Microsoft-Windows-Storsvc

3 events across 1 channel

Event ID	Title	Channel
1001	For internal use only.	Diagnostic
1002	For internal use only.	Diagnostic
1003	For internal use only.	Diagnostic

Event ID 1001 — For internal use only.

Provider: Microsoft-Windows-Storsvc
Channel: Diagnostic
Level: 4
Samples: 1

Message

For internal use only.

Fields

Name	Description
`Version`	—
`DiskNumber`	—
`VendorId`	—
`ProductId`	—
`ProductRevision`	—
`SerialNumber`	—
`ParentId`	—
`FileSystem`	—
`BusType`	—
`PartitionStyle`	—
`VolumeCount`	—
`ContainsRawVolumes`	—
`Size`	—

Example Event

system:
  provider: Microsoft-Windows-Storsvc
  guid: A963A23C-0058-521D-71EC-A1CCE6173F21
  event_source_name: ''
  event_id: 1001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:41:20.034286+00:00'
  event_record_id: 4
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-7BBB-AAE09F4AD801
  execution:
    process_id: 1332
    thread_id: 4112
  channel: Microsoft-Windows-Storsvc/Diagnostic
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Version: 2
  DiskNumber: 1
  VendorId: VendorCo
  ProductId: ProductCode
  ProductRevision: '2.00'
  SerialNumber: '9207032533193411390'
  ParentId: USB\VID_FFFF&PID_5678\9207032533193411390
  FileSystem: FAT32
  BusType: 7
  PartitionStyle: 0
  VolumeCount: 1
  ContainsRawVolumes: false
  Size: 16672358400
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1002 — For internal use only.

Provider: Microsoft-Windows-Storsvc
Channel: Diagnostic
Level: 4
Samples: 1

Message

For internal use only.

Fields

Name	Description
`Version`	—
`Epoch`	—
`DiskIndex`	—
`TotalDisks`	—
`DiskNumber`	—
`VendorId`	—
`ProductId`	—
`ProductRevision`	—
`SerialNumber`	—
`ParentId`	—
`FileSystem`	—
`BusType`	—
`PartitionStyle`	—
`VolumeCount`	—
`ContainsRawVolumes`	—
`Size`	—

Example Event

system:
  provider: Microsoft-Windows-Storsvc
  guid: A963A23C-0058-521D-71EC-A1CCE6173F21
  event_source_name: ''
  event_id: 1002
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:34:26.042356+00:00'
  event_record_id: 1
  correlation:
    ActivityID: E4DB489E-1037-0003-B784-DBE43710DA01
  execution:
    process_id: 7484
    thread_id: 5344
  channel: Microsoft-Windows-Storsvc/Diagnostic
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Version: 2
  Epoch: 0
  DiskIndex: 0
  TotalDisks: 1
  DiskNumber: 0
  VendorId: 'VMware, '
  ProductId: VMware Virtual S
  ProductRevision: '1.0 '
  SerialNumber: ''
  ParentId: PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&2509F6E&0&00A8
  FileSystem: NTFS
  BusType: 10
  PartitionStyle: 1
  VolumeCount: 3
  ContainsRawVolumes: false
  Size: 134217728000
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1003 — For internal use only.

Provider: Microsoft-Windows-Storsvc
Channel: Diagnostic

Message

For internal use only.

Fields

Name	Description
`Version`	—
`PoliciesEnabled`	—
`StorageType`	—
`DeviceIndex`	—
`Flags`	—
`VolumeStatus`	—
`TargetSizeMB`	—
`CleanedBytes`	—
`CleanupSucceeded`	—
`CleanupFailed`	—
`TotalBytes`	—
`FreeBytesBefore`	—
`FreeBytesAfter`	—
`StorageReserveBefore`	—
`StorageReserveAfter`	—
`HR`	—
`HrReserveInit`	—
`IsLowStorage`	—