detection.wiki
Blog

Microsoft-Windows-StorDiag

58 events across 4 channels

Event IDTitleChannel
1ClassPnP IO request completeOperational
2ClassPnP Enqueue Idle IO requestOperational
3ClassPnP Boost Idle IO requestOperational
4CopyOffload request servicing time taken by lower driver stack(s).Analytic
5Dispatching a CopyOffload read request.Diagnose
6Dispatching a CopyOffload write request.Diagnose
7Completing a CopyOffload IO (read/write) request.Diagnose
8Device returned sense data.Diagnose
201Request servicing time taken by lower driver stack(s).Analytic
202Dispatching a read request.Diagnose
203Dispatching a write request.Diagnose
204Dispatching a read request.Diagnose
205Dispatching a write request.Diagnose
206Dispatching a read request.Diagnose
207Dispatching a write request.Diagnose
208Completing an IO (read/write) request.Diagnose
209Retrying an IO (read/write) request.Diagnose
210Flush request.Diagnose
211Flush request.Diagnose
212Dispatching an IOCTL.Diagnose
213Dispatching a WMI request.Diagnose
214Completing a non-read/write request.Diagnose
215Dispatching a power request.Diagnose
216Completing a power request.Diagnose
217Dispatching a PnP request.Diagnose
218Completing a PnP request.Diagnose
219Completing a PnP enumeration request.Diagnose
220Performing a queue-related operation.Diagnose
221Dispatching a PassThrough request.Diagnose
222Upperlevel Trim request servicing time.Analytic
223Downlevel Unmap SRB request servicing time taken by lower driver stack(s)Analytic
224Report Zone LatencyDiagnose
225Reset Write Pointer LatencyDiagnose
226Completing a failed IOCTL request.Diagnose
500Completing a failed upper level read request.Operational
501Completing a failed upper level write request.Operational
502Completing a failed upper level paging read request.Operational
503Completing a failed upper level paging write request.Operational
504Completing a failed IOCTL request.Operational
505Completing a failed Read SCSI SRB requestOperational
506Completing a failed Write SCSI SRB requestOperational
507Completing a failed non-ReadWrite SCSI SRB requestOperational
508Completing a failed Non-SCSI SRB requestOperational
509Completing a failed PNP request.Operational
510Completing a failed Power request.Operational
511Completing a failed WMI requestOperational
512Get Storage Firmware InformationOperational
513Download Storage FirmwareOperational
514Activate New Storage FirmwareOperational
515Query Device TelemetryOperational
516Failed to process zone command asynchronouslyOperational
517Read capacity failed with SMR deviceOperational
518Zone count mismatchOperational
519Retrieve zone information failedOperational
520Query Command Duration Limit support and its Mode PageOperational
521Query Command Duration Limit Mode Page failedOperational
522Set Command Duration Limit Mode Page failedOperational
523Read capacity failedOperational

Event ID 1 — ClassPnP IO request complete

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

ClassPnP IO request complete

Fields

NameDescription
RequestProcessTime
OriginalIrp
Irp
MajorFunction
RequestType
SrbStatus
DeviceNumber

Event ID 2 — ClassPnP Enqueue Idle IO request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

ClassPnP Enqueue Idle IO request

Fields

NameDescription
Irp
CurrentIOCount
ActiveIOCount
DeviceNumber

Event ID 3 — ClassPnP Boost Idle IO request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

ClassPnP Boost Idle IO request

Fields

NameDescription
Irp
Thread
CurrentIOCount
ActiveIOCount
DeviceNumber

Event ID 4 — CopyOffload request servicing time taken by lower driver stack(s).

Provider
Microsoft-Windows-StorDiag
Channel
Analytic

Message

CopyOffload request servicing time taken by lower driver stack(s).

Fields

NameDescription
DeviceNumber
RequestDurationin100ns
Irp
Command
ServiceAction
SrbStatus
OriginalIrp

Event ID 5 — Dispatching a CopyOffload read request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a CopyOffload read request.

Fields

NameDescription
DeviceNumber
Irp
IsWrite
FirstStartingLBA
LengthOfTransferinbytes

Event ID 6 — Dispatching a CopyOffload write request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a CopyOffload write request.

Fields

NameDescription
DeviceNumber
Irp
IsWrite
FirstStartingLBA
LengthOfTransferinbytes

Event ID 7 — Completing a CopyOffload IO (read/write) request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a CopyOffload IO (read/write) request.

Fields

NameDescription
DeviceNumber
Irp
TransferredLength
Flags
NTStatus

Event ID 8 — Device returned sense data.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Device returned sense data.

Fields

NameDescription
DeviceNumber
SenseKey
AddSense
AddSenseQ
CurrentRetryCount

Event ID 201 — Request servicing time taken by lower driver stack(s).

Provider
Microsoft-Windows-StorDiag
Channel
Analytic

Message

Request servicing time taken by lower driver stack(s).

Fields

NameDescription
DeviceNumber
RequestDurationin100ns
Irp
Command
SrbStatus
OriginalIrp

Event ID 202 — Dispatching a read request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a read request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 203 — Dispatching a write request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a write request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 204 — Dispatching a read request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a read request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 205 — Dispatching a write request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a write request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 206 — Dispatching a read request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a read request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 207 — Dispatching a write request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a write request.

Fields

NameDescription
DeviceNumber
Irp
Command
LengthOfTransferinbytes
LBA
OriginalIrp
NvCachePriority

Event ID 208 — Completing an IO (read/write) request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing an IO (read/write) request.

Fields

NameDescription
DeviceNumber
Irp
NTStatus
SrbStatus
ScsiStatus
SenseKey
AddSense
AddSenseQ
OriginalIrp
NumberOfTimesRetried

Event ID 209 — Retrying an IO (read/write) request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Retrying an IO (read/write) request.

Fields

NameDescription
DeviceNumber
Irp
CurrentRetryCount
NTStatus
SrbStatus
ScsiStatus
SenseKey
AddSense
AddSenseQ

Event ID 210 — Flush request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Flush request.

Fields

NameDescription
DeviceNumber
Irp
Bus
Target
LUN

Event ID 211 — Flush request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Flush request.

Fields

NameDescription
DeviceNumber
Irp
NTStatus
SrbStatus
ScsiStatus
SenseKey
AddSense
AddSenseQ
OriginalIrp

Event ID 212 — Dispatching an IOCTL.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching an IOCTL.

Fields

NameDescription
DeviceNumber
Irp
MajorFunction
MinorFunction
Parameter

Event ID 213 — Dispatching a WMI request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a WMI request.

Fields

NameDescription
DeviceNumber
Irp
MajorFunction
MinorFunction
Parameter

Event ID 214 — Completing a non-read/write request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a non-read/write request.

Fields

NameDescription
DeviceNumber
Irp
Status

Event ID 215 — Dispatching a power request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a power request.

Fields

NameDescription
DeviceNumber
Irp
MinorFunction
Type
OldState
NewState
Action
PowerStateContext

Event ID 216 — Completing a power request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a power request.

Fields

NameDescription
DeviceNumber
Irp
Status

Event ID 217 — Dispatching a PnP request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a PnP request.

Fields

NameDescription
DeviceNumber
Irp
MinorFunction
Type
DeviceObject

Event ID 218 — Completing a PnP request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a PnP request.

Fields

NameDescription
DeviceNumber
Irp
Status

Event ID 219 — Completing a PnP enumeration request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a PnP enumeration request.

Fields

NameDescription
DeviceNumber
Irp
NumberOfChildren
Status

Event ID 220 — Performing a queue-related operation.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Performing a queue-related operation.

Fields

NameDescription
DeviceNumber
QueueTag
Operation
Status

Event ID 221 — Dispatching a PassThrough request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Dispatching a PassThrough request.

Fields

NameDescription
DeviceNumber
Irp
MajorFunction
MinorFunction
Parameter

Event ID 222 — Upperlevel Trim request servicing time.

Provider
Microsoft-Windows-StorDiag
Channel
Analytic

Message

Upperlevel Trim request servicing time.

Fields

NameDescription
DeviceGUID
DeviceNumber
RequestDurationin100ns
UpperLevelIrp
IrpStatus
DsmFlags
DataSetRangesCount
DataSetRanges

Event ID 223 — Downlevel Unmap SRB request servicing time taken by lower driver stack(s)

Provider
Microsoft-Windows-StorDiag
Channel
Analytic

Message

Downlevel Unmap SRB request servicing time taken by lower driver stack(s)

Fields

NameDescription
DeviceGUID
DeviceNumber
RequestDurationin100ns
OriginalIrp
SrbStatus
SrbFlags
MaxAllowedLbaCount
MaxAllowedBlockDescriptorCount
LbaSizeinBytes
Srb_BlockDescriptorCount
Srb_BlockDescriptors

Event ID 224 — Report Zone Latency

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Report Zone Latency

Fields

NameDescription
DeviceNumber
RequestDurationin100ns
UpperLevelIrp
IrpStatus
IsPartial
StartingOffset
BufferSize

Event ID 225 — Reset Write Pointer Latency

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Reset Write Pointer Latency

Fields

NameDescription
DeviceNumber
RequestDurationin100ns
UpperLevelIrp
IrpStatus
ResetAll
StartingOffset

Event ID 226 — Completing a failed IOCTL request.

Provider
Microsoft-Windows-StorDiag
Channel
Diagnose

Message

Completing a failed IOCTL request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
IoctlControlCode

Event ID 500 — Completing a failed upper level read request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed upper level read request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
LBA
TransferByteCount
NvCachePriority
PagingPriority

Event ID 501 — Completing a failed upper level write request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed upper level write request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
LBA
TransferByteCount
NvCachePriority
PagingPriority

Event ID 502 — Completing a failed upper level paging read request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed upper level paging read request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
LBA
TransferByteCount
NvCachePriority
PagingPriority

Event ID 503 — Completing a failed upper level paging write request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed upper level paging write request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
LBA
TransferByteCount
NvCachePriority
PagingPriority

Event ID 504 — Completing a failed IOCTL request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed IOCTL request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
IoctlControlCode

Event ID 505 — Completing a failed Read SCSI SRB request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed Read SCSI SRB request

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DownLevelIrpStatus
SrbStatus
ScsiStatus
SenseKey
AdditionalSenseCode
AdditionalSenseCodeQualifier
CdbByteCount
CdbBytes
NumberOfRetriesDone

Event ID 506 — Completing a failed Write SCSI SRB request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed Write SCSI SRB request

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DownLevelIrpStatus
SrbStatus
ScsiStatus
SenseKey
AdditionalSenseCode
AdditionalSenseCodeQualifier
CdbByteCount
CdbBytes
NumberOfRetriesDone

Event ID 507 — Completing a failed non-ReadWrite SCSI SRB request

Provider
Microsoft-Windows-StorDiag
Channel
Operational
Level
2
Samples
1

Message

Completing a failed non-ReadWrite SCSI SRB request

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DownLevelIrpStatus
SrbStatus
ScsiStatus
SenseKey
AdditionalSenseCode
AdditionalSenseCodeQualifier
CdbByteCount
CdbBytes
NumberOfRetriesDone

Example Event

system:
  provider: Microsoft-Windows-StorDiag
  guid: F5D05B38-80A6-4653-825D-C414E4AB3C68
  event_source_name: ''
  event_id: 507
  version: 1
  level: 2
  task: 200
  opcode: 101
  keywords: 576460752437641216
  time_created: '2022-04-07T17:41:19.261973+00:00'
  event_record_id: 10
  correlation:
    ActivityID: 00000000-0000-0000-0000-000000000001
  execution:
    process_id: 4
    thread_id: 32
  channel: Microsoft-Windows-Storage-ClassPnP/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  DeviceGUID: E9A1B7AB-024C-F6F4-5089-48CC840C29D0
  DeviceNumber: 1
  Vendor: VendorCo
  Model: ProductCode
  FirmwareVersion: '2.00'
  SerialNumber: '9207032533193411390'
  DownLevelIrpStatus: '0xc000000d'
  SrbStatus: 132
  ScsiStatus: 2
  SenseKey: 5
  AdditionalSenseCode: 32
  AdditionalSenseCodeQualifier: 0
  CdbByteCount: 16
  CdbBytes: 9E100000000000000000000000200000
  NumberOfRetriesDone: 0
message: ''

References

Event ID 508 — Completing a failed Non-SCSI SRB request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed Non-SCSI SRB request

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DownLevelIrpStatus
SrbStatus
SrbFunction
SrbFlags
NumberOfRetriesDone

Event ID 509 — Completing a failed PNP request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed PNP request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
IrpMinorFunction
PnPType
PnPUsageInPath
CurrentPnpState
PreviousPnpState
PagingPathUsageCount
HibernationPathUsageCount
DumpPathUsageCount

Event ID 510 — Completing a failed Power request.

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed Power request.

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
IrpMinorFunction
PowerSystemContext
PowerStateType
PowerState
PowerShutdownType
CurrentPowerState
ContextPowerChangeState

Event ID 511 — Completing a failed WMI request

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Completing a failed WMI request

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
IrpStatus
IrpMinorFunction
WmiDataBlockGUID
WmiProviderId

Event ID 512 — Get Storage Firmware Information

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Get Storage Firmware Information

Fields

NameDescription
DeviceGUID
Status
InputBufferLength
OutputBufferLength
DeviceNumber
PortDriverCodeSet
FirmwareGetInfoSupport
QueryFlag

Event ID 513 — Download Storage Firmware

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Download Storage Firmware

Fields

NameDescription
DeviceGUID
Status
InputBufferLength
DeviceNumber
PortDriverCodeSet
FirmwareGetInfoSupport
HWFirmwareSupportUpgrade
ImagePayloadAlignment
SlotCount
SlotIndex
FWImageVersion
FWSize
FWSlot
FWImageBufferSize
Flags
FWImageOffset

Event ID 514 — Activate New Storage Firmware

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Activate New Storage Firmware

Fields

NameDescription
DeviceGUID
Status
InputBufferLength
DeviceNumber
PortDriverCodeSet
FirmwareGetInfoSupport
HWFirmwareSupportUpgrade
SlotCount
SlotIndex
FWImageVersion
FWSize
FWSlot
Flags

Event ID 515 — Query Device Telemetry

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Query Device Telemetry

Fields

NameDescription
DeviceGUID
DeviceNumber
T10VendorIdLength
T10VendorId
DataSet1Length
DataSet2Length
DataSet3Length
DataSet4Length
DataVersion
ReasonIdentifierLength
ReasonIdentifier

Event ID 516 — Failed to process zone command asynchronously

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Failed to process zone command asynchronously

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DsmAction

Event ID 517 — Read capacity failed with SMR device

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Read capacity failed with SMR device

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DefaultValueUsed
BytesPerSector
SectorShift
NTStatus

Event ID 518 — Zone count mismatch

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Zone count mismatch

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
ActualZoneCount
DeviceZoneCount
ZoneGroupCount
BytesPerSector

Event ID 519 — Retrieve zone information failed

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Retrieve zone information failed

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
NTStatus
BytesPerSector

Event ID 520 — Query Command Duration Limit support and its Mode Page

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Query Command Duration Limit support and its Mode Page

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
NTStatus
CommandOpCode
T2CDLPage
CDLPage

Event ID 521 — Query Command Duration Limit Mode Page failed

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Query Command Duration Limit Mode Page failed

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
NTStatus
CDLSupported
PageSavable
T2CDLPage
CDLPage

Event ID 522 — Set Command Duration Limit Mode Page failed

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Set Command Duration Limit Mode Page failed

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
NTStatus
CDLSupported
PageSavable
T2CDLPage
CDLPage

Event ID 523 — Read capacity failed

Provider
Microsoft-Windows-StorDiag
Channel
Operational

Message

Read capacity failed

Fields

NameDescription
DeviceGUID
DeviceNumber
Vendor
Model
FirmwareVersion
SerialNumber
DefaultValueUsed
BytesPerSector
SectorShift
NTStatus