Microsoft-Windows-Partition
16 events across 3 channels
| Event ID | Title | Channel |
|---|---|---|
| 1001 | Operation started. | Diagnostic |
| 1002 | Operation completed. | Diagnostic |
| 1003 | | Analytic |
| 1004 | | Analytic |
| 1005 | | Analytic |
| 1006 | For internal use only. | Diagnostic |
| 1007 | Disk %1 has %2 hidden partitions. | Diagnostic |
| 1008 | Critical partition error: failed to change the layout for disk %1 due to … | Diagnostic |
| 1009 | Service partition error: failed to set partition information for disk %1 … | Diagnostic |
| 5000 | WakeNotificationWorkItem | Debug |
| 5001 | NotificationWorkItemLoop | Debug |
| 5002 | NotificationWorkItemExit | Debug |
| 5003 | QueryRemovalRelationsEnter | Debug |
| 5004 | QueryRemovalRelationsWait | Debug |
| 5005 | QueryRemovalRelationsExit | Debug |
| 5006 | QueryDepends | Debug |
Event ID 1001 — Operation started.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| ControlCode | — |
Event ID 1002 — Operation completed.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| ControlCode | — |
| Status | — |
Event ID 1003 —
Fields
| Name | Description |
|---|---|
| Process | — |
| IncrementEnergy | — |
| SrvTime | — |
| EndByteOffset | — |
| IoSize | — |
| LastIdleState | — |
| IsRandom | — |
Event ID 1004 —
Fields
| Name | Description |
|---|---|
| Process | — |
| IncrementEnergy | — |
| IdleTime | — |
| LastIdleState | — |
Event ID 1005 —
Fields
| Name | Description |
|---|---|
| LocalLastCompTime | — |
| SharedLastCompTime | — |
| CompTime | — |
Event ID 1006 — For internal use only.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Flags | — |
| Characteristics | — |
| IsSystemCritical | — |
| PagingCount | — |
| HibernationCount | — |
| DumpCount | — |
| BytesPerSector | — |
| Capacity | — |
| BusType | — |
| Manufacturer | — |
| Model | — |
| Revision | — |
| SerialNumber | — |
| Location | — |
| ParentId | — |
| Socket | — |
| Slot | — |
| Bus | — |
| Device | — |
| Function | — |
| Adapter | — |
| Port | — |
| Target | — |
| Lun | — |
| IoctlSupport | — |
| IdFlags | — |
| DiskId | — |
| AdapterId | — |
| RegistryId | — |
| PoolId | — |
| FirmwareSupportsUpgrade | — |
| FirmwareSlotCount | — |
| StorageIdCount | — |
| StorageIdCodeSet | — |
| StorageIdType | — |
| StorageIdAssociation | — |
| StorageIdBytes | — |
| StorageId | — |
| WriteCacheType | — |
| WriteCacheEnabled | — |
| WriteCacheChangeable | — |
| WriteThroughSupported | — |
| FlushCacheSupported | — |
| IsPowerProtected | — |
| NVCacheEnabled | — |
| BytesPerLogicalSector | — |
| BytesPerPhysicalSector | — |
| BytesOffsetForSectorAlignment | — |
| IncursSeekPenalty | — |
| IsTrimSupported | — |
| IsThinProvisioned | — |
| OptimalUnmapGranularity | — |
| UnmapAlignment | — |
| NumberOfLogicalCopies | — |
| NumberOfPhysicalCopies | — |
| FaultTolerance | — |
| NumberOfColumns | — |
| InterleaveBytes | — |
| HybridSupported | — |
| HybridCacheBytes | — |
| AdapterMaximumTransferBytes | — |
| AdapterMaximumTransferPages | — |
| AdapterAlignmentMask | — |
| AdapterSerialNumber | — |
| PortDriver | — |
| UserRemovalPolicy | — |
| PartitionStyle | — |
| PartitionCount | — |
| PartitionTableBytes | — |
| PartitionTable | — |
| MbrBytes | — |
| Mbr | — |
| Vbr0Bytes | — |
| Vbr0 | — |
| Vbr1Bytes | — |
| Vbr1 | — |
| Vbr2Bytes | — |
| Vbr2 | — |
| Vbr3Size | — |
| Vbr3 | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-Partition
  guid: 412BDFF2-A8C4-470D-8F33-63FE0D8C20E2
  event_source_name: ''
  event_id: 1006
  version: 4
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T06:25:12.672631+00:00'
  event_record_id: 11
  correlation: {}
  execution:
    process_id: 4
    thread_id: 236
  channel: Microsoft-Windows-Partition/Diagnostic
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  DiskNumber: 0
  Flags: 538976528
  Characteristics: 262400
  IsSystemCritical: true
  PagingCount: 0
  HibernationCount: 0
  DumpCount: 0
  BytesPerSector: 512
  Capacity: 134217728000
  BusType: 10
  Manufacturer: VMware,
  Model: VMware Virtual S
  Revision: '1.0'
  SerialNumber: 'NULL'
  Location: 'PCI Slot 160 : Bus 3 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0'
  ParentId: PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&2509f6e&0&00A8
  Socket: -1
  Slot: 160
  Bus: 3
  Device: 0
  Function: 0
  Adapter: 0
  Port: 0
  Target: 0
  Lun: 0
  IoctlSupport: 59751
  IdFlags: 2
  DiskId: 33A0A150-7C6D-11EE-9369-806E6F6E6963
  AdapterId: C831DD37-73BE-11EE-935E-806E6F6E6963
  RegistryId: C831DD44-73BE-11EE-935E-806E6F6E6963
  PoolId: 00000000-0000-0000-0000-000000000000
  FirmwareSupportsUpgrade: true
  FirmwareSlotCount: 1
  StorageIdCount: 0
  StorageIdCodeSet: 0
  StorageIdType: 0
  StorageIdAssociation: 0
  StorageIdBytes: 0
  StorageId: ''
  WriteCacheType: 0
  WriteCacheEnabled: 0
  WriteCacheChangeable: 0
  WriteThroughSupported: 0
  FlushCacheSupported: false
  IsPowerProtected: false
  NVCacheEnabled: false
  BytesPerLogicalSector: 512
  BytesPerPhysicalSector: 512
  BytesOffsetForSectorAlignment: 0
  IncursSeekPenalty: false
  IsTrimSupported: false
  IsThinProvisioned: false
  OptimalUnmapGranularity: 0
  UnmapAlignment: 0
  NumberOfLogicalCopies: 0
  NumberOfPhysicalCopies: 0
  FaultTolerance: 0
  NumberOfColumns: 0
  InterleaveBytes: 0
  HybridSupported: false
  HybridCacheBytes: 0
  AdapterMaximumTransferBytes: 16777215
  AdapterMaximumTransferPages: 257
  AdapterAlignmentMask: 0
  AdapterSerialNumber: 'NULL'
  PortDriver: 1
  UserRemovalPolicy: false
  PartitionStyle: 1
  PartitionCount: 4
  PartitionTableBytes: 624
  PartitionTable: '<value omitted>'
  MbrBytes: 0
  Mbr: ''
  Vbr0Bytes: 0
  Vbr0: ''
  Vbr1Bytes: 0
  Vbr1: ''
  Vbr2Bytes: 0
  Vbr2: ''
  Vbr3Size: 0
  Vbr3: ''
message: ''
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1007 — Disk %1 has %2 hidden partitions.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| HiddenPartitionsCount | — |
| HiddenPartitions | — |
Event ID 1008 — Critical partition error: failed to change the layout for disk %1 due to partition %2.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| PartitionNumber | — |
Event ID 1009 — Service partition error: failed to set partition information for disk %1 partition %2.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| PartitionNumber | — |
Event ID 5000 — WakeNotificationWorkItem
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Flags | — |
| Status | — |
| Caller | — |
Event ID 5001 — NotificationWorkItemLoop
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Flags | — |
| Iteration | — |
Event ID 5002 — NotificationWorkItemExit
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
Event ID 5003 — QueryRemovalRelationsEnter
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Irp | — |
Event ID 5004 — QueryRemovalRelationsWait
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Irp | — |
| Status | — |
Event ID 5005 — QueryRemovalRelationsExit
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Irp | — |
Event ID 5006 — QueryDepends
Message
Fields
| Name | Description |
|---|---|
| DiskNumber | — |
| Irp | — |