Microsoft-Windows-ReadyBoost

29 events across 2 channels

Event ID	Title	Channel
1000	The device (DeviceName) is suitable for a ReadyBoost cache.	Operational
1002	The device (DeviceName) will not be used for a ReadyBoost cache because it is …	Operational
1003	The device (DeviceName) will not be used for a ReadyBoost cache because it does …	Operational
1004	The device (DeviceName) will not be used for a ReadyBoost cache because it has …	Operational
1005	The device (DeviceName) will not be used for a ReadyBoost cache because it has …	Operational
1006	The ReadyBoost service encountered an error during the analysis of the new …	Operational
1007	The device (DeviceName) will not be used for a ReadyBoost cache because it is …	Operational
1008	The device (DeviceName) will not be used for a ReadyBoost cache because it does …	Operational
1009	The device (DeviceName) will not be used for a ReadyBoost cache because the …	Operational
1010	A ReadyBoost cache was successfully created on the device (DeviceName) of size …	Operational
1011	Caching was enabled for device (DeviceName).	Operational
1012	The device (DeviceName) will not be used for a ReadyBoost cache because a …	Operational
1013	A ReadyBoost cache was successfully deleted on the device (DeviceName).	Operational
1014	Caching was disabled for device (DeviceName).	Operational
1015	Summary of ReadyBoot Performance.	Operational
1016	Boot plan calculation completed.	Operational
1017	A defrag.	Operational
1018	ReadyBoot disk assessment completed.	Operational
1019	The device (DeviceName) will not be used for a ReadyBoost cache because it is …	Operational
1020	The device (DeviceName) will not be used for a ReadyBoost cache because it …	Operational
1021	The device (DeviceName) will not be used for a ReadyBoost cache because it …	Operational
1022	The device (DeviceName) will not be used for a ReadyBoost cache because the …	Operational
1023	The device (DeviceName) will not be used for a ReadyBoost cache because it is …	Operational
1024		Analytic
1025	The device (DeviceName) will not be used for a ReadyBoost cache because it is a …	Operational
1026	The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.	Operational
1027	ReadyBoot has updated the system volume unique ID: VolumeUniqueId.	Operational
1028	Caching on the solid state hybrid disk (Disk number: DiskNumber) has been …	Operational
1029	A speed test was performed on the Hybrid Disk.	Operational

Event ID 1000 — The device (DeviceName) is suitable for a ReadyBoost cache.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) is suitable for a ReadyBoost cache. The random read speed is ReadRate KB/sec. The random write speed is WriteRate KB/sec.

Message #

The device (%1) is suitable for a ReadyBoost cache.  The random read speed is %3 KB/sec.  The random write speed is %4 KB/sec.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`FreeSpace` UInt32	—
`ReadRate` UInt32	—
`WriteRate` UInt32	—

Event ID 1002 — The device (DeviceName) will not be used for a ReadyBoost cache because it is not attached to a supported interface.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it is not attached to a supported interface.

Message #

The device (%1) will not be used for a ReadyBoost cache because it is not attached to a supported interface.
     For USB devices, ReadyBoost requires that the device be connected to a USB 2.0 interface.

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1003 — The device (DeviceName) will not be used for a ReadyBoost cache because it does not have enough free space.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it does not have enough free space. Free Space: IntValue MB.

Message #

The device (%1) will not be used for a ReadyBoost cache because it does not have enough free space. Free Space: %2 MB

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IntValue` UInt32	—
`SecondIntValue` UInt32	—

Event ID 1004 — The device (DeviceName) will not be used for a ReadyBoost cache because it has insufficient write performance: IORate KB/sec.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it has insufficient write performance: IORate KB/sec.

Message #

The device (%1) will not be used for a ReadyBoost cache because it has insufficient write performance: %2 KB/sec.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IORate` UInt32	—

Event ID 1005 — The device (DeviceName) will not be used for a ReadyBoost cache because it has insufficient read performance: IORate KB/sec.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it has insufficient read performance: IORate KB/sec.

Message #

The device (%1) will not be used for a ReadyBoost cache because it has insufficient read performance: %2 KB/sec.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IORate` UInt32	—

Event ID 1006 — The ReadyBoost service encountered an error during the analysis of the new device (DeviceName).

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The ReadyBoost service encountered an error during the analysis of the new device (DeviceName). Error code: ErrorCode.

Message #

The ReadyBoost service encountered an error during the analysis of the new device (%1). Error code: %2

Fields #

Name	Description
`DeviceName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 1007 — The device (DeviceName) will not be used for a ReadyBoost cache because it is not formatted with FAT, FAT32, or NTFS.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it is not formatted with FAT, FAT32, or NTFS. Current Format:%2.

Message #

The device (%1) will not be used for a ReadyBoost cache because it is not formatted with FAT, FAT32, or NTFS. Current Format:%2

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1008 — The device (DeviceName) will not be used for a ReadyBoost cache because it does not exhibit uniform performance across the device.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it does not exhibit uniform performance across the device. Size of fast region: IntValue MB.

Message #

The device (%1) will not be used for a ReadyBoost cache because it does not exhibit uniform performance across the device.  Size of fast region: %2 MB.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IntValue` UInt32	—

Event ID 1009 — The device (DeviceName) will not be used for a ReadyBoost cache because the device is too small.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because the device is too small. Size: IntValue MB. Minimum Size: SecondIntValue MB.

Message #

The device (%1) will not be used for a ReadyBoost cache because the device is too small. Size: %2 MB.  Minimum Size: %3 MB

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IntValue` UInt32	—
`SecondIntValue` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1009,
    "version": 0,
    "level": 4,
    "task": 1019,
    "opcode": 0,
    "keywords": 9223372036854792192,
    "time_created": "2023-10-25T21:22:34.627310+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 2740,
      "thread_id": 2832
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceName": "Unknown Unknown",
    "IntValue": 96,
    "SecondIntValue": 235
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1010 — A ReadyBoost cache was successfully created on the device (DeviceName) of size IntValue MB.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

A ReadyBoost cache was successfully created on the device (DeviceName) of size IntValue MB.

Message #

A ReadyBoost cache was successfully created on the device (%1) of size %2 MB.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`IntValue` UInt32	—

Event ID 1011 — Caching was enabled for device (DeviceName).

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Opcode: Info

Description

Caching was enabled for device (DeviceName).

Message #

Caching was enabled for device (%1).

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1012 — The device (DeviceName) will not be used for a ReadyBoost cache because a ReadyBoost cache already exists (on device StringLabel) and only one cache is supported at...

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Opcode: Info

Description

The device (DeviceName) will not be used for a ReadyBoost cache because a ReadyBoost cache already exists (on device StringLabel) and only one cache is supported at a given time.

Message #

The device (%1) will not be used for a ReadyBoost cache because a ReadyBoost cache already exists (on device %2) and only one cache is supported at a given time.

Fields #

Name	Description
`DeviceName` UnicodeString	—
`StringLabel` UnicodeString	—

Event ID 1013 — A ReadyBoost cache was successfully deleted on the device (DeviceName).

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

A ReadyBoost cache was successfully deleted on the device (DeviceName).

Message #

A ReadyBoost cache was successfully deleted on the device (%1).

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1014 — Caching was disabled for device (DeviceName).

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Opcode: Info

Description

Caching was disabled for device (DeviceName).

Message #

Caching was disabled for device (%1).

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1015 — Summary of ReadyBoot Performance.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoot

Description

Summary of ReadyBoot Performance.

Message #

Summary of ReadyBoot Performance:
     Io Read Count: %12
     Io Read KB: %3
     Cache Hit Count: %13
     Cache Hit KB: %4
     Cache Hit Percentage: %9
     Cache Fragmentation: %10
     Compressed Data Size KB: %5
     Raw Data Size KB: %6
     Compression Ratio: %11
     Cache Size KB: %14
     Boot Prefetch Time us: %7
     Boot Prefetch Bytes Read: %8
     Boot Timestamp (UTC): %1
     Last Boot Plan Timestamp (UTC): %2
     Last Boot Plan Timestamp (Local): %16

Fields #

Name	Description
`RB_IoReadBytes` UInt64	[Summary of ReadyBoot Performance] Io Read Bytes.
`RB_CacheHitBytes` UInt64	[Summary of ReadyBoot Performance] Cache Hit Bytes.
`RB_PrefetchBytes` UInt64	[Summary of ReadyBoot Performance] Boot Prefetch Bytes.
`RB_CacheHitPercentage` Double	[Summary of ReadyBoot Performance] Cache Hit Percentage.
`RB_IoReadCount` UInt32	[Summary of ReadyBoot Performance] Io Read Count.
`RB_CacheHitCount` UInt32	[Summary of ReadyBoot Performance] Cache Hit Count.
`RB_PrefetchReadCount` UInt32	[Summary of ReadyBoot Performance] Boot Prefetch Read Count.
`RB_PrefetchDiskTimeUs` UInt32	[Summary of ReadyBoot Performance] Boot Prefetch Time (us).
`RB_SyncPrefetchIoBytes` UInt64	[Summary of ReadyBoot Performance] Sync Prefetch IO Bytes.
`RB_SyncPrefetchIoCount` UInt32	[Summary of ReadyBoot Performance] Sync Prefetch IO Count.
`RB_SyncPhaseDurationUs` UInt32	[Summary of ReadyBoot Performance] Sync Prefetch Duration (us).
`RB_PostSyncPhasePendCount` UInt32	[Summary of ReadyBoot Performance] Post Sync Phase Pend Count.
`RB_Flags` UInt32	[Summary of ReadyBoot Performance] Flags.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1015,
    "version": 2,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854784000,
    "time_created": "2023-10-25T22:49:28.791349+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 1584,
      "thread_id": 5392
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "RB_IoReadBytes": 957741056,
    "RB_CacheHitBytes": 639155712,
    "RB_PrefetchBytes": 711483392,
    "RB_CacheHitPercentage": "86.88958156229337",
    "RB_IoReadCount": 31761,
    "RB_CacheHitCount": 27597,
    "RB_PrefetchReadCount": 17181,
    "RB_PrefetchDiskTimeUs": 28124905,
    "RB_SyncPrefetchIoBytes": 439320576,
    "RB_SyncPrefetchIoCount": 10433,
    "RB_SyncPhaseDurationUs": 9889786,
    "RB_PostSyncPhasePendCount": 0,
    "RB_Flags": 96
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1016 — Boot plan calculation completed.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoot

Description

Boot plan calculation completed.

Message #

Boot plan calculation completed.
     Boot Plan Timestamp (UTC): %1
     Valid Boot Plan Obtained: %2

Fields #

Name	Description
`BootPlanTimestamp` FILETIME	—
`ErrorCode` UInt32	Result.
`Duration (ms)` UInt16	—
`Reason` UInt8	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1016,
    "version": 1,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854784000,
    "time_created": "2023-10-26T04:18:10.972559+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 1060,
      "thread_id": 3548
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "BootPlanTimestamp": "2023-10-25T21:18:10.357218Z",
    "ErrorCode": 1104,
    "Duration (ms)": 609,
    "Reason": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1017 — A defrag.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoost

Description

A defrag. operation has completed. A boot plan will be calculated soon. Defrag. Timestamp (UTC): DeviceName.

Message #

A defrag. operation has completed.  A boot plan will be calculated soon.  Defrag. Timestamp (UTC): %1

Fields #

Name	Description
`DeviceName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1017,
    "version": 1,
    "level": 4,
    "task": 1019,
    "opcode": 0,
    "keywords": 9223372036854792192,
    "time_created": "2023-10-26T04:17:59.788230+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 1060,
      "thread_id": 1880
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeviceName": "Unknown Unknown"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1018 — ReadyBoot disk assessment completed.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoot

Description

ReadyBoot disk assessment completed.

Message #

ReadyBoot disk assessment completed.
     Disk Assessment Timestamp (UTC): %1
     Success: %2

Fields #

Name	Description
`DiskAssessmentTimestamp` FILETIME	—
`ErrorCode` UInt32	Result.
`Duration (ms)` UInt16	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1018,
    "version": 1,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854784000,
    "time_created": "2023-10-25T22:36:43.767022+00:00",
    "event_record_id": 24,
    "correlation": {},
    "execution": {
      "process_id": 1640,
      "thread_id": 3768
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DiskAssessmentTimestamp": "2023-10-25T15:36:42.388640Z",
    "ErrorCode": 0,
    "Duration (ms)": 1375
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1019 — The device (DeviceName) will not be used for a ReadyBoost cache because it is remote, read-only, virtual, or otherwise unsupported.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it is remote, read-only, virtual, or otherwise unsupported.

Message #

The device (%1) will not be used for a ReadyBoost cache because it is remote, read-only, virtual, or otherwise unsupported.

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1020 — The device (DeviceName) will not be used for a ReadyBoost cache because it contains a system volume.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it contains a system volume.

Message #

The device (%1) will not be used for a ReadyBoost cache because it contains a system volume.

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1021 — The device (DeviceName) will not be used for a ReadyBoost cache because it contains a configuration file which explicitly prohibits this.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it contains a configuration file which explicitly prohibits this.

Message #

The device (%1) will not be used for a ReadyBoost cache because it contains a configuration file which explicitly prohibits this.

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1022 — The device (DeviceName) will not be used for a ReadyBoost cache because the ReadyBoost driver is attached to its volume stack.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because the ReadyBoost driver is attached to its volume stack.

Message #

The device (%1) will not be used for a ReadyBoost cache because the ReadyBoost driver is attached to its volume stack.

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1023 — The device (DeviceName) will not be used for a ReadyBoost cache because it is mounted read-only.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it is mounted read-only.

Message #

The device (%1) will not be used for a ReadyBoost cache because it is mounted read-only.

 This is usually caused by one of the following reasons:
 * Write-protected devices/media
 * BitLocker group policy settings prohibit write access to non-encrypted removable devices

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1024 —

Provider: Microsoft-Windows-ReadyBoost
Channel: Analytic
Task: ReadyBoot

Fields #

Name	Description
`RB_HistoryCount` UInt32	—
`RB_BootPlanAge` UInt32	—
`RB_DiskAssessmentRPM` UInt32	—
`RB_Flags` UInt32	—

Event ID 1025 — The device (DeviceName) will not be used for a ReadyBoost cache because it is a VHD (virtual hard disk).

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: ReadyBoost

Description

The device (DeviceName) will not be used for a ReadyBoost cache because it is a VHD (virtual hard disk).

Message #

The device (%1) will not be used for a ReadyBoost cache because it is a VHD (virtual hard disk).

Fields #

Name	Description
`DeviceName` UnicodeString	—

Event ID 1026 — The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoot

Description

The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.

Message #

The attach state for volume %6 (Unique Id: %1) has changed.
     Old ReadyBoost State: %2
     New ReadyBoost State: %3

     Old Hybrid Drive State: %4
     New Hybrid Drive State: %5

Fields #

Name	Description
`VolumeUniqueId` UnicodeString	6 (Unique Id.
`OldRdbAttachState` UInt16	Old ReadyBoost State.
`NewRdbAttachState` UInt16	New ReadyBoost State.
`OldHbdrvAttachState` UInt16	Old Hybrid Drive State.
`NewHbdrvAttachState` UInt16	New Hybrid Drive State.
`VolumePath` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1026,
    "version": 1,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854784000,
    "time_created": "2023-10-26T04:17:59.786234+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 1060,
      "thread_id": 1880
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WIN-OQ6R0RVA4NF",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeUniqueId": "C>MKj%0735aP",
    "OldRdbAttachState": 3,
    "NewRdbAttachState": 0,
    "OldHbdrvAttachState": 0,
    "NewHbdrvAttachState": 0,
    "VolumePath": "\\DEVICE\\HARDDISKVOLUME4"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1027 — ReadyBoot has updated the system volume unique ID: VolumeUniqueId.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Level: Informational
Task: ReadyBoot

Description

ReadyBoot has updated the system volume unique ID: VolumeUniqueId.

Message #

ReadyBoot has updated the system volume unique ID: %3
 ErrorCode: %1

Fields #

Name	Description
`ErrorCode` UInt32	—
`UniqueIdLength` UInt32	—
`VolumeUniqueId` Binary	ReadyBoot has updated the system volume unique ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoost",
    "guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
    "event_source_name": "",
    "event_id": 1027,
    "version": 1,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854784000,
    "time_created": "2023-11-05T22:33:04.671740+00:00",
    "event_record_id": 32,
    "correlation": {},
    "execution": {
      "process_id": 1896,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-ReadyBoost/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ErrorCode": 0,
    "UniqueIdLength": 0,
    "VolumeUniqueId": ""
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1028 — Caching on the solid state hybrid disk (Disk number: DiskNumber) has been disabled due to insufficient device performance.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: HybridDrive

Description

Caching on the solid state hybrid disk (Disk number: DiskNumber) has been disabled due to insufficient device performance.

Message #

Caching on the solid state hybrid disk (Disk number: %1) has been disabled due to insufficient device performance.

Fields #

Name	Description
`DiskNumber` UInt32	—

Event ID 1029 — A speed test was performed on the Hybrid Disk.

Provider: Microsoft-Windows-ReadyBoost
Channel: Operational
Task: HybridDrive

Description

A speed test was performed on the Hybrid Disk.

Message #

A speed test was performed on the Hybrid Disk.
Test result: %1
ErrorCode: %7

Fields #

Name	Description
`Test_result`	—
`ErrorCode` UInt32	—
`HbdrvSpeedTestResult` UInt32	—
`DiskSeqReadKbps` UInt32	—
`DiskSeqWriteKbps` UInt32	—
`FlashSeqReadKbps` UInt32	—
`FlashSeqWriteKbps` UInt32	—
`FlashRndReadKbps` UInt32	—