Microsoft-Windows-System-Restore
4 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 8300 | Scoping started for shadowcopy SnapshotPath. | Application |
| 8301 | Scoping completed for shadowcopy \\? | Application |
| 8302 | Scoping successfully completed for shadowcopy \\? | Application |
| 8303 | Scoping unsuccessful for shadowcopy %1 with error %2. | Application |
Event ID 8300 — Scoping started for shadowcopy SnapshotPath.
Message
Fields
| Name | Description |
|---|---|
| Data | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-System-Restore
  guid: 126CDB97-D346-4894-8A34-658DA5EEA1B6
  event_source_name: ''
  event_id: 8300
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 9223653511831486465
  time_created: '2025-12-31T19:34:21.244176+00:00'
  event_record_id: 35
  correlation: {}
  execution:
    process_id: 8064
    thread_id: 8028
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: SnapshotPath
    Value: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
message: Scoping started for shadowcopy SnapshotPath.
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8301 — Scoping completed for shadowcopy \\?
Message
Fields
| Name | Description |
|---|---|
| SnapshotPath | — |
| ErrorCode | — |
| TotalDirectories | — |
| TotalFiles | — |
| FilesScoped | — |
| FilesResident | — |
| FilesCachedFirstPass | — |
| FilesMissedSecondPass | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-System-Restore
  guid: 126CDB97-D346-4894-8A34-658DA5EEA1B6
  event_source_name: ''
  event_id: 8301
  version: 0
  level: 4
  task: 0
  opcode: 2
  keywords: 9223653511831486465
  time_created: '2025-12-31T19:34:28.745120+00:00'
  event_record_id: 42
  correlation: {}
  execution:
    process_id: 8064
    thread_id: 8028
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: S-1-5-18
event_data:
  SnapshotPath: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  ErrorCode: 0
  TotalDirectories: 24336
  TotalFiles: 77119
  FilesScoped: 582
  FilesResident: 110
  FilesCachedFirstPass: 224
  FilesMissedSecondPass: 0
message: Scoping completed for shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1.
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8302 — Scoping successfully completed for shadowcopy \\?
Message
Fields
| Name | Description |
|---|---|
| SnapshotPath | — |
| ErrorCode | — |
| TotalDirectories | — |
| TotalFiles | — |
| FilesScoped | — |
| FilesResident | — |
| FilesCachedFirstPass | — |
| FilesMissedSecondPass | — |
Example Event
```yaml
system:
  provider: Microsoft-Windows-System-Restore
  guid: 126CDB97-D346-4894-8A34-658DA5EEA1B6
  event_source_name: ''
  event_id: 8302
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2025-12-31T19:34:28.745150+00:00'
  event_record_id: 43
  correlation: {}
  execution:
    process_id: 8064
    thread_id: 8028
  channel: Application
  computer: WIN11-22H2-X64
  security:
    user_id: S-1-5-18
event_data:
  SnapshotPath: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  ErrorCode: 0
  TotalDirectories: 24336
  TotalFiles: 77119
  FilesScoped: 582
  FilesResident: 110
  FilesCachedFirstPass: 224
  FilesMissedSecondPass: 0
message: Scoping successfully completed for shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1.
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8303 — Scoping unsuccessful for shadowcopy %1 with error %2.
Message
Fields
| Name | Description |
|---|---|
| SnapshotPath | — |
| ErrorCode | — |
| TotalDirectories | — |
| TotalFiles | — |
| FilesScoped | — |
| FilesResident | — |
| FilesCachedFirstPass | — |
| FilesMissedSecondPass | — |