Microsoft-Windows-StorageManagement

11 events across 2 channels

Event ID	Title	Channel
1	Message FileName(LineNumber).	Debug
2	Message ErrorCode FileName(LineNumber).	Debug
3	Message FileName(LineNumber).	Debug
4	An error has occurred during method execution.	Operational
5	An error has occurred during method execution.	Operational
6	The Windows Storage Provider host service failed to start.	Operational
7	The Windows Storage Provider host service was started successfully.	Operational
8	The Windows Storage Management WMI Provider was loaded.	Operational
9	A Windows Storage Management WMI enumeration operation was performed.	Operational
10	A Windows Storage Management WMI get instance operation was performed.	Operational
11	A Windows Storage Management WMI method operation was performed.	Operational

Event ID 1 — Message FileName(LineNumber).

Provider: Microsoft-Windows-StorageManagement
Channel: Debug

Message #

%1
%2(%3)

Fields #

Name	Description
`Message` UnicodeString	—
`FileName` AnsiString	—
`LineNumber` UInt32	—

Event ID 2 — Message ErrorCode FileName(LineNumber).

Provider: Microsoft-Windows-StorageManagement
Channel: Debug

Message #

%1 %2
%3(%4)

Fields #

Name	Description
`Message` UnicodeString	—
`ErrorCode` HexInt32	—
`FileName` AnsiString	—
`LineNumber` UInt32	—

Event ID 3 — Message FileName(LineNumber).

Provider: Microsoft-Windows-StorageManagement
Channel: Debug

Message #

%1
%2(%3)

Fields #

Name	Description
`Message` UnicodeString	—
`FileName` AnsiString	—
`LineNumber` UInt32	—

Event ID 4 — An error has occurred during method execution.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational

Description

An error has occurred during method execution.

Message #

An error has occurred during method execution.                    
Class: %1                    
Method: %2                    
Error Code: %3                    
Error Message: %4

Fields #

Name	Description
`ClassName` UnicodeString	—
`MethodName` UnicodeString	—
`ErrorCode` UInt32	—
`MessageString` UnicodeString	—

Event ID 5 — An error has occurred during method execution.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational

Description

An error has occurred during method execution.

Message #

An error has occurred during method execution.                   
Class: %1                   
Method: %2                   
Error Code: %3

Fields #

Name	Description
`ClassName` UnicodeString	—
`MethodName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 6 — The Windows Storage Provider host service failed to start.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational

Description

The Windows Storage Provider host service failed to start.

Message #

The Windows Storage Provider host service failed to start.                    
Error Code: %1                    
Operation: %2

Fields #

Name Description

ErrorCode UInt32 —

Name	Description
`ErrorCode` UInt32	—
`Operation` UnicodeString	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.

Operation UnicodeString

—

Known values

%%2456: Open key file.
%%2457: Delete key file.
%%2458: Read persisted key from file.
%%2459: Write persisted key to file.
%%2464: Export of persistent cryptographic key.
%%2465: Import of persistent cryptographic key.
%%2480: Open Key.
%%2481: Create Key.
%%2482: Delete Key.
%%2483: Encrypt.
%%2484: Decrypt.
%%2485: Sign hash.
%%2486: Secret agreement.
%%2487: Domain settings.
%%2488: Local settings.
%%2489: Add provider.
%%2490: Remove provider.
%%2491: Add context.
%%2492: Remove context.
%%2493: Add function.
%%2494: Remove function.
%%2495: Add function provider.
%%2496: Remove function provider.
%%2497: Add function property.
%%2498: Remove function property.
%%2499: Machine key.
%%2500: User key.
%%2501: Key Derivation.
%%2502: Claim Creation.
%%2503: Claim Verification.

Event ID 7 — The Windows Storage Provider host service was started successfully.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational
Level: Informational

Description

The Windows Storage Provider host service was started successfully.

Message #

The Windows Storage Provider host service was started successfully.                    
Start time (milliseconds): %1

Fields #

Name	Description
`StartTime_msecs` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-StorageManagement",
    "guid": "7E58E69A-E361-4F06-B880-AD2F4B64C944",
    "event_source_name": "",
    "event_id": 7,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:49:38.651173+00:00",
    "event_record_id": 9,
    "correlation": {
      "ActivityID": "49DBD9FB-0795-0001-68EC-DB499507DA01"
    },
    "execution": {
      "process_id": 4416,
      "thread_id": 6856
    },
    "channel": "Microsoft-Windows-StorageManagement/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "StartTime_msecs": 1297
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8 — The Windows Storage Management WMI Provider was loaded.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational
Level: Informational

Description

The Windows Storage Management WMI Provider was loaded.

Message #

The Windows Storage Management WMI Provider was loaded.                    
Load time (milliseconds): %1

Fields #

Name	Description
`LoadTime_msecs` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-StorageManagement",
    "guid": "7E58E69A-E361-4F06-B880-AD2F4B64C944",
    "event_source_name": "",
    "event_id": 8,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:51:05.956749+00:00",
    "event_record_id": 11,
    "correlation": {
      "ActivityID": "49DBD9FB-0795-0001-68EC-DB499507DA01"
    },
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-StorageManagement/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "LoadTime_msecs": 0
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 9 — A Windows Storage Management WMI enumeration operation was performed.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational
Level: Informational

Description

A Windows Storage Management WMI enumeration operation was performed.

Message #

A Windows Storage Management WMI enumeration operation was performed.                   
Class: %1                   
ResultCount: %2                   
Operation time (milliseconds): %3

Fields #

Name	Description
`ClassName` UnicodeString	—
`ResultCount` UInt32	—
`OperationTime_msecs` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-StorageManagement",
    "guid": "7E58E69A-E361-4F06-B880-AD2F4B64C944",
    "event_source_name": "",
    "event_id": 9,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:49:38.760958+00:00",
    "event_record_id": 10,
    "correlation": {
      "ActivityID": "49DBD9FB-0795-0001-68EC-DB499507DA01"
    },
    "execution": {
      "process_id": 4416,
      "thread_id": 6856
    },
    "channel": "Microsoft-Windows-StorageManagement/Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "ClassName": "MSFT_Volume",
    "ResultCount": 6,
    "OperationTime_msecs": 109
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 10 — A Windows Storage Management WMI get instance operation was performed.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational
Level: Informational

Description

A Windows Storage Management WMI get instance operation was performed.

Message #

A Windows Storage Management WMI get instance operation was performed.                   
Class: %1                   
Operation time (milliseconds): %2

Fields #

Name	Description
`ClassName` UnicodeString	—
`OperationTime_msecs` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-StorageManagement",
    "guid": "7E58E69A-E361-4F06-B880-AD2F4B64C944",
    "event_source_name": "",
    "event_id": 10,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:21:56.538886+00:00",
    "event_record_id": 34,
    "correlation": {
      "ActivityID": "81FAF879-7D33-43C8-9320-DFCB4C248FFD"
    },
    "execution": {
      "process_id": 892,
      "thread_id": 2328
    },
    "channel": "Microsoft-Windows-StorageManagement/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "ClassName": "SPACES_PhysicalDisk",
    "OperationTime_msecs": 16
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 11 — A Windows Storage Management WMI method operation was performed.

Provider: Microsoft-Windows-StorageManagement
Channel: Operational

Description

A Windows Storage Management WMI method operation was performed.

Message #

A Windows Storage Management WMI method operation was performed.                   
Class: %1                   
Method: %2                   
Operation time (milliseconds): %3

Fields #

Name	Description
`ClassName` UnicodeString	—
`MethodName` UnicodeString	—
`OperationTime_msecs` UInt32	—