detection.wiki

Microsoft-Windows-ReadyBoostDriver

33 events across 2 channels

Event IDTitleChannel
1Analytic
2Analytic
3Analytic
4Analytic
5Analytic
6Analytic
7Analytic
8Analytic
9Analytic
10Analytic
11Analytic
12Analytic
13VirtualAddress Virtual Address: Physical_Address Physical Address: …Operational
14Analytic
15Analytic
16Analytic
17A ReadyBoost cache partially or fully failed to persist across boot.Operational
18Analytic
19Analytic
20Analytic
21Analytic
22Analytic
23Analytic
24Analytic
25Analytic
26Analytic
27Device_name Device name: FailStatus Cache path: DeviceDescription.Operational
28Analytic
29Operational
30Analytic
31Analytic
32Analytic
33Analytic

Event ID 1 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreRead
Opcode
Start

Fields #

NameDescription
ByteOffset UInt64
Irp Pointer
ByteLength UInt32
Flags UInt32
FileKey Pointer
StoreId UInt16
VolumeId UInt16

Event ID 2 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreRead
Opcode
Stop

Fields #

NameDescription
Irp Pointer
Status UInt32NTSTATUS reference

Event ID 3 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreAdd

Fields #

NameDescription
DataKey UInt64
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Event ID 4 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreRemove

Fields #

NameDescription
DataKey UInt64
DataMgr Pointer
StoreOffset UInt32

Event ID 5 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreCreate
Opcode
Info

Fields #

NameDescription
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Event ID 6 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreDelete

Fields #

NameDescription
StoreKey Pointer

Event ID 7 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreRundown
Opcode
Info

Fields #

NameDescription
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Event ID 8 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
VolumeMapRundown

Fields #

NameDescription
VolumeId UInt16
VolumeNameLength UInt16
VolumePath UnicodeString

Event ID 9 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
VolumeMapCreate

Fields #

NameDescription
VolumeId UInt16
VolumeNameLength UInt16
VolumePath UnicodeString

Event ID 10 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
VolumeMapRemove

Fields #

NameDescription
VolumeId UInt16
VolumeNameLength UInt16
VolumePath UnicodeString

Event ID 11 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreIgnoredIO

Fields #

NameDescription
Irp Pointer
Reason UInt16
Flags UInt16

Event ID 12 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
ReadyBootIO

Fields #

NameDescription
StartTime UInt64
ByteOffset UInt64
FileKey Pointer
ProcessKey Pointer
ByteLength UInt32
Flags UInt32

Event ID 13 — VirtualAddress Virtual Address: Physical_Address Physical Address: Corruption_Window_Size Corruption Window Size: DataMgr.

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Operational
Task
StoreCorruption

Message #

%5



Virtual Address: %2

Physical Address: %3

Corruption Window Size: %4

Fields #

NameDescription
Virtual_Address
Physical_Address
Corruption_Window_Size
DataMgr Pointer
VirtualAddress Pointer
PhysicalAddress UInt64
Size UInt16
FileBacked UInt8
CorruptionType UInt8
Flags UInt32

Event ID 14 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StorePageRundown

Fields #

NameDescription
DataKey UInt64
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Event ID 15 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionEvict

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 16 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionWrite

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 17 — A ReadyBoost cache partially or fully failed to persist across boot.

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Operational
Task
UnpersistFailure

Description

A ReadyBoost cache partially or fully failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Message #

A ReadyBoost cache partially or fully failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Fields #

NameDescription
FailReason UInt32
FailStatus HexInt32
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 18 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
UserActive

Fields #

NameDescription
UserActive UInt8

Event ID 19 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreIoStats

Fields #

NameDescription
StoreKey Pointer
Size UInt32
Data Binary

Event ID 20 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
GlobalStats

Fields #

NameDescription
Size UInt32
Data Binary

Event ID 21 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
StoreEmpty

Fields #

NameDescription
StoreKey Pointer
Param Pointer

Event ID 22 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionRelease

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 23 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionCompact
Opcode
Start

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 24 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionCompact
Opcode
Stop

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 25 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
RegionRundown

Fields #

NameDescription
DataMgr Pointer
RegionIndex UInt32
Status UInt32NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 26 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
WriteEvict

Fields #

NameDescription
DataKey UInt64
LengthInBytes UInt64

Event ID 27 — Device_name Device name: FailStatus Cache path: DeviceDescription.

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Operational
Task
CacheTermination

Message #

%1



Device name: %4

Cache path: %6

Fields #

NameDescription
Device_name
Cache_path
Reason UInt8
FailStatus HexInt32
DeviceDescLength UInt16
DeviceDescription UnicodeString
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 28 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
ReadyBootPeriodicStats

Fields #

NameDescription
Size UInt32
Data Binary

Event ID 29 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Operational
Opcode
Info

Fields #

NameDescription
SqmType UInt32
SqmSessionGuid GUID
SqmID UInt32
SqmStreamRowLength UInt32
SqmStreamRow Int16

Event ID 30 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
ReadyBootCacheOp

Fields #

NameDescription
Key Pointer
Operation UInt32
Known values
%%2456
Open key file.
%%2457
Delete key file.
%%2458
Read persisted key from file.
%%2459
Write persisted key to file.
%%2464
Export of persistent cryptographic key.
%%2465
Import of persistent cryptographic key.
%%2480
Open Key.
%%2481
Create Key.
%%2482
Delete Key.
%%2483
Encrypt.
%%2484
Decrypt.
%%2485
Sign hash.
%%2486
Secret agreement.
%%2487
Domain settings.
%%2488
Local settings.
%%2489
Add provider.
%%2490
Remove provider.
%%2491
Add context.
%%2492
Remove context.
%%2493
Add function.
%%2494
Remove function.
%%2495
Add function provider.
%%2496
Remove function provider.
%%2497
Add function property.
%%2498
Remove function property.
%%2499
Machine key.
%%2500
User key.
%%2501
Key Derivation.
%%2502
Claim Creation.
%%2503
Claim Verification.
Flags UInt32

Event ID 31 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
HbdrvIrpTag

Fields #

NameDescription
VolumeOffset UInt64
Length UInt32
Read UInt8
Priority UInt16
PartialBmpHit UInt8

Event ID 32 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
SyncCall
Opcode
Start

Fields #

NameDescription
Key Pointer

Event ID 33 —

Provider
Microsoft-Windows-ReadyBoostDriver
Channel
Analytic
Task
SyncCall
Opcode
Stop

Fields #

NameDescription
Key Pointer
Flags UInt32