Microsoft-Windows-System-Restore
4 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 8300 | Scoping started for shadowcopy SnapshotPath. | Application |
| 8301 | Scoping completed for shadowcopy \\? | Application |
| 8302 | Scoping successfully completed for shadowcopy \\? | Application |
| 8303 | Scoping unsuccessful for shadowcopy SnapshotPath with error ErrorCode. | Application |
Event ID 8300 — Scoping started for shadowcopy SnapshotPath.
#Description
Scoping started for shadowcopy .
Message #
Fields #
| Name | Description |
|---|---|
Data | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-System-Restore",
"guid": "126CDB97-D346-4894-8A34-658DA5EEA1B6",
"event_source_name": "",
"event_id": 8300,
"version": 0,
"level": 4,
"task": 0,
"opcode": 1,
"keywords": 9223653511831486465,
"time_created": "2025-12-31T19:34:21.244176+00:00",
"event_record_id": 35,
"correlation": {},
"execution": {
"process_id": 8064,
"thread_id": 8028
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": {
"Name": "SnapshotPath",
"Value": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
}
},
"message": "Scoping started for shadowcopy SnapshotPath."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8301 — Scoping completed for shadowcopy \\?
#Description
Scoping completed for shadowcopy .
Message #
Fields #
| Name | Description |
|---|---|
SnapshotPath UnicodeString | — |
ErrorCode HexInt32 | — |
TotalDirectories UInt64 | — |
TotalFiles UInt64 | — |
FilesScoped UInt64 | — |
FilesResident UInt64 | — |
FilesCachedFirstPass UInt64 | — |
FilesMissedSecondPass UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-System-Restore",
"guid": "126CDB97-D346-4894-8A34-658DA5EEA1B6",
"event_source_name": "",
"event_id": 8301,
"version": 0,
"level": 4,
"task": 0,
"opcode": 2,
"keywords": 9223653511831486465,
"time_created": "2025-12-31T19:34:28.745120+00:00",
"event_record_id": 42,
"correlation": {},
"execution": {
"process_id": 8064,
"thread_id": 8028
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SnapshotPath": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1",
"ErrorCode": 0,
"TotalDirectories": 24336,
"TotalFiles": 77119,
"FilesScoped": 582,
"FilesResident": 110,
"FilesCachedFirstPass": 224,
"FilesMissedSecondPass": 0
},
"message": "Scoping completed for shadowcopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8302 — Scoping successfully completed for shadowcopy \\?
#Description
Scoping successfully completed for shadowcopy .
Message #
Fields #
| Name | Description |
|---|---|
SnapshotPath UnicodeString | — |
ErrorCode HexInt32 | — |
TotalDirectories UInt64 | — |
TotalFiles UInt64 | — |
FilesScoped UInt64 | — |
FilesResident UInt64 | — |
FilesCachedFirstPass UInt64 | — |
FilesMissedSecondPass UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-System-Restore",
"guid": "126CDB97-D346-4894-8A34-658DA5EEA1B6",
"event_source_name": "",
"event_id": 8302,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2025-12-31T19:34:28.745150+00:00",
"event_record_id": 43,
"correlation": {},
"execution": {
"process_id": 8064,
"thread_id": 8028
},
"channel": "Application",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SnapshotPath": "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1",
"ErrorCode": 0,
"TotalDirectories": 24336,
"TotalFiles": 77119,
"FilesScoped": 582,
"FilesResident": 110,
"FilesCachedFirstPass": 224,
"FilesMissedSecondPass": 0
},
"message": "Scoping successfully completed for shadowcopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1."
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline