Microsoft-Windows-Partition
16 events across 3 channels
| Event ID | Title | Channel |
|---|---|---|
| 1001 | Operation started. | Diagnostic |
| 1002 | Operation completed. | Diagnostic |
| 1003 | Analytic | |
| 1004 | Analytic | |
| 1005 | Analytic | |
| 1006 | For internal use only. | Diagnostic |
| 1007 | Disk DiskNumber has HiddenPartitionsCount hidden partitions. | Diagnostic |
| 1008 | Critical partition error: failed to change the layout for disk DiskNumber due to … | Diagnostic |
| 1009 | Service partition error: failed to set partition information for disk DiskNumber … | Diagnostic |
| 5000 | WakeNotificationWorkItem | Debug |
| 5001 | NotificationWorkItemLoop | Debug |
| 5002 | NotificationWorkItemExit | Debug |
| 5003 | QueryRemovalRelationsEnter | Debug |
| 5004 | QueryRemovalRelationsWait | Debug |
| 5005 | QueryRemovalRelationsExit | Debug |
| 5006 | QueryDepends | Debug |
Event ID 1001 — Operation started.
Event ID 1002 — Operation completed.
Description
Operation completed.
Message #
Fields #
| Name | Description |
|---|---|
DiskNumber UInt32 | — |
ControlCode UInt32 | — |
Status UInt32 | — NTSTATUS reference |
Event ID 1003 —
Fields #
| Name | Description |
|---|---|
Process Pointer | — |
IncrementEnergy UInt64 | — |
SrvTime UInt64 | — |
EndByteOffset UInt64 | — |
IoSize UInt32 | — |
LastIdleState UInt8 | — |
IsRandom UInt8 | — |
Event ID 1004 —
Fields #
| Name | Description |
|---|---|
Process Pointer | — |
IncrementEnergy UInt64 | — |
IdleTime UInt64 | — |
LastIdleState UInt8 | — |
Event ID 1005 —
Fields #
| Name | Description |
|---|---|
LocalLastCompTime UInt64 | — |
SharedLastCompTime UInt64 | — |
CompTime UInt64 | — |
Event ID 1006 — For internal use only.
#Description
For internal use only.
Message #
Fields #
| Name | Description |
|---|---|
DiskNumber UInt32 | — |
Flags UInt32 | — |
Characteristics UInt32 | — |
IsSystemCritical Boolean | — |
PagingCount UInt32 | — |
HibernationCount UInt32 | — |
DumpCount UInt32 | — |
BytesPerSector UInt32 | — |
Capacity UInt64 | — |
BusType UInt32 | — |
Manufacturer UnicodeString | — |
Model UnicodeString | — |
Revision UnicodeString | — |
SerialNumber UnicodeString | — |
Location UnicodeString | — |
ParentId UnicodeString | — |
Socket Int32 | — |
Slot Int32 | — |
Bus Int32 | — |
Device Int32 | — |
Function Int32 | — |
Adapter Int32 | — |
Port Int32 | — |
Target Int32 | — |
Lun Int32 | — |
IoctlSupport UInt64 | — |
IdFlags UInt32 | — |
DiskId GUID | — |
AdapterId GUID | — |
RegistryId GUID | — |
PoolId GUID | — |
FirmwareSupportsUpgrade Boolean | — |
FirmwareSlotCount UInt8 | — |
StorageIdCount UInt32 | — |
StorageIdCodeSet UInt32 | — |
StorageIdType UInt32 | — |
StorageIdAssociation UInt32 | — |
StorageIdBytes UInt32 | — |
StorageId Binary | — |
WriteCacheType UInt32 | — |
WriteCacheEnabled UInt32 | — |
WriteCacheChangeable UInt32 | — |
WriteThroughSupported UInt32 | — |
FlushCacheSupported Boolean | — |
IsPowerProtected Boolean | — |
NVCacheEnabled Boolean | — |
BytesPerLogicalSector UInt32 | — |
BytesPerPhysicalSector UInt32 | — |
BytesOffsetForSectorAlignment UInt32 | — |
IncursSeekPenalty Boolean | — |
IsTrimSupported Boolean | — |
IsThinProvisioned Boolean | — |
OptimalUnmapGranularity UInt64 | — |
UnmapAlignment UInt64 | — |
NumberOfLogicalCopies UInt32 | — |
NumberOfPhysicalCopies UInt32 | — |
FaultTolerance UInt32 | — |
NumberOfColumns UInt32 | — |
InterleaveBytes UInt32 | — |
HybridSupported Boolean | — |
HybridCacheBytes UInt64 | — |
AdapterMaximumTransferBytes UInt32 | — |
AdapterMaximumTransferPages UInt32 | — |
AdapterAlignmentMask UInt32 | — |
AdapterSerialNumber UnicodeString | — |
PortDriver UInt32 | — |
UserRemovalPolicy Boolean | — |
PartitionStyle UInt32 | — |
PartitionCount UInt32 | — |
PartitionTableBytes UInt32 | — |
PartitionTable Binary | — |
MbrBytes UInt32 | — |
Mbr Binary | — |
Vbr0Bytes UInt32 | — |
Vbr0 Binary | — |
Vbr1Bytes UInt32 | — |
Vbr1 Binary | — |
Vbr2Bytes UInt32 | — |
Vbr2 Binary | — |
Vbr3Size UInt32 | — |
Vbr3 Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Partition",
"guid": "412BDFF2-A8C4-470D-8F33-63FE0D8C20E2",
"event_source_name": "",
"event_id": 1006,
"version": 4,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:12.672631+00:00",
"event_record_id": 11,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 236
},
"channel": "Microsoft-Windows-Partition/Diagnostic",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DiskNumber": 0,
"Flags": 538976528,
"Characteristics": 262400,
"IsSystemCritical": true,
"PagingCount": 0,
"HibernationCount": 0,
"DumpCount": 0,
"BytesPerSector": 512,
"Capacity": 134217728000,
"BusType": 10,
"Manufacturer": "VMware,",
"Model": "VMware Virtual S",
"Revision": "1.0",
"SerialNumber": "NULL",
"Location": "PCI Slot 160 : Bus 3 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0",
"ParentId": "PCI\\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\\4&2509f6e&0&00A8",
"Socket": -1,
"Slot": 160,
"Bus": 3,
"Device": 0,
"Function": 0,
"Adapter": 0,
"Port": 0,
"Target": 0,
"Lun": 0,
"IoctlSupport": 59751,
"IdFlags": 2,
"DiskId": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
"AdapterId": "C831DD37-73BE-11EE-935E-806E6F6E6963",
"RegistryId": "C831DD44-73BE-11EE-935E-806E6F6E6963",
"PoolId": "00000000-0000-0000-0000-000000000000",
"FirmwareSupportsUpgrade": true,
"FirmwareSlotCount": 1,
"StorageIdCount": 0,
"StorageIdCodeSet": 0,
"StorageIdType": 0,
"StorageIdAssociation": 0,
"StorageIdBytes": 0,
"StorageId": "",
"WriteCacheType": 0,
"WriteCacheEnabled": 0,
"WriteCacheChangeable": 0,
"WriteThroughSupported": 0,
"FlushCacheSupported": false,
"IsPowerProtected": false,
"NVCacheEnabled": false,
"BytesPerLogicalSector": 512,
"BytesPerPhysicalSector": 512,
"BytesOffsetForSectorAlignment": 0,
"IncursSeekPenalty": false,
"IsTrimSupported": false,
"IsThinProvisioned": false,
"OptimalUnmapGranularity": 0,
"UnmapAlignment": 0,
"NumberOfLogicalCopies": 0,
"NumberOfPhysicalCopies": 0,
"FaultTolerance": 0,
"NumberOfColumns": 0,
"InterleaveBytes": 0,
"HybridSupported": false,
"HybridCacheBytes": 0,
"AdapterMaximumTransferBytes": 16777215,
"AdapterMaximumTransferPages": 257,
"AdapterAlignmentMask": 0,
"AdapterSerialNumber": "NULL",
"PortDriver": 1,
"UserRemovalPolicy": false,
"PartitionStyle": 1,
"PartitionCount": 4,
"PartitionTableBytes": 624,
"PartitionTable": "0100000004000000215EE82F29506742BFFD03FE966FCE0E0044000000000000007AFF3F1F0000008000000000000000010000000000000000001000000000000000C012000000000100000000000000A4BB94DED106404DA16ABFD50179D6AC0A74B2F82423DB44BBF880523FE5334B01000000000000804200610073006900630020006400610074006100200070006100720074006900740069006F006E0000000000000000009AE46A7CC1260000EA113C27FA7F0000090000000000000001000000000000000000D012000000000000400600000000020000000000000028732AC11FF8D211BA4B00A0C93EC93BB06A6BD681E41D4CA3B9CD12F12570F700000000000000804500460049002000730079007300740065006D00200070006100720074006900740069006F006E000000000000000000000000000000000000000000000000000000000000000000010000000000000000001019000000000000000800000000030000000000000016E3C9E35C0BB84D817DF92DF00215AE939D5ACC01EDF948B355D70EA2CD61CA00000000000000804D006900630072006F0073006F0066007400200072006500730065007200760065006400200070006100720074006900740069006F006E0000000000000000000000000000000000010000000000000000001021000000000000E01E1F0000000400000000000000A2A0D0EBE5B9334487C068B6B72699C7A3D297750444994FB9796233378A81BF00000000000000004200610073006900630020006400610074006100200070006100720074006900740069006F006E0000000000000000009AE46A7CC1260000EA113C27FA7F00000900000000000000",
"MbrBytes": 0,
"Mbr": "",
"Vbr0Bytes": 0,
"Vbr0": "",
"Vbr1Bytes": 0,
"Vbr1": "",
"Vbr2Bytes": 0,
"Vbr2": "",
"Vbr3Size": 0,
"Vbr3": ""
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1007 — Disk DiskNumber has HiddenPartitionsCount hidden partitions.
Event ID 1008 — Critical partition error: failed to change the layout for disk DiskNumber due to partition PartitionNumber.
Event ID 1009 — Service partition error: failed to set partition information for disk DiskNumber partition PartitionNumber.
Event ID 5000 — WakeNotificationWorkItem
Description
WakeNotificationWorkItem.
Message #
Fields #
| Name | Description |
|---|---|
DiskNumber UInt32 | — |
Flags HexInt32 | — |
Status HexInt32 | — NTSTATUS reference |
Caller AnsiString | — |
Event ID 5001 — NotificationWorkItemLoop
Event ID 5002 — NotificationWorkItemExit
Event ID 5003 — QueryRemovalRelationsEnter
Event ID 5004 — QueryRemovalRelationsWait
Description
QueryRemovalRelationsWait.
Message #
Fields #
| Name | Description |
|---|---|
DiskNumber UInt32 | — |
Irp Pointer | — |
Status HexInt32 | — NTSTATUS reference |