVcbState`	—

Event ID 52 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, FirstRequest %5!x! - opened fcb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—
`A14_AllFlagsFirstRequest`	—

Event ID 53 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - already in progress so get out

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—

Event ID 54 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - set in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—

Event ID 55 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RstrTypeCode %5!x!, RstrAttrName %6!S!, RstrVcn %7!I64x!, RstrAttrListEntryOffset %8!x!, AttrListEntryOffset %9!x!, AttrListLength %10!I64x!, AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—
`A14_FrsConsolidationContextRestartAttributeTypeCode`	—
`A15__FrsConsolidationContextRestartAttributeName`	—
`A16_FrsConsolidationContextRestartVcn`	—
`A17_FrsConsolidationContextRestartAttributeListEntryOffset`	—
`A18_AttributeListEntryOffset`	—
`A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength`	—
`A20_AttributeListGrowBy`	—
`A21_AttributeListGrowBy`	—

Event ID 56 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 1

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—
`A14_FrsConsolidationContextRestartAttributeTypeCode`	—
`A15__FrsConsolidationContextRestartAttributeName`	—
`A16_FrsConsolidationContextRestartVcn`	—
`A17_FrsConsolidationContextInstance`	—
`A18_FrsConsolidationContextRestartAttributeListEntryOffset`	—
`A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength`	—

Event ID 57 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 2

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—
`A14_FrsConsolidationContextRestartAttributeTypeCode`	—
`A15__FrsConsolidationContextRestartAttributeName`	—
`A16_FrsConsolidationContextRestartVcn`	—
`A17_FrsConsolidationContextInstance`	—
`A18_FrsConsolidationContextRestartAttributeListEntryOffset`	—
`A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength`	—

Event ID 58 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, Scb %5!p! - completed this Scb

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—
`A14_Scb`	—

Event ID 59 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - going into finally

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—

Event ID 60 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): FileRef %3!I64x!, Status %4!x! - Abnormal Termination

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_PULONGLONG_FrsConsolidationContextFileReference`	—
`A13_IrpContextExceptionStatus`	—

Event ID 61 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - decremented close counts

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—

Event ID 62 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - clearing in progress flag

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_PULONGLONG_FcbFileReference`	—

Event ID 63 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, ExceptionStatus %5!x!- released

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_ExceptionStatus`	—

Event ID 64 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RemovedFcb %5!x!, AllFlags.FcbAcquired %6!x!, TransId %7!x! - no release

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Fcb`	—
`A13_FileRef`	—
`A14_RemovedFcb`	—
`A15_AllFlagsFcbAcquired`	—
`A16_IrpContextTransactionId`	—

Event ID 65 — NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): DeltaTime %3!I64d! (ms), TotalTime %4!I64d! (ms)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart`	—
`A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart`	—

Event ID 66 — UpdateLCS: Vcb %1, IC %2, FRef %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

UpdateLCS: Vcb %1!p!, IC %2!p!, FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields

Name	Description
`A10_FcbVcb`	—
`A11_IrpContext`	—
`A12_PULONGLONG_FcbFileReference`	—
`A13_StdInfoAttrListEntrySignature`	—
`A14_StdInfoAttrListEntryLastCompactedSize`	—
`A15_AttributeListSize`	—

Event ID 67 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__ScbMcb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A17_TargetLcnNULLTargetLcnULONGLONG1`	—
`A18_PreAllocated`	—
`A19_UseDelayedAllocation`	—

Event ID 68 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__ScbMcb`	—
`A14_OriginalStartingVcn`	—
`A15_ClusterCount`	—
`A16_AllocateAll`	—
`A17_TargetLcnNULLTargetLcnULONGLONG1`	—
`A18_PreAllocated`	—
`A19_UseDelayedAllocation`	—

Event ID 69 — NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—
`A12_ScbTotalAllocated`	—

Event ID 70 — NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!ScbState: %4!08x!, IrpContextState2: %5!08x!, AllocateWithNoHole: %6!d!

Fields

Name	Description
`A10_FoundClusterCount`	—
`A11_Scb`	—
`A12_ScbTotalAllocated`	—
`A13_ScbState`	—
`A14_IrpContextState2`	—
`A15_AllocateWithNoHole`	—

Event ID 71 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 72 — NtfsAllocateClustersPriv IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersAllocated`	—

Event ID 73 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__ScbMcb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 74 — NtfsDeallocateClusters: Vcb %1 - deleting FR %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! from clusters %3!I64x! to %4!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PULONGLONG_ScbFcbFileReference`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—

Event ID 75 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Scb`	—
`A13__ScbMcb`	—
`A14_StartingVcn`	—
`A15_EndingVcn`	—

Event ID 76 — NtfsDeallocateClusters: Vcb %1 - deleting FR %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! starting at %3!I64x! for %4!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_PULONGLONG_ScbFcbFileReference`	—
`A12_AdjLcn`	—
`A13_AdjClusterCount`	—

Event ID 77 — NtfsDeallocateClusters: Vcb %1 - raising logfile full.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - raising logfile full

Fields

Name	Description
`A10_Vcb`	—

Event ID 78 — NtfsDeallocateClusters: Vcb %1 - adding clusters to DeallocatedClusters: %2 ==> Lsn: %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - adding clusters to DeallocatedClusters: %2!p! ==> Lsn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!; Vcb's DeallocatedClustersCount old: %6!I64x! new: %7!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—
`A12_DeallocatedClustersLsnQuadPart`	—
`A13_DeallocatedClustersClusterCount`	—
`A14_DeallocatedClustersFlags`	—
`A15_VcbDeallocatedClusters`	—
`A16_VcbDeallocatedClustersAdjClusterCount`	—

Event ID 79 — NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Decremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!Addr(TotalAllocated): %4!p!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A12_TotalAllocated`	—
`A13_TotalAllocated`	—

Event ID 80 — NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!Addr(TotalAllocated): %3!p!, ScbState: %4!08x!, IrpContextState2: %5!08x!

Fields

Name	Description
`A10_ClusterCount`	—
`A11_Scb`	—
`A12_TotalAllocated`	—
`A13_ScbState`	—
`A14_IrpContextState2`	—

Event ID 81 — NtfsDeallocateClusters: Vcb %1 - Undoing some changes to DeallocatedClustersCount from %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters: Vcb %1!p! - Undoing some changes to DeallocatedClustersCount from %2!I64x! to %3!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbDeallocatedClusters`	—
`A12_VcbDeallocatedClustersClustersRemoved`	—

Event ID 82 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 83 — NtfsDeallocateClusters IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ClustersDeallocated`	—

Event ID 84 — NtfsModifyBitsInBitmap IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: %1!p!, Vcb: %2!p!, FirstBit: 0x%3!I64x!, BeyondLastBit: 0x%4!I64x!, Redo: 0x%5!x!, Undo: 0x%6!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_FirstBit`	—
`A13_BeyondFinalBit`	—
`A14_RedoOperation`	—
`A15_UndoOperation`	—

Event ID 85 — NtfsModifyBitsInBitmap IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsModifyBitsInBitmap IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, CurrentLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_CurrentLcn`	—

Event ID 86 — NtfsAllocateBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—

Event ID 87 — NtfsAllocateBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAllocateBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 88 — NtfsRestartSetBitsInBitMap IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartSetBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 89 — NtfsFreeBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—

Event ID 90 — NtfsFreeBitmapRun IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11__Bitmap`	—
`A12_BaseLcn`	—
`A13_StartingLcn`	—

Event ID 91 — NtfsRestartClearBitsInBitMap IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartClearBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_BitMapOffset`	—
`A13_NumberOfBits`	—

Event ID 92 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!, StartingBitmapLcn: 0x%4!I64x!, SetBits: %5!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_Bitmap`	—
`A13_StartingBitmapLcn`	—
`A14_SetBits`	—

Event ID 93 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Bitmap: %2!p!, StartLcn: 0x%3!I64x!, EndLcn: 0x%4!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Bitmap`	—
`A12_StartingBit`	—
`A13_EndingBit`	—

Event ID 94 — NtfsSetOrClearBitsUsingBaseMcb IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Result: %2!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Results`	—

Event ID 95 — System files not marked as in use in the MFT bitmap.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

System files not marked as in use in the MFT bitmap.  DWord offset %1!x!, value %2!x!.

Fields

Name	Description
`A10_i`	—
`A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0`	—

Event ID 96 — Length: 0 --> BinIndex : 0 - Unexpected length

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Length:        0 --> BinIndex :        0    - Unexpected length

Event ID 97 — Length.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Length: %1!8I64d! --> BinIndex : %2!8u!    - Key: %3!u!, BitPosition: %4!ld!, GroupIndex: %5!ld!, GroupShiftFactor: %6!ld!

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_Key`	—
`A13_BitPosition`	—
`A14_GroupIndex`	—
`A15_GroupShiftFactor`	—

Event ID 98 — Length.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Length: %1!8I64d! --> BinIndex : %2!8u!    - BinIndex was beyond TotalBins: %3!u! hence brought down

Fields

Name	Description
`A10_Length`	—
`A11_BinIndex`	—
`A12_TotalBins`	—

Event ID 99 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - BinIndex is set to last bin or beyond, TotalBins: %3!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MAXLONGLONG`	—
`A12_TotalBins`	—

Event ID 100 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - GroupIndex: %3!ld!, RelativeBinIndex: %4!ld!, MaxKey: %5!u!

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_GroupIndex`	—
`A13_RelativeBinIndex`	—
`A14_MaxKey`	—

Event ID 101 — BinGroupShift.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

BinGroupShift: %1!8ld!, BinGroupSize: %2!8u!, BinGroupMask: %3!8x!

Fields

Name	Description
`A10_NtfsCachedRunBinGroupShift`	—
`A11_NtfsCachedRunBinGroupSize`	—
`A12_NtfsCachedRunBinGroupMask`	—

Event ID 102 — BinIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

BinIndex: %1!8u! --> MaxLength: %2!8I64u! (0x%3!8I64x!)

Fields

Name	Description
`A10_BinIndex`	—
`A11_MaxLength`	—
`A12_MaxLength`	—

Event ID 103 — Searched committed allocations but didnt find enough free space.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Searched committed allocations but didnt find enough free space.  StartingCluster %1!I64x!, ClusterCount %2!I64x!, Committed %3!I64x!, Total %4!I64x!, Free %5!I64x!

Fields

Name	Description
`A10_StartingCluster`	—
`A11_ClusterCount`	—
`A12_VcbTotalClustersCommitted`	—
`A13_VcbTotalClusters`	—
`A14_VcbFreeClusters`	—

Event ID 104 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): first bit 0x%2, last bit 0x%3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): first bit 0x%2!X!, last bit 0x%3!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_FirstBitToClear`	—
`A12_BeyondLastBitToClear1`	—

Event ID 105 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no leading partial slab.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no leading partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 106 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): leading partial slab returned - LCN %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): leading partial slab returned - LCN %2!I64X!, len %3!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_FreeClusterBase1`	—
`A12_FreeClusterCount1`	—

Event ID 107 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): no trailing partial slab.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no trailing partial slab

Fields

Name	Description
`A10_Vcb`	—

Event ID 108 — NtfsRemoveClustersFromTPMap: Vcb %1 - Clearing TP map bit(s): trailing partial slab returned - lcn %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): trailing partial slab returned - lcn %2!I64X!, len %3!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_FreeClusterBase2`	—
`A12_FreeClusterCount2`	—

Event ID 109 — NtfsValidateTotalClustersCommitted.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsValidateTotalClustersCommitted(%1!p!,%2!p!): TCC %3!I64x!, TC %4!I64x!, BMSize %5!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_VcbTotalClustersCommitted`	—
`A13_VcbTotalClusters`	—
`A14_VcbTPMapSizeOfBitMap`	—

Event ID 110 — Illegal MDL Complete for major code %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Illegal MDL Complete for major code %1!u!

Fields

Name	Description
`A10_IrpContextMajorFunction`	—

Event ID 111 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, ByteCount: 0x%3!016I64x!, ExtentsDescriptor: %4!p!, ExtentsDescriptorIndex: %5!d!, ExtentsDescriptorStartOffset: 0x%6!016I64x!, Offset: 0x%7!016I64x!, MaxRuns: %8!d!,

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_ByteCount`	—
`A13_ExtentsDescriptor`	—
`A14_ExtentsDescriptorIndex`	—
`A15_ExtentsDescriptorStartOffset`	—
`A16_Offset`	—
`A17_MaxRuns`	—

Event ID 112 — RunEntry ==> %1!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

RunEntry ==> %1!4d!: [0x%2!016I64x!, 0x%3!016I64x!], ExtentLength: 0x%4!016I64x!, Offset: 0x%5!016I64x!, RunIndexStartOffset: 0x%6!016I64x!

Fields

Name	Description
`A10_RunIndex`	—
`A11_ExtentsDescriptorRunRunIndexBasePage`	—
`A12_ExtentsDescriptorRunRunIndexPageCount`	—
`A13_ExtentLength`	—
`A14_Offset`	—
`A15_RunIndexStartOffset`	—

Event ID 113 — Offset is beyond this extent skipping the extent.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Offset is beyond this extent skipping the extent.

Event ID 114 — Shrinking LengthInExtent.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Shrinking LengthInExtent (0x%1!016I64x!) to ByteCount (0x%2!016I64x!) that we have to zero

Fields

Name	Description
`A10_LengthInExtent`	—
`A11_ByteCount`	—

Event ID 115 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields

Name	Description
`A10_StartingPhysicalAddrQuadPart`	—
`A11_LengthInExtent`	—

Event ID 116 — Exiting: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Exiting: ExtentsDescriptorIndex: %1!d! ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_ExtentsDescriptorIndex`	—
`A11_ExtentsDescriptorStartOffset`	—

Event ID 117 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingOffset`	—
`A12_BeyondEndOffset`	—

Event ID 118 — Dsm Ranges[.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Dsm Ranges[%1!d!]: StartingOffset: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields

Name	Description
`A10_DataSetRangeIndex`	—
`A11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset`	—
`A12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes`	—

Event ID 119 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—

Event ID 120 — Dsm: TotalNumberOfRanges.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Dsm: TotalNumberOfRanges: %1!d!, NumberOfRangesReturned: %2!d!

Fields

Name	Description
`A10_DsmByteAddressRangesTotalNumberOfRanges`	—
`A11_DsmByteAddressRangesNumberOfRangesReturned`	—

Event ID 121 — DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DsmOut Ranges[%1!d!]: StartingAddress: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields

Name	Description
`A10_Index`	—
`A11_DsmByteAddressRangesRangesIndexStartAddress`	—
`A12_DsmByteAddressRangesRangesIndexLengthInBytes`	—

Event ID 122 — Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields

Name	Description
`A10_StartingPhysicalAddrQuadPart`	—
`A11_LengthInExtent`	—

Event ID 123 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_ExtentsDescriptorIndex`	—
`A11_ExtentsDescriptorStartOffset`	—

Event ID 124 — Entering: Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!, ByteCount: 0x%4!016I64x!, ExtentsDescriptor: %5!p!, ExtentsDescriptorIndex: %6!d!, ExtentsDescriptorStartOffset: 0x%7!016I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingZero`	—
`A12_BeyondEndOffset`	—
`A13_ByteCount`	—
`A14_ExtentsDescriptor`	—
`A15_ExtentsDescriptorIndexExtentsDescriptorIndex0`	—
`A16_ExtentsDescriptorStartOffsetExtentsDescriptorStartOffset0`	—

Event ID 125 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields

Name	Description
`A10_ExtentsDescriptorIndex`	—
`A11_ExtentsDescriptorStartOffset`	—

Event ID 126 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

IrpContext: %1!p!; Scb: %2!p!; StartOffset: 0x%3!I64x!; ByteCount: 0x%4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—
`A12_StartOffset`	—
`A13_ByteCount`	—

Event ID 127 — Return.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Return. IrpContext: %1!p!

Fields

Name	Description
`A10_IrpContext`	—

Event ID 128 — Unexpected open type received.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected open type received: %1!u!

Fields

Name	Description
`A10_TypeOfOpen`	—

Event ID 129 — Raising STATUS_SUCCESS from NtfsCommonCleanup.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: %1

Fields

Name	Description
`A10_Status`	—

Event ID 130 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields

Name	Description
`A10_Status`	—

Event ID 131 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields

Name	Description
`A10_Status`	—

Event ID 132 — Irp.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, FileIdBuffer: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A12_Vcb`	—
`A13_CreateContextFileObject`	—
`A14_CreateContextFileObjectRelatedFileObject`	—
`A15__CreateContextFileObjectFileName`	—
`A16_CreateContextIrpSpParametersCreateOptions`	—
`A17_CreateContextIrpSpParametersCreateFileAttributes`	—
`A18_CreateContextDesiredAccess`	—
`A19_CreateContextIrpSpParametersCreateShareAccess`	—
`A20_CreateContextIrpSpParametersCreateEaLength`	—

Event ID 133 — Irp.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, Path: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A12_Vcb`	—
`A13_CreateContextFileObject`	—
`A14_CreateContextFileObjectRelatedFileObject`	—
`A15__CreateContextFileObjectFileName`	—
`A16_CreateContextIrpSpParametersCreateOptions`	—
`A17_CreateContextIrpSpParametersCreateFileAttributes`	—
`A18_CreateContextDesiredAccess`	—
`A19_CreateContextIrpSpParametersCreateShareAccess`	—
`A20_CreateContextIrpSpParametersCreateEaLength`	—

Event ID 134 — NtfsCommonCreate: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonCreate: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: %5!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 135 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: %1!p!, CreateDisposition: 0x%2!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CreateDisposition`	—

Event ID 136 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 137 — NtfsCommonVolumeOpen: Thread.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonVolumeOpen: Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->CleanupCount: %6!d!, BiasedCleanupCount: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_IrpSpParametersCreateShareAccess`	—
`A15_ReadULongNoFence_VcbCleanupCount`	—
`A16_BiasedCleanupCount`	—

Event ID 138 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 139 — NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->ReadOnlyCloseCount: %6!d!, Vcb->CloseCount: %7!d!, Vcb->SystemFileCloseCount: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_IrpSpParametersCreateShareAccess`	—
`A15_VcbReadOnlyCloseCount`	—
`A16_VcbCloseCount`	—
`A17_VcbSystemFileCloseCount`	—

Event ID 140 — NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->CleanupCount: %7!d!, Fcb->FcbState: 0x%8!08x!, IrpSp->Flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbCleanupCount`	—
`A17_FcbFcbState`	—
`A18_IrpSpFlags`	—

Event ID 141 — NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->FcbState: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbFcbState`	—
`A17_IrpSpFlags`	—

Event ID 142 — NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, IrpContext->State: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_IrpContextState`	—
`A17_IrpSpFlags`	—

Event ID 143 — NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbFcbState`	—
`A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff`	—
`A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess`	—

Event ID 144 — NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CreateContextCurrentFcbVcb`	—
`A12__CreateContextCurrentFcbVcbVolumeName`	—
`A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb`	—
`A14_CreateContextCurrentFcb`	—
`A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference`	—
`A16_CreateContextCurrentFcbInfoFileAttributes`	—
`A17_CreateContextCurrentFcbTxfRmcbRmState`	—

Event ID 145 — NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CreateContextCurrentFcbVcb`	—
`A12__CreateContextCurrentFcbVcbVolumeName`	—
`A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb`	—
`A14_CreateContextCurrentFcb`	—
`A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference`	—
`A16_CreateContextCurrentFcbFcbState`	—
`A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff`	—
`A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess`	—

Event ID 146 — NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbFcbState`	—

Event ID 147 — NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenFile: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbFcbState`	—
`A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff`	—
`A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess`	—

Event ID 148 — NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb Rmstate: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbTxfRmcbRmState`	—

Event ID 149 — NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb): Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!, AttrTypeCode: 0x%9!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ParentScbFcbVcb`	—
`A12__ParentScbFcbVcbVolumeName`	—
`A13_WppCountedStringWParentScbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbFcbVcbVpb`	—
`A14_ParentScbFcb`	—
`A15_NtfsFullFileRefNumber_ParentScbFcbFileReference`	—
`A16_ParentScbFcbFcbState`	—
`A17_ParentScbFcbTxfRmcbRmState`	—
`A18_AttrTypeCode`	—

Event ID 150 — NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Create options: 0x%7!08x!, Ccb flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_CreateContextIrpSpParametersCreateOptions`	—
`A17_CcbFlags`	—

Event ID 151 — NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb) Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ParentScbVcb`	—
`A12__ParentScbVcbVolumeName`	—
`A13_WppCountedStringWParentScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbVcbVpb`	—
`A14_ParentScbFcb`	—
`A15_NtfsFullFileRefNumber_ParentScbFcbFileReference`	—
`A16_ParentScbFcbFcbState`	—
`A17_ParentScbFcbTxfRmcbRmState`	—

Event ID 152 — NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb state: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbTxfRmcbRmState`	—

Event ID 153 — NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NeedEaCount: %7!d!, CreateOptions: 0x%8!08x!, CcbFlags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisEaInformationNeedEaCount`	—
`A17_CreateContextIrpSpParametersCreateOptions`	—
`A18_CcbFlags`	—

Event ID 154 — NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttrTypeCode to create: 0x%7!x!, CreateDisposition: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_AttrTypeCode`	—
`A17_CreateDisposition`	—

Event ID 155 — NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CreateDisposition: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_CreateDisposition`	—

Event ID 156 — NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, AttrTypeCode: 0x%8!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbFcbState`	—
`A17_AttrTypeCode`	—

Event ID 157 — NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, DuplicateInfo attributes: 0x%7!08x!, FileAttributes: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbInfoFileAttributes`	—
`A17_FileAttributes`	—

Event ID 158 — NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Create options: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_CreateContextIrpSpParametersCreateOptions`	—

Event ID 159 — NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttributeTypeCode: 0x%7!x!, Scb state: 0x%8!08x!, Scb HighWaterMark: %9!I64d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_CreateContextThisScbAttributeTypeCode`	—
`A17_CreateContextThisScbState`	—
`A18_CreateContextThisScbScbTypeDataHighWaterMark`	—

Event ID 160 — NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, CreateDisposition: 0x%6!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_AttrCode`	—
`A15_CreateDisposition`	—

Event ID 161 — NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, DesiredAccess: 0x%6!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_AttrCode`	—
`A15_IrpSpParametersCreateSecurityContextAccessStateOriginalDesiredAccess`	—

Event ID 162 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: %1!p!, AttributeTypeCode: %2!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_AttrCode`	—

Event ID 163 — NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbAttributeTypeCode`	—
`A18__ThisScbAttributeName`	—
`A19_IrpSpParametersCreateShareAccess`	—
`A20_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess`	—

Event ID 164 — NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbAttributeTypeCode`	—
`A18__ThisScbAttributeName`	—

Event ID 165 — NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Previously granted access: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbAttributeTypeCode`	—
`A18__ThisScbAttributeName`	—
`A19_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess`	—

Event ID 166 — NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Disallow write count: %8!d!, Desired Access: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbMarkHandleDisallowWritesCount`	—
`A18_IrpSpParametersCreateSecurityContextDesiredAccess`	—

Event ID 167 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbAttributeTypeCode`	—
`A18__ThisScbAttributeName`	—
`A19_IrpSpParametersCreateShareAccess`	—
`A20_GrantedAccess`	—

Event ID 168 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_IrpSpParametersCreateShareAccess`	—
`A17_IrpSpFileObjectFlags`	—

Event ID 169 — NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_ThisScb`	—
`A17_ThisScbAttributeTypeCode`	—
`A18__ThisScbAttributeName`	—
`A19_IrpSpParametersCreateShareAccess`	—
`A20_GrantedAccess`	—

Event ID 170 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_IrpSpParametersCreateShareAccess`	—
`A17_IrpSpFileObjectFlags`	—

Event ID 171 — NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Desired Access: 0x%7!08x!, FileAttributes: 0x%8!08x!, SL control flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_IrpSpParametersCreateSecurityContextDesiredAccess`	—
`A17_ThisFcbInfoFileAttributes`	—
`A18_IrpSpFlags`	—

Event ID 172 — NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, NtfsData flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CurrentFcbVcb`	—
`A12__CurrentFcbVcbVolumeName`	—
`A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb`	—
`A14_CurrentFcb`	—
`A15_NtfsFullFileRefNumber_CurrentFcbFileReference`	—
`A16_CurrentFcbInfoFileAttributes`	—
`A17_NtfsDataFlags`	—

Event ID 173 — NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Stream attribute flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CurrentFcbVcb`	—
`A12__CurrentFcbVcbVolumeName`	—
`A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb`	—
`A14_CurrentFcb`	—
`A15_NtfsFullFileRefNumber_CurrentFcbFileReference`	—
`A16_CurrentFcbInfoFileAttributes`	—
`A17_ThisScbAttributeFlags`	—

Event ID 174 — NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb cleanup count: %7!d!, EncryptionCallBackTable flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisScbVcb`	—
`A12__ThisScbVcbVolumeName`	—
`A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb`	—
`A14_ThisScbFcb`	—
`A15_NtfsFullFileRefNumber_ThisScbFcbFileReference`	—
`A16_CreateContextCurrentFcbCleanupCount`	—
`A17_NtfsDataEncryptionCallBackTableImplementationFlags`	—

Event ID 175 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: %1!p!, Fcb: %2!p!, FileRef: 0x%3!I64x!, TxfRmcb RM state: %4!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_CurrentFcb`	—
`A12_NtfsFullFileRefNumber_CurrentFcbFileReference`	—
`A13_CurrentFcbTxfRmcbRmState`	—

Event ID 176 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Link Name: %7!S!, DesiredAccess: 0x%8!08x!, DesiredShareAccess: 0x%9!08x!, IoShareAccessFlags: 0x%10!08x!, LinkShareAccess->OpenCount: %11!d!, LinkShareAccess->Deleters: %12!d!, LinkShareAccess->SharedDelete: %13!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_LcbFcbVcb`	—
`A12__LcbFcbVcbVolumeName`	—
`A13_WppCountedStringWLcbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHLcbFcbVcbVpb`	—
`A14_LcbFcb`	—
`A15_NtfsFullFileRefNumber_LcbFcbFileReference`	—
`A16_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength`	—
`A17_DesiredAccess`	—
`A18_DesiredShareAccess`	—
`A19_IoShareAccessFlags`	—
`A20_LinkShareAccessOpenCount`	—
`A21_LinkShareAccessDeleters`	—
`A22_LinkShareAccessSharedDelete`	—

Event ID 177 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, DesiredAccess: 0x%9!08x!, DesiredShareAccess: 0x%10!08x!, IoShareAccessFlags: 0x%11!08x!, ShareAccess->OpenCount: %12!d!, ShareAccess->Readers: %13!d!, ShareAccess->Writers: %14!d!, ShareAccess->->Deleters: %15!d!, ShareAccess->SharedRead: %16!d!, ShareAccess->SharedWrite: %17!d!, ShareAccess->SharedDelete: %18!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_ScbAttributeTypeCode`	—
`A17__ScbAttributeName`	—
`A18_DesiredAccess`	—
`A19_DesiredShareAccess`	—
`A20_IoShareAccessFlags`	—
`A21_ShareAccessOpenCount`	—
`A22_ShareAccessReaders`	—
`A23_ShareAccessWriters`	—
`A24_ShareAccessDeleters`	—
`A25_ShareAccessSharedRead`	—
`A26_ShareAccessSharedWrite`	—
`A27_ShareAccessSharedDelete`	—

Event ID 178 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, DesiredAccess: 0x%10!08x!, DesiredShareAccess: 0x%11!08x!, IoShareAccessFlags: 0x%12!08x!, ShareAccess->OpenCount: %13!d!, ShareAccess->Readers: %14!d!, ShareAccess->Writers: %15!d!, ShareAccess->->Deleters: %16!d!, ShareAccess->SharedRead: %17!d!, ShareAccess->SharedWrite: %18!d!, ShareAccess->SharedDelete: %19!d!, LinkShareAccess->OpenCount: %20!d!, LinkShareAccess->Deleters: %21!d!, LinkShareAccess->SharedDelete: %22!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_ScbAttributeTypeCode`	—
`A17__ScbAttributeName`	—
`A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength`	—
`A19_DesiredAccess`	—
`A20_DesiredShareAccess`	—
`A21_IoShareAccessFlags`	—
`A22_ShareAccessOpenCount`	—
`A23_ShareAccessReaders`	—
`A24_ShareAccessWriters`	—
`A25_ShareAccessDeleters`	—
`A26_ShareAccessSharedRead`	—
`A27_ShareAccessSharedWrite`	—
`A28_ShareAccessSharedDelete`	—
`A29_LinkShareAccessOpenCount`	—
`A30_LinkShareAccessDeleters`	—
`A31_LinkShareAccessSharedDelete`	—

Event ID 179 — NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, Previously granted access: 0x%10!08x!, AccessState->Flags: 0x%11!08x!, DesiredShareAccess: 0x%12!08x!, CreateDisposition: 0x%13!08x!, OpenCount: %14!d!, Readers: %15!d!, Writers: %16!d!, Deleters: %17!d!, SharedRead: %18!d!, Lcb Deleters: %19!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_ScbAttributeTypeCode`	—
`A17__ScbAttributeName`	—
`A18_ARGUMENT_PRESENTLcbWppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLengthWppCountedStringWNULL0`	—
`A19_AccessStatePreviouslyGrantedAccess`	—
`A20_AccessStateFlags`	—
`A21_DesiredShareAccess`	—
`A22_CreateDisposition`	—
`A23_ScbShareAccessOpenCount`	—
`A24_ScbShareAccessReaders`	—
`A25_ScbShareAccessWriters`	—
`A26_ScbShareAccessDeleters`	—
`A27_ScbShareAccessSharedRead`	—
`A28_ARGUMENT_PRESENTLcbLcbLinkShareAccessDeleters0`	—

Event ID 180 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields

Name	Description
`A10_FILEID_FROM_SOURCEFileNLine`	—
`A11_LINENUM_FROM_SOURCEFileNLine`	—
`A12_Status`	—
`A13__ProcessName`	—

Event ID 181 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields

Name	Description
`A10_FILEID_FROM_SOURCEFileNLine`	—
`A11_LINENUM_FROM_SOURCEFileNLine`	—
`A12_Status`	—
`A13__ProcessName`	—

Event ID 182 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields

Name	Description
`A10_FILEID_FROM_SOURCEFileNLine`	—
`A11_LINENUM_FROM_SOURCEFileNLine`	—
`A12_Status`	—
`A13__ProcessName`	—

Event ID 183 — %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields

Name	Description
`A10_FILEID_FROM_SOURCEFileNLine`	—
`A11_LINENUM_FROM_SOURCEFileNLine`	—
`A12_Status`	—
`A13__ProcessName`	—

Event ID 184 — NtfsSendUnusedClustersHint: Vcb %1 - Will tell storage we are freeing at %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Will tell storage we are freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—

Event ID 185 — NtfsSendUnusedClustersHint: Vcb %1 - Flush requested.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Flush requested

Fields

Name	Description
`A10_Vcb`	—

Event ID 186 — NtfsSendUnusedClustersHint: Vcb %1 - Created new MarkUnusedContext %2, DEALLOCATED_CLUSTERS %3, MCB %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! -  Created new MarkUnusedContext %2!p!, DEALLOCATED_CLUSTERS %3!p!, MCB %4!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_MarkUnusedContextDeallocatedClusters`	—
`A13__MarkUnusedContextDeallocatedClustersMcb`	—

Event ID 187 — NtfsSendUnusedClustersHint: Vcb %1 - Successfully added clusters starting at %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Successfully added clusters starting at %2!I64x! for %3!x! into MCB %4!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingCluster`	—
`A12_RunLength`	—
`A13__MarkUnusedContextDeallocatedClustersMcb`	—

Event ID 188 — NtfsSendUnusedClustersHint: Vcb %1 - MCB %2 is full.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - MCB %2!p! is full

Fields

Name	Description
`A10_Vcb`	—
`A11__MarkUnusedContextDeallocatedClustersMcb`	—

Event ID 189 — NtfsSendUnusedClustersHint: Vcb %1 - Queuing request to IC pre-trim list, MUC %2, IC %3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! - Queuing request to IC pre-trim list, MUC %2!p!, IC %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_IrpContext`	—

Event ID 190 — NtfsSendUnusedClustersHint: Vcb %1 - Failed to allocate/initial MarkUnusedContext.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb %1!p! -  Failed to allocate/initial MarkUnusedContext

Fields

Name	Description
`A10_Vcb`	—

Event ID 191 — NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, SrcOrigClusCt %4!I64x!, SrcDSRL %5!x! - Entering

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—
`A12_SrcClustersCount`	—
`A13_SrcDeallocatedClustersClusterCount`	—
`A14_SrcDsmAttrDataSetRangesLength`	—

Event ID 192 — NtfsTransferMaxDataSetRanges: Src %1, Dst %2, SrcRemainClusCt %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, DstClusCt %4!I64x!, DstDSRL %5!x!, DstLIB %6!I64x!, DstSOff %7!I64x! - Leaving

Fields

Name	Description
`A10_Src`	—
`A11_Dst`	—
`A12_SrcClustersCount`	—
`A13_DstClustersCount`	—
`A14_DstDsmAttrDataSetRangesLength`	—
`A15_DstFirstDataSetRangePtrLengthInBytes`	—
`A16_DstFirstDataSetRangePtrStartingOffset`	—

Event ID 193 — NtfsMarkUnusedContextPostTrimProcessing: Entering

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Entering

Event ID 194 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - DC %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - DC %3!I64x!, DCIT %4!x!, DCTD %5!x!, CC %6!I64x!, IR %7!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_VcbDeallocatedClusters`	—
`A13_VcbDeallocatedClustersListLengthInTrim`	—
`A14_VcbDeallocatedClustersListLengthToDrain`	—
`A15_ClustersClusterCount`	—
`A16_InitialRanges`	—

Event ID 195 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1, MUC %2 - Removed interior slab(s) from TP map - [LCN %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - Removed interior slab(s) from TP map - [LCN %3!I64X!, len %4!I64X!] => [LCN %5!I64X!, len %6!I64X!], [LCN %7!I64X!, len %8!I64X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_StartingLcn`	—
`A13_ClusterCount`	—
`A14_FreeClusterBase1`	—
`A15_FreeClusterCount1`	—
`A16_FreeClusterBase2`	—
`A17_FreeClusterCount2`	—

Event ID 196 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - Releasing bitmap.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - Releasing bitmap

Fields

Name	Description
`A10_Vcb`	—

Event ID 197 — NtfsMarkUnusedContextPostTrimProcessing: Vcb %1 - CloseCount %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - CloseCount %2!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbCloseCount`	—

Event ID 198 — NtfsMarkUnusedContextPostTrimProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Leaving

Event ID 199 — NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1!p!

Fields

Name	Description
`A10_Irp`	—

Event ID 200 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1, IC %2 - Entering.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p!, IC %2!p! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 201 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Kicked off DelayedWorkQueue.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Kicked off DelayedWorkQueue

Fields

Name	Description
`A10_Vcb`	—

Event ID 202 — NtfsMarkUnusedContextPreTrimProcessing: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 203 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 204 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Small MUC %2 instead of MUC %3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Small MUC %2!p! instead of MUC %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_SmallMarkUnusedContext`	—
`A12_MarkUnusedContext`	—

Event ID 205 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Failed to allocate small MUC so use MUC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Failed to allocate small MUC so use MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 206 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl down.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down.  MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 207 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - [%3] Offset %4!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - [%3!x!] Offset %4!I64x!, Length %5!I64x! - trim entry

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_TrimEntryCount`	—
`A13_DataSetRangePtrStartingOffset`	—
`A14_DataSetRangePtrLengthInBytes`	—

Event ID 208 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2, Irp %3 - Completed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p!, Irp %3!p! - Completed

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_IrpUsed`	—

Event ID 209 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1, MUC %2 - %3 - failed to send.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - %3!x! - failed to send

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_Status`	—

Event ID 210 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Add MUC %2 to post trim list.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Add MUC %2!p! to post trim list

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 211 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Free small MUC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Free small MUC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 212 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1 - Sending storage ioctl down failed with %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down failed with %2!x!.  MUC %3!p!, Count %4!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—
`A12_MarkUnusedContext`	—
`A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL`	—

Event ID 213 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Event ID 214 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - There are waiters for DC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - There are waiters for DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 215 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Waking up waiter for DC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Waking up waiter for DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 216 — NtfsWakeupDeallocatedClustersWaiters: Vcb %1 - Done waking up DC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Done waking up DC %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClusters`	—

Event ID 217 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1, All %2 - Entering.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p!, All %2!x! - Entering

Fields

Name	Description
`A10_Vcb`	—
`A11_All`	—

Event ID 218 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting to drain.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting to drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 219 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Waiting for partial drain.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting for partial drain

Fields

Name	Description
`A10_Vcb`	—

Event ID 220 — NtfsWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 221 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 222 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Inserted %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Inserted %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DeallocatedClustersToWaitForDeallocatedClusters`	—

Event ID 223 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 224 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1 - Wait for DC %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1!p! - Wait for DC %2!p!

Fields

Name	Description
`A10_IrpContextVcb`	—
`A11_DeallocatedClustersToWaitForDeallocatedClusters`	—

Event ID 225 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded by %2 (s), IC %3, Vcb %4, DC %5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0`	—
`A12_IrpContext`	—
`A13_IrpContextVcb`	—
`A14_DeallocatedClusters`	—

Event ID 226 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1 (s), Exceeded by %2 (s), IC %3, Vcb %4, DC %5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields

Name	Description
`A10_WaitInSeconds`	—
`A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0`	—
`A12_IrpContext`	—
`A13_IrpContextVcb`	—
`A14_DeallocatedClusters`	—

Event ID 227 — NtfsCheckForTrimThrottling: Vcb %1 - hitting trim threshold %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckForTrimThrottling: Vcb %1!p! - hitting trim threshold %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbDeallocatedClustersListLengthInTrim`	—

Event ID 228 — NtfsUpdateSmartTrimState: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 229 — NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 230 — NtfsUpdateSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredSyncResource %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredSyncResource %2!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredVcb`	—

Event ID 231 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - Skipping deallocated clusters gen'd by smart trim.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - Skipping deallocated clusters gen'd by smart trim

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 232 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - MCB run %3; offs 0x%4!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - MCB run %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—
`A13_StartingOffset`	—
`A14_LengthInBytes`	—

Event ID 233 — NtfsUpdateSmartTrimState: Vcb %1 - MUC %2, DSR count %3, MCB count %4, ST free slots %5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - MUC %2!p!, DSR count %3!u!, MCB count %4!u!, ST free slots %5!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_DataSetRangeCount`	—
`A13_McbRunCount`	—
`A14_SmartTrimFreeRangeCount`	—

Event ID 234 — NtfsUpdateSmartTrimState: Vcb %1, MUC %2 - DSR range %3; offs 0x%4!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - DSR range %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—
`A12_RunIndex`	—
`A13_DataSetRangeStartingOffset`	—
`A14_DataSetRangeLengthInBytes`	—

Event ID 235 — NtfsUpdateSmartTrimState: Vcb %1 - MCB lcn %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - MCB lcn %2!I64X! len %3!I64X! maps to TP map bits [0x%4!X!, 0x%5!X!]

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—
`A12_ClusterCount`	—
`A13_FirstTpMapBit`	—
`A14_LastTpMapBit`	—

Event ID 236 — NtfsUpdateSmartTrimState: Vcb %1 - Smart trim state on exit; %2 ranges.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Smart trim state on exit; %2!u! ranges:

Fields

Name	Description
`A10_Vcb`	—
`A11_SmartTrimStateSlabRangesCount`	—

Event ID 237 — NtfsUpdateSmartTrimState: Vcb %1 - Range %2: FirstTPMapBit 0x%3, LastTPMapBit 0x%4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Range %2!u!: FirstTPMapBit 0x%3!X!, LastTPMapBit 0x%4!X!

Fields

Name	Description
`A10_Vcb`	—
`A11_SlabRangeIndex`	—
`A12_SlabRangeFirstTPMapBit`	—
`A13_SlabRangeLastTPMapBit`	—

Event ID 238 — NtfsUpdateSmartTrimState: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpdateSmartTrimState: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 239 — NtfsEvalSmartTrimState: Vcb %1 - Entering.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Entering

Fields

Name	Description
`A10_Vcb`	—

Event ID 240 — NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields

Name	Description
`A10_Vcb`	—

Event ID 241 — NtfsEvalSmartTrimState: Vcb %1 - Precondition checks failed; AcquiredBitmap %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredBitmap %2!u!

Fields

Name	Description
`A10_Vcb`	—
`A11_AcquiredBitmap`	—

Event ID 242 — NtfsEvalSmartTrimState: Vcb %1 - Checking slab 0x%2 for allocations.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Checking slab 0x%2!X! for allocations

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 243 — NtfsEvalSmartTrimState: Vcb %1 - Slab 0x%2 has allocations, will not trim.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Slab 0x%2!X! has allocations, will not trim

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—

Event ID 244 — NtfsEvalSmartTrimState: Vcb %1 - Free slab found - TP map bit 0x%2, lcn %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Free slab found - TP map bit 0x%2!X!, lcn %3!I64X!, len %4!I64X!

Fields

Name	Description
`A10_Vcb`	—
`A11_TpMapBit`	—
`A12_SlabBaseLcn`	—
`A13_SlabLengthInClusters`	—

Event ID 245 — NtfsEvalSmartTrimState: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEvalSmartTrimState: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 246 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 247 — NtfsFlushAllTrimHintsSynchronous.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushAllTrimHintsSynchronous (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 248 — NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, SL control flags: 0x%6!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—
`A15_IrpSpFlags`	—

Event ID 249 — NtfsVolumeDasdIo: Data section blocking flush.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush status: %5!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Status`	—

Event ID 250 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Could not find paging file run.

Event ID 251 — Could not find paging file MCB entry.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Could not find paging file MCB entry.

Event ID 252 — Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Could not find paging file run.

Event ID 253 — Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Writing to $Bitmap. Vcb: %1!p!, Offset: 0x%2!I64x!, Length: 0x%3!x!

Fields

Name	Description
`A10_ScbVcb`	—
`A11_StartingVbo`	—
`A12_ByteCount`	—

Event ID 254 — NTFS: Posting hotfix on file object.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS: Posting hotfix on file object: %1!p!

Fields

Name	Description
`A10_FileObject`	—

Event ID 255 — NTFS: Freeing Bad Vcn.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS:     Freeing Bad Vcn: %1!08x!, %2!08x!

Fields

Name	Description
`A10_ULONGBadVcn`	—
`A11_PLARGE_INTEGER_BadVcnHighPart`	—

Event ID 256 — NTFS: Retiring Bad Lcn.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS:     Retiring Bad Lcn: %1!08x!, %2!08x!

Fields

Name	Description
`A10_ULONGBadLcn`	—
`A11_PLARGE_INTEGER_BadLcnHighPart`	—

Event ID 257 — NTFS: Reallocating Bad Vcn

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS:     Reallocating Bad Vcn

Event ID 258 — NTFS: Bad Cluster replaced

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS:     Bad Cluster replaced

Event ID 259 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 260 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields

Name	Description
`A10_NewBufferSize`	—
`A11_NtfsGetCompressionBufferSize`	—

Event ID 261 —

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1

Fields

Name	Description
`A10_Status`	—

Event ID 262 — IrpContext.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12_NewBufferSize`	—

Event ID 263 — Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields

Name	Description
`A10_NewBufferSize`	—
`A11_NtfsGetUsaBufferSizeVcb`	—

Event ID 264 —

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1

Fields

Name	Description
`A10_Status`	—

Event ID 265 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_CcbFlags`	—

Event ID 266 — NtfsDefragFileInternal: Vcb %1 - Calling FRD.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal: Vcb %1!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 267 — NtfsDefragFileInternal: Vcb %1 - Done calling FRD.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal: Vcb %1!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 268 — NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_CcbFlags`	—

Event ID 269 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x! - copy offload

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_MoveDataStartingVcnQuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveDataStartingLcnQuadPart`	—
`A18_CopyLength`	—
`A19_FlagsUseDelayedAllocation`	—
`A20_Status`	—

Event ID 270 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_MoveDataStartingVcnQuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveDataStartingLcnQuadPart`	—
`A18_CopyLength`	—
`A19_FlagsUseDelayedAllocation`	—
`A20_MyStatus`	—

Event ID 271 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, CurrLcn %5!I64x!, Len %6!x!, Status %7!x! - read completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_Lcn`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 272 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, NewLcn %5!I64x!, Len %6!x!, Status %7!x! - write completed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_MoveDataStartingLcnQuadPart`	—
`A15_CopyLength`	—
`A16_MyStatus`	—

Event ID 273 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, DA %9!d!, ValidClusters %10!I64x! - beyond VDL

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_MoveDataStartingVcnQuadPart`	—
`A15_TransferClusters`	—
`A16_Lcn`	—
`A17_MoveDataStartingLcnQuadPart`	—
`A18_FlagsUseDelayedAllocation`	—
`A19_ValidClusters`	—

Event ID 274 — NtfsDefragFileInternal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x! - committed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A14_MoveDataStartingVcnQuadPart`	—
`A15_TransferClusters`	—

Event ID 275 — NtfsDefragFile: Defrag is denied without manage volume access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_FcbNULLNtfsFullFileRefNumber_FcbFileReference0`	—
`A16_CcbNULLCcbFlags0`	—

Event ID 276 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18_ScbAttributeNameBuffer`	—
`A19_ScbPersist`	—
`A20_CcbFlags`	—

Event ID 277 — NtfsEncryptDecryptOnline: Vcb %1 - Calling FRD.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb %1!p! - Calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 278 — NtfsEncryptDecryptOnline: Vcb %1 - Done calling FRD.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptDecryptOnline: Vcb %1!p! - Done calling FRD

Fields

Name	Description
`A10_Vcb`	—

Event ID 279 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_CcbNULLCcbFlags0`	—

Event ID 280 — SCB.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

SCB: %1!p!, VDL=0x%2!I64x!, FS=0x%3!I64x!, StartOff=0x%4!I64x!, StartVcn=0x%5!I64x!, Length=0x%6!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_ScbHeaderValidDataLengthQuadPart`	—
`A12_ScbHeaderFileSizeQuadPart`	—
`A13_QueryDaxExtentsFileOffset`	—
`A14_StartingVcn`	—
`A15_QueryDaxExtentsLength`	—

Event ID 281 — StartOff=0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

StartOff=0x%1!I64x!, Length=0x%2!I64x!, EffectiveLength=0x%3!I64x! StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!, Clusters=0x%6!I64x!, LastVcnInFile=0x%7!I64x!

Fields

Name	Description
`A10_QueryDaxExtentsFileOffset`	—
`A11_QueryDaxExtentsLength`	—
`A12_EffectiveInputFileRegionLength`	—
`A13_StartingVcn`	—
`A14_BeyondEndVcn`	—
`A15_RemainingClusterCount`	—
`A16_LastVcnInFile`	—

Event ID 282 — NumberOfValidRuns: 0

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NumberOfValidRuns: 0

Event ID 283 — RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!, OutputBufferLength: 0x%3!d!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_DataSetRangeIndex`	—
`A12_OutputBufferLength`	—

Event ID 284 — STATUS_BUFFER_TOO_SMALL from FsLib.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x%1!x!, MaxRuns: 0x%2!x!, BytesReturned: 0x%3!I64x!

Fields

Name	Description
`A10_ExtentsDescriptorNumberOfValidRuns`	—
`A11_MaxRuns`	—
`A12_BytesReturned`	—

Event ID 285 — Made an educated guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Made an educated guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_ExtentsDescriptorNumberOfValidRuns`	—

Event ID 286 — Made a wild guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Made a wild guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_ExtentsDescriptorNumberOfValidRuns`	—

Event ID 287 — NumberOfValidRuns: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NumberOfValidRuns: 0x%1!08x!, MaxRuns: 0x%2!08x!, Status: 0x%3!08x!, BytesReturned: 0x%4!I64x!

Fields

Name	Description
`A10_ExtentsDescriptorNumberOfValidRuns`	—
`A11_MaxRuns`	—
`A12_Status`	—
`A13_BytesReturned`	—

Event ID 288 — BasePage: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

BasePage: 0x%1!-16I64x!, PageCount: 0x%2!-16I64x!

Fields

Name	Description
`A10_ExtentsDescriptorRunIndexBasePage`	—
`A11_ExtentsDescriptorRunIndexPageCount`	—

Event ID 289 — About to zero range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

About to zero range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 290 — Zeroed range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Zeroed range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields

Name	Description
`A10_ZeroStart`	—
`A11_ZeroEnd`	—

Event ID 291 — NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_CcbFlags`	—

Event ID 292 — NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb access flags: 0x%10!08x!, Granted access: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ARGUMENT_PRESENTCcbCcbAccessFlags0`	—
`A20_ARGUMENT_PRESENTCreateContextCreateContextPreviouslyGrantedAccess0`	—

Event ID 293 — NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_CcbFlags`	—

Event ID 294 — NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_CcbNULLCcbFlags0`	—

Event ID 295 — NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Device Object flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbVcbVpbRealDeviceFlags`	—

Event ID 296 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: %7!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_RenameCleanupTargetLinkFcb`	—
`A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference`	—
`A16_RenameCleanupTargetLinkFcbFcbState`	—

Event ID 297 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfNumWriters count: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_RenameCleanupTargetLinkFcb`	—
`A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference`	—
`A16_RenameCleanupTargetLinkFcbTxfFcbTxfNumWriters`	—

Event ID 298 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, TxfNumWriters count: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_LcbToDeleteFcb`	—
`A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference`	—
`A16_LcbToDelete`	—
`A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength`	—
`A18_LcbToDeleteTxfNumWriters`	—

Event ID 299 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Cleanup count: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_RenameCleanupTargetLinkFcb`	—
`A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference`	—
`A16_RenameCleanupTargetLinkFcbCleanupCount`	—

Event ID 300 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, Link cleanup count: %9!d!, SplitPrimaryLcb: %10!p!, Split link name: %11!S!, Split link cleanup count: %12!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_LcbToDeleteFcb`	—
`A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference`	—
`A16_LcbToDelete`	—
`A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength`	—
`A18_LcbToDeleteCleanupCount`	—
`A19_SplitPrimaryLcb`	—
`A20_SplitPrimaryLcbNULLWppCountedStringWSplitPrimaryLcbFileNameAttrFileNameUSHORTSplitPrimaryLcbFileNameAttrFileNameLengthWppCountedStringWNULL0`	—
`A21_SplitPrimaryLcbNULLSplitPrimaryLcbCleanupCount0`	—

Event ID 301 — NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: 0x%7!08x!, Lcb: %8!p!, link name: %9!S!, link name flag: 0x%10!08x!, link state: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_LcbFcb`	—
`A15_NtfsFullFileRefNumber_LcbFcbFileReference`	—
`A16_LcbFcbFcbState`	—
`A17_Lcb`	—
`A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength`	—
`A19_LcbFileNameAttrFlags`	—
`A20_LcbLcbState`	—

Event ID 302 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, File attributes: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_ScbFcbInfoFileAttributes`	—

Event ID 303 — NtfsSetRenameInfo: Can not rename into a system directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename into a system directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TargetParentScbFcb`	—
`A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference`	—
`A16_TargetParentScbFcbFcbState`	—

Event ID 304 — NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TargetParentScbFcb`	—
`A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference`	—
`A16_TargetParentScbFcbInfoFileAttributes`	—
`A17_TargetParentScbFcbFcbState`	—

Event ID 305 — NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—

Event ID 306 — NtfsSetRenameInfo: Child Scb mismatch.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Potential child FileRef: %7!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_NtfsFullFileRefNumber_TargetParentScbFcbFileReference`	—

Event ID 307 — NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—

Event ID 308 — NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, TxfVisibleLinks: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_TxfVisibleLinks`	—

Event ID 309 — NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, SeAccessCheck status: %8!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_AccessStatus`	—

Event ID 310 — NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TargetParentScbFcb`	—
`A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference`	—
`A16__NewLinkName`	—

Event ID 311 — NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!, Target RM state: %8!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TargetParentScbFcb`	—
`A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference`	—
`A16__NewLinkName`	—
`A17_TargetParentScbFcbTxfRmcbRmState`	—

Event ID 312 — NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_LcbFcb`	—
`A15_NtfsFullFileRefNumber_LcbFcbFileReference`	—
`A16_Lcb`	—
`A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength`	—

Event ID 313 — NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!, Parent FileRef: %9!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_LcbFcb`	—
`A15_NtfsFullFileRefNumber_LcbFcbFileReference`	—
`A16_Lcb`	—
`A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength`	—
`A18_NtfsFullFileRefNumber_ParentScbFcbFileReference`	—

Event ID 314 — NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Stream cleanup count: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_NextScbVcb`	—
`A12__NextScbVcbVolumeName`	—
`A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb`	—
`A14_NextScbFcb`	—
`A15_NtfsFullFileRefNumber_NextScbFcbFileReference`	—
`A16_NextScbCleanupCount`	—

Event ID 315 — NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, ByID opens: %7!d!, Stream cleanup count: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_NextScbVcb`	—
`A12__NextScbVcbVolumeName`	—
`A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb`	—
`A14_NextScbFcb`	—
`A15_NtfsFullFileRefNumber_NextScbFcbFileReference`	—
`A16_ByIdCcbs`	—
`A17_NextScbCleanupCount`	—

Event ID 316 — NtfsStreamRename: Deny access due to encryption happening on source stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsStreamRename: Deny access due to encryption happening on source stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb state: 0x%10!08x! Scb HighWaterMark: %11!I64d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbState`	—
`A20_ScbScbTypeDataHighWaterMark`	—

Event ID 317 — NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Previous batch oplock count: %7!d!, current batch oplock count: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_DirectoryScbVcb`	—
`A12__DirectoryScbVcbVolumeName`	—
`A13_WppCountedStringWDirectoryScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHDirectoryScbVcbVpb`	—
`A14_DirectoryScbFcb`	—
`A15_NtfsFullFileRefNumber_DirectoryScbFcbFileReference`	—
`A16_ULONGIrpIoStatusInformation`	—
`A17_BatchOplockCount`	—

Event ID 318 — NtfsFlushVolumeFlushSingleFcb: Thread.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Vcb: %2!p!, Fcb: %3!p!, LocalFlags: %4!#08x!

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12_Fcb`	—
`A13_LocalFlagsEntireFlags`	—

Event ID 319 — NtfsFlushVolumeFlushSingleFcb: Thread.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Scb: %2!p!

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Scb`	—

Event ID 320 — NtfsFlushVolume: Thread.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushVolume: Thread: %1!p!, Vcb: %2!p!, LocalFlags: %3!#08x!

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12_LocalFlagsEntireFlags`	—

Event ID 321 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: %1!p! Vcb: %2!p!

Fields

Name	Description
`A10_VcbBitmapScb`	—
`A11_Vcb`	—

Event ID 322 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: %1!p! Vcb: %2!p!

Fields

Name	Description
`A10_VcbMftScb`	—
`A11_Vcb`	—

Event ID 323 — NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into completion queue.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into completion queue

Fields

Name	Description
`A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb`	—
`A11_Context`	—

Event ID 324 — NtfsFlushCompletionRoutine: Vcb %1 - Add context %2 into WorkQueue - Flink %3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into WorkQueue - Flink %3!p!

Fields

Name	Description
`A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb`	—
`A11_Context`	—
`A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink`	—

Event ID 325 — NtfsDiskFlushContextWorkItemProcessing: Process work item

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDiskFlushContextWorkItemProcessing: Process work item

Event ID 326 — NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Event ID 327 — Irp.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, MinorCode: %4!02x!, FsControlCode: 0x%5!08x!

Fields

Name	Description
`A10_Irp`	—
`A11_IrpContext`	—
`A12_IrpContextVcb`	—
`A13_IrpSpMinorFunction`	—
`A14_FsControlCode`	—

Event ID 328 — NtfsLockVolumeInternal: Cannot lock the volume.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!, DisallowDismountCount: %6!d!, ExplicitLock: %7!d!, Volume CleanupCount: %8!d!, Handle count: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—
`A15_VcbDisallowDismountCount`	—
`A16_ExplicitLock10`	—
`A17_ReadULongNoFence_VcbCleanupCount`	—
`A18_UserHandleCountSystemHandleCountVcbExternalMetadataCleanupCount`	—

Event ID 329 — NtfsLockVolumeInternal: Volume is already locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 330 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Status`	—

Event ID 331 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Status`	—

Event ID 332 — NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume close count: %5!d!, System file close count: %6!d!, User handle count: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbCloseCount`	—
`A15_VcbSystemFileCloseCount`	—
`A16_UserHandleCount`	—

Event ID 333 — NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 334 — NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Active RM count: %5!d!, Default RM Active: %6!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ActiveRmCount`	—
`A15_DefaultRmActive10`	—

Event ID 335 — %1: Setting RM at 0x%2 ({%3}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDVcbTxfVcbDefaultRm`	—
`A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL`	—

Event ID 336 — NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 337 — NtfsDismountVolume: IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDismountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__VolumeLabel`	—
`A13__VcbDeviceName`	—

Event ID 338 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 339 — NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 340 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, ReadOnlyCloseCount: %6!d!, CloseCount: %7!d!, SystemFileCloseCount: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—
`A15_VcbReadOnlyCloseCount`	—
`A16_VcbCloseCount`	—
`A17_VcbSystemFileCloseCount`	—

Event ID 341 — NtfsDismountVolume: Could not flush trim hints.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDismountVolume: Could not flush trim hints.  Couldn't make progress flushing log.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 342 — NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 343 — NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 344 — NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbAccessFlags`	—

Event ID 345 — NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbAccessFlags`	—

Event ID 346 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbAccessFlags`	—

Event ID 347 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, TypeOfOpen: %6!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—
`A15_TypeOfOpen`	—

Event ID 348 — NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Irp Request Mode: %6!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—
`A15_IrpRequestorMode`	—

Event ID 349 — NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 350 — NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 351 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbAccessFlags`	—
`A15_CcbFlags`	—

Event ID 352 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!, CallerId: %7!d!, Context owner ID: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbAccessFlags`	—
`A15_CcbFlags`	—
`A16_CallerId`	—
`A17_ContextOwnerId`	—

Event ID 353 — NtfsSetSparse: Caller does not have appropriate write access to the stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, FileObject write access: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_FileObjectWriteAccess10`	—

Event ID 354 — NtfsSetSparse: Cannot desparse encrypted file without write data access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Scb attributes: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_ScbAttributeFlags`	—

Event ID 355 — NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsZeroRange: User mode caller not allowed. Thread: %1!p!, Zero flags: 0x%2!08x!, Irp Requestor Mode: %3!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ZeroFlags`	—
`A12_IrpRequestorMode`	—

Event ID 356 — IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

IC: %1!p!, Scb: %2!p!, FileObject: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Scb`	—
`A12_IrpSpFileObject`	—

Event ID 357 — IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

IC: %1!p!, EncryptionOperation: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_EncryptionOperation`	—

Event ID 358 — NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—

Event ID 359 — NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—

Event ID 360 — NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 361 — NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 362 — NtfsChangeVolumeSize: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 363 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsChangeVolumeSize (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 364 — NtfsChangeVolumeSize.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsChangeVolumeSize (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name	Description
`A10_Vcb`	—

Event ID 365 — NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, HandleInfo flags: 0x%9!08x!, Irp Requestor Mode: %10!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_HandleInfoHandleInfo`	—
`A19_IrpRequestorMode`	—

Event ID 366 — NtfsMarkHandle: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_DasdCcbNULLDasdCcbAccessFlags0`	—

Event ID 367 — NtfsMarkHandle: Cannot deny defrag.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, HandleInfo flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_HandleInfoHandleInfo`	—

Event ID 368 — NtfsMarkHandle: Cannot deny Frs consolidation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState2: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbFcbState2`	—
`A17_Scb`	—
`A18_ScbAttributeTypeCode`	—
`A19__ScbAttributeName`	—
`A20_ScbPersist`	—
`A21_HandleInfoHandleInfo`	—

Event ID 369 — NtfsMarkHandle: Cannot filter metadata.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!, Irp RequestorMode: %13!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbFcbState`	—
`A17_Scb`	—
`A18_ScbAttributeTypeCode`	—
`A19__ScbAttributeName`	—
`A20_ScbPersist`	—
`A21_HandleInfoHandleInfo`	—
`A22_IrpRequestorMode`	—

Event ID 370 — NtfsMarkHandle: Mark handle is not allowed on system files.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, HandleInfo flags: %8!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_ScbFcbFcbState`	—
`A17_HandleInfoHandleInfo`	—

Event ID 371 — NtfsMarkHandle: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, HandleInfo: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_HandleInfoHandleInfo`	—

Event ID 372 — NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Writers: %10!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbShareAccessWriters`	—

Event ID 373 — NtfsPrefetchFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 374 — NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, WriteAccess: %6!d!, Fcb: %7!p!, FileRef: 0x%8!I64x!, FcbState: %9!x!, Scb AttributeTypeCode: 0x%10!x!, Ccb FullFileName: %11!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_IrpSpFileObjectWriteAccess10`	—
`A16_ScbFcb`	—
`A17_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A18_ScbAttributeTypeCode`	—
`A19_ScbFcbFcbState`	—
`A20_CcbNULL_CcbFullFileNameNULL`	—

Event ID 375 — NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 376 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x%1!p! to %2!u!.

Fields

Name	Description
`A10_PVOIDVcb`	—
`A11_InputParameter`	—

Event ID 377 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 378 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 379 — NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, NtfsData Flags: %5!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_IrpContextVcb`	—
`A12__IrpContextVcbVolumeName`	—
`A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb`	—
`A14_NtfsDataFlags`	—

Event ID 380 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 381 — Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Resetting Volsnap behavior for VCB = 0x%1!p!.  New state is 0x%2!x!.

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbVcbState`	—

Event ID 382 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 383 — NtfsCorruptionHandling: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_CcbNULLCcbAccessFlags0`	—

Event ID 384 — NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_IrpContextVcb`	—
`A12__IrpContextVcbVolumeName`	—
`A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb`	—

Event ID 385 — Scrub resume from SystemScbIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scrub resume from SystemScbIndex: %1!u! Vcn: %2!#I64x! + %3!#x!

Fields

Name	Description
`A10_ScrubResumeContextSystemScbIndex`	—
`A11_ScrubResumeContextResumeVcn`	—
`A12_ScrubResumeContextResumeVcnOffset`	—

Event ID 386 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub resume from Vcn: %2!#I64x! + %3!#x!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubResumeContextResumeVcn`	—
`A12_ScrubResumeContextResumeVcnOffset`	—

Event ID 387 — Scrub SystemScbIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scrub SystemScbIndex: %1!u!

Fields

Name	Description
`A10_ScrubResumeContextSystemScbIndex`	—

Event ID 388 — NtfsScrubData: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17__CcbFullFileName`	—
`A18_CcbAccessFlags`	—

Event ID 389 — Scrub not supported for Txf file, Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scrub not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields

Name	Description
`A10_Scb`	—
`A11_ScbTxfScb`	—

Event ID 390 — Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop

Event ID 391 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! ScrubInternal OperationStatus: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! FileOffset: %5!#I64x! Length: %6!#I64x! ParityExtentCount: %7!u!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubContextOperationStatus`	—
`A12_ScrubContextNumberOfBytesRepaired`	—
`A13_ScrubContextNumberOfBytesFailed`	—
`A14_ScrubContextErrorFileOffset`	—
`A15_ScrubContextErrorLength`	—
`A16_ScrubContextParityExtentDataNumberOfParityExtents`	—

Event ID 392 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! ScrubInternal Status: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! ParityExtentCount: %5!u!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—
`A12_ScrubContextNumberOfBytesRepaired`	—
`A13_ScrubContextNumberOfBytesFailed`	—
`A14_ScrubContextParityExtentDataNumberOfParityExtents`	—

Event ID 393 — InternalFileReference.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

InternalFileReference: %1!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 394 — InternalFileReference.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

InternalFileReference:%1!u!

Fields

Name	Description
`A10_InternalFileReference`	—

Event ID 395 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Incomplete IoCount:%2!u! Cancel:%3!u! ParityExtentCount:%4!u!

Fields

Name	Description
`A10_Scb`	—
`A11_ScrubIoCount`	—
`A12_IrpCancel`	—
`A13_ScrubContextParityExtentDataNumberOfParityExtents`	—

Event ID 396 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub skipping resident attribute (d) (%2!S!)

Fields

Name	Description
`A10_Scb`	—
`A11__ScbAttributeName`	—

Event ID 397 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub skipping resident attribute (%2!S!)

Fields

Name	Description
`A10_Scb`	—
`A11__ScbAttributeName`	—

Event ID 398 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub StartingVcn(%2!#I64d!) is negative

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 399 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub starting vcn is beyond VDL (FileOffset: %2!#I64x!, SectorAlignedVdl: %3!#I64x!)

Fields

Name	Description
`A10_Scb`	—
`A11_FileScrubOffset`	—
`A12_SectorAlignedVdl`	—

Event ID 400 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub no more Mcb entries from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 401 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! Scrub skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 402 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! StartingVcn:%2!#I64x! is beyond Vdl

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 403 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! ScrubDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) StartingVcn:%5!#I64x! + %6!#x! SectorAlignedVdl:%7!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_DsmRangeStartingOffset`	—
`A12_DsmRangeStartingOffsetDsmRangeLengthInBytes`	—
`A13_DsmRangeLengthInBytes`	—
`A14_StartingVcn`	—
`A15_StartingVcnOffset`	—
`A16_SectorAlignedVdl`	—

Event ID 404 — Scrub found problems Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scrub found problems Scb: %1!p! Vcn %2!#I64x! FileOffset: %3!#I64x! Length: %4!#I64x! Status: %5!S! BytesFailed: %6!#I64x! BytesRepaired: %7!#I64x! NewParityExtents: %8!u!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ScrubContextErrorFileOffset`	—
`A13_ScrubbedLength`	—
`A14_ScrubContextOperationStatus`	—
`A15_ScrubContextNumberOfBytesFailed`	—
`A16_ScrubContextNumberOfBytesRepaired`	—
`A17_NewParityExtentCount`	—

Event ID 405 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! DsmAction_Scrub call failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 406 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! DsmAction_Scrub operation failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 407 — FSCTL_REPAIR_COPIES not supported for Txf file, Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields

Name	Description
`A10_Scb`	—
`A11_ScbTxfScb`	—

Event ID 408 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Fields

Name	Description
`A10_Scb`	—
`A11__ScbAttributeName`	—

Event ID 409 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Fields

Name	Description
`A10_Scb`	—
`A11__ScbAttributeName`	—

Event ID 410 — FSCTL_REPAIR_COPIES interrupted by thread termination.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FSCTL_REPAIR_COPIES interrupted by thread termination.

Event ID 411 — FSCTL_REPAIR_COPIES canceled

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FSCTL_REPAIR_COPIES canceled

Event ID 412 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 413 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:%2!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—

Event ID 414 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartingVcn`	—
`A12_ClusterCount`	—

Event ID 415 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! RepairDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) FileOffset: %5!#I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_RepairDataSetRangeStartingOffset`	—
`A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes`	—
`A13_RepairDataSetRangeLengthInBytes`	—
`A14_RepairFileOffset`	—

Event ID 416 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair call failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 417 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair operation failed, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_IrpStatus`	—

Event ID 418 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb:%1!p! DsmAction_Repair completed, IrpStatus: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_RepairCopiesOutputStatus`	—

Event ID 419 — NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17__CcbFullFileName`	—
`A18_CcbAccessFlags`	—

Event ID 420 — NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 421 — NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 422 — NtfsUnloadFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 423 — NtfsCheckForSection: File already has image section.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckForSection: File already has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—

Event ID 424 — NtfsShuffleFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Irp RequestorMode: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_TypeOfOpen`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_IrpRequestorMode`	—

Event ID 425 — NtfsShuffleFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, VcbState: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_VcbVcbState`	—

Event ID 426 — NtfsShuffleFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsShuffleFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_CcbNULLCcbFlags0`	—

Event ID 427 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbInfoFileAttributes`	—
`A17_IrpSpFlags`	—

Event ID 428 — NtfsRearrangeFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Irp RequestorMode: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_IrpRequestorMode`	—

Event ID 429 — NtfsRearrangeFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, VcbState: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_VcbVcbState`	—

Event ID 430 — NtfsRearrangeFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbPersist`	—
`A20_CcbNULLCcbFlags0`	—

Event ID 431 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbInfoFileAttributes`	—
`A17_IrpSpFlags`	—

Event ID 432 — NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FileRef: %5!I64x!, FullFileName: %6!S!, Ccb access flags: %7!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_NtfsFullFileRefNumber_FcbFileReference`	—
`A15_CcbNULL_CcbFullFileNameNULL`	—
`A16_CcbNULLCcbAccessFlags0`	—

Event ID 433 — NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Scb AttributeTypeCode: %8!x!, FcbState2: %9!x!, Ccb FullFileName: %10!S!, Ccb Access flags: %11!x!, Ccb Flags2: %12!x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_ScbAttributeTypeCode`	—
`A18_ScbFcbFcbState2`	—
`A19_CcbNULL_CcbFullFileNameNULL`	—
`A20_CcbNULLCcbAccessFlags0`	—
`A21_CcbNULLCcbFlags20`	—

Event ID 434 — NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Scb AttributeTypeCode: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb Access flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_ScbAttributeTypeCode`	—
`A18_CcbNULL_CcbFullFileNameNULL`	—
`A19_CcbNULLCcbAccessFlags0`	—

Event ID 435 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 436 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Open status=0x%3!x!, path="%4!S!"

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_Status`	—
`A13__DeletedFiles`	—

Event ID 437 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Enumerate status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_Status`	—

Event ID 438 — NtfsEnumMountWorker.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumMountWorker(%1!p!,%2!p!): Open status=0x%3!x!, file="%4!S!"

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_Status`	—
`A13__FileNameToDelete`	—

Event ID 439 — NtfsEnumMountWorker.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumMountWorker(%1!p!,%2!p!): Close status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_Status`	—

Event ID 440 — NtfsEnumOnMountToDeleteWorker.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Close dir status=0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_PsGetCurrentThread`	—
`A12_Status`	—

Event ID 441 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, EffectiveMode: %10!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—
`A19_EffectiveMode`	—

Event ID 442 — SCB.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

SCB: %1!p!, StartOffset: 0x%2!I64x!, Length: 0x%3!I64x!, StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_StartOffset`	—
`A12_Length`	—
`A13_StartVcn`	—
`A14_BeyondEndVcn`	—

Event ID 443 — FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2!x!

Fields

Name	Description
`A10_Status`	—
`A11_OutputNumBadRanges`	—

Event ID 444 — FsInputRangeIndex.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FsInputRangeIndex: %1!u!, FileOffset: 0x%2!I64x!, VolumeOffset: 0x%3!I64x!, LengthInBytes: 0x%4!I64x!

Fields

Name	Description
`A10_FsInputRangeIndex`	—
`A11_FsInputRangesFsInputRangeIndexFileOffset`	—
`A12_FsInputRangesFsInputRangeIndexVolumeOffset`	—
`A13_FsInputRangesFsInputRangeIndexLengthInBytes`	—

Event ID 445 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb: %1!p!, Status: %2!S!, AbnormalTermination: %3!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—
`A12_BOOLEANAbnormalTermination`	—

Event ID 446 — Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Scb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Scb`	—
`A11_Status`	—

Event ID 447 — NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_IrpContextVcb`	—
`A12__IrpContextVcbVolumeName`	—
`A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb`	—

Event ID 448 — Logic error of posting close to work queue.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Logic error of posting close to work queue.

Event ID 449 — NtfsFindPrefixHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!, '%3!S!'} {RemainingName: '%4!S!'}

Fields

Name	Description
`A10_Table`	—
`A11_ParentScb`	—
`A12__ParentScbScbTypeIndexNormalizedName`	—
`A13_RemainingName`	—

Event ID 450 — NtfsFindPrefixHashEntry: {Lcb: NULL}

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb: NULL}

Event ID 451 — NtfsFindPrefixHashEntry: {Lcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb: %1!p!, '%2!S!'}

Fields

Name	Description
`A10_FoundLcb`	—
`A11__FoundLcbExactCaseLinkLinkName`	—

Event ID 452 — NtfsFindPrefixHashEntry: {Lcb not found}

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFindPrefixHashEntry: {Lcb not found}

Event ID 453 — NtfsInsertHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsInsertHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {FullNameLength: %3!d!} {Lcb: %4!p!, '%5!S!'}

Fields

Name	Description
`A10_Table`	—
`A11_NewHashEntryHashValue`	—
`A12_NewHashEntryFullNameLength`	—
`A13_NewHashEntryHashLcb`	—
`A14__NewHashEntryHashLcbExactCaseLinkLinkName`	—

Event ID 454 — NtfsRemoveHashEntry: {Hash table.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {HashLcb: %3!p!, '%4!S!'}

Fields

Name	Description
`A10_Table`	—
`A11_HashValue`	—
`A12_HashLcb`	—
`A13__HashLcbExactCaseLinkLinkName`	—

Event ID 455 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Checkpoint injection.  Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbCheckpointInjectionCount`	—

Event ID 456 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Log %2!d!%!PCT! full.  Wait for CC to flush metadata first. Count %3!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_PercentFull`	—
`A12_VcbWaitForCcLoggedDataActivityCount`	—

Event ID 457 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Done waiting for CC to flush metadata

Fields

Name	Description
`A10_Vcb`	—

Event ID 458 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Injected checkpoint.

Fields

Name	Description
`A10_Vcb`	—

Event ID 459 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Start of checkpoint

Fields

Name	Description
`A10_Vcb`	—

Event ID 460 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Clean checkpoint. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbCleanCheckpointCount`	—

Event ID 461 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Overflowed DPT. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbOverflowedDPTCount`	—

Event ID 462 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Fuzzy checkpoint. Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbFuzzyCheckpointCount`	—

Event ID 463 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Flush oldest FO.  Count %2!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbFlushOldestFOCount`	—

Event ID 464 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Flush starts with FRef %2!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_NtfsFullSegmentNumber_ScbFcbFileReference`	—

Event ID 465 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Flush ends.  FO %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_DirtyPageContextOldestFileObject`	—

Event ID 466 — NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 467 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Checkpoint completed.

Fields

Name	Description
`A10_Vcb`	—

Event ID 468 — Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p!.  Leaving NtfsCheckpointVolume.

Fields

Name	Description
`A10_Vcb`	—

Event ID 469 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 470 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 471 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsWriteLog failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—

Event ID 472 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsWriteLog failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—

Event ID 473 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): LfsFlushToLsn failure %4!x! Count %5!d!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—
`A14_FailedFlushCount`	—

Event ID 474 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsProcessNewLengthQueue failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—

Event ID 475 — NtfsCommitCurrentTransaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsProcessNewLengthQueue failure %4!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—

Event ID 476 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 477 — NtfsCommitCurrentTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 478 — NtfsFreeRecentlyDeallocated: Vcb %1 - Entering - ActiveLsn: %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Entering - ActiveLsn: %2!I64x!, ClearAll: %3!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_ActiveLsnQuadPart`	—
`A12_ClearAll`	—

Event ID 479 — NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 480 — NtfsFreeRecentlyDeallocated: Vcb %1 empty list - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list  - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 481 — NtfsFreeRecentlyDeallocated: Vcb %1 - Found frozen deallocated clusters with %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found frozen deallocated clusters with %2!I64x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_ClustersClusterCount`	—

Event ID 482 — NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 483 — NtfsFreeRecentlyDeallocated: Vcb %1 - No actionable deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 484 — NtfsFreeRecentlyDeallocated: Vcb %1 - Found a deallocated clusters %2 with %3!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found a deallocated clusters %2!p! with %3!I64x! clusters, Lsn: %4!I64x!, Flags: %5!08x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—
`A12_ClustersClusterCount`	—
`A13_ClustersLsnQuadPart`	—
`A14_ClustersFlags`	—

Event ID 485 — Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb: %1!p!, Processing range. DeallocatedClusters: %2!p!, RunIndex: %3!d!, StartingLcn: %4!I64x!, ClusterCount: %5!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_Clusters`	—
`A12_i`	—
`A13_StartingLcn`	—
`A14_ClusterCount`	—

Event ID 486 — Looking for dangling MDLs

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Looking for dangling MDLs

Event ID 487 — FsLibGroupSubExtentsByDanglingMdl failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FsLibGroupSubExtentsByDanglingMdl failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 488 — FsLibAddBaseMcbEntryEx failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

FsLibAddBaseMcbEntryEx failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 489 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 490 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: %1

Fields

Name	Description
`A10_Status`	—

Event ID 491 — No sub extents has dangling MDL

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

No sub extents has dangling MDL

Event ID 492 — NtfsFreeRecentlyDeallocated: Vcb %1 - Telling volsnap freeing at %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Telling volsnap freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcn`	—
`A12_ULONGClusterCount`	—

Event ID 493 — NtfsFreeRecentlyDeallocated: Vcb %1 - Volsnap responsed with freeing at %2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Volsnap responsed with freeing at %2!I64x! for %3!x! clusters

Fields

Name	Description
`A10_Vcb`	—
`A11_StartingLcnStartingIndex`	—
`A12_runLength`	—

Event ID 494 — NtfsFreeRecentlyDeallocated: Vcb %1 - Got error 0x%2 from below.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Got error 0x%2!x! from below

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 495 — NtfsFreeRecentlyDeallocated: Vcb %1 - Deleting MarkUnusedContext %2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Deleting MarkUnusedContext %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_MarkUnusedContext`	—

Event ID 496 — NtfsFreeRecentlyDeallocated: Vcb %1 - Leaving.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Leaving

Fields

Name	Description
`A10_Vcb`	—

Event ID 497 — NtfsRemoveNtfsMcbEntry Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Length: 0x%4!I64x!

Fields

Name	Description
`A10_McbScb`	—
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_Count`	—

Event ID 498 — NtfsRemoveNtfsMcbEntry Mcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRemoveNtfsMcbEntry Mcb: %1!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 499 — NtfsAddNtfsMcbEntry Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Length: 0x%5!I64x!

Fields

Name	Description
`A10_McbScb`	—
`A11_Mcb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_RunCount`	—

Event ID 500 — NtfsAddNtfsMcbEntry Mcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAddNtfsMcbEntry Mcb: %1!p!, Result: %2!S!

Fields

Name	Description
`A10_Mcb`	—
`A11_Result`	—

Event ID 501 — NtfsUnloadNtfsMcbRange Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Scb: %1!p!, Mcb: %2!p!, StartVcn: 0x%3!I64x!, EndVcn: 0x%4!I64x!, TruncateOnly: %5!S!

Fields

Name	Description
`A10_McbScb`	—
`A11_Mcb`	—
`A12_StartingVcn`	—
`A13_EndingVcn`	—
`A14_TruncateOnly`	—

Event ID 502 — NtfsUnloadNtfsMcbRange Mcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUnloadNtfsMcbRange Mcb: %1!p! Completed.

Fields

Name	Description
`A10_Mcb`	—

Event ID 503 — Valid NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Valid NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—

Event ID 504 — Not an NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Not an NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!; CheckNumber: %3!d!

Fields

Name	Description
`A10_Vcb`	—
`A11_BootSector`	—
`A12_CheckNumber`	—

Event ID 505 — NtfsMountVolume: Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMountVolume: Vcb:%1!p!, IC:%2!p!, Growing allocation for Mft's Attribute List failed with exception:0x%3!x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContextExceptionStatus`	—

Event ID 506 — NtfsMountVolume: IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsMountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__VolumeLabel`	—
`A13__VcbDeviceName`	—

Event ID 507 — Mounting DAX partition.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Mounting DAX partition. Vcb: %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 508 — DAX volume mounted without DAX support because storage is not DAX capable.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 509 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Mft AttributeList not found, skipping growth

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 510 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Converting Resident AttributeList(size:0x%3!I64x!) to NonResident

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_AttrListAllocationSize`	—

Event ID 511 — NtfsGrowMftsAttributeListAllocation Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p!, AttrListScb:%3!p! Added Allocation for NonResident AttributeList (old size:0x%4!I64x!)

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_Scb`	—
`A13_AttrListAllocationSize`	—

Event ID 512 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected exception code of 0x%1!x! received

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 513 — Exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Exception code of 0x%1!x! received during mount.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 514 — Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected exception code of 0x%1!x! received.

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 515 — LogFileFull %1 BackTrace: ln %2; ln %3; ln %4; ln %5; ln %6; ln %7; ln %8; ln %9; ln %10; ln %11; ln %12; ln %13; ln %14; ln %15; ln %16; ln %17; l...

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

LogFileFull %1 BackTrace: ln %2!p!; ln %3!p!; ln %4!p!; ln %5!p!; ln %6!p!; ln %7!p!; ln %8!p!; ln %9!p!; ln %10!p!; ln %11!p!; ln %12!p!; ln %13!p!; ln %14!p!; ln %15!p!; ln %16!p!; ln %17!p!; ln %18!p!; ln %19!p!; ln %20!p!; ln %21!p!;

Fields

Name	Description
`A10_IrpContextLogFullReason`	—
`A11_BackTrace0`	—
`A12_BackTrace1`	—
`A13_BackTrace2`	—
`A14_BackTrace3`	—
`A15_BackTrace4`	—
`A16_BackTrace5`	—
`A17_BackTrace6`	—
`A18_BackTrace7`	—
`A19_BackTrace8`	—
`A20_BackTrace9`	—
`A21_BackTrace10`	—
`A22_BackTrace11`	—
`A23_BackTrace12`	—
`A24_BackTrace13`	—
`A25_BackTrace14`	—
`A26_BackTrace15`	—
`A27_BackTrace16`	—
`A28_BackTrace17`	—
`A29_BackTrace18`	—
`A30_BackTrace19`	—

Event ID 516 — Unexpected raise of 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected raise of 0x%1!x! during critical non-raise code

Fields

Name	Description
`A10_ExceptionCode`	—

Event ID 517 — NtfsProcessException IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 518 — NtfsProcessException IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_ExceptionCode`	—

Event ID 519 — Failed to abort - IrpContext %1, Irp %2, Vcb %3, Count %4, Status %5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Count %4!x!, Status %5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A12_IrpContextVcb`	—
`A13_NtfsFailedAborts`	—
`A14_GetExceptionCode`	—

Event ID 520 — Failed to abort - IrpContext %1, Irp %2, Vcb %3, Scb %4, FileRef %5!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Scb %4!p!, FileRef %5!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Irp`	—
`A12_IrpContextVcb`	—
`A13_NextScb`	—
`A14_PULONGLONG_NextScbFcbFileReference`	—

Event ID 521 — Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x%1!08x!%2!08x!

Fields

Name	Description
`A10_IrpSpParametersWriteByteOffsetHighPart`	—
`A11_IrpSpParametersWriteByteOffsetLowPart`	—

Event ID 522 — Setting 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Setting 0x%1!x! in top-level exception status for write @ 0x%2!08x!%3!08x!

Fields

Name	Description
`A10_ExceptionCode`	—
`A11_IrpSpParametersWriteByteOffsetHighPart`	—
`A12_IrpSpParametersWriteByteOffsetLowPart`	—

Event ID 523 — [.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields

Name	Description
`A10_IrpSpMajorFunction`	—
`A11_IrpSpMinorFunction`	—
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 524 — [.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields

Name	Description
`A10_IrpSpMajorFunction`	—
`A11_IrpSpMinorFunction`	—
`A12_Irp`	—
`A13_IrpContext`	—
`A14_Status`	—

Event ID 525 — Can't handle invalid bitmap in a positive way.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Can't handle invalid bitmap in a positive way.

Event ID 526 — NTFS ETW tracing is now active.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS ETW tracing is now active.

Event ID 527 — Updating NtfsMinTrimTotalSize to %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Updating NtfsMinTrimTotalSize to %1!x!.

Fields

Name	Description
`A10_MinTrimTotalSize`	—

Event ID 528 — Updating NtfsMaxTrimTotalSize to %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Updating NtfsMaxTrimTotalSize to %1!x!.

Fields

Name	Description
`A10_MaxTrimTotalSize`	—

Event ID 529 — NtfsSetObjectId: Caller does not have restore access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpMinorFunction`	—

Event ID 530 — NtfsSetObjectIdExtendedInfo: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetObjectIdExtendedInfo: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpMinorFunction`	—

Event ID 531 — NtfsDeleteObjectId: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpMinorFunction`	—

Event ID 532 — %1: Setting RM at 0x%2 ({%3}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDVcbTxfVcbDefaultRm`	—
`A12__VcbTxfVcbDefaultRmRmId`	—

Event ID 533 — NtfsFsQuotaSetInfo: Denying access due to administrator limit.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_IrpContextVcb`	—
`A12__IrpContextVcbVolumeName`	—
`A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb`	—

Event ID 534 — NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, Ccb Flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_ScbFcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17__CcbFullFileName`	—
`A18_CcbAccessFlags`	—
`A19_CcbFlags`	—

Event ID 535 — Unexpected Paging-Read on DAX mappable stream, Scb=.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected Paging-Read on DAX mappable stream, Scb=%1!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 536 — NtfsSetReparsePoint: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpFileObjectWriteAccess`	—

Event ID 537 — NtfsSetReparsePointEx: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetReparsePointEx: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpFileObjectWriteAccess`	—

Event ID 538 — NtfsDeleteReparsePoint: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeleteReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—
`A18_IrpSpFileObjectWriteAccess`	—

Event ID 539 — NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbLogFileObject`	—
`A12_IrpContext`	—

Event ID 540 — NtfsReleaseVcbCheckDelete - deleted Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - deleted Vcb: %1!p!, IC: %2!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 541 — NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields

Name	Description
`A10_Vcb`	—
`A11_VcbLogFileObject`	—
`A12_IrpContext`	—

Event ID 542 — NtfsAbortTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 543 — NtfsAbortTransaction IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextTransactionId`	—

Event ID 544 — DoAction::InitializeFRS IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction::InitializeFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—

Event ID 545 — DoAction::DeallocateFRS IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction::DeallocateFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—

Event ID 546 — DoAction::WriteEndOfFRS IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction::WriteEndOfFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x! Off:0x%6!x!, Len:0x%7!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A14_AttributeTypeCode`	—
`A15_LogRecordRecordOffset`	—
`A16_Length`	—

Event ID 547 — DoAction::CreateAttribute IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction::CreateAttribute IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A14_PATTRIBUTE_RECORD_HEADERDataTypeCode`	—

Event ID 548 — NtfsRestartChangeValue IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartChangeValue IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, FileRef:0x%5!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A14_NtfsFullSegmentNumber_FileReference`	—

Event ID 549 — DoAction::SetNewAttributeSizes IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction::SetNewAttributeSizes IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x! OLD: Alloc:%5!I64x!, FileSize:%6!I64x!, VDL:%7!I64x!, TotalAlloc:%8!I64x! NEW: Alloc:%9!I64x!, FileSize:%10!I64x!, VDL:%11!I64x!, TotalAlloc:%12!I64x!

Fields

Name	Description
`A10_IrpContext`	—
`A11_FileRecordSegmentNumberHighPart`	—
`A12_FileRecordSegmentNumberLowPart`	—
`A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment`	—
`A14_AttributeFormNonresidentAllocatedLength`	—
`A15_AttributeFormNonresidentFileSize`	—
`A16_AttributeFormNonresidentValidDataLength`	—
`A17_AttributeFormNonresidentTotalAllocated`	—
`A18_SizesAllocationSize`	—
`A19_SizesFileSize`	—
`A20_SizesValidDataLength`	—
`A21_SizesTotalAllocated`	—

Event ID 550 — DoAction(SetBitsInNonresidentBitMap) IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction(SetBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 551 — DoAction(ClearBitsInNonresidentBitMap) IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

DoAction(ClearBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__Bitmap`	—

Event ID 552 — NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—

Event ID 553 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—
`A17_CcbAccessFlags`	—

Event ID 554 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16__CcbFullFileName`	—

Event ID 555 — NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Txf Writers Count: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbTxfFcbTxfNumWriters`	—

Event ID 556 — NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Original status: %7!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_Status`	—

Event ID 557 — NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbInfoFileAttributes`	—

Event ID 558 — NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbInfoFileAttributes`	—

Event ID 559 — NtfsCheckFileForDelete: Denying access due to file is not deleteable.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—

Event ID 560 — NtfsCheckFileForDelete: Denying access due to target file is read only.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_ThisFcbInfoFileAttributes`	—
`A17_IrpSpFlags`	—

Event ID 561 — NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb AccessFlags: 0x%7!08x!, TxfAccessCheck access status: %8!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_CcbAccessFlags`	—
`A17_AccessStatus`	—

Event ID 562 — NtfsCheckFileForDelete: Denying access due to failing to remove image section.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ThisFcbVcb`	—
`A12__ThisFcbVcbVolumeName`	—
`A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb`	—
`A14_ThisFcb`	—
`A15_NtfsFullFileRefNumber_ThisFcbFileReference`	—
`A16_NextScb`	—
`A17_NextScbAttributeTypeCode`	—
`A18__NextScbAttributeName`	—

Event ID 563 — NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 564 — NtfsRepairItem: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbVcbState`	—

Event ID 565 — NtfsSetRepairState: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 566 — NtfsInitiateRepair: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 567 — NTFS ETW tracing is shutting down.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NTFS ETW tracing is shutting down.

Event ID 568 — NtfsDefineStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 569 — NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 570 — NtfsRepairStorageReserve: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRepairStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 571 — NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Fcb State: 0x%7!08x!, Ccb FullFileName: %8!S!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbFcbState`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—

Event ID 572 — NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsSetStorageReserveIdInfo: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 573 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsChangeStorageReserveId: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Operation flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—
`A18_Flags`	—

Event ID 574 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area".

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area". Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 575 — Failed to get a non-volatile token for Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Failed to get a non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 576 — Failed to free non-volatile token for Vcb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Failed to free non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields

Name	Description
`A10_Vcb`	—
`A11_Status`	—

Event ID 577 — NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: %1!p!, TotalAllocated: 0x%2!I64x!

Fields

Name	Description
`A10_Scb`	—
`A11_ScbTotalAllocated`	—

Event ID 578 — NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: %1!p!, Lsn: %2!I64x!

Fields

Name	Description
`A10_CurrentClusters`	—
`A11_CurrentClustersLsnQuadPart`	—

Event ID 579 — ClustersLinkAsHead.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

ClustersLinkAsHead: %1!p!, FlagsToMatch: 0x%2!x!, InsertAfter: %3!S!

Fields

Name	Description
`A10_ClustersLinkAsHead`	—
`A11_FlagsToMatch`	—
`A12_InsertAfter`	—

Event ID 580 — Clusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Clusters: %1!p!, Flags: 0x%2!x!

Fields

Name	Description
`A10_Clusters`	—
`A11_ClustersFlags`	—

Event ID 581 — Matching cluster.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Matching cluster: %1!p!, NumberOfRuns: 0x%2!x!

Fields

Name	Description
`A10_Clusters`	—
`A11_NumberOfRuns`	—

Event ID 582 — Clusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Clusters: %1!p!

Fields

Name	Description
`A10_Clusters`	—

Event ID 583 — Allocated new deallocated clusters

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Allocated new deallocated clusters

Event ID 584 — Need to add Range.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Need to add Range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields

Name	Description
`A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL`	—
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 585 — Added range.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Added range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields

Name	Description
`A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL`	—
`A11_Clusters`	—
`A12_Lcn`	—
`A13_ClusterCount`	—

Event ID 586 — TxfCheckForLockConflict: File locked for modify transaction.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfCheckForLockConflict: File locked for modify transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!,Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfFcb Flags: 0x%7!08x!, ShareMode: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_TxfFcbFlags`	—
`A17_ShareMode`	—

Event ID 587 — TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_GrantedAccess`	—

Event ID 588 — TxfCheckForLockConflict: Modification access desired.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfCheckForLockConflict: Modification access desired. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_GrantedAccess`	—

Event ID 589 — TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!, Reader cleanup count: %8!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_GrantedAccess`	—
`A17_NextTxfVscbReaderCleanupCount`	—

Event ID 590 — %1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A14_PVOIDTxfRmcb`	—
`A15__TxfRmcbRmId`	—
`A16_PVOIDTxfTrans`	—
`A17__TxfTransKtmUow`	—
`A18_AbortReasonStatus`	—

Event ID 591 — %1: from %2 (%3:%4) RM at 0x%5 {%6}, Tx at 0x%7 {%8}, Status was 0x%9.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallerFunction`	—
`A12_CallerFile`	—
`A13_CallerLineNumber`	—
`A14_PVOIDTxfRmcb`	—
`A15__TxfRmcbRmId`	—
`A16_PVOIDTxfTrans`	—
`A17__TxfTransKtmUow`	—
`A18_Status`	—

Event ID 592 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_TxfTrans`	—
`A14__TxfTransKtmUow`	—

Event ID 593 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_TxfTrans`	—
`A14__TxfTransKtmUow`	—

Event ID 594 — %1: RM at 0x%2 {%3}: Unexpected exception code of 0x%4 received.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}: Unexpected exception code of 0x%4!x! received.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDCalloutParametersTxfFlushTxfRmcb`	—
`A12__CalloutParametersTxfFlushTxfRmcbRmId`	—
`A13_GetExceptionCode`	—

Event ID 595 — %1: TxfStartRm reports RM will be reset: RM metadata corrupt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 596 — %1: TxfStartRm reports RM will be reset: TM could not be initialized.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: TM could not be initialized

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 597 — %1: TxfStartRm reports RM will be reset: RM log corrupt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: RM log corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 598 — %1: TxfStartRm reports RM will be reset: log version changed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: log version changed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 599 — %1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 600 — %1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 601 — %1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields

Name	Description
`A10___FUNCTION__`	—

Event ID 602 — %1: TxfStartRm reports RM will be reset: 0x%2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxfStartRm reports RM will be reset: 0x%2!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 603 — %1: RM did not start and WILL NOT be reset, status code is 0x%2!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM did not start and WILL NOT be reset, status code is 0x%2!x!!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_FailureStatus`	—

Event ID 604 — %1: Could not initialize IrpContext: 0x%2.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Could not initialize IrpContext: 0x%2!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—

Event ID 605 — TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbTxfVcbFlags`	—

Event ID 606 — %1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2 for default RM on VCB at 0x%3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2!x! for default RM on VCB at 0x%3!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TempStatus`	—
`A12_PVOIDVcb`	—

Event ID 607 — %1: Exception code 0x%2, Status 0x%3 for default RM on VCB at 0x%4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Exception code 0x%2!x!, Status 0x%3!x! for default RM on VCB at 0x%4!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_GetExceptionCode`	—
`A12_Status`	—
`A13_PVOIDVcb`	—

Event ID 608 — %1: Couldn't reset default RM on VCB at 0x%2 after %3 tries: 0x%4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Couldn't reset default RM on VCB at 0x%2!p! after %3!d! tries: 0x%4!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDVcb`	—
`A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT`	—
`A13_OldStatus`	—

Event ID 609 — %1: Exception 0x%2 raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Exception 0x%2!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3!p!.  RM will NOT be reset.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_GetExceptionCode`	—
`A12_PVOIDVcb`	—

Event ID 610 — %1: %2 auto-restart of RM at 0x%3 ({%4}): 0x%5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: %2!S! auto-restart of RM at 0x%3!p! ({%4!S!}): 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_NT_SUCCESSStatusSucceededFAILED`	—
`A12_PVOIDTxfRmcb`	—
`A13__TxfRmcbRmId`	—
`A14_Status`	—

Event ID 611 — %1: Attempting auto-restart of RM at 0x%2 ({%3}).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Attempting auto-restart of RM at 0x%2!p! ({%3!S!})

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 612 — %1: Volume too small to start RM at 0x%2 ({%3}).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Volume too small to start RM at 0x%2!p! ({%3!S!})

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 613 — %1: Corrupt RM at 0x%2 {%3}: invalid flags in $Tops.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: invalid flags in $Tops

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 614 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbTxfVcbFlags`	—

Event ID 615 — %1: Raising to reset RM at 0x%2 ({%3}): Explicit reset requested.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Raising to reset RM at 0x%2!p! ({%3!S!}): Explicit reset requested

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 616 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_VcbTxfVcbFlags`	—

Event ID 617 — %1: Corrupt RM at 0x%2 {%3}: no TXF_DATA in root.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: no TXF_DATA in root

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 618 — %1: RM at 0x%2 {%3}: Different nesting levels of 0x%4 and 0x%5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}: Different nesting levels of 0x%4!x! and 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_LogNestingLevel`	—
`A14_DiskNestingLevel`	—

Event ID 619 — %1: Corrupt RM at 0x%2 {%3}: restart area already exists.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 620 — %1: Corrupt RM at 0x%2 {%3}: restart area already exists.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 621 — %1: Corrupt RM at 0x%2 {%3}: RmID in restart area does not match {%4}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: RmID in restart area does not match {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13__ClfsRestartAreaRmId`	—

Event ID 622 — %1: Got %2 from ClfsGetLogFileInformation for RM at 0x%3 {%4}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Got %2!d! from ClfsGetLogFileInformation for RM at 0x%3!p! {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_PVOIDTxfRmcb`	—
`A13__TxfRmcbRmId`	—

Event ID 623 — %1: Corrupt RM at 0x%2 {%3}: Restart LSN is before beginning of log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Restart LSN is before beginning of log.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 624 — %1: Corrupt RM at 0x%2 {%3}: MinRollforwardEndLsn is beyond end of log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: MinRollforwardEndLsn is beyond end of log.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 625 — %1: TxF RM at 0x%2 {%3} started successfully.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxF RM at 0x%2!p! {%3!S!} started successfully.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 626 — %1: TxF RM at 0x%2 {%3} failed to start with Status 0x%4 %5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: TxF RM at 0x%2!p! {%3!S!} failed to start with Status 0x%4!x! %5!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_Status`	—
`A14_AbnormalTerminationabnormaltermination`	—

Event ID 627 — %1: Shutting down %2 RM at 0x%3 {%4}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Shutting down %2!S! RM at 0x%3!p! {%4!S!}.  Shutdown is %5!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TxfIsDefaultRmTxfRmcbdefaultsecondary`	—
`A12_PVOIDTxfRmcb`	—
`A13__TxfRmcbRmId`	—
`A14_ForceDirtyShutdownDIRTYCLEAN`	—

Event ID 628 — %1: Setting RM at 0x%2 {%3} up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Setting RM at 0x%2!p! {%3!S!} up for auto-restart.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 629 — TxfFlushAndInvalidateExistingStructures: File has open user handles.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CleanupCount: %7!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_FcbFileReference`	—
`A16_FcbCleanupCount`	—

Event ID 630 — (%1:%2) - TXF_HARD_ERROR on RM at 0x%3 ({%4}): %5).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

(%1:%2!d!) - TXF_HARD_ERROR on RM at 0x%3!p! ({%4!S!}): %5!S!)

Fields

Name	Description
`A10_FILEID_FROM_SOURCEFileNLine`	—
`A11_LINENUM_FROM_SOURCEFileNLine`	—
`A12_TxfRmcb`	—
`A13__TxfRmcbRmId`	—
`A14_Status`	—

Event ID 631 — %1: Renamed RM at 0x%2 from {%3} to {%4}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__OldGuid`	—
`A13__TxfRmcbRmId`	—

Event ID 632 — %1: RM at 0x%2 {%3}, rolling back Tx at 0x%4 {%5}, Status was 0x%6.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}, rolling back Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_PVOIDTxfTrans`	—
`A14__TxfTransKtmUow`	—
`A15_Status`	—

Event ID 633 — %1: Renamed RM at 0x%2 from {%3} to {%4}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__OldGuid`	—
`A13__TxfRmcbRmId`	—

Event ID 634 — TxfFsctlStartRm: Denying access due starting default RM is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RmRootFcb: %5!p!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_RmRootFcbVcb`	—
`A12__RmRootFcbVcbVolumeName`	—
`A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb`	—
`A14_RmRootFcb`	—

Event ID 635 — TxfFsctlWriteBackupInformation: Denying access due RM is active.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, BackupInfo flags: 0x%5!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_FcbVcb`	—
`A12__FcbVcbVolumeName`	—
`A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb`	—
`A14_BackupInfoFlags`	—

Event ID 636 — %1: Corrupt RM at 0x%2 {%3}: Found too high of a TxF ID in log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found too high of a TxF ID in log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 637 — %1: Error Setting Delete Disposition: 0x%2 FileObject: 0x%3.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Error Setting Delete Disposition: 0x%2!x!  FileObject: 0x%3!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_PVOIDFileObject`	—

Event ID 638 — %1: Corrupt RM at 0x%2 {%3}: Got a RECOVER notification for a transaction that isn't in-doubt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 639 — TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Attribute Type Code: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb flags: 0x%10!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__CcbFullFileName`	—
`A19_CcbFlags`	—

Event ID 640 — TxfSetupTransactionContextFromCcb: Invalid TxF structure.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Invalid TxF structure. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, TxfFo: %8!p!, KtmTrans: %9!p!, TxfRmcb: %10!p!, Ccb FullFileName: %11!S!

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_CcbTxfFo`	—
`A18_CcbTxfFoKtmTrans`	—
`A19_ScbFcbTxfRmcb`	—
`A20_CcbFullFileNameBuffer`	—

Event ID 641 — TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, FO write access: %10!d!, FO delete access: %11!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17__CcbFullFileName`	—
`A18_CcbAccessFlags`	—
`A19_FileObjectWriteAccess`	—
`A20_FileObjectDeleteAccess`	—

Event ID 642 — %1: RM at 0x%2 {%3} raising 0x%4 to KTM!

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} raising 0x%4!x! to KTM!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_ExceptionCode`	—

Event ID 643 — %1: Commit (0x%2) of%3tx {%4} on RM at 0x%5 {%6} failed with 0x%7.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Commit (0x%2!x!) of%3!S!tx {%4!S!} on RM at 0x%5!p! {%6!S!} failed with 0x%7!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_TransactionNotification`	—
`A12_TransactionAlreadyPreparedPREPARED`	—
`A13__TxfTransKtmUow`	—
`A14_PVOIDTxfRmcb`	—
`A15__TxfRmcbRmId`	—
`A16_Status`	—

Event ID 644 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify commit).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify commit)

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_TxfTrans`	—
`A14__TxfTransKtmUow`	—

Event ID 645 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5} (notify rollback).

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify rollback)

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_TxfTrans`	—
`A14__TxfTransKtmUow`	—

Event ID 646 — %1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2 {%3}: 0x%4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2!p! {%3!S!}: 0x%4!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTransTxfRmcb`	—
`A12__TransTxfRmcbRmId`	—
`A13_FlushStatus`	—

Event ID 647 — %1: RM at 0x%2 {%3} trying to abort transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} trying to abort transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_Trans`	—
`A14__TransKtmUow`	—

Event ID 648 — %1: Aborting call stack: 0x%2 0x%3 0x%4 0x%5 0x%6.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Aborting call stack: 0x%2!p! 0x%3!p! 0x%4!p! 0x%5!p! 0x%6!p!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_CallStack0`	—
`A12_CallStack1`	—
`A13_CallStack2`	—
`A14_CallStack3`	—
`A15_CallStack4`	—

Event ID 649 — %1: RM at 0x%2 {%3} aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_Trans`	—
`A14__TransKtmUow`	—

Event ID 650 — %1: 0x%2 initializing IrpContext for tx at %3 {%4}, RM at %5 {%6}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: 0x%2!x! initializing IrpContext for tx at %3!p! {%4!S!}, RM at %5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_PVOIDTrans`	—
`A13__TransKtmUow`	—
`A14_PVOIDTxfRmcb`	—
`A15__TxfRmcbRmId`	—

Event ID 651 — %1: 0x%2 writing log record for RM at 0x%3 {%4}, Tx at 0x%5 {%6}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: 0x%2!x! writing log record for RM at 0x%3!p! {%4!S!}, Tx at 0x%5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_Status`	—
`A12_PVOIDTxfRmcb`	—
`A13__TxfRmcbRmId`	—
`A14_PVOIDTrans`	—
`A15__TransKtmUow`	—

Event ID 652 — %1: About to force aborts on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: About to force aborts on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 653 — %1: BaseLsn is greater than TargetLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: BaseLsn is greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 654 — %1: No transactions remain on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: No transactions remain on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 655 — %1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 656 — %1: RM at 0x%2 {%3} surprise-aborting transaction at 0x%4 {%5}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} surprise-aborting transaction at 0x%4!p! {%5!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_OldestTrans`	—
`A14__OldestTransKtmUow`	—

Event ID 657 — %1: RM at 0x%2 {%3} got 0x%4 from TxfTryAbortTransaction on Tx 0x%5 {%6}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!} got 0x%4!x! from TxfTryAbortTransaction on Tx 0x%5!p! {%6!S!}

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_Status`	—
`A14_OldestTrans`	—
`A15__OldestTransKtmUow`	—

Event ID 658 — %1: Inactive RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Inactive RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 659 — %1: Log is pinned on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Log is pinned on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 660 — %1: RM at 0x%2 {%3}, rolling back KTM Tx at 0x%4 {%5}, Status was 0x%6.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: RM at 0x%2!p! {%3!S!}, rolling back KTM Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_PVOIDTransToDereference`	—
`A14__TransToDereferenceKtmUow`	—
`A15_Status`	—

Event ID 661 — %1: Log pinned trying to advance RestartLsn on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Log pinned trying to advance RestartLsn on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 662 — %1: Log pinned by doomed transaction on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Log pinned by doomed transaction on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 663 — %1: Reporting 0x%2 to CLFS from RM at 0x%3 {%4}: 0x%5.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Reporting 0x%2!X! to CLFS from RM at 0x%3!p! {%4!S!}: 0x%5!x!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PinnedStatus`	—
`A12_PVOIDTxfRmcb`	—
`A13__TxfRmcbRmId`	—
`A14_Status`	—

Event ID 664 — %1: Done forcing aborts on RM at 0x%2 {%3}.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Done forcing aborts on RM at 0x%2!p! {%3!S!}.

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 665 — %1: Corrupt RM at 0x%2 {%3}: $Txf directory is missing in pre-existing RM.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Txf directory is missing in pre-existing RM

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 666 — %1: Corrupt RM at 0x%2 {%3}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 667 — %1: Corrupt RM at 0x%2 {%3}: Found non-empty $Txf but there is no log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found non-empty $Txf but there is no log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 668 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find $INDEX_ROOT on $Txf.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 669 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find TXF_DATA_ATTR on $Txf.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 670 — %1: Corrupt RM at 0x%2 {%3}: Found TXF_DATA_ATTR for normal file on $Txf.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 671 — %1: Corrupt RM at 0x%2 {%3}: Expected a secondary RM here.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Expected a secondary RM here

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 672 — %1: Corrupt RM at 0x%2 {%3}: $Tops is missing but $Txf is non-empty.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but $Txf is non-empty

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 673 — %1: Corrupt RM at 0x%2 {%3}: $Tops is missing but there is already a log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but there is already a log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 674 — %1: Corrupt RM at 0x%2 {%3}: $Tops is %4.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is %4!S!

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—
`A13_IsEncrypted_TopsFcbInfoencryptedcompressed`	—

Event ID 675 — %1: Corrupt RM at 0x%2 {%3}: Missing $STANDARD_INFORMATION.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Missing $STANDARD_INFORMATION

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 676 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find file attributes.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find file attributes

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 677 — %1: Corrupt RM at 0x%2 {%3}: $Tops is corrupt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is corrupt

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 678 — %1: Corrupt RM at 0x%2 {%3}: Could not find unnamed data stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Could not find unnamed data stream

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 679 — %1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong version or records wrong size.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong version or records wrong size

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 680 — %1: Corrupt RM at 0x%2 {%3}: $Tops metadata is the wrong size.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong size

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 681 — %1: Corrupt RM at 0x%2 {%3}: Non-NULL RM ID found in $Tops and there is no log.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 682 — %1: Corrupt RM at 0x%2 {%3}: Epoch in $Tops metadata doesn't match RM.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Epoch in $Tops metadata doesn't match RM

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 683 — %1: Corrupt RM at 0x%2 {%3}: Couldn't find $T stream.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $T stream

Fields

Name	Description
`A10___FUNCTION__`	—
`A11_PVOIDTxfRmcb`	—
`A12__TxfRmcbRmId`	—

Event ID 684 — NtfsReadUsnJournal: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsReadUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 685 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Decided to trim usn journal.  FirstValidUsn %3!I64x!, new FirstValidUsn %4!I64x!, FS %5!I64x!, AS %6!I64x!, MaxSize %7!I64x!, DeltaSize %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_VcbFirstValidUsn`	—
`A13_FirstValidUsn`	—
`A14_TrackUsnJournalFileSize`	—
`A15_TrackUsnJournalAllocationSize`	—
`A16_TrackUsnJournalMaxSize`	—
`A17_TrackUsnJournalDeltaAllocation`	—

Event ID 686 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): About to delete allocation till %3!I64x!, SavedReserve %4!I64x!, RequiredReserve %5!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_FirstValidUsn1`	—
`A13_SavedReserved`	—
`A14_RequiredReserved`	—

Event ID 687 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Before trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_UsnJournalHeaderAllocationSizeQuadPart`	—
`A13_UsnJournalHeaderFileSizeQuadPart`	—
`A14_UsnJournalHeaderValidDataLengthQuadPart`	—
`A15_UsnJournalTotalAllocated`	—

Event ID 688 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): After trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_UsnJournalHeaderAllocationSizeQuadPart`	—
`A13_UsnJournalHeaderFileSizeQuadPart`	—
`A14_UsnJournalHeaderValidDataLengthQuadPart`	—
`A15_UsnJournalTotalAllocated`	—

Event ID 689 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Mapping pairs validated

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 690 — TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

TrimUsnJournal (%1!p!, %2!p!): Checkpointed

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—

Event ID 691 — NtfsQueryUsnJournal: Denying access due to NULL Ccb.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—

Event ID 692 — NtfsDeleteUsnJournal: Caller does not have manage volume access.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_Fcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_CcbNULL_CcbFullFileNameNULL`	—
`A17_CcbNULLCcbAccessFlags0`	—

Event ID 693 — NtfsRestartUsnJournal: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsRestartUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_CcbNULL_CcbFullFileNameNULL`	—
`A18_CcbNULLCcbAccessFlags0`	—

Event ID 694 — NtOfsCreateAttributeEx: Stream already has a open user handle.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtOfsCreateAttributeEx: Stream already has a open user handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb CleanupCount: %10!d!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_ScbVcb`	—
`A12__ScbVcbVolumeName`	—
`A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb`	—
`A14_ScbFcb`	—
`A15_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A16_Scb`	—
`A17_ScbAttributeTypeCode`	—
`A18__ScbAttributeName`	—
`A19_ScbCleanupCount`	—

Event ID 695 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Extending journal from AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, to AS %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContextOriginatingIrp`	—
`A13_PsGetCurrentThread`	—
`A14_ScbHeaderAllocationSizeQuadPart`	—
`A15_ScbHeaderFileSizeQuadPart`	—
`A16_ScbHeaderValidDataLengthQuadPart`	—
`A17_NewAllocationSize`	—

Event ID 696 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Done extending journal AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, TA %8!I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContextOriginatingIrp`	—
`A13_PsGetCurrentThread`	—
`A14_ScbHeaderAllocationSizeQuadPart`	—
`A15_ScbHeaderFileSizeQuadPart`	—
`A16_ScbHeaderValidDataLengthQuadPart`	—
`A17_ScbTotalAllocated`	—

Event ID 697 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsWriteFileSizes

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContextOriginatingIrp`	—
`A13_PsGetCurrentThread`	—

Event ID 698 — OfsSetLength.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name	Description
`A10_Vcb`	—
`A11_IrpContext`	—
`A12_IrpContextOriginatingIrp`	—
`A13_PsGetCurrentThread`	—

Event ID 699 — NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtOfsPostNewLength (%1!p!,%2!p!,%3!p!): Status %4!x! before calling NtfsReadUsnJournal

Fields

Name	Description
`A10_IrpContext`	—
`A11_IrpContextOriginatingIrp`	—
`A12_PsGetCurrentThread`	—
`A13_IrpContextExceptionStatus`	—

Event ID 700 — NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x%1!I64x!, Scb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Clusters: 0x%5!I64x!

Fields

Name	Description
`A10_RemainingClusterCount`	—
`A11_Scb`	—
`A12_Vcn`	—
`A13_Lcn`	—
`A14_ClusterCount`	—

Event ID 701 — Vcb %1 - has no active PFNs.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p! - has *no* active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 702 — Vcb %1 - failed to query active PFNs assuming there are some.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p! - failed to query active PFNs assuming there are some

Fields

Name	Description
`A10_Vcb`	—

Event ID 703 — Vcb %1 - has active PFNs.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Vcb %1!p! - has active PFNs

Fields

Name	Description
`A10_Vcb`	—

Event ID 704 — NtfsPerformDismountOnVcb: Vcb %1.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p!

Fields

Name	Description
`A10_Vcb`	—

Event ID 705 — NtfsPerformDismountOnVcb: Vcb %1 - Found frozen deallocated clusters.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - Found frozen deallocated clusters

Fields

Name	Description
`A10_Vcb`	—

Event ID 706 — NtfsPerformDismountOnVcb: Vcb %1 - Wait for any on going trim to finish.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - Wait for any on going trim to finish

Fields

Name	Description
`A10_Vcb`	—

Event ID 707 — NtfsPerformDismountOnVcb: Vcb %1 - No more on going trim.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPerformDismountOnVcb: Vcb %1!p! - No more on going trim

Fields

Name	Description
`A10_Vcb`	—

Event ID 708 — NtfsPerformDismountOnVcb: IC.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPerformDismountOnVcb: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields

Name	Description
`A10_IrpContext`	—
`A11_Vcb`	—
`A12__VolumeLabel`	—
`A13__VcbDeviceName`	—

Event ID 709 — NtfsPostVcbIsCorrupt.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPostVcbIsCorrupt(%1!p!, %2!x!, %3!p!, %4!p!, %5!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == %6!x! before NtfsSetVcbDirtyFlag.

Fields

Name	Description
`A10_IrpContext`	—
`A11_Status`	—
`A12_FileReference`	—
`A13_Fcb`	—
`A14_Source`	—
`A15_TopLevelExceptionStatus`	—

Event ID 710 — NtfsPostVcbIsCorrupt: Marking volume dirty.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb %1!p!, WasDirty: %2!x!, FileReference %3!I64x!, Source %4!016I64x!

Fields

Name	Description
`A10_Vcb`	—
`A11_WasDirty`	—
`A12_NtfsFullSegmentNumber_BugCheckFileReference`	—
`A13_Source`	—

Event ID 711 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_FsInformationClass`	—
`A18_Scb`	—

Event ID 712 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_TypeOfOpen`	—
`A12_Vcb`	—
`A13__VcbVolumeName`	—
`A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A15_Fcb`	—
`A16_NtfsFullFileRefNumber_ScbFcbFileReference`	—
`A17_FsInformationClass`	—
`A18_Scb`	—

Event ID 713 — Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Succeeding log write @ 0x%1!08x!%2!08x! after getting 0x%3!x! in top-level irpcontext

Fields

Name	Description
`A10_IrpSpParametersWriteByteOffsetHighPart`	—
`A11_IrpSpParametersWriteByteOffsetLowPart`	—
`A12_IrpContextTopLevelIrpContextExceptionStatus`	—

Event ID 714 — Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=%1!p!

Fields

Name	Description
`A10_Scb`	—

Event ID 715 — NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RequestedRange: 0x%5!I64x!, AllowedRange: 0x%6!I64x!.

Fields

Name	Description
`A10_PsGetCurrentThread`	—
`A11_Vcb`	—
`A12__VcbVolumeName`	—
`A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb`	—
`A14_ByteRange`	—
`A15_HIGHEST_WRITABLE_SECTOR_ON_ACTIVE_VOLUMEVcbSectorSizeInfoLogicalBytesPerSector`	—

Event ID 716 — Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Ignoring write to 0x%1!I64x!, SCB length is 0x%2!I64x! for SCB 0x%3!Ix!

Fields

Name	Description
`A10_StartingVbo`	—
`A11_ScbHeaderValidDataLengthQuadPart`	—
`A12_ptrdiff_tScb`	—

Event ID 717 — Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel: Operational

Message

Truncating write from 0x%1!I64x! to 0x%2!I64x! for SCB 0x%3!Ix!

Fields

Name	Description
`A10_ByteRange`	—
`A11_SectorAlignedVdl`	—
`A12_ptrdiff_tScb`	—