Microsoft-Windows-Storsvc
3 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1001 | For internal use only. | Diagnostic |
| 1002 | For internal use only. | Diagnostic |
| 1003 | For internal use only. | Diagnostic |
Event ID 1001 — For internal use only.
#Description
For internal use only.
Message #
Fields #
| Name | Description |
|---|---|
Version UInt32 | — |
DiskNumber UInt32 | — |
VendorId AnsiString | — |
ProductId AnsiString | — |
ProductRevision AnsiString | — |
SerialNumber AnsiString | — |
ParentId UnicodeString | — |
FileSystem UnicodeString | — |
BusType UInt32 | — |
PartitionStyle UInt32 | — |
VolumeCount UInt32 | — |
ContainsRawVolumes Boolean | — |
Size UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Storsvc",
"guid": "A963A23C-0058-521D-71EC-A1CCE6173F21",
"event_source_name": "",
"event_id": 1001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T17:41:20.034286+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-7BBB-AAE09F4AD801"
},
"execution": {
"process_id": 1332,
"thread_id": 4112
},
"channel": "Microsoft-Windows-Storsvc/Diagnostic",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Version": 2,
"DiskNumber": 1,
"VendorId": "VendorCo",
"ProductId": "ProductCode",
"ProductRevision": "2.00",
"SerialNumber": "9207032533193411390",
"ParentId": "USB\\VID_FFFF&PID_5678\\9207032533193411390",
"FileSystem": "FAT32",
"BusType": 7,
"PartitionStyle": 0,
"VolumeCount": 1,
"ContainsRawVolumes": false,
"Size": 16672358400
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1002 — For internal use only.
#Description
For internal use only.
Message #
Fields #
| Name | Description |
|---|---|
Version UInt32 | — |
Epoch UInt32 | — |
DiskIndex UInt32 | — |
TotalDisks UInt32 | — |
DiskNumber UInt32 | — |
VendorId AnsiString | — |
ProductId AnsiString | — |
ProductRevision AnsiString | — |
SerialNumber AnsiString | — |
ParentId UnicodeString | — |
FileSystem UnicodeString | — |
BusType UInt32 | — |
PartitionStyle UInt32 | — |
VolumeCount UInt32 | — |
ContainsRawVolumes Boolean | — |
Size UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Storsvc",
"guid": "A963A23C-0058-521D-71EC-A1CCE6173F21",
"event_source_name": "",
"event_id": 1002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T23:34:26.042356+00:00",
"event_record_id": 1,
"correlation": {
"ActivityID": "E4DB489E-1037-0003-B784-DBE43710DA01"
},
"execution": {
"process_id": 7484,
"thread_id": 5344
},
"channel": "Microsoft-Windows-Storsvc/Diagnostic",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Version": 2,
"Epoch": 0,
"DiskIndex": 0,
"TotalDisks": 1,
"DiskNumber": 0,
"VendorId": "VMware, ",
"ProductId": "VMware Virtual S",
"ProductRevision": "1.0 ",
"SerialNumber": "",
"ParentId": "PCI\\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\\4&2509F6E&0&00A8",
"FileSystem": "NTFS",
"BusType": 10,
"PartitionStyle": 1,
"VolumeCount": 3,
"ContainsRawVolumes": false,
"Size": 134217728000
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1003 — For internal use only.
Description
For internal use only.
Message #
Fields #
| Name | Description |
|---|---|
Version UInt32 | — |
PoliciesEnabled AnsiString | — |
StorageType UInt32 | — |
DeviceIndex UInt32 | — |
Flags UInt32 | — |
VolumeStatus UInt32 | — |
TargetSizeMB UInt32 | — |
CleanedBytes AnsiString | — |
CleanupSucceeded AnsiString | — |
CleanupFailed AnsiString | — |
TotalBytes UInt64 | — |
FreeBytesBefore UInt64 | — |
FreeBytesAfter UInt64 | — |
StorageReserveBefore AnsiString | — |
StorageReserveAfter AnsiString | — |
HR Int32 | — |
HrReserveInit Int32 | — |
IsLowStorage Boolean | — |