Event ID 1026 — The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.
Description
The attach state for volume VolumePath (Unique Id: VolumeUniqueId) has changed.
Message #
Fields #
| Name | Description |
|---|---|
VolumeUniqueId UnicodeString | 6 (Unique Id. |
OldRdbAttachState UInt16 | Old ReadyBoost State. |
NewRdbAttachState UInt16 | New ReadyBoost State. |
OldHbdrvAttachState UInt16 | Old Hybrid Drive State. |
NewHbdrvAttachState UInt16 | New Hybrid Drive State. |
VolumePath UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-ReadyBoost",
"guid": "E6307A09-292C-497E-AAD6-498F68E2B619",
"event_source_name": "",
"event_id": 1026,
"version": 1,
"level": 4,
"task": 1016,
"opcode": 0,
"keywords": 9223372036854784000,
"time_created": "2023-10-26T04:17:59.786234+00:00",
"event_record_id": 3,
"correlation": {},
"execution": {
"process_id": 1060,
"thread_id": 1880
},
"channel": "Microsoft-Windows-ReadyBoost/Operational",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeUniqueId": "C>MKj%0735aP",
"OldRdbAttachState": 3,
"NewRdbAttachState": 0,
"OldHbdrvAttachState": 0,
"NewHbdrvAttachState": 0,
"VolumePath": "\\DEVICE\\HARDDISKVOLUME4"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline