detection.wiki

Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f

708 events across 1 channel

Event IDTitleChannel
10NtfsLookupRealAllocation: Vcn A10_Vcn!Operational
11NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, …Operational
12FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!Operational
13NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, …Operational
14Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!Operational
15Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!Operational
16NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using …Operational
17Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!Operational
18Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!Operational
19NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List …Operational
20NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
21NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
22NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
23NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
24NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
25NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
26NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!Operational
27NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!Operational
28AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef …Operational
29DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef …Operational
30MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib …Operational
31MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, …Operational
32MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, …Operational
33NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!Operational
34MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
35MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
36MergeFRS2.Operational
37MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
38MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
39MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
40MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
41MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
42MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
43MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
44MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
45MergeFRS2.Operational
46MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
47MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
48RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
49RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …Operational
50NtfsConsolidateAllFileRecords: Invalid Vcb.Operational
51NtfsConsolidateAllFileRecords: Volume is locked.Operational
52NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
53NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
54NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
55NtfsConsolidateAllFileRecords.Operational
56NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
57NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
58NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
59NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
60NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef …Operational
61NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
62NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
63NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
64NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …Operational
65NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime …Operational
66UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef …Operational
67NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …Operational
68NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …Operational
69NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!Operational
70NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by …Operational
71NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: …Operational
72NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: …Operational
73NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …Operational
74NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR …Operational
75NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …Operational
76NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR …Operational
77NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.Operational
78NtfsDeallocateClusters: Vcb A10_Vcb - adding clusters to DeallocatedClusters: …Operational
79NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!Operational
80NtfsDeallocateClusters: Skipped decrementing TotalAllocated by …Operational
81NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to …Operational
82NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: …Operational
83NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: …Operational
84NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: …Operational
85NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …Operational
86NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: …Operational
87NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …Operational
88NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: …Operational
89NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: …Operational
90NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …Operational
91NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, …Operational
92NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …Operational
93NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: …Operational
94NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.Operational
95System files not marked as in use in the MFT bitmap.Operational
96Length: 0 --> BinIndex : 0 - Unexpected lengthOperational
97Length: A10_Length!Operational
98Length: A10_Length!Operational
99BinIndex: A10_BinIndex!Operational
100BinIndex: A10_BinIndex!Operational
101BinGroupShift: A10_NtfsCachedRunBinGroupShift!Operational
102BinIndex: A10_BinIndex!Operational
103Searched committed allocations but didnt find enough free space.Operational
104NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit …Operational
105NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading …Operational
106NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading …Operational
107NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing …Operational
108NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing …Operational
109NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC …Operational
110Illegal MDL Complete for major code A10_IrpContextMajorFunction.Operational
111Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!Operational
112RunEntry ==> A10_RunIndex!Operational
113Offset is beyond this extent skipping the extent.Operational
114Shrinking LengthInExtent.Operational
115Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!Operational
116Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex …Operational
117Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!Operational
118Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: …Operational
119RemainingClusterCount: 0xA10_RemainingClusterCount!Operational
120Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, …Operational
121DsmOut Ranges[A10_Index]: StartingAddress: …Operational
122Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!Operational
123Updating ExtentsDescriptor Index and StartOffset from Locals: …Operational
124Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!Operational
125Updating ExtentsDescriptor Index and StartOffset from Locals: …Operational
126IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!Operational
127Return.Operational
128Unexpected open type received: A10_TypeOfOpen.Operational
129Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.Operational
130Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.Operational
131Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.Operational
132Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: …Operational
133Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: …Operational
134NtfsCommonCreate: Volume is locked.Operational
135NtfsCommonVolumeOpen: Invalid create disposition for volume open.Operational
136NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Operational
137NtfsCommonVolumeOpen: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: …Operational
138NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Operational
139NtfsCommonVolumeOpen: Conlicting file objects.Operational
140NtfsHandlePagingFile: Paging file already open, paging files can only be opened …Operational
141NtfsHandlePagingFile: Cannot open system file as paging file.Operational
142NtfsHandlePagingFile: Persisted paging file already exists.Operational
143NtfsOpenFcbById: Invalid system file access.Operational
144NtfsOpenExistingPrefixFcb: Can not directly open txf directory.Operational
145NtfsOpenExistingPrefixFcb: Invalid system file access.Operational
146NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …Operational
147NtfsOpenFile: Invalid system file access.Operational
148NtfsOpenFile: Deny open when txf rm is active.Operational
149NtfsCreateNewFile: Deny creation in system directory (except root).Operational
150NtfsCreateNewFile: Unable to create Ea for the file.Operational
151NtfsCreateNewFile: Unable to create in the $txf directory.Operational
152NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.Operational
153NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.Operational
154NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.Operational
155NtfsOpenAttributeInExistingFile: Denying access for volume root directory.Operational
156NtfsCreateNewFile: Not allowed to create streams on system files.Operational
157NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …Operational
158NtfsOverwriteAttr: Denying access due to user being Ea blind.Operational
159NtfsOverwriteAttr: Deny access due to encryption happening on the stream.Operational
160NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …Operational
161NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …Operational
162NtfsCheckValidAttributeAccess: Deny access for protected system attributes.Operational
163NtfsOpenAttributeCheck: File already has user writable references.Operational
164NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.Operational
165NtfsOpenAttributeCheck: File was granted write access but has image section.Operational
166NtfsOpenAttribute: Denying write access on disallowed writes.Operational
167NtfsOpenAttribute: File already has user writable references.Operational
168NtfsOpenAttribute: Open for exclusive read access is not allowed.Operational
169NtfsOpenAttribute: File already has user writable references.Operational
170NtfsOpenAttribute: Open for exclusive read access is not allowed.Operational
171NtfsCheckExistingFile: Desired access conflicts with read-only state.Operational
172NtfsOpenExistingEncryptedStream: No encryption driver found.Operational
173NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …Operational
174NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …Operational
175NtfsFindStartingNode: Opening not allowed for txf name when RM is active.Operational
176NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
177NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
178NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.Operational
179NtfsReCheckShareAccess: Does not meet allow open requirement.Operational
180A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …Operational
181A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …Operational
182A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …Operational
183A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …Operational
184NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at …Operational
185NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.Operational
186NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext …Operational
187NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting …Operational
188NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB …Operational
189NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, …Operational
190NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial …Operational
191NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt …Operational
192NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt …Operational
193NtfsMarkUnusedContextPostTrimProcessing: EnteringOperational
194NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext …Operational
195NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext …Operational
196NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.Operational
197NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount …Operational
198NtfsMarkUnusedContextPostTrimProcessing: LeavingOperational
199NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.Operational
200NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - …Operational
201NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off …Operational
202NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.Operational
203NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.Operational
204NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC …Operational
205NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate …Operational
206NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage …Operational
207NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …Operational
208NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …Operational
209NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …Operational
210NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC …Operational
211NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC …Operational
212NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage …Operational
213NtfsMarkUnusedContextPreTrimWorkItemProcessing: LeavingOperational
214NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC …Operational
215NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC …Operational
216NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC …Operational
217NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.Operational
218NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.Operational
219NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.Operational
220NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.Operational
221NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.Operational
222NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted …Operational
223NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.Operational
224NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait …Operational
225NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds …Operational
226NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds …Operational
227NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold …Operational
228NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.Operational
229NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.Operational
230NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; …Operational
231NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping …Operational
232NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run …Operational
233NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count …Operational
234NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range …Operational
235NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!Operational
236NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; …Operational
237NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit …Operational
238NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.Operational
239NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.Operational
240NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.Operational
241NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap …Operational
242NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for …Operational
243NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will …Operational
244NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit …Operational
245NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.Operational
246NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.Operational
247NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling …Operational
248NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.Operational
249NtfsVolumeDasdIo: Data section blocking flush.Operational
250Could not find paging file run.Operational
251Could not find paging file MCB entry.Operational
252Could not find paging file run.Operational
253Writing to $Bitmap.Operational
254NTFS: Posting hotfix on file object: A10_FileObject.Operational
255NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!Operational
256NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!Operational
257NTFS: Reallocating Bad VcnOperational
258NTFS: Bad Cluster replacedOperational
259IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!Operational
260Compression buffers are already big enough.Operational
261Operational
262IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!Operational
263Compression buffers are already big enough.Operational
264Operational
265NtfsDefragFileInternal: Defrag is denied.Operational
266NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.Operational
267NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.Operational
268NtfsDefragFileInternal: Defrag is denied.Operational
269NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
270NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
271NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
272NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
273NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
274NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …Operational
275NtfsDefragFile: Defrag is denied without manage volume access.Operational
276NtfsEncryptDecryptOnline: Defrag is denied.Operational
277NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.Operational
278NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.Operational
279NtfsEncryptDecryptOnline: Defrag is denied.Operational
280SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!Operational
281StartOff=0xA10_QueryDaxExtentsFileOffset!Operational
282NumberOfValidRuns: 0Operational
283RemainingClusterCount: 0xA10_RemainingClusterCount!Operational
284STATUS_BUFFER_TOO_SMALL from FsLib.Operational
285Made an educated guess for remaining runs.Operational
286Made a wild guess for remaining runs.Operational
287NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!Operational
288BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!Operational
289About to zero range - ZeroStart: 0xA10_ZeroStart!Operational
290Zeroed range - ZeroStart: 0xA10_ZeroStart!Operational
291NtfsCommonQueryInformation: File information query not allowed as file was …Operational
292NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …Operational
293NtfsQueryNameInfo: Name info query not allowed as file was opened without …Operational
294NtfsQueryLinksInfo: Link info query not allowed as file was opened without …Operational
295NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.Operational
296NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.Operational
297NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
298NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
299NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …Operational
300NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …Operational
301NtfsSetRenameInfo: Can not rename a file marked for deletion.Operational
302NtfsSetRenameInfo: Can not rename a txf directory.Operational
303NtfsSetRenameInfo: Can not rename into a system directory.Operational
304NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.Operational
305NtfsSetRenameInfo: The file should not have in-memory directory descendents.Operational
306NtfsSetRenameInfo: Child Scb mismatch.Operational
307NtfsSetLinkInfo: Set link info is not allowed on txf directory.Operational
308NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.Operational
309NtfsSetLinkInfo: Set link info failed due to caller not having …Operational
310NtfsSetLinkInfo: Creating a link in system directory is not allowed.Operational
311NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.Operational
312NtfsSetShortNameInfo: Can not set a short name on a deleted file.Operational
313NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …Operational
314NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …Operational
315NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.Operational
316NtfsStreamRename: Deny access due to encryption happening on source stream.Operational
317NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.Operational
318NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, …Operational
319NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.Operational
320NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: …Operational
321NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: …Operational
322NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: …Operational
323NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add …Operational
324NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add …Operational
325NtfsDiskFlushContextWorkItemProcessing: Process work itemOperational
326NtfsDiskFlushContextWorkItemProcessing: Nothing to work onOperational
327Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: …Operational
328NtfsLockVolumeInternal: Cannot lock the volume.Operational
329NtfsLockVolumeInternal: Volume is already locked.Operational
330NtfsLockVolumeInternal: Failed to flush system files on the volume.Operational
331NtfsLockVolumeInternal: Failed to flush system files on the volume.Operational
332NtfsLockVolumeInternal: Outstanding user files open after flush and retry.Operational
333NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …Operational
334NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.Operational
335A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm …Operational
336NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …Operational
337NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, …Operational
338NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …Operational
339NtfsDismountVolume: Cannot dismount volume due to volume being locked.Operational
340NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …Operational
341NtfsDismountVolume: Could not flush trim hints.Operational
342NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …Operational
343NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …Operational
344NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …Operational
345NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …Operational
346NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …Operational
347NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …Operational
348NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …Operational
349NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …Operational
350NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …Operational
351NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …Operational
352NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …Operational
353NtfsSetSparse: Caller does not have appropriate write access to the stream.Operational
354NtfsSetSparse: Cannot desparse encrypted file without write data access.Operational
355NtfsZeroRange: User mode caller not allowed.Operational
356IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.Operational
357IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!Operational
358NtfsReadRawEncrypted: Caller does not have backup access or read data access.Operational
359NtfsWriteRawEncrypted: Caller does not have write data access or restore access.Operational
360NtfsWriteRawEncrypted: Caller not having manage volume privilege.Operational
361NtfsLookupStreamFromCluster: Caller not having manage volume privilege.Operational
362NtfsChangeVolumeSize: Caller not having manage volume privilege.Operational
363NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.Operational
364NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.Operational
365NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …Operational
366NtfsMarkHandle: Caller not having manage volume privilege.Operational
367NtfsMarkHandle: Cannot deny defrag.Operational
368NtfsMarkHandle: Cannot deny Frs consolidation.Operational
369NtfsMarkHandle: Cannot filter metadata.Operational
370NtfsMarkHandle: Mark handle is not allowed on system files.Operational
371NtfsMarkHandle: File already has user writable references.Operational
372NtfsMarkHandle: File was granted write access previously but no oplocks were …Operational
373NtfsPrefetchFile: Caller not having manage volume privilege.Operational
374NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.Operational
375NtfsSetShortNameBehavior: Caller not having manage volume privilege.Operational
376Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to …Operational
377NtfsQueryPagefileEncryption: Caller not having manage volume privilege.Operational
378NtfsQueryPagefileEncryption: Caller not having manage volume privilege.Operational
379NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.Operational
380NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.Operational
381Resetting Volsnap behavior for VCB = 0xA10_Vcb.Operational
382NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.Operational
383NtfsCorruptionHandling: Caller not having manage volume privilege.Operational
384NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.Operational
385Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: …Operational
386Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!Operational
387Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.Operational
388NtfsScrubData: Caller not having manage volume privilege.Operational
389Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.Operational
390Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.Operational
391Scb:A10_Scb ScrubInternal OperationStatus: A11_ScrubContextOperationStatus …Operational
392Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: …Operational
393InternalFileReference: A10_InternalFileReference.Operational
394InternalFileReference:A10_InternalFileReference.Operational
395Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel …Operational
396Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).Operational
397Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).Operational
398Scb:A10_Scb Scrub StartingVcn.Operational
399Scb:A10_Scb Scrub starting vcn is beyond VDL.Operational
400Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!Operational
401Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!Operational
402Scb:A10_Scb StartingVcn:A11_StartingVcn!Operational
403Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!Operational
404Scrub found problems Scb: A10_Scb Vcn A11_StartingVcn!Operational
405Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.Operational
406Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.Operational
407FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: …Operational
408Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) …Operational
409Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute …Operational
410FSCTL_REPAIR_COPIES interrupted by thread termination.Operational
411FSCTL_REPAIR_COPIES canceledOperational
412Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from …Operational
413Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from …Operational
414Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!Operational
415Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!Operational
416Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.Operational
417Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.Operational
418Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.Operational
419NtfsQueryCachedRuns: Caller not having manage volume privilege.Operational
420NtfsQueryStorageClasses: Caller not having manage volume privilege.Operational
421NtfsQueryRegionInfo: Caller not having manage volume privilege.Operational
422NtfsUnloadFile: Caller not having manage volume privilege.Operational
423NtfsCheckForSection: File already has image section.Operational
424NtfsShuffleFile: User mode caller is not allowed.Operational
425NtfsShuffleFile: Denying access due to volume is locked.Operational
426NtfsShuffleFile: Defrag is denied.Operational
427NtfsShuffleFile: Denying access due to conflicting with read-only state.Operational
428NtfsRearrangeFile: User mode caller is not allowed.Operational
429NtfsRearrangeFile: Denying access due to volume is locked.Operational
430NtfsRearrangeFile: Defrag is denied.Operational
431NtfsShuffleFile: Denying access due to conflicting with read-only state.Operational
432NtfsSparseOverAllocate: Caller does not have appropriate write access.Operational
433NtfsInitiateFileMetadataOptimization: Only allowed on regular user …Operational
434NtfsQueryFileMetadataOptimization: Only allowed on regular user …Operational
435NtfsCleanVolumeMetadata: Caller not having manage volume privilege.Operational
436NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open …Operational
437NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate …Operational
438NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, …Operational
439NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.Operational
440NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir …Operational
441NtfsCleanVolumeMetadata: Caller not having manage volume privilege.Operational
442SCB: A10_Scb, StartOffset: 0xA11_StartOffset!Operational
443FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: …Operational
444FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: …Operational
445Scb: A10_Scb, Status: A11_Status, AbnormalTermination: …Operational
446Scb: A10_Scb, Status: A11_Status.Operational
447NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.Operational
448Logic error of posting close to work queue.Operational
449NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, …Operational
450NtfsFindPrefixHashEntry: {Lcb: NULL}Operational
451NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, …Operational
452NtfsFindPrefixHashEntry: {Lcb not found}Operational
453NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: …Operational
454NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!Operational
455Vcb A10_Vcb.Operational
456Vcb A10_Vcb.Operational
457Vcb A10_Vcb.Operational
458Vcb A10_Vcb.Operational
459Vcb A10_Vcb.Operational
460Vcb A10_Vcb.Operational
461Vcb A10_Vcb.Operational
462Vcb A10_Vcb.Operational
463Vcb A10_Vcb.Operational
464Vcb A10_Vcb.Operational
465Vcb A10_Vcb.Operational
466NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.Operational
467Vcb A10_Vcb.Operational
468Vcb A10_Vcb.Operational
469NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …Operational
470NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …Operational
471NtfsCommitCurrentTransaction …Operational
472NtfsCommitCurrentTransaction …Operational
473NtfsCommitCurrentTransaction …Operational
474NtfsCommitCurrentTransaction …Operational
475NtfsCommitCurrentTransaction …Operational
476NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …Operational
477NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …Operational
478NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: …Operational
479NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.Operational
480NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.Operational
481NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters …Operational
482NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.Operational
483NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.Operational
484NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters …Operational
485Vcb: A10_Vcb, Processing range.Operational
486Looking for dangling MDLsOperational
487FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.Operational
488FsLibAddBaseMcbEntryEx failed: A10_Status.Operational
489NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: …Operational
490NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: …Operational
491No sub extents has dangling MDLOperational
492NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at …Operational
493NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at …Operational
494NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.Operational
495NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext …Operational
496NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.Operational
497NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!Operational
498NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.Operational
499NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!Operational
500NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.Operational
501NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: …Operational
502NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.Operational
503Valid NTFS boot sector.Operational
504Not an NTFS boot sector.Operational
505NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's …Operational
506NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, …Operational
507Mounting DAX partition.Operational
508DAX volume mounted without DAX support because storage is not DAX capable.Operational
509NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft …Operational
510NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting …Operational
511NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, …Operational
512Unexpected exception code of 0xA10_ExceptionCode received.Operational
513Exception code of 0xA10_ExceptionCode received during mount.Operational
514Unexpected exception code of 0xA10_ExceptionCode received.Operational
515LogFileFull A10_IrpContextLogFullReason BackTrace: ln A11_BackTrace0; ln …Operational
516Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.Operational
517NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!Operational
518NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!Operational
519Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, …Operational
520Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, …Operational
521Setting STATUS_CANT_WAIT in top-level exception status for write @ …Operational
522Setting 0xA10_ExceptionCode in top-level exception status for write @ …Operational
523[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!Operational
524[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!Operational
525Can't handle invalid bitmap in a positive way.Operational
526NTFS ETW tracing is now active.Operational
527Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.Operational
528Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.Operational
529NtfsSetObjectId: Caller does not have restore access.Operational
530NtfsSetObjectIdExtendedInfo: Caller does not have write access.Operational
531NtfsDeleteObjectId: Caller does not have write access.Operational
532A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm …Operational
533NtfsFsQuotaSetInfo: Denying access due to administrator limit.Operational
534NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not …Operational
535Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.Operational
536NtfsSetReparsePoint: Caller does not have write access.Operational
537NtfsSetReparsePointEx: Caller does not have write access.Operational
538NtfsDeleteReparsePoint: Caller does not have write access.Operational
539NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling …Operational
540NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.Operational
541NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: …Operational
542NtfsAbortTransaction IC: A10_IrpContext, TransactionId: …Operational
543NtfsAbortTransaction IC: A10_IrpContext, TransactionId: …Operational
544DoAction::InitializeFRS IC:A10_IrpContext, …Operational
545DoAction::DeallocateFRS IC:A10_IrpContext, …Operational
546DoAction::WriteEndOfFRS IC:A10_IrpContext, …Operational
547DoAction::CreateAttribute IC:A10_IrpContext, …Operational
548NtfsRestartChangeValue IC:A10_IrpContext, …Operational
549DoAction::SetNewAttributeSizes IC.Operational
550DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …Operational
551DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …Operational
552NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.Operational
553NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.Operational
554NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.Operational
555NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to …Operational
556NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.Operational
557NtfsCheckFileForDelete: Denying access due to superseding view indexes are not …Operational
558NtfsCheckFileForDelete: Denying access due to non-posix delete of target …Operational
559NtfsCheckFileForDelete: Denying access due to file is not deleteable.Operational
560NtfsCheckFileForDelete: Denying access due to target file is read only.Operational
561NtfsCheckFileForDelete: Caller does not have write attributes access …Operational
562NtfsCheckFileForDelete: Denying access due to failing to remove image section.Operational
563NtfsGlobalSdUpdate: Caller does not have manage volume privilege.Operational
564NtfsRepairItem: Denying access due to volume is locked.Operational
565NtfsSetRepairState: Caller does not have manage volume privilege.Operational
566NtfsInitiateRepair: Caller does not have manage volume privilege.Operational
567NTFS ETW tracing is shutting down.Operational
568NtfsDefineStorageReserve: Caller does not have manage volume privilege.Operational
569NtfsDeleteStorageReserve: Caller does not have manage volume privilege.Operational
570NtfsRepairStorageReserve: Caller does not have manage volume privilege.Operational
571NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a …Operational
572NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.Operational
573NtfsChangeStorageReserveId: Caller does not have manage volume privilege.Operational
574NtfsChangeStorageReserveId: Caller does not have manage volume privilege to …Operational
575Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.Operational
576Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.Operational
577NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: …Operational
578NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …Operational
579ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, …Operational
580Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.Operational
581Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.Operational
582Clusters: A10_Clusters.Operational
583Allocated new deallocated clustersOperational
584Need to add Range.Operational
585Added range.Operational
586TxfCheckForLockConflict: File locked for modify transaction.Operational
587TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans …Operational
588TxfCheckForLockConflict: Modification access desired.Operational
589TxfCheckForLockConflict: File has user handle opened on one of the versions or …Operational
590A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) …Operational
591A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) …Operational
592A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …Operational
593A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …Operational
594A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb …Operational
595A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.Operational
596A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be …Operational
597A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.Operational
598A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.Operational
599A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need …Operational
600A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, …Operational
601A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata …Operational
602A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.Operational
603A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is …Operational
604A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.Operational
605TxfInitializeVolume: Denying access due to Txf start is not allowed (possible …Operational
606A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for …Operational
607A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for …Operational
608A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after …Operational
609A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from …Operational
610A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at …Operational
611A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb …Operational
612A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb …Operational
613A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid …Operational
614TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …Operational
615A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb …Operational
616TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …Operational
617A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no …Operational
618A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting …Operational
619A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart …Operational
620A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart …Operational
621A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in …Operational
622A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at …Operational
623A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart …Operational
624A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: …Operational
625A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started …Operational
626A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to …Operational
627A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at …Operational
628A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for …Operational
629TxfFlushAndInvalidateExistingStructures: File has open user handles.Operational
630(A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - …Operational
631A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to …Operational
632A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx …Operational
633A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to …Operational
634TxfFsctlStartRm: Denying access due starting default RM is not allowed.Operational
635TxfFsctlWriteBackupInformation: Denying access due RM is active.Operational
636A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too …Operational
637A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: …Operational
638A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a …Operational
639TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a …Operational
640TxfSetupTransactionContextFromCcb: Invalid TxF structure.Operational
641TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a …Operational
642A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising …Operational
643A10___FUNCTION__: Commit (0xA11_TransactionNotification) …Operational
644A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …Operational
645A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …Operational
646A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …Operational
647A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort …Operational
648A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 …Operational
649A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …Operational
650A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans …Operational
651A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb …Operational
652A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb …Operational
653A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb …Operational
654A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb …Operational
655A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at …Operational
656A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting …Operational
657A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status …Operational
658A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.Operational
659A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.Operational
660A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM …Operational
661A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at …Operational
662A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb …Operational
663A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at …Operational
664A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb …Operational
665A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf …Operational
666A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …Operational
667A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …Operational
668A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …Operational
669A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …Operational
670A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …Operational
671A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected …Operational
672A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …Operational
673A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …Operational
674A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …Operational
675A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing …Operational
676A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …Operational
677A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …Operational
678A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not …Operational
679A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops …Operational
680A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops …Operational
681A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL …Operational
682A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in …Operational
683A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …Operational
684NtfsReadUsnJournal: Caller does not have manage volume privilege.Operational
685TrimUsnJournal (A10_Vcb, A11_IrpContext): Decided to trim usn journal.Operational
686TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till …Operational
687TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS …Operational
688TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS …Operational
689TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.Operational
690TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.Operational
691NtfsQueryUsnJournal: Denying access due to NULL Ccb.Operational
692NtfsDeleteUsnJournal: Caller does not have manage volume access.Operational
693NtfsRestartUsnJournal: Caller does not have manage volume privilege.Operational
694NtOfsCreateAttributeEx: Stream already has a open user handle.Operational
695OfsSetLength …Operational
696OfsSetLength …Operational
697OfsSetLength …Operational
698OfsSetLength …Operational
699NtOfsPostNewLength …Operational
700NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!Operational
701Vcb A10_Vcb - has *no* active PFNs.Operational
702Vcb A10_Vcb - failed to query active PFNs assuming there are some.Operational
703Vcb A10_Vcb - has active PFNs.Operational
704NtfsPerformDismountOnVcb: Vcb A10_Vcb.Operational
705NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.Operational
706NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.Operational
707NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.Operational
708NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: …Operational
709NtfsPostVcbIsCorrupt.Operational
710NtfsPostVcbIsCorrupt: Marking volume dirty.Operational
711NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …Operational
712NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …Operational
713Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!Operational
714Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.Operational
715NtfsCommonWrite: Writing beyond highest writable sector on active volume is not …Operational
716Ignoring write to 0xA10_StartingVbo!Operational
717Truncating write from 0xA10_ByteRange!Operational

Event ID 10 — NtfsLookupRealAllocation: Vcn A10_Vcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLookupRealAllocation: Vcn A10_Vcn!I64x!, LowestVcn A11_AttributeFormNonresidentLowestVcn!I64x!, HighestVcn A12_AttributeFormNonresidentHighestVcn!I64x!, AllocationClusters A13_AllocationClusters!I64x!

Message #

NtfsLookupRealAllocation: Vcn %1!I64x!, LowestVcn %2!I64x!, HighestVcn %3!I64x!, AllocationClusters %4!I64x!

Fields #

NameDescription
A10_Vcn HexInt64
A11_AttributeFormNonresidentLowestVcn HexInt64
A12_AttributeFormNonresidentHighestVcn HexInt64
A13_AllocationClusters HexInt64

Event ID 11 — NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, Scb:A11_Scb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, Scb:A11_Scb.

Message #

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:%1!p!, Scb:%2!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer

Event ID 12 — FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!I64x!, ClusterCount: A13_ClusterCount!I64x!, Flags: A14_Flags!08x!, CcbForWriteExtend: A15_CcbForWriteExtend.

Message #

FileObject: %1!p!, Scb: %2!p!, StaringVcn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!, CcbForWriteExtend: %6!p!

Fields #

NameDescription
A10_FileObject Pointer
A11_Scb Pointer
A12_StartingVcn HexInt64
A13_ClusterCount HexInt64
A14_Flags HexInt32
A15_CcbForWriteExtend Pointer

Event ID 13 — NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, StaringVcn:A13_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, StaringVcn:A13_StartingVcn!I64x!, ClusterCount:A14_ClusterCount!I64x!, Flags:A15_Flags!08x!, CcbForWriteExtend:A16_CcbForWriteExtend.

Message #

NtfsAddAllocation IC:%1!p!, FileObject:%2!p!, Scb:%3!p!, StaringVcn:%4!I64x!, ClusterCount:%5!I64x!, Flags:%6!08x!, CcbForWriteExtend:%7!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileObject Pointer
A12_Scb Pointer
A13_StartingVcn HexInt64
A14_ClusterCount HexInt64
A15_Flags HexInt32
A16_CcbForWriteExtend Pointer

Event ID 14 — Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!016I64x!

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_PurgeOffset HexInt64

Event ID 15 — Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!016I64x!, PurgeChunkLength: 0xA12_PurgeChunkLength.

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!, PurgeChunkLength: 0x%3!x!

Fields #

NameDescription
A10_Scb Pointer
A11_PurgeOffset HexInt64
A12_PurgeChunkLength HexInt32

Event ID 16 — NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using LastVcn:A11_LastVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using LastVcn:A11_LastVcn!4I64x!, InstanceId:A12_AttributeInstance.

Message #

NtfsGetLastVcnForNewMappingPairSize IC:%1!p!, Using LastVcn:%2!4I64x!, InstanceId:%3!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_LastVcn HexInt64
A12_AttributeInstance HexInt32

Event ID 17 — Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!I64x!

Message #

Can't find StdInfo in FileRef %1!I64x!

Fields #

NameDescription
A10_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 18 — Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!I64x!

Message #

Can't find StdInfo in FileRef %1!I64x!

Fields #

NameDescription
A10_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 19 — NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:A10_IrpContextValueLength:A11_ValueLength, AttrFlags=A12_AttributeFlags.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:A10_IrpContextValueLength:A11_ValueLength, AttrFlags=A12_AttributeFlags.

Message #

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:%1!p!ValueLength:%2!x!, AttrFlags=%3!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ValueLength HexInt32
A12_AttributeFlags HexInt32

Event ID 20 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, LastVcn A14_LastVcn!I64x!, NewHighestVcn A15_NewHighestVcn!I64x!, PassCount A16_PassCount - step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LastVcn %5!I64x!, NewHighestVcn %6!I64x!, PassCount %7!x! - step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_LastVcn HexInt64
A15_NewHighestVcn HexInt64
A16_PassCount HexInt32

Event ID 21 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - try to merge backward.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - try to merge backward

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 22 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - after merge backward.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after merge backward

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 23 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x!, PassCount !x! - before last merge after step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x!, PassCount %8!x! - before last merge after step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64
A17_PassCount HexInt32

Event ID 24 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - after last merge after step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after last merge after step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 25 — NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, MergeSkipCt A14_NtfsFrsConsolidationStatisticsMergeSkipCount - done.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, MergeSkipCt %5!x! - done

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsFrsConsolidationStatisticsMergeSkipCount HexInt32

Event ID 26 — NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA13_AttributeTypeCode.

Message #

NtfsRestartRemoveAttribute FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_AttributeTypeCode HexInt32

Event ID 27 — NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA13_AttributeTypeCode.

Message #

NtfsRestartChangeValue FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_AttributeTypeCode HexInt32

Event ID 28 — AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_CurrentAttributeListSize.

Message #

AddToAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_CurrentAttributeListSize HexInt32

Event ID 29 — DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_NewStdInfoAttrListEntryLastCompactedSize.

Message #

DeleteFromAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_NewStdInfoAttrListEntryLastCompactedSize HexInt32

Event ID 30 — MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib A11_i/A12_MAX_MOVEABLE_ATTRIBUTES, Type=A13_AttributeTypeCode, RecLengh=A14_AttributeRecordLength, Instance:A15_Attribut...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib A11_i/A12_MAX_MOVEABLE_ATTRIBUTES, Type=A13_AttributeTypeCode, RecLengh=A14_AttributeRecordLength, Instance:A15_AttributeInstance.

Message #

MakeRoomForAttribute Moving Mft's attribute IC:%1!p!, Moving Attrib %2!x!/%3!x!, Type=%4!x!, RecLengh=%5!x!, Instance:%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_i HexInt32
A12_MAX_MOVEABLE_ATTRIBUTES HexInt32
A13_AttributeTypeCode HexInt32
A14_AttributeRecordLength HexInt32
A15_AttributeInstance HexInt32

Event ID 31 — MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, TypeCode:A12_AttributeTypeCode, RecLen:A13_AttributeRecordLength, Form:A14_AttributeFormCode, Instance:A1...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, TypeCode:A12_AttributeTypeCode, RecLen:A13_AttributeRecordLength, Form:A14_AttributeFormCode, Instance:A15_AttributeInstance.

Message #

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:%1!p!, SizeNeeded:%2!x!, TypeCode:%3!x!, RecLen:%4!x!, Form:%5!x!, Instance:%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_SizeNeeded HexInt32
A12_AttributeTypeCode HexInt32
A13_AttributeRecordLength HexInt32
A14_AttributeFormCode HexInt32
A15_AttributeInstance HexInt32

Event ID 32 — MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, Bytes2Free:A12_BytesToFree, OldMappingSize:A13_MappingPairSize, NewMappingSize:A14_NewMappingPairSize.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, Bytes2Free:A12_BytesToFree, OldMappingSize:A13_MappingPairSize, NewMappingSize:A14_NewMappingPairSize.

Message #

MoveAttributeToOwnRecord IC:%1!p!, SizeNeeded:%2!x!, Bytes2Free:%3!x!, OldMappingSize:%4!x!, NewMappingSize:%5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_SizeNeeded HexInt32
A12_BytesToFree HexInt32
A13_MappingPairSize HexInt32
A14_NewMappingPairSize HexInt32

Event ID 33 — NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Start:0xA13_StartZero, Len:0xA14_ZeroLength.

Message #

NtfsRestartZeroEndOfFileRecord FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Start:0x%4!x!, Len:0x%5!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_StartZero HexInt32
A14_ZeroLength HexInt32

Event ID 34 — MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, LowVcn !I64x!, HalfWayVcn !I64x!, FinalVcn !I64x!, PackedMode !x!, TryPrior !x! - about to merge.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, LowVcn %7!I64x!, HalfWayVcn %8!I64x!, FinalVcn %9!I64x!, PackedMode %10!x!, TryPrior %11!x! - about to merge

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_NewStartVcn HexInt64
A17_NewHalfWayVcn HexInt64
A18_NewFinalVcn HexInt64
A19_PackedMode HexInt32
A20_TryPrior HexInt32

Event ID 35 — MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, DeleteFileRef !x!0000!08x!, LowVcn !I64x!, LastVcn !I64x!, FinalVcn !I64x! - all fit in one so get rid of the second one.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - all fit in one so get rid of the second one

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_FileRecordSequenceNumber HexInt32
A17_FileRecordSegmentNumberLowPart HexInt32
A18_NewStartVcn HexInt64
A19_LastVcn HexInt64
A20_NewFinalVcn HexInt64

Event ID 36 — MergeFRS2.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_FileRecordSequenceNumber HexInt32
A17_FileRecordSegmentNumberLowPart HexInt32
A18_NewStartVcn HexInt64
A19_LastVcn HexInt64
A20_NewFinalVcn HexInt64

Event ID 37 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewFinalVcn!I64x! - initial RangePtr query.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x! - initial RangePtr query

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewFinalVcn HexInt64

Event ID 38 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewHalfWayVcn!I64x!, Rptr A15_RangePtr - secondary RangePtr query.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - secondary RangePtr query

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewHalfWayVcn HexInt64
A15_RangePtr Pointer

Event ID 39 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewHalfWayVcn!I64x!, Rptr A15_RangePtr - calling lookup runs range.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - calling lookup runs range

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewHalfWayVcn HexInt64
A15_RangePtr Pointer

Event ID 40 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - current McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - current McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 41 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - previous McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - previous McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 42 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - prev prev McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - prev prev McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 43 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - next McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - next McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 44 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, NewFinalVcnInMcb A14_NewFinalVcnInMcb!I64x! > NewFinalVcn A15_NewFinalVcn!I64x! - NewFinalVcn is smaller.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewFinalVcnInMcb %5!I64x! > NewFinalVcn %6!I64x! - NewFinalVcn is smaller

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewFinalVcnInMcb HexInt64
A15_NewFinalVcn HexInt64

Event ID 45 — MergeFRS2.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewStartVcn %5!I64x!, LastVcn %6!I64x!, NewFinalVcn %7!I64x!, NewFinalVcnInMcb %8!I64x!, #Ranges %9!x!, DeletedNextAttribute %10!x!, Mcb1(%11!x!,%12!x!), Mcb2(%13!x!,%14!x!), McbArraySizeInUseChange %15!d! - final vcn in mcb

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewStartVcn HexInt64
A15_LastVcn HexInt64
A16_NewFinalVcn HexInt64
A17_NewFinalVcnInMcb HexInt64
A18_NumberOfRanges HexInt32
A19_DeletedNextAttribute HexInt32
A20_Mcb1StartWithNewStartVcn HexInt32
A21_Mcb1HoldNewStartVcn HexInt32
A22_Mcb2StartWithNewStartVcn HexInt32
A23_Mcb2HoldNewStartVcn HexInt32
A24_McbArraySizeInUseChange Int32

Event ID 46 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, StartingVcn A14_NewStartVcn!I64x!, EndingVcn A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1!I64x! - redefined mcb range1.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range1

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewStartVcn HexInt64
A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1 HexInt64

Event ID 47 — MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, StartingVcn A14_LastVcn!I64x!, EndingVcn A15_NewFinalVcnInMcb!I64x! - redefined mcb range2.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range2

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_LastVcn HexInt64
A15_NewFinalVcnInMcb HexInt64

Event ID 48 — RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RedoAttribute(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, FileRef !I64x!, OldLowVcn !I64x!, NewLowVcn !I64x!, Instance !x! - updating LowestVcn in attribute list entry.

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, FileRef %7!I64x!, OldLowVcn %8!I64x!, NewLowVcn %9!I64x!, Instance %10!x! - updating LowestVcn in attribute list entry

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_PULONGLONG_ContextAttributeListEntrySegmentReference HexInt64
A17_OldLowestVcn HexInt64
A18_StartVcn HexInt64
A19_NewAttributeInstance HexInt32

Event ID 49 — RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RedoAttribute(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, OldLowVcn !I64x!, NewLowVcn !I64x!, OldHighVcn !I64x!, NewHighVcn !I64x!, ChildRef !x!0000!08x! - done.

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, OldLowVcn %7!I64x!, NewLowVcn %8!I64x!, OldHighVcn %9!I64x!, NewHighVcn %10!I64x!, ChildRef %11!x!0000%12!08x! - done

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_OldLowestVcn HexInt64
A17_StartVcn HexInt64
A18_OldHighestVcn HexInt64
A19_LastVcn HexInt64
A20_FileRecordSequenceNumber HexInt32
A21_FileRecordSegmentNumberLowPart HexInt32

Event ID 50 — NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: A10_PsGetCurrentThread.

Message #

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: %1!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer

Event ID 51 — NtfsConsolidateAllFileRecords: Volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords: Volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Volume Id: A14__VolumeId, Vcb State: 0xA15_VcbVcbState!08x!.

Message #

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume Id: %5!S!, Vcb State: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14__VolumeId CountedUtf16String
A15_VcbVcbState HexInt32

Event ID 52 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x!, FirstRequest A14_AllFlagsFirstRequest - opened fcb.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, FirstRequest %5!x! - opened fcb

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_AllFlagsFirstRequest HexInt32

Event ID 53 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - already in progress so get out.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - already in progress so get out

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 54 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - set in progress flag.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - set in progress flag

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 55 — NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RstrTypeCode %5!x!, RstrAttrName %6!S!, RstrVcn %7!I64x!, RstrAttrListEntryOffset %8!x!, AttrListEntryOffset %9!x!, AttrListLength %10!I64x!, AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A18_AttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64
A20_AttributeListGrowBy HexInt32
A21_AttributeListGrowBy Int32

Event ID 56 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!,!p!): Fcb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, Vcn !I64x!, Instance !x!, RstrAttrListEntryOffset !x!, AttrListLength !I64x! - breaking up 1.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 1

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextInstance HexInt32
A18_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64

Event ID 57 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!,!p!): Fcb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, Vcn !I64x!, Instance !x!, RstrAttrListEntryOffset !x!, AttrListLength !I64x! - breaking up 2.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 2

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextInstance HexInt32
A18_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64

Event ID 58 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x!, Scb A14_Scb - completed this Scb.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, Scb %5!p! - completed this Scb

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_Scb Pointer

Event ID 59 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - going into finally.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - going into finally

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 60 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef A12_PULONGLONG_FrsConsolidationContextFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef A12_PULONGLONG_FrsConsolidationContextFileReference!I64x!, Status A13_IrpContextExceptionStatus - Abnormal Termination.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): FileRef %3!I64x!, Status %4!x! - Abnormal Termination

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FrsConsolidationContextFileReference HexInt64
A13_IrpContextExceptionStatus HexInt32

Event ID 61 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - decremented close counts.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - decremented close counts

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 62 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - clearing in progress flag.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - clearing in progress flag

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 63 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!I64x!, ExceptionStatus A14_ExceptionStatus- released.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, ExceptionStatus %5!x!- released

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_FileRef HexInt64
A14_ExceptionStatus HexInt32

Event ID 64 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!I64x!, RemovedFcb A14_RemovedFcb, AllFlags.FcbAcquired A15_AllFlagsFcbAcquired, TransId A16_IrpContextTransactionId - no release.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RemovedFcb %5!x!, AllFlags.FcbAcquired %6!x!, TransId %7!x! - no release

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_FileRef HexInt64
A14_RemovedFcb HexInt32
A15_AllFlagsFcbAcquired HexInt32
A16_IrpContextTransactionId HexInt32

Event ID 65 — NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart!I64d! (ms), TotalTime A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart!I64d! (ms).

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): DeltaTime %3!I64d! (ms), TotalTime %4!I64d! (ms)

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart Int64
A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart Int64

Event ID 66 — UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef A12_PULONGLONG_FcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_AttributeListSize.

Message #

UpdateLCS: Vcb %1!p!, IC %2!p!, FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_AttributeListSize HexInt32

Event ID 67 — NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, Vcn: 0xA14_OriginalStartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: !p!, Vcb: !p!, Scb: !p!, Mcb: !p!, Vcn: 0x!I64x!, Length: 0x!I64x!, AllocateAll: !S!, TargetLcn: 0x!I64x!, PreAllocated: !S!, DelayedAllocation: !S!

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_OriginalStartingVcn HexInt64
A15_ClusterCount HexInt64
A16_AllocateAll UInt32
A17_TargetLcnNULLTargetLcnULONGLONG1 HexInt64
A18_PreAllocated UInt32
A19_UseDelayedAllocation UInt32

Event ID 68 — NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, Vcn: 0xA14_OriginalStartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: !p!, Vcb: !p!, Scb: !p!, Mcb: !p!, Vcn: 0x!I64x!, Length: 0x!I64x!, AllocateAll: !S!, TargetLcn: 0x!I64x!, PreAllocated: !S!, DelayedAllocation: !S!

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_OriginalStartingVcn HexInt64
A15_ClusterCount HexInt64
A16_AllocateAll UInt32
A17_TargetLcnNULLTargetLcnULONGLONG1 HexInt64
A18_PreAllocated UInt32
A19_UseDelayedAllocation UInt32

Event ID 69 — NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_ScbTotalAllocated!I64x!

Message #

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!

Fields #

NameDescription
A10_FoundClusterCount HexInt64
A11_Scb Pointer
A12_ScbTotalAllocated HexInt64

Event ID 70 — NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0xA10_FoundClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0xA10_FoundClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_ScbTotalAllocated!I64x!ScbState: A13_ScbState!08x!, IrpContextState2: A14_IrpContextState2!08x!, AllocateWithNoHole: A15_AllocateWithNoHole.

Message #

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!ScbState: %4!08x!, IrpContextState2: %5!08x!, AllocateWithNoHole: %6!d!

Fields #

NameDescription
A10_FoundClusterCount HexInt64
A11_Scb Pointer
A12_ScbTotalAllocated HexInt64
A13_ScbState HexInt32
A14_IrpContextState2 HexInt32
A15_AllocateWithNoHole Int32

Event ID 71 — NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersAllocated UInt32

Event ID 72 — NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersAllocated UInt32

Event ID 73 — NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!I64x!, EndVcn: 0xA15_EndingVcn!I64x!

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_StartingVcn HexInt64
A15_EndingVcn HexInt64

Event ID 74 — NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!I64x! from clusters A12_StartingVcn!I64x! to A13_EndingVcn!I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! from clusters %3!I64x! to %4!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PULONGLONG_ScbFcbFileReference HexInt64
A12_StartingVcn HexInt64
A13_EndingVcn HexInt64

Event ID 75 — NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!I64x!, EndVcn: 0xA15_EndingVcn!I64x!

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_StartingVcn HexInt64
A15_EndingVcn HexInt64

Event ID 76 — NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!I64x! starting at A12_AdjLcn!I64x! for A13_AdjClusterCount!I64x! clusters.

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! starting at %3!I64x! for %4!I64x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_PULONGLONG_ScbFcbFileReference HexInt64
A12_AdjLcn HexInt64
A13_AdjClusterCount HexInt64

Event ID 77 — NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.

Message #

NtfsDeallocateClusters: Vcb %1!p! - raising logfile full

Fields #

NameDescription
A10_Vcb Pointer

Event ID 78 — NtfsDeallocateClusters: Vcb A10_Vcb - adding clusters to DeallocatedClusters: A11_DeallocatedClusters ==> Lsn: A12_DeallocatedClustersLsnQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb !p! - adding clusters to DeallocatedClusters: !p! ==> Lsn: !I64x!, ClusterCount: !I64x!, Flags: !08x!; Vcb's DeallocatedClustersCount old: !I64x! new: !I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - adding clusters to DeallocatedClusters: %2!p! ==> Lsn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!; Vcb's DeallocatedClustersCount old: %6!I64x! new: %7!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer
A12_DeallocatedClustersLsnQuadPart HexInt64
A13_DeallocatedClustersClusterCount HexInt64
A14_DeallocatedClustersFlags HexInt32
A15_VcbDeallocatedClusters HexInt64
A16_VcbDeallocatedClustersAdjClusterCount HexInt64

Event ID 79 — NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_TotalAllocated!I64x!Addr(TotalAllocated): A13_TotalAllocated.

Message #

NtfsDeallocateClusters: Decremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!Addr(TotalAllocated): %4!p!

Fields #

NameDescription
A10_ClusterCount HexInt64
A11_Scb Pointer
A12_TotalAllocated HexInt64
A13_TotalAllocated Pointer

Event ID 80 — NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0xA10_ClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0xA10_ClusterCount!I64x! clusters, Scb: A11_ScbAddr(TotalAllocated): A12_TotalAllocated, ScbState: A13_ScbState!08x!, IrpContextState2: A14_IrpContextState2!08x!

Message #

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!Addr(TotalAllocated): %3!p!, ScbState: %4!08x!, IrpContextState2: %5!08x!

Fields #

NameDescription
A10_ClusterCount HexInt64
A11_Scb Pointer
A12_TotalAllocated Pointer
A13_ScbState HexInt32
A14_IrpContextState2 HexInt32

Event ID 81 — NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to DeallocatedClustersCount from A11_VcbDeallocatedClusters!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to DeallocatedClustersCount from A11_VcbDeallocatedClusters!I64x! to A12_VcbDeallocatedClustersClustersRemoved!I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - Undoing some changes to DeallocatedClustersCount from %2!I64x! to %3!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbDeallocatedClusters HexInt64
A12_VcbDeallocatedClustersClustersRemoved HexInt64

Event ID 82 — NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersDeallocated UInt32

Event ID 83 — NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersDeallocated UInt32

Event ID 84 — NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: 0xA12_FirstBit!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: 0xA12_FirstBit!I64x!, BeyondLastBit: 0xA13_BeyondFinalBit!I64x!, Redo: 0xA14_RedoOperation, Undo: 0xA15_UndoOperation.

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Vcb: %2!p!, FirstBit: 0x%3!I64x!, BeyondLastBit: 0x%4!I64x!, Redo: 0x%5!x!, Undo: 0x%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_FirstBit HexInt64
A13_BeyondFinalBit HexInt64
A14_RedoOperation HexInt32
A15_UndoOperation HexInt32

Event ID 85 — NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, CurrentLcn: 0xA13_CurrentLcn!I64x!

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, CurrentLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_CurrentLcn HexInt64

Event ID 86 — NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!I64x!, ClusterCount: 0xA13_ClusterCount!I64x!

Message #

NtfsAllocateBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64

Event ID 87 — NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, StartingLcn: 0xA13_StartingLcn!I64x!

Message #

NtfsAllocateBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_StartingLcn HexInt64

Event ID 88 — NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!08x!, NumBits: 0xA13_NumberOfBits!08x!

Message #

NtfsRestartSetBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_BitMapOffset HexInt32
A13_NumberOfBits HexInt32

Event ID 89 — NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!I64x!, ClusterCount: 0xA13_ClusterCount!I64x!

Message #

NtfsFreeBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64

Event ID 90 — NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, StartingLcn: 0xA13_StartingLcn!I64x!

Message #

NtfsFreeBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_StartingLcn HexInt64

Event ID 91 — NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!08x!, NumBits: 0xA13_NumberOfBits!08x!

Message #

NtfsRestartClearBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_BitMapOffset HexInt32
A13_NumberOfBits HexInt32

Event ID 92 — NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12_Bitmap, StartingBitmapLcn: 0xA13_StartingBitmapLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12_Bitmap, StartingBitmapLcn: 0xA13_StartingBitmapLcn!I64x!, SetBits: A14_SetBits.

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!, StartingBitmapLcn: 0x%4!I64x!, SetBits: %5!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Bitmap Pointer
A13_StartingBitmapLcn HexInt64
A14_SetBits UInt32

Event ID 93 — NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: 0xA12_StartingBit!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: 0xA12_StartingBit!I64x!, EndLcn: 0xA13_EndingBit!I64x!

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Bitmap: %2!p!, StartLcn: 0x%3!I64x!, EndLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_StartingBit HexInt64
A13_EndingBit HexInt64

Event ID 94 — NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Result: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Results UInt32

Event ID 95 — System files not marked as in use in the MFT bitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

System files not marked as in use in the MFT bitmap. DWord offset A10_i, value A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0.

Message #

System files not marked as in use in the MFT bitmap.  DWord offset %1!x!, value %2!x!.

Fields #

NameDescription
A10_i HexInt32
A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0 HexInt32

Event ID 96 — Length: 0 --> BinIndex : 0 - Unexpected length

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: 0 --> BinIndex : 0 - Unexpected length.

Message #

Length:        0 --> BinIndex :        0    - Unexpected length

Event ID 97 — Length: A10_Length!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: A10_Length!8I64d! --> BinIndex : A11_BinIndex!8u! - Key: A12_Key, BitPosition: A13_BitPosition, GroupIndex: A14_GroupIndex, GroupShiftFactor: A15_GroupShiftFactor.

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - Key: %3!u!, BitPosition: %4!ld!, GroupIndex: %5!ld!, GroupShiftFactor: %6!ld!

Fields #

NameDescription
A10_Length Int64
A11_BinIndex UInt32
A12_Key UInt32
A13_BitPosition Int32
A14_GroupIndex Int32
A15_GroupShiftFactor Int32

Event ID 98 — Length: A10_Length!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: A10_Length!8I64d! --> BinIndex : A11_BinIndex!8u! - BinIndex was beyond TotalBins: A12_TotalBins hence brought down.

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - BinIndex was beyond TotalBins: %3!u! hence brought down

Fields #

NameDescription
A10_Length Int64
A11_BinIndex UInt32
A12_TotalBins UInt32

Event ID 99 — BinIndex: A10_BinIndex!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MAXLONGLONG!8I64d! - BinIndex is set to last bin or beyond, TotalBins: A12_TotalBins.

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - BinIndex is set to last bin or beyond, TotalBins: %3!u!

Fields #

NameDescription
A10_BinIndex UInt32
A11_MAXLONGLONG Int64
A12_TotalBins UInt32

Event ID 100 — BinIndex: A10_BinIndex!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MaxLength!8I64d! - GroupIndex: A12_GroupIndex, RelativeBinIndex: A13_RelativeBinIndex, MaxKey: A14_MaxKey.

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - GroupIndex: %3!ld!, RelativeBinIndex: %4!ld!, MaxKey: %5!u!

Fields #

NameDescription
A10_BinIndex UInt32
A11_MaxLength Int64
A12_GroupIndex Int32
A13_RelativeBinIndex Int32
A14_MaxKey UInt32

Event ID 101 — BinGroupShift: A10_NtfsCachedRunBinGroupShift!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinGroupShift: A10_NtfsCachedRunBinGroupShift!8ld!, BinGroupSize: A11_NtfsCachedRunBinGroupSize!8u!, BinGroupMask: A12_NtfsCachedRunBinGroupMask!8x!

Message #

BinGroupShift: %1!8ld!, BinGroupSize: %2!8u!, BinGroupMask: %3!8x!

Fields #

NameDescription
A10_NtfsCachedRunBinGroupShift Int32
A11_NtfsCachedRunBinGroupSize UInt32
A12_NtfsCachedRunBinGroupMask HexInt32

Event ID 102 — BinIndex: A10_BinIndex!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MaxLength!8I64u! (0xA12_MaxLength!8I64x!).

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64u! (0x%3!8I64x!)

Fields #

NameDescription
A10_BinIndex UInt32
A11_MaxLength UInt64
A12_MaxLength HexInt64

Event ID 103 — Searched committed allocations but didnt find enough free space.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Searched committed allocations but didnt find enough free space. StartingCluster A10_StartingCluster!I64x!, ClusterCount A11_ClusterCount!I64x!, Committed A12_VcbTotalClustersCommitted!I64x!, Total A13_VcbTotalClusters!I64x!, Free A14_VcbFreeClusters!I64x!

Message #

Searched committed allocations but didnt find enough free space.  StartingCluster %1!I64x!, ClusterCount %2!I64x!, Committed %3!I64x!, Total %4!I64x!, Free %5!I64x!

Fields #

NameDescription
A10_StartingCluster HexInt64
A11_ClusterCount HexInt64
A12_VcbTotalClustersCommitted HexInt64
A13_VcbTotalClusters HexInt64
A14_VcbFreeClusters HexInt64

Event ID 104 — NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit 0xA11_FirstBitToClear, last bit 0xA12_BeyondLastBitToClear1.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit 0xA11_FirstBitToClear, last bit 0xA12_BeyondLastBitToClear1.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): first bit 0x%2!X!, last bit 0x%3!X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FirstBitToClear HexInt32
A12_BeyondLastBitToClear1 HexInt32

Event ID 105 — NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading partial slab.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading partial slab.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no leading partial slab

Fields #

NameDescription
A10_Vcb Pointer

Event ID 106 — NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading partial slab returned - LCN A11_FreeClusterBase1!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading partial slab returned - LCN A11_FreeClusterBase1!I64X!, len A12_FreeClusterCount1!I64X!

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): leading partial slab returned - LCN %2!I64X!, len %3!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FreeClusterBase1 HexInt64
A12_FreeClusterCount1 HexInt64

Event ID 107 — NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing partial slab.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing partial slab.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no trailing partial slab

Fields #

NameDescription
A10_Vcb Pointer

Event ID 108 — NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing partial slab returned - lcn A11_FreeClusterBase2!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing partial slab returned - lcn A11_FreeClusterBase2!I64X!, len A12_FreeClusterCount2!I64X!

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): trailing partial slab returned - lcn %2!I64X!, len %3!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FreeClusterBase2 HexInt64
A12_FreeClusterCount2 HexInt64

Event ID 109 — NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC A12_VcbTotalClustersCommitted!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC A12_VcbTotalClustersCommitted!I64x!, TC A13_VcbTotalClusters!I64x!, BMSize A14_VcbTPMapSizeOfBitMap.

Message #

NtfsValidateTotalClustersCommitted(%1!p!,%2!p!): TCC %3!I64x!, TC %4!I64x!, BMSize %5!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_VcbTotalClustersCommitted HexInt64
A13_VcbTotalClusters HexInt64
A14_VcbTPMapSizeOfBitMap HexInt32

Event ID 110 — Illegal MDL Complete for major code A10_IrpContextMajorFunction.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Illegal MDL Complete for major code A10_IrpContextMajorFunction.

Message #

Illegal MDL Complete for major code %1!u!

Fields #

NameDescription
A10_IrpContextMajorFunction UInt32

Event ID 111 — Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: !p!, StartingZero: 0x!016I64x!, ByteCount: 0x!016I64x!, ExtentsDescriptor: !p!, ExtentsDescriptorIndex: !d!, ExtentsDescriptorStartOffset: 0x!016I64x!, Offset: 0x!016I64x!, MaxRuns: !d!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, ByteCount: 0x%3!016I64x!, ExtentsDescriptor: %4!p!, ExtentsDescriptorIndex: %5!d!, ExtentsDescriptorStartOffset: 0x%6!016I64x!, Offset: 0x%7!016I64x!, MaxRuns: %8!d!,

Fields #

NameDescription
A10_Scb Pointer
A11_StartingZero HexInt64
A12_ByteCount HexInt64
A13_ExtentsDescriptor Pointer
A14_ExtentsDescriptorIndex Int32
A15_ExtentsDescriptorStartOffset HexInt64
A16_Offset HexInt64
A17_MaxRuns Int32

Event ID 112 — RunEntry ==> A10_RunIndex!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RunEntry ==> A10_RunIndex!4d!: [0xA11_ExtentsDescriptorRunRunIndexBasePage!016I64x!, 0xA12_ExtentsDescriptorRunRunIndexPageCount!016I64x!], ExtentLength: 0xA13_ExtentLength!016I64x!, Offset: 0xA14_Offset!016I64x!, RunIndexStartOffset: 0xA15_RunIndexStartOffset!016I64x!

Message #

RunEntry ==> %1!4d!: [0x%2!016I64x!, 0x%3!016I64x!], ExtentLength: 0x%4!016I64x!, Offset: 0x%5!016I64x!, RunIndexStartOffset: 0x%6!016I64x!

Fields #

NameDescription
A10_RunIndex Int32
A11_ExtentsDescriptorRunRunIndexBasePage HexInt64
A12_ExtentsDescriptorRunRunIndexPageCount HexInt64
A13_ExtentLength HexInt64
A14_Offset HexInt64
A15_RunIndexStartOffset HexInt64

Event ID 113 — Offset is beyond this extent skipping the extent.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Offset is beyond this extent skipping the extent.

Message #

Offset is beyond this extent skipping the extent.

Event ID 114 — Shrinking LengthInExtent.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Shrinking LengthInExtent (0xA10_LengthInExtent!016I64x!) to ByteCount (0xA11_ByteCount!016I64x!) that we have to zero.

Message #

Shrinking LengthInExtent (0x%1!016I64x!) to ByteCount (0x%2!016I64x!) that we have to zero

Fields #

NameDescription
A10_LengthInExtent HexInt64
A11_ByteCount HexInt64

Event ID 115 — Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!016I64x!, LengthInExtent: 0xA11_LengthInExtent!016I64x!

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

NameDescription
A10_StartingPhysicalAddrQuadPart HexInt64
A11_LengthInExtent HexInt64

Event ID 116 — Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Exiting: ExtentsDescriptorIndex: %1!d! ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 117 — Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!016I64x!, BeyondEndOffset: 0xA12_BeyondEndOffset!016I64x!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingOffset HexInt64
A12_BeyondEndOffset HexInt64

Event ID 118 — Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: 0xA11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: 0xA11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset!016I64x!, LengthInBytes: 0xA12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes!016I64x!

Message #

Dsm Ranges[%1!d!]: StartingOffset: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

NameDescription
A10_DataSetRangeIndex Int32
A11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset HexInt64
A12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes HexInt64

Event ID 119 — RemainingClusterCount: 0xA10_RemainingClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, DataSetRangeIndex: A11_DataSetRangeIndex.

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_DataSetRangeIndex Int32

Event ID 120 — Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, NumberOfRangesReturned: A11_DsmByteAddressRangesNumberOfRangesReturned.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, NumberOfRangesReturned: A11_DsmByteAddressRangesNumberOfRangesReturned.

Message #

Dsm: TotalNumberOfRanges: %1!d!, NumberOfRangesReturned: %2!d!

Fields #

NameDescription
A10_DsmByteAddressRangesTotalNumberOfRanges Int32
A11_DsmByteAddressRangesNumberOfRangesReturned Int32

Event ID 121 — DsmOut Ranges[A10_Index]: StartingAddress: 0xA11_DsmByteAddressRangesRangesIndexStartAddress!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DsmOut Ranges[A10_Index]: StartingAddress: 0xA11_DsmByteAddressRangesRangesIndexStartAddress!016I64x!, LengthInBytes: 0xA12_DsmByteAddressRangesRangesIndexLengthInBytes!016I64x!

Message #

DsmOut Ranges[%1!d!]: StartingAddress: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

NameDescription
A10_Index Int32
A11_DsmByteAddressRangesRangesIndexStartAddress HexInt64
A12_DsmByteAddressRangesRangesIndexLengthInBytes HexInt64

Event ID 122 — Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!016I64x!, LengthInExtent: 0xA11_LengthInExtent!016I64x!

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

NameDescription
A10_StartingPhysicalAddrQuadPart HexInt64
A11_LengthInExtent HexInt64

Event ID 123 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 124 — Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: !p!, StartingZero: 0x!016I64x!, BeyondEndOffset: 0x!016I64x!, ByteCount: 0x!016I64x!, ExtentsDescriptor: !p!, ExtentsDescriptorIndex: !d!, ExtentsDescriptorStartOffset: 0x!016I64x!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!, ByteCount: 0x%4!016I64x!, ExtentsDescriptor: %5!p!, ExtentsDescriptorIndex: %6!d!, ExtentsDescriptorStartOffset: 0x%7!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingZero HexInt64
A12_BeyondEndOffset HexInt64
A13_ByteCount HexInt64
A14_ExtentsDescriptor Pointer
A15_ExtentsDescriptorIndexExtentsDescriptorIndex0 Int32
A16_ExtentsDescriptorStartOffsetExtentsDescriptorStartOffset0 HexInt64

Event ID 125 — Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 126 — IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!I64x!; ByteCount: 0xA13_ByteCount.

Message #

IrpContext: %1!p!; Scb: %2!p!; StartOffset: 0x%3!I64x!; ByteCount: 0x%4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer
A12_StartOffset HexInt64
A13_ByteCount HexInt32

Event ID 127 — Return.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Return. IrpContext: A10_IrpContext.

Message #

Return. IrpContext: %1!p!

Fields #

NameDescription
A10_IrpContext Pointer

Event ID 128 — Unexpected open type received: A10_TypeOfOpen.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected open type received: A10_TypeOfOpen.

Message #

Unexpected open type received: %1!u!

Fields #

NameDescription
A10_TypeOfOpen UInt32

Event ID 129 — Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 130 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

NameDescription
A10_Status HexInt32

Event ID 131 — Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

NameDescription
A10_Status HexInt32

Event ID 132 — Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: A13_CreateContextFileObject, RelatedFileObject: A14_CreateContextFileObjectRelatedFileObject, FileIdBuffer: A15__CreateContextFileObjectF...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: !p!, IC: !p!, Vcb: !p!, FileObject: !p!, RelatedFileObject: !p!, FileIdBuffer: !S!, Options: 0x!08x!, FileAttributes: 0x!04x!, DesiredAccess: 0x!08x!, ShareAccess: 0x!04x!, EaLength: 0x!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, FileIdBuffer: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_Vcb Pointer
A13_CreateContextFileObject Pointer
A14_CreateContextFileObjectRelatedFileObject Pointer
A15__CreateContextFileObjectFileName 25
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CreateContextIrpSpParametersCreateFileAttributes HexInt32
A18_CreateContextDesiredAccess HexInt32
A19_CreateContextIrpSpParametersCreateShareAccess HexInt32
A20_CreateContextIrpSpParametersCreateEaLength HexInt32

Event ID 133 — Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: A13_CreateContextFileObject, RelatedFileObject: A14_CreateContextFileObjectRelatedFileObject, Path: A15__CreateContextFileObjectFileName,...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: !p!, IC: !p!, Vcb: !p!, FileObject: !p!, RelatedFileObject: !p!, Path: !S!, Options: 0x!08x!, FileAttributes: 0x!04x!, DesiredAccess: 0x!08x!, ShareAccess: 0x!04x!, EaLength: 0x!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, Path: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_Vcb Pointer
A13_CreateContextFileObject Pointer
A14_CreateContextFileObjectRelatedFileObject Pointer
A15__CreateContextFileObjectFileName CountedUtf16String
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CreateContextIrpSpParametersCreateFileAttributes HexInt32
A18_CreateContextDesiredAccess HexInt32
A19_CreateContextIrpSpParametersCreateShareAccess HexInt32
A20_CreateContextIrpSpParametersCreateEaLength HexInt32

Event ID 134 — NtfsCommonCreate: Volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonCreate: Volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: A14_VcbVcbState.

Message #

NtfsCommonCreate: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: %5!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 135 — NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: A10_PsGetCurrentThread, CreateDisposition: 0xA11_CreateDisposition.

Message #

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: %1!p!, CreateDisposition: 0x%2!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateDisposition HexInt32

Event ID 136 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 137 — NtfsCommonVolumeOpen: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Requested ...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Requested ShareAccess: 0x!08x!, Vcb->CleanupCount: !d!, BiasedCleanupCount: !d!.

Message #

NtfsCommonVolumeOpen: Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->CleanupCount: %6!d!, BiasedCleanupCount: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_IrpSpParametersCreateShareAccess HexInt32
A15_ReadULongNoFence_VcbCleanupCount Int32
A16_BiasedCleanupCount Int32

Event ID 138 — NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 139 — NtfsCommonVolumeOpen: Conlicting file objects.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->ReadOnlyCloseCount: %6!d!, Vcb->CloseCount: %7!d!, Vcb->SystemFileCloseCount: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_IrpSpParametersCreateShareAccess HexInt32
A15_VcbReadOnlyCloseCount Int32
A16_VcbCloseCount Int32
A17_VcbSystemFileCloseCount Int32

Event ID 140 — NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->CleanupCount: %7!d!, Fcb->FcbState: 0x%8!08x!, IrpSp->Flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbCleanupCount Int32
A17_FcbFcbState HexInt32
A18_IrpSpFlags HexInt32

Event ID 141 — NtfsHandlePagingFile: Cannot open system file as paging file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Fcb->FcbState: 0x!08x!, IrpSp->Flags: 0x!08x!.

Message #

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->FcbState: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_IrpSpFlags HexInt32

Event ID 142 — NtfsHandlePagingFile: Persisted paging file already exists.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsHandlePagingFile: Persisted paging file already exists. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, IrpContext->State: 0x!08x!, IrpSp->Flags: 0x!08x!.

Message #

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, IrpContext->State: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_IrpContextState HexInt32
A17_IrpSpFlags HexInt32

Event ID 143 — NtfsOpenFcbById: Invalid system file access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 144 — NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileAttributes: 0x!08x!, Rmstate: 0x!08x!.

Message #

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateContextCurrentFcbVcb Pointer
A12__CreateContextCurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb CountedUtf16String
A14_CreateContextCurrentFcb Pointer
A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference HexInt64
A16_CreateContextCurrentFcbInfoFileAttributes HexInt32
A17_CreateContextCurrentFcbTxfRmcbRmState HexInt32

Event ID 145 — NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateContextCurrentFcbVcb Pointer
A12__CreateContextCurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb CountedUtf16String
A14_CreateContextCurrentFcb Pointer
A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference HexInt64
A16_CreateContextCurrentFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 146 — NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!.

Message #

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32

Event ID 147 — NtfsOpenFile: Invalid system file access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Invalid system file access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, CreateDisposition: 0x!08x!, DesiredAccess: 0x!08x!.

Message #

NtfsOpenFile: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 148 — NtfsOpenFile: Deny open when txf rm is active.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Deny open when txf rm is active. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, TxfRmcb Rmstate: 0x!08x!.

Message #

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb Rmstate: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfRmcbRmState HexInt32

Event ID 149 — NtfsCreateNewFile: Deny creation in system directory (except root).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb): Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!, AttrTypeCode: 0x%9!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ParentScbFcbVcb Pointer
A12__ParentScbFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWParentScbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbFcbVcbVpb CountedUtf16String
A14_ParentScbFcb Pointer
A15_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64
A16_ParentScbFcbFcbState HexInt32
A17_ParentScbFcbTxfRmcbRmState HexInt32
A18_AttrTypeCode HexInt32

Event ID 150 — NtfsCreateNewFile: Unable to create Ea for the file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNewFile: Unable to create Ea for the file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Create options: 0x!08x!, Ccb flags: 0x!08x!.

Message #

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Create options: 0x%7!08x!, Ccb flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CcbFlags HexInt32

Event ID 151 — NtfsCreateNewFile: Unable to create in the $txf directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb) Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ParentScbVcb Pointer
A12__ParentScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWParentScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbVcbVpb CountedUtf16String
A14_ParentScbFcb Pointer
A15_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64
A16_ParentScbFcbFcbState HexInt32
A17_ParentScbFcbTxfRmcbRmState HexInt32

Event ID 152 — NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, TxfRmcb state: 0x!08x!.

Message #

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb state: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfRmcbRmState HexInt32

Event ID 153 — NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NeedEaCount: %7!d!, CreateOptions: 0x%8!08x!, CcbFlags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisEaInformationNeedEaCount Int32
A17_CreateContextIrpSpParametersCreateOptions HexInt32
A18_CcbFlags HexInt32

Event ID 154 — NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttrTypeCode to create: 0x%7!x!, CreateDisposition: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_AttrTypeCode HexInt32
A17_CreateDisposition HexInt32

Event ID 155 — NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, CreateDisposition: 0x!08x!.

Message #

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CreateDisposition: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateDisposition HexInt32

Event ID 156 — NtfsCreateNewFile: Not allowed to create streams on system files.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, AttrTypeCode: 0x!x!.

Message #

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, AttrTypeCode: 0x%8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_AttrTypeCode HexInt32

Event ID 157 — NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, DuplicateInfo attributes: 0x%7!08x!, FileAttributes: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32
A17_FileAttributes HexInt32

Event ID 158 — NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Create options: 0x!08x!.

Message #

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Create options: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextIrpSpParametersCreateOptions HexInt32

Event ID 159 — NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttributeTypeCode: 0x%7!x!, Scb state: 0x%8!08x!, Scb HighWaterMark: %9!I64d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextThisScbAttributeTypeCode HexInt32
A17_CreateContextThisScbState HexInt32
A18_CreateContextThisScbScbTypeDataHighWaterMark Int64

Event ID 160 — NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, CreateDisposition: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_AttrCode HexInt32
A15_CreateDisposition HexInt32

Event ID 161 — NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, AttributeTypeCode: 0x!x!, DesiredAccess: 0x!08x!.

Message #

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, DesiredAccess: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_AttrCode HexInt32
A15_IrpSpParametersCreateSecurityContextAccessStateOriginalDesiredAccess HexInt32

Event ID 162 — NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: A10_PsGetCurrentThread, AttributeTypeCode: A11_AttrCode.

Message #

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: %1!p!, AttributeTypeCode: %2!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_AttrCode HexInt32

Event ID 163 — NtfsOpenAttributeCheck: File already has user writable references.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess HexInt32

Event ID 164 — NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String

Event ID 165 — NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Previously granted access: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess HexInt32

Event ID 166 — NtfsOpenAttribute: Denying write access on disallowed writes.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Disallow write count: %8!d!, Desired Access: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbMarkHandleDisallowWritesCount Int32
A18_IrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 167 — NtfsOpenAttribute: File already has user writable references.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_GrantedAccess HexInt32

Event ID 168 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_IrpSpParametersCreateShareAccess HexInt32
A17_IrpSpFileObjectFlags HexInt32

Event ID 169 — NtfsOpenAttribute: File already has user writable references.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_GrantedAccess HexInt32

Event ID 170 — NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_IrpSpParametersCreateShareAccess HexInt32
A17_IrpSpFileObjectFlags HexInt32

Event ID 171 — NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Desired Access: 0x%7!08x!, FileAttributes: 0x%8!08x!, SL control flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_IrpSpParametersCreateSecurityContextDesiredAccess HexInt32
A17_ThisFcbInfoFileAttributes HexInt32
A18_IrpSpFlags HexInt32

Event ID 172 — NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileAttributes: 0x!08x!, NtfsData flags: 0x!08x!.

Message #

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, NtfsData flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcbVcb Pointer
A12__CurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb CountedUtf16String
A14_CurrentFcb Pointer
A15_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A16_CurrentFcbInfoFileAttributes HexInt32
A17_NtfsDataFlags HexInt32

Event ID 173 — NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Stream attribute flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcbVcb Pointer
A12__CurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb CountedUtf16String
A14_CurrentFcb Pointer
A15_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A16_CurrentFcbInfoFileAttributes HexInt32
A17_ThisScbAttributeFlags HexInt32

Event ID 174 — NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb cleanup count: %7!d!, EncryptionCallBackTable flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_CreateContextCurrentFcbCleanupCount Int32
A17_NtfsDataEncryptionCallBackTableImplementationFlags HexInt32

Event ID 175 — NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: A10_PsGetCurrentThread, Fcb: A11_CurrentFcb, FileRef: 0xA12_NtfsFullFileRefNumber_CurrentFcbFileReference!I64x!, TxfRmcb RM state: A13_CurrentFcbTxfRmcbRmState.

Message #

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: %1!p!, Fcb: %2!p!, FileRef: 0x%3!I64x!, TxfRmcb RM state: %4!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcb Pointer
A12_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A13_CurrentFcbTxfRmcbRmState HexInt32

Event ID 176 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Link Name: %7!S!, DesiredAccess: 0x%8!08x!, DesiredShareAccess: 0x%9!08x!, IoShareAccessFlags: 0x%10!08x!, LinkShareAccess->OpenCount: %11!d!, LinkShareAccess->Deleters: %12!d!, LinkShareAccess->SharedDelete: %13!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_LcbFcbVcb Pointer
A12__LcbFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWLcbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHLcbFcbVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A17_DesiredAccess HexInt32
A18_DesiredShareAccess HexInt32
A19_IoShareAccessFlags HexInt32
A20_LinkShareAccessOpenCount Int32
A21_LinkShareAccessDeleters Int32
A22_LinkShareAccessSharedDelete Int32

Event ID 177 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, DesiredAccess: 0x%9!08x!, DesiredShareAccess: 0x%10!08x!, IoShareAccessFlags: 0x%11!08x!, ShareAccess->OpenCount: %12!d!, ShareAccess->Readers: %13!d!, ShareAccess->Writers: %14!d!, ShareAccess->->Deleters: %15!d!, ShareAccess->SharedRead: %16!d!, ShareAccess->SharedWrite: %17!d!, ShareAccess->SharedDelete: %18!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_DesiredAccess HexInt32
A19_DesiredShareAccess HexInt32
A20_IoShareAccessFlags HexInt32
A21_ShareAccessOpenCount Int32
A22_ShareAccessReaders Int32
A23_ShareAccessWriters Int32
A24_ShareAccessDeleters Int32
A25_ShareAccessSharedRead Int32
A26_ShareAccessSharedWrite Int32
A27_ShareAccessSharedDelete Int32

Event ID 178 — NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, DesiredAccess: 0x%10!08x!, DesiredShareAccess: 0x%11!08x!, IoShareAccessFlags: 0x%12!08x!, ShareAccess->OpenCount: %13!d!, ShareAccess->Readers: %14!d!, ShareAccess->Writers: %15!d!, ShareAccess->->Deleters: %16!d!, ShareAccess->SharedRead: %17!d!, ShareAccess->SharedWrite: %18!d!, ShareAccess->SharedDelete: %19!d!, LinkShareAccess->OpenCount: %20!d!, LinkShareAccess->Deleters: %21!d!, LinkShareAccess->SharedDelete: %22!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A19_DesiredAccess HexInt32
A20_DesiredShareAccess HexInt32
A21_IoShareAccessFlags HexInt32
A22_ShareAccessOpenCount Int32
A23_ShareAccessReaders Int32
A24_ShareAccessWriters Int32
A25_ShareAccessDeleters Int32
A26_ShareAccessSharedRead Int32
A27_ShareAccessSharedWrite Int32
A28_ShareAccessSharedDelete Int32
A29_LinkShareAccessOpenCount Int32
A30_LinkShareAccessDeleters Int32
A31_LinkShareAccessSharedDelete Int32

Event ID 179 — NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, Previously granted access: 0x%10!08x!, AccessState->Flags: 0x%11!08x!, DesiredShareAccess: 0x%12!08x!, CreateDisposition: 0x%13!08x!, OpenCount: %14!d!, Readers: %15!d!, Writers: %16!d!, Deleters: %17!d!, SharedRead: %18!d!, Lcb Deleters: %19!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_ARGUMENT_PRESENTLcbWppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLengthWppCountedStringWNULL0 CountedUtf16String
A19_AccessStatePreviouslyGrantedAccess HexInt32
A20_AccessStateFlags HexInt32
A21_DesiredShareAccess HexInt32
A22_CreateDisposition HexInt32
A23_ScbShareAccessOpenCount Int32
A24_ScbShareAccessReaders Int32
A25_ScbShareAccessWriters Int32
A26_ScbShareAccessDeleters Int32
A27_ScbShareAccessSharedRead Int32
A28_ARGUMENT_PRESENTLcbLcbLinkShareAccessDeleters0 Int32

Event ID 180 — A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 181 — A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 182 — A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 183 — A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 184 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at A11_StartingCluster!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at A11_StartingCluster!I64x! for A12_RunLength clusters.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Will tell storage we are freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingCluster HexInt64
A12_RunLength HexInt32

Event ID 185 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Flush requested

Fields #

NameDescription
A10_Vcb Pointer

Event ID 186 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext A11_MarkUnusedContext, DEALLOCATED_CLUSTERS A12_MarkUnusedContextDeallocatedClusters, MCB A13__MarkUnusedContextDeallocatedCl...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext A11_MarkUnusedContext, DEALLOCATED_CLUSTERS A12_MarkUnusedContextDeallocatedClusters, MCB A13__MarkUnusedContextDeallocatedClustersMcb.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Created new MarkUnusedContext %2!p!, DEALLOCATED_CLUSTERS %3!p!, MCB %4!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_MarkUnusedContextDeallocatedClusters Pointer
A13__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 187 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting at A11_StartingCluster!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting at A11_StartingCluster!I64x! for A12_RunLength into MCB A13__MarkUnusedContextDeallocatedClustersMcb.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Successfully added clusters starting at %2!I64x! for %3!x! into MCB %4!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingCluster HexInt64
A12_RunLength HexInt32
A13__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 188 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB A11__MarkUnusedContextDeallocatedClustersMcb is full.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB A11__MarkUnusedContextDeallocatedClustersMcb is full.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - MCB %2!p! is full

Fields #

NameDescription
A10_Vcb Pointer
A11__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 189 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, MUC A11_MarkUnusedContext, IC A12_IrpContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, MUC A11_MarkUnusedContext, IC A12_IrpContext.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Queuing request to IC pre-trim list, MUC %2!p!, IC %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_IrpContext Pointer

Event ID 190 — NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial MarkUnusedContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial MarkUnusedContext.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Failed to allocate/initial MarkUnusedContext

Fields #

NameDescription
A10_Vcb Pointer

Event ID 191 — NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!I64x!, SrcOrigClusCt A13_SrcDeallocatedClustersClusterCount!I64x!, SrcDSRL A14_SrcDsmAttrDataSetRangesLength - Entering.

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, SrcOrigClusCt %4!I64x!, SrcDSRL %5!x! - Entering

Fields #

NameDescription
A10_Src Pointer
A11_Dst Pointer
A12_SrcClustersCount HexInt64
A13_SrcDeallocatedClustersClusterCount HexInt64
A14_SrcDsmAttrDataSetRangesLength HexInt32

Event ID 192 — NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsTransferMaxDataSetRanges: Src !p!, Dst !p!, SrcRemainClusCt !I64x!, DstClusCt !I64x!, DstDSRL !x!, DstLIB !I64x!, DstSOff !I64x! - Leaving.

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, DstClusCt %4!I64x!, DstDSRL %5!x!, DstLIB %6!I64x!, DstSOff %7!I64x! - Leaving

Fields #

NameDescription
A10_Src Pointer
A11_Dst Pointer
A12_SrcClustersCount HexInt64
A13_DstClustersCount HexInt64
A14_DstDsmAttrDataSetRangesLength HexInt32
A15_DstFirstDataSetRangePtrLengthInBytes HexInt64
A16_DstFirstDataSetRangePtrStartingOffset HexInt64

Event ID 193 — NtfsMarkUnusedContextPostTrimProcessing: Entering

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Entering.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Entering

Event ID 194 — NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DC A12_VcbDeallocatedClusters!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DC A12_VcbDeallocatedClusters!I64x!, DCIT A13_VcbDeallocatedClustersListLengthInTrim, DCTD A14_VcbDeallocatedClustersListLengthToDrain, CC A15_ClustersClusterCount!I64x!, IR A16_InitialRanges.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - DC %3!I64x!, DCIT %4!x!, DCTD %5!x!, CC %6!I64x!, IR %7!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_VcbDeallocatedClusters HexInt64
A13_VcbDeallocatedClustersListLengthInTrim HexInt32
A14_VcbDeallocatedClustersListLengthToDrain HexInt32
A15_ClustersClusterCount HexInt64
A16_InitialRanges HexInt32

Event ID 195 — NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Removed interior slab(s) from TP map - [LCN A12_StartingLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb !p!, MUC !p! - Removed interior slab(s) from TP map - [LCN !I64X!, len !I64X!] => [LCN !I64X!, len !I64X!], [LCN !I64X!, len !I64X!].

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - Removed interior slab(s) from TP map - [LCN %3!I64X!, len %4!I64X!] => [LCN %5!I64X!, len %6!I64X!], [LCN %7!I64X!, len %8!I64X!]

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64
A14_FreeClusterBase1 HexInt64
A15_FreeClusterCount1 HexInt64
A16_FreeClusterBase2 HexInt64
A17_FreeClusterCount2 HexInt64

Event ID 196 — NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - Releasing bitmap

Fields #

NameDescription
A10_Vcb Pointer

Event ID 197 — NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount A11_VcbCloseCount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount A11_VcbCloseCount.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - CloseCount %2!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCloseCount HexInt32

Event ID 198 — NtfsMarkUnusedContextPostTrimProcessing: Leaving

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Leaving.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Leaving

Event ID 199 — NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.

Message #

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1!p!

Fields #

NameDescription
A10_Irp Pointer

Event ID 200 — NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - Entering.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - Entering.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p!, IC %2!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 201 — NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off DelayedWorkQueue.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off DelayedWorkQueue.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Kicked off DelayedWorkQueue

Fields #

NameDescription
A10_Vcb Pointer

Event ID 202 — NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 203 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 204 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC A11_SmallMarkUnusedContext instead of MUC A12_MarkUnusedContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC A11_SmallMarkUnusedContext instead of MUC A12_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Small MUC %2!p! instead of MUC %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_SmallMarkUnusedContext Pointer
A12_MarkUnusedContext Pointer

Event ID 205 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate small MUC so use MUC A11_MarkUnusedContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate small MUC so use MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Failed to allocate small MUC so use MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 206 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down. MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down.  MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 207 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - [A12_TrimEntryCount] Offset A13_DataSetRangePtrStartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - [A12_TrimEntryCount] Offset A13_DataSetRangePtrStartingOffset!I64x!, Length A14_DataSetRangePtrLengthInBytes!I64x! - trim entry.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - [%3!x!] Offset %4!I64x!, Length %5!I64x! - trim entry

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_TrimEntryCount HexInt32
A13_DataSetRangePtrStartingOffset HexInt64
A14_DataSetRangePtrLengthInBytes HexInt64

Event ID 208 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext, Irp A12_IrpUsed - Completed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext, Irp A12_IrpUsed - Completed.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p!, Irp %3!p! - Completed

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_IrpUsed Pointer

Event ID 209 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - A12_Status - failed to send.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - A12_Status - failed to send.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - %3!x! - failed to send

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_Status HexInt32

Event ID 210 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC A11_MarkUnusedContext to post trim list.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC A11_MarkUnusedContext to post trim list.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Add MUC %2!p! to post trim list

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 211 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC A11_MarkUnusedContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Free small MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 212 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down failed with A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down failed with A11_Status. MUC A12_MarkUnusedContext, Count A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL!I64x!

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down failed with %2!x!.  MUC %3!p!, Count %4!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32
A12_MarkUnusedContext Pointer
A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL HexInt64

Event ID 213 — NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Event ID 214 — NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC A11_DeallocatedClusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - There are waiters for DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 215 — NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC A11_DeallocatedClusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Waking up waiter for DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 216 — NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC A11_DeallocatedClusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Done waking up DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 217 — NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p!, All %2!x! - Entering

Fields #

NameDescription
A10_Vcb Pointer
A11_All HexInt32

Event ID 218 — NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting to drain

Fields #

NameDescription
A10_Vcb Pointer

Event ID 219 — NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting for partial drain

Fields #

NameDescription
A10_Vcb Pointer

Event ID 220 — NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 221 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 222 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted A11_DeallocatedClustersToWaitForDeallocatedClusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted A11_DeallocatedClustersToWaitForDeallocatedClusters.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Inserted %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClustersToWaitForDeallocatedClusters Pointer

Event ID 223 — NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 224 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait for DC A11_DeallocatedClustersToWaitForDeallocatedClusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait for DC A11_DeallocatedClustersToWaitForDeallocatedClusters.

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1!p! - Wait for DC %2!p!

Fields #

NameDescription
A10_IrpContextVcb Pointer
A11_DeallocatedClustersToWaitForDeallocatedClusters Pointer

Event ID 225 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds (s), Exceeded by A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocate...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for !d! (s), Exceeded by !d! (s), IC !p!, Vcb !p!, DC !p!

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

NameDescription
A10_WaitInSeconds Int32
A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0 Int32
A12_IrpContext Pointer
A13_IrpContextVcb Pointer
A14_DeallocatedClusters Pointer

Event ID 226 — NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds (s), Exceeded by A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocate...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for !d! (s), Exceeded by !d! (s), IC !p!, Vcb !p!, DC !p!

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

NameDescription
A10_WaitInSeconds Int32
A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0 Int32
A12_IrpContext Pointer
A13_IrpContextVcb Pointer
A14_DeallocatedClusters Pointer

Event ID 227 — NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold A11_VcbDeallocatedClustersListLengthInTrim.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold A11_VcbDeallocatedClustersListLengthInTrim.

Message #

NtfsCheckForTrimThrottling: Vcb %1!p! - hitting trim threshold %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbDeallocatedClustersListLengthInTrim Int32

Event ID 228 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 229 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

NameDescription
A10_Vcb Pointer

Event ID 230 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredSyncResource A11_AcquiredVcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredSyncResource A11_AcquiredVcb.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredSyncResource %2!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_AcquiredVcb UInt32

Event ID 231 — NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping deallocated clusters gen'd by smart trim.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping deallocated clusters gen'd by smart trim.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - Skipping deallocated clusters gen'd by smart trim

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 232 — NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run A12_RunIndex; offs 0xA13_StartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run A12_RunIndex; offs 0xA13_StartingOffset!I64X!, len 0xA14_LengthInBytes!I64X!

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - MCB run %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_RunIndex UInt32
A13_StartingOffset HexInt64
A14_LengthInBytes HexInt64

Event ID 233 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count A12_DataSetRangeCount, MCB count A13_McbRunCount, ST free slots A14_SmartTrimFreeRangeCount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count A12_DataSetRangeCount, MCB count A13_McbRunCount, ST free slots A14_SmartTrimFreeRangeCount.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MUC %2!p!, DSR count %3!u!, MCB count %4!u!, ST free slots %5!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_DataSetRangeCount UInt32
A13_McbRunCount UInt32
A14_SmartTrimFreeRangeCount UInt32

Event ID 234 — NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range A12_RunIndex; offs 0xA13_DataSetRangeStartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range A12_RunIndex; offs 0xA13_DataSetRangeStartingOffset!I64X!, len 0xA14_DataSetRangeLengthInBytes!I64X!

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - DSR range %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_RunIndex UInt32
A13_DataSetRangeStartingOffset HexInt64
A14_DataSetRangeLengthInBytes HexInt64

Event ID 235 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!I64X! len A12_ClusterCount!I64X! maps to TP map bits [0xA13_FirstTpMapBit, 0xA14_LastTpMapBit].

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MCB lcn %2!I64X! len %3!I64X! maps to TP map bits [0x%4!X!, 0x%5!X!]

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcn HexInt64
A12_ClusterCount HexInt64
A13_FirstTpMapBit HexInt32
A14_LastTpMapBit HexInt32

Event ID 236 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; A11_SmartTrimStateSlabRangesCount ranges.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; A11_SmartTrimStateSlabRangesCount ranges.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Smart trim state on exit; %2!u! ranges:

Fields #

NameDescription
A10_Vcb Pointer
A11_SmartTrimStateSlabRangesCount UInt32

Event ID 237 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit 0xA12_SlabRangeFirstTPMapBit, LastTPMapBit 0xA13_SlabRangeLastTPMapBit.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit 0xA12_SlabRangeFirstTPMapBit, LastTPMapBit 0xA13_SlabRangeLastTPMapBit.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Range %2!u!: FirstTPMapBit 0x%3!X!, LastTPMapBit 0x%4!X!

Fields #

NameDescription
A10_Vcb Pointer
A11_SlabRangeIndex UInt32
A12_SlabRangeFirstTPMapBit HexInt32
A13_SlabRangeLastTPMapBit HexInt32

Event ID 238 — NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 239 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 240 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

NameDescription
A10_Vcb Pointer

Event ID 241 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap A11_AcquiredBitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap A11_AcquiredBitmap.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredBitmap %2!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_AcquiredBitmap UInt32

Event ID 242 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for allocations.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for allocations.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Checking slab 0x%2!X! for allocations

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32

Event ID 243 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will not trim.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will not trim.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Slab 0x%2!X! has allocations, will not trim

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32

Event ID 244 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit 0xA11_TpMapBit, lcn A12_SlabBaseLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit 0xA11_TpMapBit, lcn A12_SlabBaseLcn!I64X!, len A13_SlabLengthInClusters!I64X!

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Free slab found - TP map bit 0x%2!X!, lcn %3!I64X!, len %4!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32
A12_SlabBaseLcn HexInt64
A13_SlabLengthInClusters HexInt64

Event ID 245 — NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 246 — NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 247 — NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 248 — NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, VcbState: 0x!08x!, SL control flags: 0x!08x!.

Message #

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, SL control flags: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_IrpSpFlags HexInt32

Event ID 249 — NtfsVolumeDasdIo: Data section blocking flush.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsVolumeDasdIo: Data section blocking flush. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush status: A14_Status.

Message #

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 250 — Could not find paging file run.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file run.

Message #

Could not find paging file run.

Event ID 251 — Could not find paging file MCB entry.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file MCB entry.

Message #

Could not find paging file MCB entry.

Event ID 252 — Could not find paging file run.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file run.

Message #

Could not find paging file run.

Event ID 253 — Writing to $Bitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Writing to $Bitmap. Vcb: A10_ScbVcb, Offset: 0xA11_StartingVbo!I64x!, Length: 0xA12_ByteCount.

Message #

Writing to $Bitmap. Vcb: %1!p!, Offset: 0x%2!I64x!, Length: 0x%3!x!

Fields #

NameDescription
A10_ScbVcb Pointer
A11_StartingVbo HexInt64
A12_ByteCount HexInt32

Event ID 254 — NTFS: Posting hotfix on file object: A10_FileObject.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Posting hotfix on file object: A10_FileObject.

Message #

NTFS: Posting hotfix on file object: %1!p!

Fields #

NameDescription
A10_FileObject Pointer

Event ID 255 — NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!08x!, A11_PLARGE_INTEGER_BadVcnHighPart!08x!

Message #

NTFS:     Freeing Bad Vcn: %1!08x!, %2!08x!

Fields #

NameDescription
A10_ULONGBadVcn HexInt32
A11_PLARGE_INTEGER_BadVcnHighPart HexInt32

Event ID 256 — NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!08x!, A11_PLARGE_INTEGER_BadLcnHighPart!08x!

Message #

NTFS:     Retiring Bad Lcn: %1!08x!, %2!08x!

Fields #

NameDescription
A10_ULONGBadLcn HexInt32
A11_PLARGE_INTEGER_BadLcnHighPart HexInt32

Event ID 257 — NTFS: Reallocating Bad Vcn

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Reallocating Bad Vcn.

Message #

NTFS:     Reallocating Bad Vcn

Event ID 258 — NTFS: Bad Cluster replaced

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Bad Cluster replaced.

Message #

NTFS:     Bad Cluster replaced

Event ID 259 — IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!08x!

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_NewBufferSize HexInt32

Event ID 260 — Compression buffers are already big enough.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0xA10_NewBufferSize!08x!, ExistingBufferSize: 0xA11_NtfsGetCompressionBufferSize!08x!

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

NameDescription
A10_NewBufferSize HexInt32
A11_NtfsGetCompressionBufferSize HexInt32

Event ID 261 —

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

%1

Fields #

NameDescription
A10_Status HexInt32

Event ID 262 — IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!08x!

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_NewBufferSize HexInt32

Event ID 263 — Compression buffers are already big enough.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0xA10_NewBufferSize!08x!, ExistingBufferSize: 0xA11_NtfsGetUsaBufferSizeVcb!08x!

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

NameDescription
A10_NewBufferSize HexInt32
A11_NtfsGetUsaBufferSizeVcb HexInt32

Event ID 264 —

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

%1

Fields #

NameDescription
A10_Status HexInt32

Event ID 265 — NtfsDefragFileInternal: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 266 — NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.

Message #

NtfsDefragFileInternal: Vcb %1!p! - Calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 267 — NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.

Message #

NtfsDefragFileInternal: Vcb %1!p! - Done calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 268 — NtfsDefragFileInternal: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 269 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, Len !x!, DA !d!, Status !x! - copy offload.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x! - copy offload

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_CopyLength HexInt32
A19_FlagsUseDelayedAllocation Int32
A20_Status HexInt32

Event ID 270 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, Len !x!, DA !d!, Status !x!

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_CopyLength HexInt32
A19_FlagsUseDelayedAllocation Int32
A20_MyStatus HexInt32

Event ID 271 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, CurrLcn A14_Lcn!I64x!, Len A15_CopyLength, Status A16_MyStatus - read completed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, CurrLcn %5!I64x!, Len %6!x!, Status %7!x! - read completed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_Lcn HexInt64
A15_CopyLength HexInt32
A16_MyStatus HexInt32

Event ID 272 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, NewLcn A14_MoveDataStartingLcnQuadPart!I64x!, Len A15_CopyLength, Status A16_MyStatus - write completed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, NewLcn %5!I64x!, Len %6!x!, Status %7!x! - write completed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingLcnQuadPart HexInt64
A15_CopyLength HexInt32
A16_MyStatus HexInt32

Event ID 273 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, DA !d!, ValidClusters !I64x! - beyond VDL.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, DA %9!d!, ValidClusters %10!I64x! - beyond VDL

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_FlagsUseDelayedAllocation Int32
A19_ValidClusters HexInt64

Event ID 274 — NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, Vcn A14_MoveDataStartingVcnQuadPart!I64x!, CC A15_TransferClusters!I64x! - committed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x! - committed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64

Event ID 275 — NtfsDefragFile: Defrag is denied without manage volume access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFile: Defrag is denied without manage volume access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb flags: 0x!08x!.

Message #

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_FcbNULLNtfsFullFileRefNumber_FcbFileReference0 HexInt64
A16_CcbNULLCcbFlags0 HexInt32

Event ID 276 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18_ScbAttributeNameBuffer UnicodeString
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 277 — NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 278 — NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Done calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 279 — NtfsEncryptDecryptOnline: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 280 — SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!I64x!, FS=0xA12_ScbHeaderFileSizeQuadPart!I64x!, StartOff=0xA13_QueryDaxExtentsFileOffset!I64x!, StartVcn=0xA14_StartingVcn!I64x!, Length=0xA15_QueryDaxExtentsLength!I64x!

Message #

SCB: %1!p!, VDL=0x%2!I64x!, FS=0x%3!I64x!, StartOff=0x%4!I64x!, StartVcn=0x%5!I64x!, Length=0x%6!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbHeaderValidDataLengthQuadPart HexInt64
A12_ScbHeaderFileSizeQuadPart HexInt64
A13_QueryDaxExtentsFileOffset HexInt64
A14_StartingVcn HexInt64
A15_QueryDaxExtentsLength HexInt64

Event ID 281 — StartOff=0xA10_QueryDaxExtentsFileOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

StartOff=0x!I64x!, Length=0x!I64x!, EffectiveLength=0x!I64x! StartVcn=0x!I64x!, BeyondEndVcn=0x!I64x!, Clusters=0x!I64x!, LastVcnInFile=0x!I64x!

Message #

StartOff=0x%1!I64x!, Length=0x%2!I64x!, EffectiveLength=0x%3!I64x! StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!, Clusters=0x%6!I64x!, LastVcnInFile=0x%7!I64x!

Fields #

NameDescription
A10_QueryDaxExtentsFileOffset HexInt64
A11_QueryDaxExtentsLength HexInt64
A12_EffectiveInputFileRegionLength HexInt64
A13_StartingVcn HexInt64
A14_BeyondEndVcn HexInt64
A15_RemainingClusterCount HexInt64
A16_LastVcnInFile HexInt64

Event ID 282 — NumberOfValidRuns: 0

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NumberOfValidRuns: 0.

Message #

NumberOfValidRuns: 0

Event ID 283 — RemainingClusterCount: 0xA10_RemainingClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, DataSetRangeIndex: A11_DataSetRangeIndex, OutputBufferLength: 0xA12_OutputBufferLength.

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!, OutputBufferLength: 0x%3!d!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_DataSetRangeIndex Int32
A12_OutputBufferLength Int32

Event ID 284 — STATUS_BUFFER_TOO_SMALL from FsLib.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns, MaxRuns: 0xA11_MaxRuns, BytesReturned: 0xA12_BytesReturned!I64x!

Message #

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x%1!x!, MaxRuns: 0x%2!x!, BytesReturned: 0x%3!I64x!

Fields #

NameDescription
A10_ExtentsDescriptorNumberOfValidRuns HexInt32
A11_MaxRuns HexInt32
A12_BytesReturned HexInt64

Event ID 285 — Made an educated guess for remaining runs.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Made an educated guess for remaining runs. RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, NumberOfValidRuns: 0xA11_ExtentsDescriptorNumberOfValidRuns.

Message #

Made an educated guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_ExtentsDescriptorNumberOfValidRuns HexInt32

Event ID 286 — Made a wild guess for remaining runs.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Made a wild guess for remaining runs. RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, NumberOfValidRuns: 0xA11_ExtentsDescriptorNumberOfValidRuns.

Message #

Made a wild guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_ExtentsDescriptorNumberOfValidRuns HexInt32

Event ID 287 — NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!08x!, MaxRuns: 0xA11_MaxRuns!08x!, Status: 0xA12_Status!08x!, BytesReturned: 0xA13_BytesReturned!I64x!

Message #

NumberOfValidRuns: 0x%1!08x!, MaxRuns: 0x%2!08x!, Status: 0x%3!08x!, BytesReturned: 0x%4!I64x!

Fields #

NameDescription
A10_ExtentsDescriptorNumberOfValidRuns HexInt32
A11_MaxRuns HexInt32
A12_Status HexInt32
A13_BytesReturned HexInt64

Event ID 288 — BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!-16I64x!, PageCount: 0xA11_ExtentsDescriptorRunIndexPageCount!-16I64x!

Message #

BasePage: 0x%1!-16I64x!, PageCount: 0x%2!-16I64x!

Fields #

NameDescription
A10_ExtentsDescriptorRunIndexBasePage HexInt64
A11_ExtentsDescriptorRunIndexPageCount HexInt64

Event ID 289 — About to zero range - ZeroStart: 0xA10_ZeroStart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

About to zero range - ZeroStart: 0xA10_ZeroStart!016I64x!, ZeroEnd: 0xA11_ZeroEnd!016I64x!

Message #

About to zero range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

NameDescription
A10_ZeroStart HexInt64
A11_ZeroEnd HexInt64

Event ID 290 — Zeroed range - ZeroStart: 0xA10_ZeroStart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroed range - ZeroStart: 0xA10_ZeroStart!016I64x!, ZeroEnd: 0xA11_ZeroEnd!016I64x!

Message #

Zeroed range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

NameDescription
A10_ZeroStart HexInt64
A11_ZeroEnd HexInt64

Event ID 291 — NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 292 — NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb access flags: 0x%10!08x!, Granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ARGUMENT_PRESENTCcbCcbAccessFlags0 HexInt32
A20_ARGUMENT_PRESENTCreateContextCreateContextPreviouslyGrantedAccess0 HexInt32

Event ID 293 — NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 294 — NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULLCcbFlags0 HexInt32

Event ID 295 — NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Device Object flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbVcbVpbRealDeviceFlags HexInt32

Event ID 296 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Fcb state: !x!.

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: %7!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbFcbState HexInt32

Event ID 297 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfNumWriters count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbTxfFcbTxfNumWriters Int32

Event ID 298 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, TxfNumWriters count: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbToDeleteFcb Pointer
A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference HexInt64
A16_LcbToDelete Pointer
A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength CountedUtf16String
A18_LcbToDeleteTxfNumWriters Int32

Event ID 299 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Cleanup count: !d!.

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Cleanup count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbCleanupCount Int32

Event ID 300 — NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, Link cleanup count: %9!d!, SplitPrimaryLcb: %10!p!, Split link name: %11!S!, Split link cleanup count: %12!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbToDeleteFcb Pointer
A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference HexInt64
A16_LcbToDelete Pointer
A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength CountedUtf16String
A18_LcbToDeleteCleanupCount Int32
A19_SplitPrimaryLcb Pointer
A20_SplitPrimaryLcbNULLWppCountedStringWSplitPrimaryLcbFileNameAttrFileNameUSHORTSplitPrimaryLcbFileNameAttrFileNameLengthWppCountedStringWNULL0 CountedUtf16String
A21_SplitPrimaryLcbNULLSplitPrimaryLcbCleanupCount0 Int32

Event ID 301 — NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: 0x%7!08x!, Lcb: %8!p!, link name: %9!S!, link name flag: 0x%10!08x!, link state: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_LcbFcbFcbState HexInt32
A17_Lcb Pointer
A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A19_LcbFileNameAttrFlags HexInt32
A20_LcbLcbState HexInt32

Event ID 302 — NtfsSetRenameInfo: Can not rename a txf directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename a txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, File attributes: 0x!08x!.

Message #

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, File attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbFcbInfoFileAttributes HexInt32

Event ID 303 — NtfsSetRenameInfo: Can not rename into a system directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename into a system directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!.

Message #

NtfsSetRenameInfo: Can not rename into a system directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16_TargetParentScbFcbFcbState HexInt32

Event ID 304 — NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16_TargetParentScbFcbInfoFileAttributes HexInt32
A17_TargetParentScbFcbFcbState HexInt32

Event ID 305 — NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!.

Message #

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64

Event ID 306 — NtfsSetRenameInfo: Child Scb mismatch.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Child Scb mismatch. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Potential child FileRef: !I64x!.

Message #

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Potential child FileRef: %7!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64

Event ID 307 — NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileName: !S!.

Message #

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 308 — NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, TxfVisibleLinks: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 309 — NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, SeAccessCheck status: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_AccessStatus HexInt32

Event ID 310 — NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, NewLinkName: !S!.

Message #

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16__NewLinkName CountedUtf16String

Event ID 311 — NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!, Target RM state: %8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16__NewLinkName CountedUtf16String
A17_TargetParentScbFcbTxfRmcbRmState HexInt32

Event ID 312 — NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Lcb: !p!, Link Name: !S!.

Message #

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_Lcb Pointer
A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String

Event ID 313 — NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!, Parent FileRef: %9!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_Lcb Pointer
A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A18_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64

Event ID 314 — NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Stream cleanup count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_NextScbVcb Pointer
A12__NextScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb CountedUtf16String
A14_NextScbFcb Pointer
A15_NtfsFullFileRefNumber_NextScbFcbFileReference HexInt64
A16_NextScbCleanupCount Int32

Event ID 315 — NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, ByID opens: %7!d!, Stream cleanup count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_NextScbVcb Pointer
A12__NextScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb CountedUtf16String
A14_NextScbFcb Pointer
A15_NtfsFullFileRefNumber_NextScbFcbFileReference HexInt64
A16_ByIdCcbs Int32
A17_NextScbCleanupCount Int32

Event ID 316 — NtfsStreamRename: Deny access due to encryption happening on source stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsStreamRename: Deny access due to encryption happening on source stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb state: 0x%10!08x! Scb HighWaterMark: %11!I64d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbState HexInt32
A20_ScbScbTypeDataHighWaterMark Int64

Event ID 317 — NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Previous batch oplock count: %7!d!, current batch oplock count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_DirectoryScbVcb Pointer
A12__DirectoryScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWDirectoryScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHDirectoryScbVcbVpb CountedUtf16String
A14_DirectoryScbFcb Pointer
A15_NtfsFullFileRefNumber_DirectoryScbFcbFileReference HexInt64
A16_ULONGIrpIoStatusInformation Int32
A17_BatchOplockCount Int32

Event ID 318 — NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, Fcb: A12_Fcb, LocalFlags: A13_LocalFlagsEntireFlags!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, Fcb: A12_Fcb, LocalFlags: A13_LocalFlagsEntireFlags!#08x!

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Vcb: %2!p!, Fcb: %3!p!, LocalFlags: %4!#08x!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12_Fcb Pointer
A13_LocalFlagsEntireFlags HexInt32

Event ID 319 — NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Scb: %2!p!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Scb Pointer

Event ID 320 — NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: A12_LocalFlagsEntireFlags!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: A12_LocalFlagsEntireFlags!#08x!

Message #

NtfsFlushVolume: Thread: %1!p!, Vcb: %2!p!, LocalFlags: %3!#08x!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12_LocalFlagsEntireFlags HexInt32

Event ID 321 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: A10_VcbBitmapScb Vcb: A11_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: A10_VcbBitmapScb Vcb: A11_Vcb.

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: %1!p! Vcb: %2!p!

Fields #

NameDescription
A10_VcbBitmapScb Pointer
A11_Vcb Pointer

Event ID 322 — NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: A10_VcbMftScb Vcb: A11_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: A10_VcbMftScb Vcb: A11_Vcb.

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: %1!p! Vcb: %2!p!

Fields #

NameDescription
A10_VcbMftScb Pointer
A11_Vcb Pointer

Event ID 323 — NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into completion queue.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into completion queue.

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into completion queue

Fields #

NameDescription
A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb Pointer
A11_Context Pointer

Event ID 324 — NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into WorkQueue - Flink A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into WorkQueue - Flink A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink.

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into WorkQueue - Flink %3!p!

Fields #

NameDescription
A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb Pointer
A11_Context Pointer

Event ID 325 — NtfsDiskFlushContextWorkItemProcessing: Process work item

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDiskFlushContextWorkItemProcessing: Process work item.

Message #

NtfsDiskFlushContextWorkItemProcessing: Process work item

Event ID 326 — NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on.

Message #

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Event ID 327 — Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: A13_IrpSpMinorFunction!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: A13_IrpSpMinorFunction!02x!, FsControlCode: 0xA14_FsControlCode!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, MinorCode: %4!02x!, FsControlCode: 0x%5!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_IrpContextVcb Pointer
A13_IrpSpMinorFunction HexInt32
A14_FsControlCode HexInt32

Event ID 328 — NtfsLockVolumeInternal: Cannot lock the volume.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!, DisallowDismountCount: %6!d!, ExplicitLock: %7!d!, Volume CleanupCount: %8!d!, Handle count: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_VcbDisallowDismountCount Int32
A16_ExplicitLock10 Int32
A17_ReadULongNoFence_VcbCleanupCount Int32
A18_UserHandleCountSystemHandleCountVcbExternalMetadataCleanupCount Int32

Event ID 329 — NtfsLockVolumeInternal: Volume is already locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Volume is already locked.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 330 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush Status: A14_Status.

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 331 — NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush Status: A14_Status.

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 332 — NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume close count: %5!d!, System file close count: %6!d!, User handle count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbCloseCount Int32
A15_VcbSystemFileCloseCount Int32
A16_UserHandleCount Int32

Event ID 333 — NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 334 — NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Active RM count: !d!, Default RM Active: !d!.

Message #

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Active RM count: %5!d!, Default RM Active: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ActiveRmCount Int32
A15_DefaultRmActive10 Int32

Event ID 335 — A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL}) up for auto-restart.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL}) up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcbTxfVcbDefaultRm Pointer
A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL GUID

Event ID 336 — NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 337 — NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsDismountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 338 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 339 — NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 340 — NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, ReadOnlyCloseCount: %6!d!, CloseCount: %7!d!, SystemFileCloseCount: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_VcbReadOnlyCloseCount Int32
A16_VcbCloseCount Int32
A17_VcbSystemFileCloseCount Int32

Event ID 341 — NtfsDismountVolume: Could not flush trim hints.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Could not flush trim hints. Couldn't make progress flushing log.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsDismountVolume: Could not flush trim hints.  Couldn't make progress flushing log.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 342 — NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 343 — NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 344 — NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 345 — NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 346 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 347 — NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, TypeOfOpen: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32
A15_TypeOfOpen Int32

Event ID 348 — NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Irp Request Mode: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32
A15_IrpRequestorMode Int32

Event ID 349 — NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 350 — NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 351 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32
A15_CcbFlags HexInt32

Event ID 352 — NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!, CallerId: %7!d!, Context owner ID: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32
A15_CcbFlags HexInt32
A16_CallerId Int32
A17_ContextOwnerId Int32

Event ID 353 — NtfsSetSparse: Caller does not have appropriate write access to the stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, FileObject write access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_FileObjectWriteAccess10 Int32

Event ID 354 — NtfsSetSparse: Cannot desparse encrypted file without write data access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Scb attributes: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_ScbAttributeFlags HexInt32

Event ID 355 — NtfsZeroRange: User mode caller not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsZeroRange: User mode caller not allowed. Thread: A10_PsGetCurrentThread, Zero flags: 0xA11_ZeroFlags!08x!, Irp Requestor Mode: A12_IrpRequestorMode.

Message #

NtfsZeroRange: User mode caller not allowed. Thread: %1!p!, Zero flags: 0x%2!08x!, Irp Requestor Mode: %3!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ZeroFlags HexInt32
A12_IrpRequestorMode Int32

Event ID 356 — IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.

Message #

IC: %1!p!, Scb: %2!p!, FileObject: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer
A12_IrpSpFileObject Pointer

Event ID 357 — IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!08x!

Message #

IC: %1!p!, EncryptionOperation: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_EncryptionOperation HexInt32

Event ID 358 — NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 359 — NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 360 — NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 361 — NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 362 — NtfsChangeVolumeSize: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 363 — NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Message #

NtfsChangeVolumeSize (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 364 — NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Message #

NtfsChangeVolumeSize (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 365 — NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, HandleInfo flags: 0x%9!08x!, Irp Requestor Mode: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_HandleInfoHandleInfo HexInt32
A19_IrpRequestorMode Int32

Event ID 366 — NtfsMarkHandle: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkHandle: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_DasdCcbNULLDasdCcbAccessFlags0!08x!.

Message #

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_DasdCcbNULLDasdCcbAccessFlags0 HexInt32

Event ID 367 — NtfsMarkHandle: Cannot deny defrag.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, HandleInfo flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_HandleInfoHandleInfo HexInt32

Event ID 368 — NtfsMarkHandle: Cannot deny Frs consolidation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState2: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState2 HexInt32
A17_Scb Pointer
A18_ScbAttributeTypeCode HexInt32
A19__ScbAttributeName CountedUtf16String
A20_ScbPersist HexInt32
A21_HandleInfoHandleInfo HexInt32

Event ID 369 — NtfsMarkHandle: Cannot filter metadata.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!, Irp RequestorMode: %13!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_Scb Pointer
A18_ScbAttributeTypeCode HexInt32
A19__ScbAttributeName CountedUtf16String
A20_ScbPersist HexInt32
A21_HandleInfoHandleInfo HexInt32
A22_IrpRequestorMode Int32

Event ID 370 — NtfsMarkHandle: Mark handle is not allowed on system files.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, HandleInfo flags: !x!.

Message #

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, HandleInfo flags: %8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbFcbFcbState HexInt32
A17_HandleInfoHandleInfo HexInt32

Event ID 371 — NtfsMarkHandle: File already has user writable references.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, HandleInfo: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_HandleInfoHandleInfo HexInt32

Event ID 372 — NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Writers: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbShareAccessWriters Int32

Event ID 373 — NtfsPrefetchFile: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 374 — NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, WriteAccess: %6!d!, Fcb: %7!p!, FileRef: 0x%8!I64x!, FcbState: %9!x!, Scb AttributeTypeCode: 0x%10!x!, Ccb FullFileName: %11!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_IrpSpFileObjectWriteAccess10 Int32
A16_ScbFcb Pointer
A17_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A18_ScbAttributeTypeCode HexInt32
A19_ScbFcbFcbState HexInt32
A20_CcbNULL_CcbFullFileNameNULL CountedUtf16String

Event ID 375 — NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 376 — Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to A11_InputParameter.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to A11_InputParameter.

Message #

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x%1!p! to %2!u!.

Fields #

NameDescription
A10_PVOIDVcb Pointer
A11_InputParameter UInt32

Event ID 377 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 378 — NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 379 — NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, NtfsData Flags: !x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, NtfsData Flags: %5!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String
A14_NtfsDataFlags HexInt32

Event ID 380 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 381 — Resetting Volsnap behavior for VCB = 0xA10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Resetting Volsnap behavior for VCB = 0xA10_Vcb. New state is 0xA11_VcbVcbState.

Message #

Resetting Volsnap behavior for VCB = 0x%1!p!.  New state is 0x%2!x!.

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbVcbState HexInt32

Event ID 382 — NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 383 — NtfsCorruptionHandling: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 384 — NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 385 — Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: A11_ScrubResumeContextResumeVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: A11_ScrubResumeContextResumeVcn!#I64x! + A12_ScrubResumeContextResumeVcnOffset!#x!

Message #

Scrub resume from SystemScbIndex: %1!u! Vcn: %2!#I64x! + %3!#x!

Fields #

NameDescription
A10_ScrubResumeContextSystemScbIndex UInt32
A11_ScrubResumeContextResumeVcn HexInt64
A12_ScrubResumeContextResumeVcnOffset HexInt32

Event ID 386 — Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!#I64x! + A12_ScrubResumeContextResumeVcnOffset!#x!

Message #

Scb:%1!p! Scrub resume from Vcn: %2!#I64x! + %3!#x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubResumeContextResumeVcn HexInt64
A12_ScrubResumeContextResumeVcnOffset HexInt32

Event ID 387 — Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.

Message #

Scrub SystemScbIndex: %1!u!

Fields #

NameDescription
A10_ScrubResumeContextSystemScbIndex UInt32

Event ID 388 — NtfsScrubData: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32

Event ID 389 — Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Message #

Scrub not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTxfScb Pointer

Event ID 390 — Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop.

Message #

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop

Event ID 391 — Scb:A10_Scb ScrubInternal OperationStatus: A11_ScrubContextOperationStatus Repaired: A12_ScrubContextNumberOfBytesRepaired!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:!p! ScrubInternal OperationStatus: !S! Repaired: !#I64x! Failed: !#I64x! FileOffset: !#I64x! Length: !#I64x! ParityExtentCount: !u!

Message #

Scb:%1!p! ScrubInternal OperationStatus: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! FileOffset: %5!#I64x! Length: %6!#I64x! ParityExtentCount: %7!u!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubContextOperationStatus HexInt32
A12_ScrubContextNumberOfBytesRepaired HexInt64
A13_ScrubContextNumberOfBytesFailed HexInt64
A14_ScrubContextErrorFileOffset HexInt64
A15_ScrubContextErrorLength HexInt64
A16_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 392 — Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: A12_ScrubContextNumberOfBytesRepaired!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: A12_ScrubContextNumberOfBytesRepaired!#I64x! Failed: A13_ScrubContextNumberOfBytesFailed!#I64x! ParityExtentCount: A14_ScrubContextParityExtentDataNumberOfParityExtents.

Message #

Scb:%1!p! ScrubInternal Status: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! ParityExtentCount: %5!u!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32
A12_ScrubContextNumberOfBytesRepaired HexInt64
A13_ScrubContextNumberOfBytesFailed HexInt64
A14_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 393 — InternalFileReference: A10_InternalFileReference.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

InternalFileReference: A10_InternalFileReference.

Message #

InternalFileReference: %1!u!

Fields #

NameDescription
A10_InternalFileReference UInt32

Event ID 394 — InternalFileReference:A10_InternalFileReference.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

InternalFileReference:A10_InternalFileReference.

Message #

InternalFileReference:%1!u!

Fields #

NameDescription
A10_InternalFileReference UInt32

Event ID 395 — Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel ParityExtentCount:A13_ScrubContextParityExtentDataNumberOfParityExtents.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel ParityExtentCount:A13_ScrubContextParityExtentDataNumberOfParityExtents.

Message #

Scb:%1!p! Incomplete IoCount:%2!u! Cancel:%3!u! ParityExtentCount:%4!u!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubIoCount UInt32
A12_IrpCancel UInt32
A13_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 396 — Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).

Message #

Scb:%1!p! Scrub skipping resident attribute (d) (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 397 — Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).

Message #

Scb:%1!p! Scrub skipping resident attribute (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 398 — Scb:A10_Scb Scrub StartingVcn.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub StartingVcn(A11_StartingVcn!#I64d!) is negative.

Message #

Scb:%1!p! Scrub StartingVcn(%2!#I64d!) is negative

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn Int64

Event ID 399 — Scb:A10_Scb Scrub starting vcn is beyond VDL.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub starting vcn is beyond VDL (FileOffset: A11_FileScrubOffset!#I64x!, SectorAlignedVdl: A12_SectorAlignedVdl!#I64x!).

Message #

Scb:%1!p! Scrub starting vcn is beyond VDL (FileOffset: %2!#I64x!, SectorAlignedVdl: %3!#I64x!)

Fields #

NameDescription
A10_Scb Pointer
A11_FileScrubOffset HexInt64
A12_SectorAlignedVdl HexInt64

Event ID 400 — Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! Scrub no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 401 — Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!#I64x!, ClusterCount: A12_ClusterCount!#I64x!

Message #

Scb:%1!p! Scrub skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ClusterCount HexInt64

Event ID 402 — Scb:A10_Scb StartingVcn:A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb StartingVcn:A11_StartingVcn!#I64x! is beyond Vdl.

Message #

Scb:%1!p! StartingVcn:%2!#I64x! is beyond Vdl

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 403 — Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!#I64x!,A12_DsmRangeStartingOffsetDsmRangeLengthInBytes!#I64x!) Length:A13_DsmRangeLengthInBytes!#I64x! (Bytes) StartingVcn:A14_StartingVcn!#I64x! + A15_StartingVcnOffset!#x! SectorAlignedVdl:A16_SectorAlignedVdl!#I64x!

Message #

Scb:%1!p! ScrubDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) StartingVcn:%5!#I64x! + %6!#x! SectorAlignedVdl:%7!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_DsmRangeStartingOffset HexInt64
A12_DsmRangeStartingOffsetDsmRangeLengthInBytes HexInt64
A13_DsmRangeLengthInBytes HexInt64
A14_StartingVcn HexInt64
A15_StartingVcnOffset HexInt32
A16_SectorAlignedVdl HexInt64

Event ID 404 — Scrub found problems Scb: A10_Scb Vcn A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub found problems Scb: !p! Vcn !#I64x! FileOffset: !#I64x! Length: !#I64x! Status: !S! BytesFailed: !#I64x! BytesRepaired: !#I64x! NewParityExtents: !u!

Message #

Scrub found problems Scb: %1!p! Vcn %2!#I64x! FileOffset: %3!#I64x! Length: %4!#I64x! Status: %5!S! BytesFailed: %6!#I64x! BytesRepaired: %7!#I64x! NewParityExtents: %8!u!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ScrubContextErrorFileOffset HexInt64
A13_ScrubbedLength HexInt64
A14_ScrubContextOperationStatus HexInt32
A15_ScrubContextNumberOfBytesFailed HexInt64
A16_ScrubContextNumberOfBytesRepaired HexInt64
A17_NewParityExtentCount UInt32

Event ID 405 — Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Scrub call failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 406 — Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Scrub operation failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 407 — FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Message #

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTxfScb Pointer

Event ID 408 — Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) (A11__ScbAttributeName).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) (A11__ScbAttributeName).

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 409 — Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (A11__ScbAttributeName).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (A11__ScbAttributeName).

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 410 — FSCTL_REPAIR_COPIES interrupted by thread termination.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES interrupted by thread termination.

Message #

FSCTL_REPAIR_COPIES interrupted by thread termination.

Event ID 411 — FSCTL_REPAIR_COPIES canceled

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES canceled.

Message #

FSCTL_REPAIR_COPIES canceled

Event ID 412 — Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 413 — Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 414 — Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!#I64x!, ClusterCount: A12_ClusterCount!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ClusterCount HexInt64

Event ID 415 — Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!#I64x!,A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes!#I64x!) Length:A13_RepairDataSetRangeLengthInBytes!#I64x! (Bytes) FileOffset: A14_RepairFileOffset!#I64x!

Message #

Scb:%1!p! RepairDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) FileOffset: %5!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_RepairDataSetRangeStartingOffset HexInt64
A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes HexInt64
A13_RepairDataSetRangeLengthInBytes HexInt64
A14_RepairFileOffset HexInt64

Event ID 416 — Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Repair call failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 417 — Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.

Message #

Scb:%1!p! DsmAction_Repair operation failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_IrpStatus HexInt32

Event ID 418 — Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.

Message #

Scb:%1!p! DsmAction_Repair completed, IrpStatus: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_RepairCopiesOutputStatus HexInt32

Event ID 419 — NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32

Event ID 420 — NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 421 — NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 422 — NtfsUnloadFile: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 423 — NtfsCheckForSection: File already has image section.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckForSection: File already has image section. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Scb: !p!, Scb Type Code: 0x!x!, Scb Name: !S!.

Message #

NtfsCheckForSection: File already has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String

Event ID 424 — NtfsShuffleFile: User mode caller is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsShuffleFile: User mode caller is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, TypeOfOpen: !d!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, Irp RequestorMode: !d!.

Message #

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Irp RequestorMode: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_IrpRequestorMode Int32

Event ID 425 — NtfsShuffleFile: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsShuffleFile: Denying access due to volume is locked. Thread: !p!, TypeOfOpen: !d!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, VcbState: 0x!08x!.

Message #

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, VcbState: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_VcbVcbState HexInt32

Event ID 426 — NtfsShuffleFile: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 427 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 428 — NtfsRearrangeFile: User mode caller is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRearrangeFile: User mode caller is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, Irp RequestorMode: !d!.

Message #

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Irp RequestorMode: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_IrpRequestorMode Int32

Event ID 429 — NtfsRearrangeFile: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRearrangeFile: Denying access due to volume is locked. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, VcbState: 0x!08x!.

Message #

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, VcbState: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_VcbVcbState HexInt32

Event ID 430 — NtfsRearrangeFile: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 431 — NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 432 — NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FileRef: !I64x!, FullFileName: !S!, Ccb access flags: !x!.

Message #

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FileRef: %5!I64x!, FullFileName: %6!S!, Ccb access flags: %7!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_NtfsFullFileRefNumber_FcbFileReference HexInt64
A15_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A16_CcbNULLCcbAccessFlags0 HexInt32

Event ID 433 — NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Scb AttributeTypeCode: %8!x!, FcbState2: %9!x!, Ccb FullFileName: %10!S!, Ccb Access flags: %11!x!, Ccb Flags2: %12!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_ScbAttributeTypeCode HexInt32
A18_ScbFcbFcbState2 HexInt32
A19_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A20_CcbNULLCcbAccessFlags0 HexInt32
A21_CcbNULLCcbFlags20 HexInt32

Event ID 434 — NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Scb AttributeTypeCode: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb Access flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_ScbAttributeTypeCode HexInt32
A18_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A19_CcbNULLCcbAccessFlags0 HexInt32

Event ID 435 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 436 — NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, path="A13__DeletedFiles".

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, path="A13__DeletedFiles".

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Open status=0x%3!x!, path="%4!S!"

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32
A13__DeletedFiles CountedUtf16String

Event ID 437 — NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate status=0xA12_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate status=0xA12_Status.

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Enumerate status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 438 — NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, file="A13__FileNameToDelete".

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, file="A13__FileNameToDelete".

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Open status=0x%3!x!, file="%4!S!"

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32
A13__FileNameToDelete CountedUtf16String

Event ID 439 — NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Close status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 440 — NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir status=0xA12_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir status=0xA12_Status.

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Close dir status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 441 — NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, EffectiveMode: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32
A19_EffectiveMode Int32

Event ID 442 — SCB: A10_Scb, StartOffset: 0xA11_StartOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

SCB: A10_Scb, StartOffset: 0xA11_StartOffset!I64x!, Length: 0xA12_Length!I64x!, StartVcn=0xA13_StartVcn!I64x!, BeyondEndVcn=0xA14_BeyondEndVcn!I64x!

Message #

SCB: %1!p!, StartOffset: 0x%2!I64x!, Length: 0x%3!I64x!, StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartOffset HexInt64
A12_Length HexInt64
A13_StartVcn HexInt64
A14_BeyondEndVcn HexInt64

Event ID 443 — FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: 0xA11_OutputNumBadRanges.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: 0xA11_OutputNumBadRanges.

Message #

FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2!x!

Fields #

NameDescription
A10_Status HexInt32
A11_OutputNumBadRanges HexInt32

Event ID 444 — FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: 0xA11_FsInputRangesFsInputRangeIndexFileOffset!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: 0xA11_FsInputRangesFsInputRangeIndexFileOffset!I64x!, VolumeOffset: 0xA12_FsInputRangesFsInputRangeIndexVolumeOffset!I64x!, LengthInBytes: 0xA13_FsInputRangesFsInputRangeIndexLengthInBytes!I64x!

Message #

FsInputRangeIndex: %1!u!, FileOffset: 0x%2!I64x!, VolumeOffset: 0x%3!I64x!, LengthInBytes: 0x%4!I64x!

Fields #

NameDescription
A10_FsInputRangeIndex UInt32
A11_FsInputRangesFsInputRangeIndexFileOffset HexInt64
A12_FsInputRangesFsInputRangeIndexVolumeOffset HexInt64
A13_FsInputRangesFsInputRangeIndexLengthInBytes HexInt64

Event ID 445 — Scb: A10_Scb, Status: A11_Status, AbnormalTermination: A12_BOOLEANAbnormalTermination.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb: A10_Scb, Status: A11_Status, AbnormalTermination: A12_BOOLEANAbnormalTermination.

Message #

Scb: %1!p!, Status: %2!S!, AbnormalTermination: %3!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32
A12_BOOLEANAbnormalTermination UInt8

Event ID 446 — Scb: A10_Scb, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb: A10_Scb, Status: A11_Status.

Message #

Scb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 447 — NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 448 — Logic error of posting close to work queue.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Logic error of posting close to work queue.

Message #

Logic error of posting close to work queue.

Event ID 449 — NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, 'A12__ParentScbScbTypeIndexNormalizedName'} {RemainingName: 'A13_RemainingName'}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, 'A12__ParentScbScbTypeIndexNormalizedName'} {RemainingName: 'A13_RemainingName'}.

Message #

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!, '%3!S!'} {RemainingName: '%4!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_ParentScb Pointer
A12__ParentScbScbTypeIndexNormalizedName CountedUtf16String
A13_RemainingName CountedUtf16String

Event ID 450 — NtfsFindPrefixHashEntry: {Lcb: NULL}

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb: NULL}.

Message #

NtfsFindPrefixHashEntry: {Lcb: NULL}

Event ID 451 — NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, 'A11__FoundLcbExactCaseLinkLinkName'}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, 'A11__FoundLcbExactCaseLinkLinkName'}.

Message #

NtfsFindPrefixHashEntry: {Lcb: %1!p!, '%2!S!'}

Fields #

NameDescription
A10_FoundLcb Pointer
A11__FoundLcbExactCaseLinkLinkName CountedUtf16String

Event ID 452 — NtfsFindPrefixHashEntry: {Lcb not found}

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb not found}.

Message #

NtfsFindPrefixHashEntry: {Lcb not found}

Event ID 453 — NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: A11_NewHashEntryHashValue!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: A11_NewHashEntryHashValue!08x!} {FullNameLength: A12_NewHashEntryFullNameLength} {Lcb: A13_NewHashEntryHashLcb, 'A14__NewHashEntryHashLcbExactCaseLinkLinkName'}.

Message #

NtfsInsertHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {FullNameLength: %3!d!} {Lcb: %4!p!, '%5!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_NewHashEntryHashValue HexInt32
A12_NewHashEntryFullNameLength Int32
A13_NewHashEntryHashLcb Pointer
A14__NewHashEntryHashLcbExactCaseLinkLinkName CountedUtf16String

Event ID 454 — NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!08x!} {HashLcb: A12_HashLcb, 'A13__HashLcbExactCaseLinkLinkName'}.

Message #

NtfsRemoveHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {HashLcb: %3!p!, '%4!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_HashValue HexInt32
A12_HashLcb Pointer
A13__HashLcbExactCaseLinkLinkName CountedUtf16String

Event ID 455 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Checkpoint injection. Count A11_VcbCheckpointInjectionCount.

Message #

Vcb %1!p!.  Checkpoint injection.  Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCheckpointInjectionCount Int32

Event ID 456 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb !p!. Log !d!%!PCT! full. Wait for CC to flush metadata first. Count !d!

Message #

Vcb %1!p!.  Log %2!d!%!PCT! full.  Wait for CC to flush metadata first. Count %3!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_PercentFull Int32
A12_VcbWaitForCcLoggedDataActivityCount Int32

Event ID 457 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Done waiting for CC to flush metadata.

Message #

Vcb %1!p!.  Done waiting for CC to flush metadata

Fields #

NameDescription
A10_Vcb Pointer

Event ID 458 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Injected checkpoint.

Message #

Vcb %1!p!.  Injected checkpoint.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 459 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Start of checkpoint.

Message #

Vcb %1!p!.  Start of checkpoint

Fields #

NameDescription
A10_Vcb Pointer

Event ID 460 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Clean checkpoint. Count A11_VcbCleanCheckpointCount.

Message #

Vcb %1!p!.  Clean checkpoint. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCleanCheckpointCount Int32

Event ID 461 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Overflowed DPT. Count A11_VcbOverflowedDPTCount.

Message #

Vcb %1!p!.  Overflowed DPT. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbOverflowedDPTCount Int32

Event ID 462 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Fuzzy checkpoint. Count A11_VcbFuzzyCheckpointCount.

Message #

Vcb %1!p!.  Fuzzy checkpoint. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbFuzzyCheckpointCount Int32

Event ID 463 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush oldest FO. Count A11_VcbFlushOldestFOCount.

Message #

Vcb %1!p!.  Flush oldest FO.  Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbFlushOldestFOCount Int32

Event ID 464 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush starts with FRef A11_NtfsFullSegmentNumber_ScbFcbFileReference!I64x!

Message #

Vcb %1!p!.  Flush starts with FRef %2!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_NtfsFullSegmentNumber_ScbFcbFileReference HexInt64

Event ID 465 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush ends. FO A11_DirtyPageContextOldestFileObject.

Message #

Vcb %1!p!.  Flush ends.  FO %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DirtyPageContextOldestFileObject Pointer

Event ID 466 — NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 467 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Checkpoint completed.

Message #

Vcb %1!p!.  Checkpoint completed.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 468 — Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Leaving NtfsCheckpointVolume.

Message #

Vcb %1!p!.  Leaving NtfsCheckpointVolume.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 469 — NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 470 — NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 471 — NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsWriteLog failure A13_IrpContextExceptionStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsWriteLog failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsWriteLog failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 472 — NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsWriteLog failure A13_IrpContextExceptionStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsWriteLog failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsWriteLog failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 473 — NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): LfsFlushToLsn failure A13_IrpContextExceptionStatus Count A14_FailedFlushCount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): LfsFlushToLsn failure A13_IrpContextExceptionStatus Count A14_FailedFlushCount.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): LfsFlushToLsn failure %4!x! Count %5!d!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32
A14_FailedFlushCount Int32

Event ID 474 — NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsProcessNewLengthQueue failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 475 — NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsProcessNewLengthQueue failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 476 — NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 477 — NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 478 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: A11_ActiveLsnQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: A11_ActiveLsnQuadPart!I64x!, ClearAll: A12_ClearAll.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Entering - ActiveLsn: %2!I64x!, ClearAll: %3!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_ActiveLsnQuadPart HexInt64
A12_ClearAll UInt32

Event ID 479 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 480 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list  - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 481 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters with A11_ClustersClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters with A11_ClustersClusterCount!I64x! clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found frozen deallocated clusters with %2!I64x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_ClustersClusterCount HexInt64

Event ID 482 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 483 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 484 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters A11_Clusters with A12_ClustersClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters A11_Clusters with A12_ClustersClusterCount!I64x! clusters, Lsn: A13_ClustersLsnQuadPart!I64x!, Flags: A14_ClustersFlags!08x!

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found a deallocated clusters %2!p! with %3!I64x! clusters, Lsn: %4!I64x!, Flags: %5!08x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Clusters Pointer
A12_ClustersClusterCount HexInt64
A13_ClustersLsnQuadPart HexInt64
A14_ClustersFlags HexInt32

Event ID 485 — Vcb: A10_Vcb, Processing range.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb: A10_Vcb, Processing range. DeallocatedClusters: A11_Clusters, RunIndex: A12_i, StartingLcn: A13_StartingLcn!I64x!, ClusterCount: A14_ClusterCount!I64x!

Message #

Vcb: %1!p!, Processing range. DeallocatedClusters: %2!p!, RunIndex: %3!d!, StartingLcn: %4!I64x!, ClusterCount: %5!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Clusters Pointer
A12_i Int32
A13_StartingLcn HexInt64
A14_ClusterCount HexInt64

Event ID 486 — Looking for dangling MDLs

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Looking for dangling MDLs.

Message #

Looking for dangling MDLs

Event ID 487 — FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.

Message #

FsLibGroupSubExtentsByDanglingMdl failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 488 — FsLibAddBaseMcbEntryEx failed: A10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibAddBaseMcbEntryEx failed: A10_Status.

Message #

FsLibAddBaseMcbEntryEx failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 489 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: A10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: A10_Status.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 490 — NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: A10_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: A10_Status.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 491 — No sub extents has dangling MDL

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

No sub extents has dangling MDL.

Message #

No sub extents has dangling MDL

Event ID 492 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at A11_StartingLcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at A11_StartingLcn!I64x! for A12_ULONGClusterCount clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Telling volsnap freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcn HexInt64
A12_ULONGClusterCount HexInt32

Event ID 493 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at A11_StartingLcnStartingIndex!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at A11_StartingLcnStartingIndex!I64x! for A12_runLength clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Volsnap responsed with freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcnStartingIndex HexInt64
A12_runLength HexInt32

Event ID 494 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Got error 0x%2!x! from below

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 495 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext A11_MarkUnusedContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext A11_MarkUnusedContext.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Deleting MarkUnusedContext %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 496 — NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 497 — NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!I64x!, Length: 0xA13_Count!I64x!

Message #

NtfsRemoveNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Length: 0x%4!I64x!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_StartingVcn HexInt64
A13_Count HexInt64

Event ID 498 — NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.

Message #

NtfsRemoveNtfsMcbEntry Mcb: %1!p! Completed.

Fields #

NameDescription
A10_Mcb Pointer

Event ID 499 — NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!I64x!, Lcn: 0xA13_Lcn!I64x!, Length: 0xA14_RunCount!I64x!

Message #

NtfsAddNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Length: 0x%5!I64x!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_Vcn HexInt64
A13_Lcn HexInt64
A14_RunCount HexInt64

Event ID 500 — NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.

Message #

NtfsAddNtfsMcbEntry Mcb: %1!p!, Result: %2!S!

Fields #

NameDescription
A10_Mcb Pointer
A11_Result UInt32

Event ID 501 — NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: 0xA12_StartingVcn!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: 0xA12_StartingVcn!I64x!, EndVcn: 0xA13_EndingVcn!I64x!, TruncateOnly: A14_TruncateOnly.

Message #

NtfsUnloadNtfsMcbRange Scb: %1!p!, Mcb: %2!p!, StartVcn: 0x%3!I64x!, EndVcn: 0x%4!I64x!, TruncateOnly: %5!S!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_StartingVcn HexInt64
A13_EndingVcn HexInt64
A14_TruncateOnly UInt32

Event ID 502 — NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.

Message #

NtfsUnloadNtfsMcbRange Mcb: %1!p! Completed.

Fields #

NameDescription
A10_Mcb Pointer

Event ID 503 — Valid NTFS boot sector.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Valid NTFS boot sector. Vcb: A10_Vcb; BootSector: A11_BootSector.

Message #

Valid NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_BootSector Pointer

Event ID 504 — Not an NTFS boot sector.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Not an NTFS boot sector. Vcb: A10_Vcb; BootSector: A11_BootSector; CheckNumber: A12_CheckNumber.

Message #

Not an NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!; CheckNumber: %3!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_BootSector Pointer
A12_CheckNumber Int32

Event ID 505 — NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's Attribute List failed with exception:0xA12_IrpContextExceptionStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's Attribute List failed with exception:0xA12_IrpContextExceptionStatus.

Message #

NtfsMountVolume: Vcb:%1!p!, IC:%2!p!, Growing allocation for Mft's Attribute List failed with exception:0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextExceptionStatus HexInt32

Event ID 506 — NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsMountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 507 — Mounting DAX partition.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Mounting DAX partition. Vcb: A10_Vcb.

Message #

Mounting DAX partition. Vcb: %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 508 — DAX volume mounted without DAX support because storage is not DAX capable.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: A10_Vcb.

Message #

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 509 — NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft AttributeList not found, skipping growth.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft AttributeList not found, skipping growth.

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Mft AttributeList not found, skipping growth

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 510 — NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting Resident AttributeList.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting Resident AttributeList(size:0xA12_AttrListAllocationSize!I64x!) to NonResident.

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Converting Resident AttributeList(size:0x%3!I64x!) to NonResident

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_AttrListAllocationSize HexInt64

Event ID 511 — NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, AttrListScb:A12_Scb Added Allocation for NonResident AttributeList.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, AttrListScb:A12_Scb Added Allocation for NonResident AttributeList (old size:0xA13_AttrListAllocationSize!I64x!).

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p!, AttrListScb:%3!p! Added Allocation for NonResident AttributeList (old size:0x%4!I64x!)

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_AttrListAllocationSize HexInt64

Event ID 512 — Unexpected exception code of 0xA10_ExceptionCode received.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected exception code of 0xA10_ExceptionCode received.

Message #

Unexpected exception code of 0x%1!x! received

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 513 — Exception code of 0xA10_ExceptionCode received during mount.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Exception code of 0xA10_ExceptionCode received during mount.

Message #

Exception code of 0x%1!x! received during mount.

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 514 — Unexpected exception code of 0xA10_ExceptionCode received.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected exception code of 0xA10_ExceptionCode received.

Message #

Unexpected exception code of 0x%1!x! received.

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 515 — LogFileFull A10_IrpContextLogFullReason BackTrace: ln A11_BackTrace0; ln A12_BackTrace1; ln A13_BackTrace2; ln A14_BackTrace3; ln A15_BackTrace4; ln A16_BackTrace5; ln A17_BackTrace6; ln A18_BackTr...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

LogFileFull BackTrace: ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!

Message #

LogFileFull %1 BackTrace: ln %2!p!; ln %3!p!; ln %4!p!; ln %5!p!; ln %6!p!; ln %7!p!; ln %8!p!; ln %9!p!; ln %10!p!; ln %11!p!; ln %12!p!; ln %13!p!; ln %14!p!; ln %15!p!; ln %16!p!; ln %17!p!; ln %18!p!; ln %19!p!; ln %20!p!; ln %21!p!;

Fields #

NameDescription
A10_IrpContextLogFullReason UInt32
A11_BackTrace0 Pointer
A12_BackTrace1 Pointer
A13_BackTrace2 Pointer
A14_BackTrace3 Pointer
A15_BackTrace4 Pointer
A16_BackTrace5 Pointer
A17_BackTrace6 Pointer
A18_BackTrace7 Pointer
A19_BackTrace8 Pointer
A20_BackTrace9 Pointer
A21_BackTrace10 Pointer
A22_BackTrace11 Pointer
A23_BackTrace12 Pointer
A24_BackTrace13 Pointer
A25_BackTrace14 Pointer
A26_BackTrace15 Pointer
A27_BackTrace16 Pointer
A28_BackTrace17 Pointer
A29_BackTrace18 Pointer
A30_BackTrace19 Pointer

Event ID 516 — Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.

Message #

Unexpected raise of 0x%1!x! during critical non-raise code

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 517 — NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!08x!

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ExceptionCode HexInt32

Event ID 518 — NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!08x!

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ExceptionCode HexInt32

Event ID 519 — Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Count A13_NtfsFailedAborts, Status A14_GetExceptionCode.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Count A13_NtfsFailedAborts, Status A14_GetExceptionCode.

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Count %4!x!, Status %5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Irp Pointer
A12_IrpContextVcb Pointer
A13_NtfsFailedAborts HexInt32
A14_GetExceptionCode HexInt32

Event ID 520 — Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Scb A13_NextScb, FileRef A14_PULONGLONG_NextScbFcbFileReference!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Scb A13_NextScb, FileRef A14_PULONGLONG_NextScbFcbFileReference!I64x!

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Scb %4!p!, FileRef %5!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Irp Pointer
A12_IrpContextVcb Pointer
A13_NextScb Pointer
A14_PULONGLONG_NextScbFcbFileReference HexInt64

Event ID 521 — Setting STATUS_CANT_WAIT in top-level exception status for write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!08x!A11_IrpSpParametersWriteByteOffsetLowPart!08x!

Message #

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x%1!08x!%2!08x!

Fields #

NameDescription
A10_IrpSpParametersWriteByteOffsetHighPart HexInt32
A11_IrpSpParametersWriteByteOffsetLowPart HexInt32

Event ID 522 — Setting 0xA10_ExceptionCode in top-level exception status for write @ 0xA11_IrpSpParametersWriteByteOffsetHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting 0xA10_ExceptionCode in top-level exception status for write @ 0xA11_IrpSpParametersWriteByteOffsetHighPart!08x!A12_IrpSpParametersWriteByteOffsetLowPart!08x!

Message #

Setting 0x%1!x! in top-level exception status for write @ 0x%2!08x!%3!08x!

Fields #

NameDescription
A10_ExceptionCode HexInt32
A11_IrpSpParametersWriteByteOffsetHighPart HexInt32
A12_IrpSpParametersWriteByteOffsetLowPart HexInt32

Event ID 523 — [A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!02x!]: Irp: A12_Irp, IC: A13_IrpContext, Status: A14_Status.

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

NameDescription
A10_IrpSpMajorFunction UInt32
A11_IrpSpMinorFunction HexInt32
A12_Irp Pointer
A13_IrpContext Pointer
A14_Status HexInt32

Event ID 524 — [A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!02x!]: Irp: A12_Irp, IC: A13_IrpContext, Status: A14_Status.

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

NameDescription
A10_IrpSpMajorFunction UInt32
A11_IrpSpMinorFunction HexInt32
A12_Irp Pointer
A13_IrpContext Pointer
A14_Status HexInt32

Event ID 525 — Can't handle invalid bitmap in a positive way.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't handle invalid bitmap in a positive way.

Message #

Can't handle invalid bitmap in a positive way.

Event ID 526 — NTFS ETW tracing is now active.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS ETW tracing is now active.

Message #

NTFS ETW tracing is now active.

Event ID 527 — Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.

Message #

Updating NtfsMinTrimTotalSize to %1!x!.

Fields #

NameDescription
A10_MinTrimTotalSize HexInt32

Event ID 528 — Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.

Message #

Updating NtfsMaxTrimTotalSize to %1!x!.

Fields #

NameDescription
A10_MaxTrimTotalSize HexInt32

Event ID 529 — NtfsSetObjectId: Caller does not have restore access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 530 — NtfsSetObjectIdExtendedInfo: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetObjectIdExtendedInfo: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 531 — NtfsDeleteObjectId: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 532 — A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12__VcbTxfVcbDefaultRmRmId}) up for auto-restart.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12__VcbTxfVcbDefaultRmRmId}) up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcbTxfVcbDefaultRm Pointer
A12__VcbTxfVcbDefaultRmRmId GUID

Event ID 533 — NtfsFsQuotaSetInfo: Denying access due to administrator limit.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 534 — NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, Ccb Flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32
A19_CcbFlags HexInt32

Event ID 535 — Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.

Message #

Unexpected Paging-Read on DAX mappable stream, Scb=%1!p!

Fields #

NameDescription
A10_Scb Pointer

Event ID 536 — NtfsSetReparsePoint: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 537 — NtfsSetReparsePointEx: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetReparsePointEx: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 538 — NtfsDeleteReparsePoint: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 539 — NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbLogFileObject Pointer
A12_IrpContext Pointer

Event ID 540 — NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - deleted Vcb: %1!p!, IC: %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 541 — NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbLogFileObject Pointer
A12_IrpContext Pointer

Event ID 542 — NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 543 — NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 544 — DoAction::InitializeFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::InitializeFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!

Message #

DoAction::InitializeFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64

Event ID 545 — DoAction::DeallocateFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::DeallocateFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!

Message #

DoAction::DeallocateFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64

Event ID 546 — DoAction::WriteEndOfFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::WriteEndOfFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA14_AttributeTypeCode Off:0xA15_LogRecordRecordOffset, Len:0xA16_Length.

Message #

DoAction::WriteEndOfFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x! Off:0x%6!x!, Len:0x%7!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_AttributeTypeCode HexInt32
A15_LogRecordRecordOffset HexInt32
A16_Length HexInt32

Event ID 547 — DoAction::CreateAttribute IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::CreateAttribute IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA14_PATTRIBUTE_RECORD_HEADERDataTypeCode.

Message #

DoAction::CreateAttribute IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_PATTRIBUTE_RECORD_HEADERDataTypeCode HexInt32

Event ID 548 — NtfsRestartChangeValue IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartChangeValue IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, FileRef:0xA14_NtfsFullSegmentNumber_FileReference!I64x!

Message #

NtfsRestartChangeValue IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, FileRef:0x%5!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_NtfsFullSegmentNumber_FileReference HexInt64

Event ID 549 — DoAction::SetNewAttributeSizes IC.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

DoAction::SetNewAttributeSizes IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x! OLD: Alloc:%5!I64x!, FileSize:%6!I64x!, VDL:%7!I64x!, TotalAlloc:%8!I64x! NEW: Alloc:%9!I64x!, FileSize:%10!I64x!, VDL:%11!I64x!, TotalAlloc:%12!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_AttributeFormNonresidentAllocatedLength HexInt64
A15_AttributeFormNonresidentFileSize HexInt64
A16_AttributeFormNonresidentValidDataLength HexInt64
A17_AttributeFormNonresidentTotalAllocated HexInt64
A18_SizesAllocationSize HexInt64
A19_SizesFileSize HexInt64
A20_SizesValidDataLength HexInt64
A21_SizesTotalAllocated HexInt64

Event ID 550 — DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Message #

DoAction(SetBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__Bitmap Pointer

Event ID 551 — DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Message #

DoAction(ClearBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__Bitmap Pointer

Event ID 552 — NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 553 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 554 — NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!.

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 555 — NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Txf Writers Count: !d!.

Message #

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Txf Writers Count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfFcbTxfNumWriters Int32

Event ID 556 — NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Original status: !S!.

Message #

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Original status: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_Status HexInt32

Event ID 557 — NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, File Attributes: 0x!08x!.

Message #

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32

Event ID 558 — NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32

Event ID 559 — NtfsCheckFileForDelete: Denying access due to file is not deleteable.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64

Event ID 560 — NtfsCheckFileForDelete: Denying access due to target file is read only.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 561 — NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb AccessFlags: 0x%7!08x!, TxfAccessCheck access status: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CcbAccessFlags HexInt32
A17_AccessStatus HexInt32

Event ID 562 — NtfsCheckFileForDelete: Denying access due to failing to remove image section.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_NextScb Pointer
A17_NextScbAttributeTypeCode HexInt32
A18__NextScbAttributeName CountedUtf16String

Event ID 563 — NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 564 — NtfsRepairItem: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRepairItem: Denying access due to volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 565 — NtfsSetRepairState: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 566 — NtfsInitiateRepair: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 567 — NTFS ETW tracing is shutting down.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS ETW tracing is shutting down.

Message #

NTFS ETW tracing is shutting down.

Event ID 568 — NtfsDefineStorageReserve: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 569 — NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 570 — NtfsRepairStorageReserve: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRepairStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 571 — NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Fcb State: 0x%7!08x!, Ccb FullFileName: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String

Event ID 572 — NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetStorageReserveIdInfo: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 573 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Operation flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32
A18_Flags HexInt32

Event ID 574 — NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area".

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area". Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 575 — Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Message #

Failed to get a non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 576 — Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Message #

Failed to free non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 577 — NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: 0xA11_ScbTotalAllocated!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: 0xA11_ScbTotalAllocated!I64x!

Message #

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: %1!p!, TotalAllocated: 0x%2!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTotalAllocated HexInt64

Event ID 578 — NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: A10_CurrentClusters, Lsn: A11_CurrentClustersLsnQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: A10_CurrentClusters, Lsn: A11_CurrentClustersLsnQuadPart!I64x!

Message #

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: %1!p!, Lsn: %2!I64x!

Fields #

NameDescription
A10_CurrentClusters Pointer
A11_CurrentClustersLsnQuadPart HexInt64

Event ID 579 — ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, InsertAfter: A12_InsertAfter.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, InsertAfter: A12_InsertAfter.

Message #

ClustersLinkAsHead: %1!p!, FlagsToMatch: 0x%2!x!, InsertAfter: %3!S!

Fields #

NameDescription
A10_ClustersLinkAsHead Pointer
A11_FlagsToMatch HexInt32
A12_InsertAfter UInt32

Event ID 580 — Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.

Message #

Clusters: %1!p!, Flags: 0x%2!x!

Fields #

NameDescription
A10_Clusters Pointer
A11_ClustersFlags HexInt32

Event ID 581 — Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.

Message #

Matching cluster: %1!p!, NumberOfRuns: 0x%2!x!

Fields #

NameDescription
A10_Clusters Pointer
A11_NumberOfRuns HexInt32

Event ID 582 — Clusters: A10_Clusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Clusters: A10_Clusters.

Message #

Clusters: %1!p!

Fields #

NameDescription
A10_Clusters Pointer

Event ID 583 — Allocated new deallocated clusters

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Allocated new deallocated clusters.

Message #

Allocated new deallocated clusters

Event ID 584 — Need to add Range.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Need to add Range. DanglingMdl: DanglingMdl, DeallocatedClusters: A11_Clusters, Lcn: A12_Lcn!I64x!, ClusterCount: A13_ClusterCount!I64x!

Message #

Need to add Range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

NameDescription
A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL UInt32
A11_Clusters Pointer
A12_Lcn HexInt64
A13_ClusterCount HexInt64

Event ID 585 — Added range.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Added range. DanglingMdl: DanglingMdl, DeallocatedClusters: A11_Clusters, Lcn: A12_Lcn!I64x!, ClusterCount: A13_ClusterCount!I64x!

Message #

Added range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

NameDescription
A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL UInt32
A11_Clusters Pointer
A12_Lcn HexInt64
A13_ClusterCount HexInt64

Event ID 586 — TxfCheckForLockConflict: File locked for modify transaction.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfCheckForLockConflict: File locked for modify transaction. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!,Fcb: !p!, FileRef: 0x!I64x!, TxfFcb Flags: 0x!08x!, ShareMode: 0x!08x!.

Message #

TxfCheckForLockConflict: File locked for modify transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!,Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfFcb Flags: 0x%7!08x!, ShareMode: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_TxfFcbFlags HexInt32
A17_ShareMode HexInt32

Event ID 587 — TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32

Event ID 588 — TxfCheckForLockConflict: Modification access desired.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfCheckForLockConflict: Modification access desired. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Granted Access: 0x!08x!.

Message #

TxfCheckForLockConflict: Modification access desired. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32

Event ID 589 — TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!, Reader cleanup count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32
A17_NextTxfVscbReaderCleanupCount Int32

Event ID 590 — A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_AbortR...

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_AbortReasonStatus.

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallerFunction AnsiString
A12_CallerFile AnsiString
A13_CallerLineNumber Int32
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_PVOIDTxfTrans Pointer
A17__TxfTransKtmUow GUID
A18_AbortReasonStatus HexInt32

Event ID 591 — A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_Status.

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallerFunction AnsiString
A12_CallerFile AnsiString
A13_CallerLineNumber Int32
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_PVOIDTxfTrans Pointer
A17__TxfTransKtmUow GUID
A18_Status HexInt32

Event ID 592 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 593 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 594 — A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb {A12__CalloutParametersTxfFlushTxfRmcbRmId}: Unexpected exception code of 0xA13_GetExceptionCode received.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb {A12__CalloutParametersTxfFlushTxfRmcbRmId}: Unexpected exception code of 0xA13_GetExceptionCode received.

Message #

%1: RM at 0x%2!p! {%3!S!}: Unexpected exception code of 0x%4!x! received.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDCalloutParametersTxfFlushTxfRmcb Pointer
A12__CalloutParametersTxfFlushTxfRmcbRmId GUID
A13_GetExceptionCode HexInt32

Event ID 595 — A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.

Message #

%1: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 596 — A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be initialized.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be initialized.

Message #

%1: TxfStartRm reports RM will be reset: TM could not be initialized

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 597 — A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.

Message #

%1: TxfStartRm reports RM will be reset: RM log corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 598 — A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.

Message #

%1: TxfStartRm reports RM will be reset: log version changed

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 599 — A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

Message #

%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 600 — A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

Message #

%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 601 — A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Message #

%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 602 — A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.

Message #

%1: TxfStartRm reports RM will be reset: 0x%2!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_FailureStatus HexInt32

Event ID 603 — A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is 0xA11_FailureStatus!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is 0xA11_FailureStatus!

Message #

%1: RM did not start and WILL NOT be reset, status code is 0x%2!x!!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_FailureStatus HexInt32

Event ID 604 — A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.

Message #

%1: Could not initialize IrpContext: 0x%2!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32

Event ID 605 — TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 606 — A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for default RM on VCB at 0xA12_PVOIDVcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for default RM on VCB at 0xA12_PVOIDVcb.

Message #

%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2!x! for default RM on VCB at 0x%3!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TempStatus HexInt32
A12_PVOIDVcb Pointer

Event ID 607 — A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for default RM on VCB at 0xA13_PVOIDVcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for default RM on VCB at 0xA13_PVOIDVcb.

Message #

%1: Exception code 0x%2!x!, Status 0x%3!x! for default RM on VCB at 0x%4!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_GetExceptionCode HexInt32
A12_Status HexInt32
A13_PVOIDVcb Pointer

Event ID 608 — A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT tries: 0xA13_OldStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT tries: 0xA13_OldStatus.

Message #

%1: Couldn't reset default RM on VCB at 0x%2!p! after %3!d! tries: 0x%4!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcb Pointer
A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT Int32
A13_OldStatus HexInt32

Event ID 609 — A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0xA12_PVOIDVcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0xA12_PVOIDVcb. RM will NOT be reset.

Message #

%1: Exception 0x%2!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3!p!.  RM will NOT be reset.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_GetExceptionCode HexInt32
A12_PVOIDVcb Pointer

Event ID 610 — A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at 0xA12_PVOIDTxfRmcb ({A13__TxfRmcbRmId}): 0xA14_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at 0xA12_PVOIDTxfRmcb ({A13__TxfRmcbRmId}): 0xA14_Status.

Message #

%1: %2!S! auto-restart of RM at 0x%3!p! ({%4!S!}): 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_NT_SUCCESSStatusSucceededFAILED AnsiString
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 611 — A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Message #

%1: Attempting auto-restart of RM at 0x%2!p! ({%3!S!})

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 612 — A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Message #

%1: Volume too small to start RM at 0x%2!p! ({%3!S!})

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 613 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid flags in $Tops.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid flags in $Tops.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: invalid flags in $Tops

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 614 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 615 — A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}): Explicit reset requested.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}): Explicit reset requested.

Message #

%1: Raising to reset RM at 0x%2!p! ({%3!S!}): Explicit reset requested

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 616 — TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 617 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no TXF_DATA in root.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no TXF_DATA in root.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: no TXF_DATA in root

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 618 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting levels of 0xA13_LogNestingLevel and 0xA14_DiskNestingLevel.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting levels of 0xA13_LogNestingLevel and 0xA14_DiskNestingLevel.

Message #

%1: RM at 0x%2!p! {%3!S!}: Different nesting levels of 0x%4!x! and 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_LogNestingLevel HexInt32
A14_DiskNestingLevel HexInt32

Event ID 619 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 620 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 621 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in restart area does not match {A13__ClfsRestartAreaRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in restart area does not match {A13__ClfsRestartAreaRmId}.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: RmID in restart area does not match {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13__ClfsRestartAreaRmId GUID

Event ID 622 — A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

Message #

%1: Got %2!d! from ClfsGetLogFileInformation for RM at 0x%3!p! {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status Int32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID

Event ID 623 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart LSN is before beginning of log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart LSN is before beginning of log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Restart LSN is before beginning of log.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 624 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: MinRollforwardEndLsn is beyond end of log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: MinRollforwardEndLsn is beyond end of log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: MinRollforwardEndLsn is beyond end of log.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 625 — A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started successfully.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started successfully.

Message #

%1: TxF RM at 0x%2!p! {%3!S!} started successfully.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 626 — A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to start with Status 0xA13_Status A14_AbnormalTerminationabnormaltermination.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to start with Status 0xA13_Status A14_AbnormalTerminationabnormaltermination.

Message #

%1: TxF RM at 0x%2!p! {%3!S!} failed to start with Status 0x%4!x! %5!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Status HexInt32
A14_AbnormalTerminationabnormaltermination AnsiString

Event ID 627 — A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}. Shutdown is A14_ForceDirtyShutdownDIRTYCLEAN.

Message #

%1: Shutting down %2!S! RM at 0x%3!p! {%4!S!}.  Shutdown is %5!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TxfIsDefaultRmTxfRmcbdefaultsecondary AnsiString
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_ForceDirtyShutdownDIRTYCLEAN AnsiString

Event ID 628 — A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for auto-restart.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! {%3!S!} up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 629 — TxfFlushAndInvalidateExistingStructures: File has open user handles.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, CleanupCount: !d!.

Message #

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CleanupCount: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbCleanupCount Int32

Event ID 630 — (A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - TXF_HARD_ERROR on RM at 0xA12_TxfRmcb ({A13__TxfRmcbRmId}): A14_Status).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

(A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - TXF_HARD_ERROR on RM at 0xA12_TxfRmcb ({A13__TxfRmcbRmId}): A14_Status).

Message #

(%1:%2!d!) - TXF_HARD_ERROR on RM at 0x%3!p! ({%4!S!}): %5!S!)

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_TxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 631 — A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__OldGuid GUID
A13__TxfRmcbRmId GUID

Event ID 632 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx at 0xA13_PVOIDTxfTrans {A14__TxfTransKtmUow}, Status was 0xA15_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx at 0xA13_PVOIDTxfTrans {A14__TxfTransKtmUow}, Status was 0xA15_Status.

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_PVOIDTxfTrans Pointer
A14__TxfTransKtmUow GUID
A15_Status HexInt32

Event ID 633 — A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__OldGuid GUID
A13__TxfRmcbRmId GUID

Event ID 634 — TxfFsctlStartRm: Denying access due starting default RM is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: A10_PsGetCurrentThread, Vcb: A11_RmRootFcbVcb, VolumeName: A12__RmRootFcbVcbVolumeName, VolumeLabel: A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb, RmRootFcb: A14_RmRootFcb.

Message #

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RmRootFcb: %5!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_RmRootFcbVcb Pointer
A12__RmRootFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb CountedUtf16String
A14_RmRootFcb Pointer

Event ID 635 — TxfFsctlWriteBackupInformation: Denying access due RM is active.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: A10_PsGetCurrentThread, Vcb: A11_FcbVcb, VolumeName: A12__FcbVcbVolumeName, VolumeLabel: A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb, BackupInfo flags: 0xA14_BackupInfoFlags!08x!.

Message #

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, BackupInfo flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_BackupInfoFlags HexInt32

Event ID 636 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too high of a TxF ID in log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too high of a TxF ID in log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found too high of a TxF ID in log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 637 — A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: 0xA12_PVOIDFileObject.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: 0xA12_PVOIDFileObject.

Message #

%1: Error Setting Delete Disposition: 0x%2!x!  FileObject: 0x%3!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDFileObject Pointer

Event ID 638 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a RECOVER notification for a transaction that isn't in-doubt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a RECOVER notification for a transaction that isn't in-doubt.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 639 — TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Attribute Type Code: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__CcbFullFileName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 640 — TxfSetupTransactionContextFromCcb: Invalid TxF structure.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Invalid TxF structure. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, TxfFo: %8!p!, KtmTrans: %9!p!, TxfRmcb: %10!p!, Ccb FullFileName: %11!S!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_CcbTxfFo Pointer
A18_CcbTxfFoKtmTrans Pointer
A19_ScbFcbTxfRmcb Pointer
A20_CcbFullFileNameBuffer UnicodeString

Event ID 641 — TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, FO write access: %10!d!, FO delete access: %11!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32
A19_FileObjectWriteAccess Int32
A20_FileObjectDeleteAccess Int32

Event ID 642 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising 0xA13_ExceptionCode to KTM!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising 0xA13_ExceptionCode to KTM!

Message #

%1: RM at 0x%2!p! {%3!S!} raising 0x%4!x! to KTM!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_ExceptionCode HexInt32

Event ID 643 — A10___FUNCTION__: Commit (0xA11_TransactionNotification) ofA12_TransactionAlreadyPreparedPREPAREDtx {A13__TxfTransKtmUow} on RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId} failed with 0xA16_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Commit (0xA11_TransactionNotification) ofA12_TransactionAlreadyPreparedPREPAREDtx {A13__TxfTransKtmUow} on RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId} failed with 0xA16_Status.

Message #

%1: Commit (0x%2!x!) of%3!S!tx {%4!S!} on RM at 0x%5!p! {%6!S!} failed with 0x%7!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TransactionNotification HexInt32
A12_TransactionAlreadyPreparedPREPARED AnsiString
A13__TxfTransKtmUow GUID
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_Status HexInt32

Event ID 644 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify commit).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify commit).

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify commit)

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 645 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify rollback).

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify rollback).

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify rollback)

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 646 — A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0xA11_PVOIDTransTxfRmcb {A12__TransTxfRmcbRmId}: 0xA13_FlushStatus.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0xA11_PVOIDTransTxfRmcb {A12__TransTxfRmcbRmId}: 0xA13_FlushStatus.

Message #

%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2!p! {%3!S!}: 0x%4!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTransTxfRmcb Pointer
A12__TransTxfRmcbRmId GUID
A13_FlushStatus HexInt32

Event ID 647 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort transaction at 0xA13_Trans {A14__TransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort transaction at 0xA13_Trans {A14__TransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} trying to abort transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Trans Pointer
A14__TransKtmUow GUID

Event ID 648 — A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 0xA13_CallStack2 0xA14_CallStack3 0xA15_CallStack4.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 0xA13_CallStack2 0xA14_CallStack3 0xA15_CallStack4.

Message #

%1: Aborting call stack: 0x%2!p! 0x%3!p! 0x%4!p! 0x%5!p! 0x%6!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallStack0 Pointer
A12_CallStack1 Pointer
A13_CallStack2 Pointer
A14_CallStack3 Pointer
A15_CallStack4 Pointer

Event ID 649 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_Trans {A14__TransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_Trans {A14__TransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Trans Pointer
A14__TransKtmUow GUID

Event ID 650 — A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans {A13__TransKtmUow}, RM at A14_PVOIDTxfRmcb {A15__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans {A13__TransKtmUow}, RM at A14_PVOIDTxfRmcb {A15__TxfRmcbRmId}.

Message #

%1: 0x%2!x! initializing IrpContext for tx at %3!p! {%4!S!}, RM at %5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDTrans Pointer
A13__TransKtmUow GUID
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID

Event ID 651 — A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}, Tx at 0xA14_PVOIDTrans {A15__TransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}, Tx at 0xA14_PVOIDTrans {A15__TransKtmUow}.

Message #

%1: 0x%2!x! writing log record for RM at 0x%3!p! {%4!S!}, Tx at 0x%5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_PVOIDTrans Pointer
A15__TransKtmUow GUID

Event ID 652 — A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: About to force aborts on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 653 — A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: BaseLsn is greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 654 — A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: No transactions remain on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 655 — A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 656 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting transaction at 0xA13_OldestTrans {A14__OldestTransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting transaction at 0xA13_OldestTrans {A14__OldestTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} surprise-aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_OldestTrans Pointer
A14__OldestTransKtmUow GUID

Event ID 657 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status from TxfTryAbortTransaction on Tx 0xA14_OldestTrans {A15__OldestTransKtmUow}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status from TxfTryAbortTransaction on Tx 0xA14_OldestTrans {A15__OldestTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} got 0x%4!x! from TxfTryAbortTransaction on Tx 0x%5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Status HexInt32
A14_OldestTrans Pointer
A15__OldestTransKtmUow GUID

Event ID 658 — A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Inactive RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 659 — A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log is pinned on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 660 — A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM Tx at 0xA13_PVOIDTransToDereference {A14__TransToDereferenceKtmUow}, Status was 0xA15_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM Tx at 0xA13_PVOIDTransToDereference {A14__TransToDereferenceKtmUow}, Status was 0xA15_Status.

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back KTM Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_PVOIDTransToDereference Pointer
A14__TransToDereferenceKtmUow GUID
A15_Status HexInt32

Event ID 661 — A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log pinned trying to advance RestartLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 662 — A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log pinned by doomed transaction on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 663 — A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}: 0xA14_Status.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}: 0xA14_Status.

Message #

%1: Reporting 0x%2!X! to CLFS from RM at 0x%3!p! {%4!S!}: 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PinnedStatus HexInt32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 664 — A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Done forcing aborts on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 665 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf directory is missing in pre-existing RM.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf directory is missing in pre-existing RM.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Txf directory is missing in pre-existing RM

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 666 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 667 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found non-empty $Txf but there is no log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found non-empty $Txf but there is no log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found non-empty $Txf but there is no log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 668 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $INDEX_ROOT on $Txf.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $INDEX_ROOT on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 669 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find TXF_DATA_ATTR on $Txf.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find TXF_DATA_ATTR on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 670 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found TXF_DATA_ATTR for normal file on $Txf.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found TXF_DATA_ATTR for normal file on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 671 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected a secondary RM here.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected a secondary RM here.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Expected a secondary RM here

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 672 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but $Txf is non-empty.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but $Txf is non-empty.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but $Txf is non-empty

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 673 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but there is already a log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but there is already a log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but there is already a log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 674 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is A13_IsEncrypted_TopsFcbInfoencryptedcompressed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is A13_IsEncrypted_TopsFcbInfoencryptedcompressed.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is %4!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_IsEncrypted_TopsFcbInfoencryptedcompressed AnsiString

Event ID 675 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing $STANDARD_INFORMATION.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing $STANDARD_INFORMATION.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Missing $STANDARD_INFORMATION

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 676 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find file attributes.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find file attributes.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find file attributes

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 677 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is corrupt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is corrupt.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 678 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not find unnamed data stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not find unnamed data stream.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Could not find unnamed data stream

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 679 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong version or records wrong size.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong version or records wrong size.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong version or records wrong size

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 680 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong size.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong size.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong size

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 681 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL RM ID found in $Tops and there is no log.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL RM ID found in $Tops and there is no log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 682 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in $Tops metadata doesn't match RM.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in $Tops metadata doesn't match RM.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Epoch in $Tops metadata doesn't match RM

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 683 — A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $T stream.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $T stream.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $T stream

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 684 — NtfsReadUsnJournal: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReadUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 685 — TrimUsnJournal (A10_Vcb, A11_IrpContext): Decided to trim usn journal.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (!p!, !p!): Decided to trim usn journal. FirstValidUsn !I64x!, new FirstValidUsn !I64x!, FS !I64x!, AS !I64x!, MaxSize !I64x!, DeltaSize !I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): Decided to trim usn journal.  FirstValidUsn %3!I64x!, new FirstValidUsn %4!I64x!, FS %5!I64x!, AS %6!I64x!, MaxSize %7!I64x!, DeltaSize %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_VcbFirstValidUsn HexInt64
A13_FirstValidUsn HexInt64
A14_TrackUsnJournalFileSize HexInt64
A15_TrackUsnJournalAllocationSize HexInt64
A16_TrackUsnJournalMaxSize HexInt64
A17_TrackUsnJournalDeltaAllocation HexInt64

Event ID 686 — TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till A12_FirstValidUsn1!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till A12_FirstValidUsn1!I64x!, SavedReserve A13_SavedReserved!I64x!, RequiredReserve A14_RequiredReserved!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): About to delete allocation till %3!I64x!, SavedReserve %4!I64x!, RequiredReserve %5!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_FirstValidUsn1 HexInt64
A13_SavedReserved HexInt64
A14_RequiredReserved HexInt64

Event ID 687 — TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!I64x!, FS A13_UsnJournalHeaderFileSizeQuadPart!I64x!, VDL A14_UsnJournalHeaderValidDataLengthQuadPart!I64x!, TA A15_UsnJournalTotalAllocated!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): Before trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_UsnJournalHeaderAllocationSizeQuadPart HexInt64
A13_UsnJournalHeaderFileSizeQuadPart HexInt64
A14_UsnJournalHeaderValidDataLengthQuadPart HexInt64
A15_UsnJournalTotalAllocated HexInt64

Event ID 688 — TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!I64x!, FS A13_UsnJournalHeaderFileSizeQuadPart!I64x!, VDL A14_UsnJournalHeaderValidDataLengthQuadPart!I64x!, TA A15_UsnJournalTotalAllocated!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): After trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_UsnJournalHeaderAllocationSizeQuadPart HexInt64
A13_UsnJournalHeaderFileSizeQuadPart HexInt64
A14_UsnJournalHeaderValidDataLengthQuadPart HexInt64
A15_UsnJournalTotalAllocated HexInt64

Event ID 689 — TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.

Message #

TrimUsnJournal (%1!p!, %2!p!): Mapping pairs validated

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 690 — TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.

Message #

TrimUsnJournal (%1!p!, %2!p!): Checkpointed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 691 — NtfsQueryUsnJournal: Denying access due to NULL Ccb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: !p!, TypeOfOpen: !d!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64

Event ID 692 — NtfsDeleteUsnJournal: Caller does not have manage volume access.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 693 — NtfsRestartUsnJournal: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRestartUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 694 — NtOfsCreateAttributeEx: Stream already has a open user handle.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtOfsCreateAttributeEx: Stream already has a open user handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb CleanupCount: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbCleanupCount Int32

Event ID 695 — OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Extending journal from AS A14_ScbHeaderAllocationSizeQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Extending journal from AS A14_ScbHeaderAllocationSizeQuadPart!I64x!, FS A15_ScbHeaderFileSizeQuadPart!I64x!, VDL A16_ScbHeaderValidDataLengthQuadPart!I64x!, to AS A17_NewAllocationSize!I64x!

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Extending journal from AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, to AS %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer
A14_ScbHeaderAllocationSizeQuadPart HexInt64
A15_ScbHeaderFileSizeQuadPart HexInt64
A16_ScbHeaderValidDataLengthQuadPart HexInt64
A17_NewAllocationSize HexInt64

Event ID 696 — OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Done extending journal AS A14_ScbHeaderAllocationSizeQuadPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Done extending journal AS A14_ScbHeaderAllocationSizeQuadPart!I64x!, FS A15_ScbHeaderFileSizeQuadPart!I64x!, VDL A16_ScbHeaderValidDataLengthQuadPart!I64x!, TA A17_ScbTotalAllocated!I64x!

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Done extending journal AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, TA %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer
A14_ScbHeaderAllocationSizeQuadPart HexInt64
A15_ScbHeaderFileSizeQuadPart HexInt64
A16_ScbHeaderValidDataLengthQuadPart HexInt64
A17_ScbTotalAllocated HexInt64

Event ID 697 — OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsWriteFileSizes.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsWriteFileSizes.

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsWriteFileSizes

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer

Event ID 698 — OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsSetCcFileSizesUsnBiasAware.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsSetCcFileSizesUsnBiasAware.

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer

Event ID 699 — NtOfsPostNewLength (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Status A13_IrpContextExceptionStatus before calling NtfsReadUsnJournal.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtOfsPostNewLength (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Status A13_IrpContextExceptionStatus before calling NtfsReadUsnJournal.

Message #

NtOfsPostNewLength (%1!p!,%2!p!,%3!p!): Status %4!x! before calling NtfsReadUsnJournal

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 700 — NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, Scb: A11_Scb, Vcn: 0xA12_Vcn!I64x!, Lcn: 0xA13_Lcn!I64x!, Clusters: 0xA14_ClusterCount!I64x!

Message #

NtfsIsRegionDangling: RemainingClusterCount: 0x%1!I64x!, Scb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Clusters: 0x%5!I64x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_Scb Pointer
A12_Vcn HexInt64
A13_Lcn HexInt64
A14_ClusterCount HexInt64

Event ID 701 — Vcb A10_Vcb - has *no* active PFNs.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - has *no* active PFNs.

Message #

Vcb %1!p! - has *no* active PFNs

Fields #

NameDescription
A10_Vcb Pointer

Event ID 702 — Vcb A10_Vcb - failed to query active PFNs assuming there are some.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - failed to query active PFNs assuming there are some.

Message #

Vcb %1!p! - failed to query active PFNs assuming there are some

Fields #

NameDescription
A10_Vcb Pointer

Event ID 703 — Vcb A10_Vcb - has active PFNs.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - has active PFNs.

Message #

Vcb %1!p! - has active PFNs

Fields #

NameDescription
A10_Vcb Pointer

Event ID 704 — NtfsPerformDismountOnVcb: Vcb A10_Vcb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 705 — NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Found frozen deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 706 — NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Wait for any on going trim to finish

Fields #

NameDescription
A10_Vcb Pointer

Event ID 707 — NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - No more on going trim

Fields #

NameDescription
A10_Vcb Pointer

Event ID 708 — NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsPerformDismountOnVcb: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 709 — NtfsPostVcbIsCorrupt.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPostVcbIsCorrupt(A10_IrpContext, A11_Status, A12_FileReference, A13_Fcb, A14_Source!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == A15_TopLevelExceptionStatus before NtfsSetVcbDirtyFlag.

Message #

NtfsPostVcbIsCorrupt(%1!p!, %2!x!, %3!p!, %4!p!, %5!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == %6!x! before NtfsSetVcbDirtyFlag.

Fields #

NameDescription
A10_IrpContext Pointer
A11_Status HexInt32
A12_FileReference Pointer
A13_Fcb Pointer
A14_Source HexInt64
A15_TopLevelExceptionStatus HexInt32

Event ID 710 — NtfsPostVcbIsCorrupt: Marking volume dirty.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPostVcbIsCorrupt: Marking volume dirty. Vcb A10_Vcb, WasDirty: A11_WasDirty, FileReference A12_NtfsFullSegmentNumber_BugCheckFileReference!I64x!, Source A13_Source!016I64x!

Message #

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb %1!p!, WasDirty: %2!x!, FileReference %3!I64x!, Source %4!016I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_WasDirty HexInt32
A12_NtfsFullSegmentNumber_BugCheckFileReference HexInt64
A13_Source HexInt64

Event ID 711 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_FsInformationClass HexInt32
A18_Scb Pointer

Event ID 712 — NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_FsInformationClass HexInt32
A18_Scb Pointer

Event ID 713 — Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!08x!A11_IrpSpParametersWriteByteOffsetLowPart!08x! after getting 0xA12_IrpContextTopLevelIrpContextExceptionStatus in top-level irpcontext.

Message #

Succeeding log write @ 0x%1!08x!%2!08x! after getting 0x%3!x! in top-level irpcontext

Fields #

NameDescription
A10_IrpSpParametersWriteByteOffsetHighPart HexInt32
A11_IrpSpParametersWriteByteOffsetLowPart HexInt32
A12_IrpContextTopLevelIrpContextExceptionStatus HexInt32

Event ID 714 — Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.

Message #

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=%1!p!

Fields #

NameDescription
A10_Scb Pointer

Event ID 715 — NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed.

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, RequestedRange: 0x!I64x!, AllowedRange: 0x!I64x!.

Message #

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RequestedRange: 0x%5!I64x!, AllowedRange: 0x%6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ByteRange HexInt64
A15_HIGHEST_WRITABLE_SECTOR_ON_ACTIVE_VOLUMEVcbSectorSizeInfoLogicalBytesPerSector HexInt64

Event ID 716 — Ignoring write to 0xA10_StartingVbo!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Ignoring write to 0xA10_StartingVbo!I64x!, SCB length is 0xA11_ScbHeaderValidDataLengthQuadPart!I64x! for SCB 0xA12_ptrdiff_tScb.

Message #

Ignoring write to 0x%1!I64x!, SCB length is 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

NameDescription
A10_StartingVbo HexInt64
A11_ScbHeaderValidDataLengthQuadPart HexInt64
A12_ptrdiff_tScb Pointer

Event ID 717 — Truncating write from 0xA10_ByteRange!

Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Truncating write from 0xA10_ByteRange!I64x! to 0xA11_SectorAlignedVdl!I64x! for SCB 0xA12_ptrdiff_tScb.

Message #

Truncating write from 0x%1!I64x! to 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

NameDescription
A10_ByteRange HexInt64
A11_SectorAlignedVdl HexInt64
A12_ptrdiff_tScb Pointer