Microsoft-Windows-VHDMP
84 events across 2 channels
Event ID 1 — The VHD VhdFileName has come online (surfaced) as disk number VhdDiskNumber.
Description
The VHD VhdFileName has come online (surfaced) as disk number VhdDiskNumber.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| VhdDiskNumber | UInt32 | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 1205,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:49:36.935694+00:00",
    "event_record_id": 43,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 252
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "VhdDiskNumber": 2,
    "VirtualDisk": "0xffffb5031d1c0040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2 — The VHD VhdFileName has been removed (unsurfaced) as disk number VhdDiskNumber.
Description
The VHD VhdFileName has been removed (unsurfaced) as disk number VhdDiskNumber.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| VhdDiskNumber | UInt32 | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 1206,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.004748+00:00",
    "event_record_id": 104,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "VhdDiskNumber": 2,
    "VirtualDisk": "0xffffb5031d1c0040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3 — Failed to surface VHD VhdFileName.
Description
Failed to surface VHD VhdFileName. Error status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
| VirtualDisk | Pointer | — |
Event ID 4 — Failed to surface VHD VhdFileName.
Event ID 5 — Failed to VhdMetaOps VHD VhdFileName.
Description
Failed to VhdMetaOps VHD VhdFileName. Error status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdMetaOps | AnsiString | — |
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 6 — Operation failed on VHD VhdFileName.
Description
Operation failed on VHD VhdFileName. Operation type VhdIoType. Error status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdIoType | UInt32 | — |
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 7 — The Vhd Chain for VHD VhdFileName is corrupted.
Description
The Vhd Chain for VHD VhdFileName is corrupted. The expected LastWriteGUID ExpectedParentLastWriteGUID1 (ExpectedParentLastWriteGUID2) did not match the parent's actual LastWriteGUID (ParentLastWriteGUID).
Fields
| Name | Type | Description |
|---|---|---|
| ParentLastWriteGUID | GUID | — |
| ExpectedParentLastWriteGUID1 | GUID | — |
| ExpectedParentLastWriteGUID2 | GUID | — |
| VhdFileName | UnicodeString | — |
Event ID 8 — The change tracking file for VHD VhdFileName is corrupted and cannot be read.
Event ID 9 — The VHD file VhdFileName has been modified without updating its associated change tracking file.
Event ID 10 — Error Status occurred when attempting to update the change tracking file for VHD VhdFileName.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 11 — Surface for VHD VhdFileName is invalidated and will be removed (unsurfaced) because of a VhdIoType operation failure with status Status.
Description
Surface for VHD VhdFileName is invalidated and will be removed (unsurfaced) because of a VhdIoType operation failure with status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdIoType | UInt32 | — |
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 12 — Handle for virtual disk 'VhdFile' created successfully.
Description
Handle for virtual disk 'VhdFile' created successfully. VM ID = VmId, Type = VhdType, Version = Version, Flags = Flags, AccessMask = AccessMask, WriteDepth = WriteDepth, GetInfoOnly = GetInfoOnly, ReadOnly = ReadOnly, HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| VhdType | UInt32 | — |
| Version | UInt32 | — |
| Flags | UInt32 | — |
| AccessMask | UInt32 | Access mask reference |
| WriteDepth | UInt32 | — |
| GetInfoOnly | Boolean | — |
| ReadOnly | Boolean | — |
| HandleContext | Pointer | — |
| VirtualDisk | Pointer | — |
| FileObject | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 12,
    "version": 0,
    "level": 4,
    "task": 1201,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.006379+00:00",
    "event_record_id": 118,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "Status": 0,
    "VhdFile": "\\\\?\\C:\\Users\\Administrator\\windows.iso",
    "VmId": "00000000-0000-0000-0000-000000000000",
    "VhdType": 3,
    "Version": 1,
    "Flags": 0,
    "AccessMask": 851968,
    "WriteDepth": 1,
    "GetInfoOnly": false,
    "ReadOnly": false,
    "HandleContext": "0xffffb5031dcd2880",
    "VirtualDisk": "0xffffb5031808f040",
    "FileObject": "0xffffb5031dc4d5f0"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 13 — Failed to create handle for virtual disk 'VhdFile'.
Description
Failed to create handle for virtual disk 'VhdFile'. Status = Status, VM ID = VmId, Type = VhdType, Version = Version, Flags = Flags, AccessMask = AccessMask, WriteDepth = WriteDepth, GetInfoOnly = GetInfoOnly, ReadOnly = ReadOnly, HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| VhdType | UInt32 | — |
| Version | UInt32 | — |
| Flags | UInt32 | — |
| AccessMask | UInt32 | Access mask reference |
| WriteDepth | UInt32 | — |
| GetInfoOnly | Boolean | — |
| ReadOnly | Boolean | — |
| HandleContext | Pointer | — |
| VirtualDisk | Pointer | — |
| FileObject | Pointer | — |
Event ID 14 — Virtual disk handle closed: HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Description
Virtual disk handle closed: HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| HandleContext | Pointer | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 14,
    "version": 0,
    "level": 4,
    "task": 1202,
    "opcode": 2,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:51:06.008478+00:00",
    "event_record_id": 132,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "HandleContext": "0xffffb50315628b00",
    "VirtualDisk": "0xffffb50315a8f040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 15 — Virtual disk object created: VirtualDisk.
Description
Virtual disk object created: VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 15,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:51:06.005216+00:00",
    "event_record_id": 111,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VirtualDisk": "0xffffb5031808f040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 16 — Virtual disk object destroyed: VirtualDisk.
Description
Virtual disk object destroyed: VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-10-25T22:51:06.008477+00:00",
    "event_record_id": 131,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VirtualDisk": "0xffffb50315a8f040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 17 — Virtual disk 'VhdFileName' (no host access) has been surfaced.
Description
Virtual disk 'VhdFileName' (no host access) has been surfaced.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| VhdDiskNumber | UInt32 | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 17,
    "version": 0,
    "level": 4,
    "task": 1205,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-11T06:32:03.664902+00:00",
    "event_record_id": 121,
    "correlation": {},
    "execution": {
      "process_id": 9436,
      "thread_id": 10012
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-83-1-698845485-1245677379-4261864325-3027728797"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\localuser\\AppData\\Local\\wsl\\{4d205ef4-e2d2-4c32-b102-f7572f1907f9}\\ext4.vhdx",
    "VhdDiskNumber": 0,
    "VirtualDisk": "0xffff820343430040"
  },
  "message": ""
}
```
Event ID 18 — Virtual disk 'VhdFileName' (no host access) has been unsurfaced.
Description
Virtual disk 'VhdFileName' (no host access) has been unsurfaced.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| VhdDiskNumber | UInt32 | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 18,
    "version": 0,
    "level": 4,
    "task": 1206,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-13T20:25:37.714656+00:00",
    "event_record_id": 1797,
    "correlation": {},
    "execution": {
      "process_id": 2520,
      "thread_id": 5096
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-83-1-2656045725-1227044221-1802231738-3450451864"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\HyperV\\TestVMs\\TestDisk2_1EB37596-3822-4C9C-A783-E652A8852152.avhdx",
    "VhdDiskNumber": 0,
    "VirtualDisk": "0xffff920b9d72c040"
  },
  "message": ""
}
```
Event ID 19 — The VHD VhdFileName has come online (surfaced) as disk number VhdInstanceId.
Event ID 20 — The VHD VhdFileName has been removed (unsurfaced) as disk number VhdInstanceId.
Event ID 21 — Starting to open handle for virtual disk.
Description
Starting to open handle for virtual disk.
Fields
| Name | Type | Description |
|---|---|---|
| FileObject | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 21,
    "version": 0,
    "level": 4,
    "task": 1201,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.005179+00:00",
    "event_record_id": 110,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "FileObject": "0xffffb5031dc4d5f0"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 22 — Starting to create the handle for the file backing virtual disk 'VhdFileName'.
Description
Starting to create the handle for the file backing virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| DesiredAccess | UInt32 | Process access rights reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 1203,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.005478+00:00",
    "event_record_id": 116,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "DesiredAccess": 2148532224
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 23 — Handle for the file backing virtual disk 'VhdFileName' created successfully.
Description
Handle for the file backing virtual disk 'VhdFileName' created successfully.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 23,
    "version": 0,
    "level": 4,
    "task": 1203,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.005539+00:00",
    "event_record_id": 117,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "Status": 0
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 24 — Failed to create handle for the file backing virtual disk 'VhdFileName'.
Description
Failed to create handle for the file backing virtual disk 'VhdFileName'. Status = Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 24,
    "version": 0,
    "level": 4,
    "task": 1203,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-11T06:32:03.662183+00:00",
    "event_record_id": 116,
    "correlation": {},
    "execution": {
      "process_id": 9436,
      "thread_id": 10012
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-83-1-698845485-1245677379-4261864325-3027728797"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\localuser\\AppData\\Local\\wsl\\{4d205ef4-e2d2-4c32-b102-f7572f1907f9}\\ext4.vhdx.rct",
    "Status": 3221225524
  },
  "message": ""
}
```
Event ID 25 — Beginning to bring the VHD VhdFileName online (surface).
Description
Beginning to bring the VHD VhdFileName online (surface).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 1205,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:49:36.912522+00:00",
    "event_record_id": 42,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6856
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "VirtualDisk": "0xffffb5031d1c0040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 26 — Beginning to remove the VHD VirtualDisk (unsurface).
Description
Beginning to remove the VHD VirtualDisk (unsurface).
Fields
| Name | Type | Description |
|---|---|---|
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 26,
    "version": 0,
    "level": 4,
    "task": 1206,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:05.979830+00:00",
    "event_record_id": 103,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VirtualDisk": "0xffffb50315a8f040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 27 — Starting to close the handle for the file backing virtual disk 'VhdFileName'.
Description
Starting to close the handle for the file backing virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| DesiredAccess | UInt32 | Process access rights reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 27,
    "version": 0,
    "level": 4,
    "task": 1204,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.008290+00:00",
    "event_record_id": 129,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "DesiredAccess": 0
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 28 — Handle for the file backing virtual disk 'VhdFileName' closed successfully.
Description
Handle for the file backing virtual disk 'VhdFileName' closed successfully.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 28,
    "version": 0,
    "level": 4,
    "task": 1204,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.008317+00:00",
    "event_record_id": 130,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\Users\\Administrator\\windows.iso",
    "Status": 0
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 29 — Operation failed on VHD VhdFileName.
Description
Operation failed on VHD VhdFileName. Operation type VhdIoType. Error status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdIoType | UInt32 | — |
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 30 — Starting to close virtual disk handle: HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Description
Starting to close virtual disk handle: HandleContext = HandleContext, VirtualDisk = VirtualDisk.
Fields
| Name | Type | Description |
|---|---|---|
| HandleContext | Pointer | — |
| VirtualDisk | Pointer | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 30,
    "version": 0,
    "level": 4,
    "task": 1202,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2023-10-25T22:51:06.007100+00:00",
    "event_record_id": 126,
    "correlation": {},
    "execution": {
      "process_id": 4416,
      "thread_id": 6872
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "WinDevEval",
    "security": {
      "user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
    }
  },
  "event_data": {
    "HandleContext": "0xffffb50315628b00",
    "VirtualDisk": "0xffffb50315a8f040"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 31 — Starting to cleanup the backing store for virtual disk 'VhdFileName'.
Description
Starting to cleanup the backing store for virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 31,
    "version": 0,
    "level": 4,
    "task": 1207,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-13T20:25:37.731437+00:00",
    "event_record_id": 1832,
    "correlation": {},
    "execution": {
      "process_id": 2520,
      "thread_id": 5096
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\HyperV\\TestVMs\\TestVM2\\Virtual Machines\\9E500A9D-357D-4923-BADF-6B6B98B7A9CD.vmgs"
  },
  "message": ""
}
```
Event ID 32 — Finished cleaning up the backing store for virtual disk 'VhdFileName'.
Description
Finished cleaning up the backing store for virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 32,
    "version": 0,
    "level": 4,
    "task": 1207,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-13T20:25:37.733125+00:00",
    "event_record_id": 1835,
    "correlation": {},
    "execution": {
      "process_id": 2520,
      "thread_id": 5096
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\HyperV\\TestVMs\\TestVM2\\Virtual Machines\\9E500A9D-357D-4923-BADF-6B6B98B7A9CD.vmgs"
  },
  "message": ""
}
```
Event ID 33 — Starting to flush the backing store footer for virtual disk 'VhdFileName'.
Description
Starting to flush the backing store footer for virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 33,
    "version": 0,
    "level": 4,
    "task": 1208,
    "opcode": 1,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-13T20:25:37.731454+00:00",
    "event_record_id": 1833,
    "correlation": {},
    "execution": {
      "process_id": 2520,
      "thread_id": 5096
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\HyperV\\TestVMs\\TestVM2\\Virtual Machines\\9E500A9D-357D-4923-BADF-6B6B98B7A9CD.vmgs"
  },
  "message": ""
}
```
Event ID 34 — Finished flushing the backing store footer for virtual disk 'VhdFileName'.
Description
Finished flushing the backing store footer for virtual disk 'VhdFileName'.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFileName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 34,
    "version": 0,
    "level": 4,
    "task": 1208,
    "opcode": 2,
    "keywords": 9223372036854775809,
    "time_created": "2026-03-13T20:25:37.733110+00:00",
    "event_record_id": 1834,
    "correlation": {},
    "execution": {
      "process_id": 2520,
      "thread_id": 5096
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VhdFileName": "C:\\HyperV\\TestVMs\\TestVM2\\Virtual Machines\\9E500A9D-357D-4923-BADF-6B6B98B7A9CD.vmgs"
  },
  "message": ""
}
```
Event ID 35 — Virtual disk 'VhdFileName' (no host access) has been unsurfaced with unflushed data.
Event ID 36 — I/O cancellation (FastClose) started for file 'VhdFile'.
Description
I/O cancellation (FastClose) started for file 'VhdFile'. (VM ID: VmId).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 50 — Performing VhdMetaOps VHD for VhdFileName (target 'TargetVhdFileName').
Description
Performing VhdMetaOps VHD for VhdFileName (target 'TargetVhdFileName').
Fields
| Name | Type | Description |
|---|---|---|
| VhdMetaOps | AnsiString | — |
| VhdFileName | UnicodeString | — |
| TargetVhdFileName | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 50,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:32:00.644588+00:00",
    "event_record_id": 73,
    "correlation": {},
    "execution": {
      "process_id": 3708,
      "thread_id": 7448
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "VhdMetaOps": "Create",
    "VhdFileName": "C:\\Users\\localuser\\AppData\\Local\\Temp\\29A7892D-8743-4A3F-85E3-06FE9D7977B4\\swap.vhdx",
    "TargetVhdFileName": ""
  },
  "message": ""
}
```
Event ID 51 — Successfully performed VhdMetaOps VHD VhdFileName.
Description
Successfully performed VhdMetaOps VHD VhdFileName.
Fields
| Name | Type | Description |
|---|---|---|
| VhdMetaOps | AnsiString | — |
| VhdFileName | UnicodeString | — |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-VHDMP",
    "guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
    "event_source_name": "",
    "event_id": 51,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:32:00.672841+00:00",
    "event_record_id": 76,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 10056
    },
    "channel": "Microsoft-Windows-VHDMP-Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "VhdMetaOps": "Create",
    "VhdFileName": "C:\\Users\\localuser\\AppData\\Local\\Temp\\29A7892D-8743-4A3F-85E3-06FE9D7977B4\\swap.vhdx",
    "Status": 0
  },
  "message": ""
}
```
Event ID 100 — Vhd resiliency initiated for VhdFile (VM ID: VmId).
Description
Vhd resiliency initiated for VhdFile (VM ID: VmId). A VhdIoType IO failed with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| VhdIoType | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 101 — Vhd resiliency successfully recovered VhdFile (VM ID: VmId).
Event ID 102 — Vhd resiliency failed to recover VhdFile (VM ID: VmId) with error Status.
Description
Vhd resiliency failed to recover VhdFile (VM ID: VmId) with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 110 — Recovery initiated for VhdFile (VM ID: VmId) due to an IO failure with error Status.
Description
Recovery initiated for VhdFile (VM ID: VmId) due to an IO failure with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 111 — Recovery succeeded for VhdFile (VM ID: VmId).
Event ID 112 — Recovery failed for VhdFile (VM ID: VmId) with error Status.
Description
Recovery failed for VhdFile (VM ID: VmId) with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 113 — File VhdFile is invalidated (VM ID: VmId) from current mode Mode with error Status.
Description
File VhdFile is invalidated (VM ID: VmId) from current mode Mode with error Status. Any recovery in process will be failed and the virtual disk will be invalidated as well.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Mode | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 114 — Waiting on file (RefType) recovery for VhdFile (VM ID: VmId) due to an IO failure with error Status.
Description
Waiting on file (RefType) recovery for VhdFile (VM ID: VmId) due to an IO failure with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
| RefType | UInt32 | — |
| Mode | UInt32 | — |
| PendingRecoveryCount | UInt32 | — |
Event ID 115 — Waiting on file (RefType) recovery for VhdFile (VM ID: VmId) completed with status Status.
Description
Waiting on file (RefType) recovery for VhdFile (VM ID: VmId) completed with status Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
| RefType | UInt32 | — |
Event ID 116 — File (RefType) recovery succeeded for VhdFile (VM ID: VmId).
Event ID 117 — File (RefType) recovery failed for VhdFile (VM ID: VmId) with error Status.
Description
File (RefType) recovery failed for VhdFile (VM ID: VmId) with error Status.
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
| RefType | UInt32 | — |
| Mode | UInt32 | — |
| PendingRecoveryCount | UInt32 | — |
Event ID 118 — Failed to open file VhdFile with error Status.
Description
Failed to open file VhdFile with error Status. The file handle was previously invalidated due to a critical error. This operation will be retried periodically. (VM ID: VmId).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 119 — File VhdFile has been closed before initiating a recovery attempt.
Description
File VhdFile has been closed before initiating a recovery attempt. The file was open in mode Mode. (VM ID: VmId).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Mode | UInt32 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 120 — Recovery attempt initiated for virtual disk VhdFile (VM ID: VmId).
Description
Recovery attempt initiated for virtual disk VhdFile (VM ID: VmId).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 121 — Recovery attempt completed successfully for virtual disk VhdFile (VM ID: VmId).
Description
Recovery attempt completed successfully for virtual disk VhdFile (VM ID: VmId).
Fields
| Name | Type | Description |
|---|---|---|
| VhdFile | UnicodeString | — |
| VmId | GUID | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 122 — Recovery attempt for virtual disk VhdFile failed with status Status (VM ID: VmId).
Description
Recovery attempt for virtual disk VhdFile failed with status Status (VM ID: VmId).
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 123 — Reopening handles to file VhdFile (VM ID: VmId).
Description
Reopening handles to file VhdFile (VM ID: VmId).
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 124 — Waiting for handles to file VhdFile to be reactivated (VM ID: VmId).
Description
Waiting for handles to file VhdFile to be reactivated (VM ID: VmId).
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 125 — Recovery attempt completed for file VhdFile with status Status (VM ID: VmId).
Description
Recovery attempt completed for file VhdFile with status Status (VM ID: VmId).
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 126 — I/O failed with status Status on file VhdFile (VM ID: VmId).
Description
I/O failed with status Status on file VhdFile (VM ID: VmId).
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 208 — Change Tracking has been enabled for the VHD VhdFileName (VirtualDisk) with log file LogFileName.
Event ID 209 — Change Tracking has been disabled for the VHD VhdFileName (VirtualDisk).
Event ID 210 — Change Tracking for the VHD VirtualDisk to the log file LogFileName has been stopped due to the error Status.
Description
Change Tracking for the VHD VirtualDisk to the log file LogFileName has been stopped due to the error Status.
Message #
Fields #
| Name | Description |
|---|---|
| VirtualDisk UInt64 | — |
| LogFileName UnicodeString | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 211 — Flushing of the header of the log file LogFileName has failed due to error Status.
Description
Flushing of the header of the log file LogFileName has failed due to error Status.
Message #
Fields #
| Name | Description |
|---|---|
| LogFileName UnicodeString | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 212 — Flushing of the buffers to the log file LogFileName has failed due to error Status.
Description
Flushing of the buffers to the log file LogFileName has failed due to error Status.
Message #
Fields #
| Name | Description |
|---|---|
| LogFileName UnicodeString | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 213 — Opening the log file LogFileName for tracking has failed due to error Status.
Description
Opening the log file LogFileName for tracking has failed due to error Status.
Message #
Fields #
| Name | Description |
|---|---|
| LogFileName UnicodeString | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 214 — Offline changes are detected for VHD VhdFileName.
Description
Offline changes are detected for VHD VhdFileName. Log file: LogFileName, VHD time: VHDFileTime, Log file time: LogFileTime.
Message #
Fields #
| Name | Description |
|---|---|
| LogFileName UnicodeString | — |
| VhdFileName UnicodeString | — |
| Status UInt32 | — NTSTATUS reference |
| VHDFileTime UInt64 | — |
| LogFileTime UInt64 | — |
Event ID 215 — No configurations were found for CtLogPerfOpts; Using default [Value].
Event ID 216 — CtLogPerfOpts is set to CtLogPerfOptNoChange [Value]; No perf changes applied.
Event ID 217 — CtLogPerfOpts is set to CtLogPerfOptDisableWriteThrough [Value]; Write Through will be disabled.
Event ID 218 — CtLogPerfOpts is set to [Value]; Write Through will be disabled and Custom perf conf will be used.
Event ID 219 — CtLogPerfOpts is set to [Value]; Custom perf conf will be used.
Event ID 220 — Expected conf value for CtMinMasterBufferSize not found using default [Value].
Event ID 221 — Expected conf value for CtMaxDirtyMemThresholdPercent not found using default [Value].
Event ID 222 — Expected conf value for CtMaxFlushBufferSize not found using default [Value].
Event ID 223 — Using following values [CtLogPerfOpts, CtMinMasterBufferSize, CtMaxDirtyMemThresholdPercent, CtMaxFlushBufferSize] for CtLog.
Event ID 224 — CtLogPerfOpts is set to [Value] is not a supported value.
Event ID 300 — IO latency summary.
Description
IO latency summary.
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| IoTypeStr UnicodeString | — |
| IntervalDurationStr UnicodeString | — |
| MaxLatencyMs UInt64 | — |
| HighLatencyIoCount UInt32 | — |
| TotalIoCount UInt64 | — |
| AverageIops UInt64 | — |
| AverageLatencyNs UInt64 | — |
| AverageLatencyStr UnicodeString | — |
| LatencyBuckets UnicodeString | — |
| IoCount0 UInt64 | — |
| IoCount1 UInt64 | — |
| IoCount2 UInt64 | — |
| IoCount3 UInt64 | — |
| IoCount4 UInt64 | — |
| IoCount5 UInt64 | — |
| IoCount6 UInt64 | — |
| IoCount7 UInt64 | — |
| IoCount8 UInt64 | — |
| IoCount9 UInt64 | — |
| IoCount10 UInt64 | — |
| IoCount11 UInt64 | — |
| IoCount12 UInt64 | — |
| IoCount13 UInt64 | — |
| IoCount14 UInt64 | — |
| IoCount15 UInt64 | — |
| TotalTimeNs0 UInt64 | — |
| TotalTimeNs1 UInt64 | — |
| TotalTimeNs2 UInt64 | — |
| TotalTimeNs3 UInt64 | — |
| TotalTimeNs4 UInt64 | — |
| TotalTimeNs5 UInt64 | — |
| TotalTimeNs6 UInt64 | — |
| TotalTimeNs7 UInt64 | — |
| TotalTimeNs8 UInt64 | — |
| TotalTimeNs9 UInt64 | — |
| TotalTimeNs10 UInt64 | — |
| TotalTimeNs11 UInt64 | — |
| TotalTimeNs12 UInt64 | — |
| TotalTimeNs13 UInt64 | — |
| TotalTimeNs14 UInt64 | — |
| TotalTimeNs15 UInt64 | — |
| SnapshotId UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-VHDMP",
"guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
"event_source_name": "",
"event_id": 300,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223653511831486468,
"time_created": "2026-03-12T02:32:47.489264+00:00",
"event_record_id": 159,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7740
},
"channel": "Microsoft-Windows-VHDMP-Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VhdFile": "C:\\Users\\localuser\\AppData\\Local\\wsl\\{4d205ef4-e2d2-4c32-b102-f7572f1907f9}\\ext4.vhdx",
"IoTypeStr": "Flush",
"IntervalDurationStr": "3600 s",
"MaxLatencyMs": 30000,
"HighLatencyIoCount": 0,
"TotalIoCount": 223,
"AverageIops": 188,
"AverageLatencyNs": 5326333,
"AverageLatencyStr": "5 ms",
"LatencyBuckets": "128 µs, 256 µs, 512 µs, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 512 ms, 1 s, 5 s, 10 s, 20 s, 30 s, > 30 s",
"IoCount0": 0,
"IoCount1": 0,
"IoCount2": 0,
"IoCount3": 1,
"IoCount4": 187,
"IoCount5": 26,
"IoCount6": 3,
"IoCount7": 6,
"IoCount8": 0,
"IoCount9": 0,
"IoCount10": 0,
"IoCount11": 0,
"IoCount12": 0,
"IoCount13": 0,
"IoCount14": 0,
"IoCount15": 0,
"TotalTimeNs0": 0,
"TotalTimeNs1": 0,
"TotalTimeNs2": 0,
"TotalTimeNs3": 909300,
"TotalTimeNs4": 514097100,
"TotalTimeNs5": 134031900,
"TotalTimeNs6": 100298800,
"TotalTimeNs7": 438435300,
"TotalTimeNs8": 0,
"TotalTimeNs9": 0,
"TotalTimeNs10": 0,
"TotalTimeNs11": 0,
"TotalTimeNs12": 0,
"TotalTimeNs13": 0,
"TotalTimeNs14": 0,
"TotalTimeNs15": 0,
"SnapshotId": 471410465843
},
"message": ""
}
Event ID 301 — IO latency summary.
Description
IO latency summary.
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| IoTypeStr UnicodeString | — |
| IntervalDurationStr UnicodeString | — |
| MaxLatencyMs UInt64 | — |
| HighLatencyIoCount UInt32 | — |
| TotalIoCount UInt64 | — |
| AverageIops UInt64 | — |
| AverageLatencyNs UInt64 | — |
| AverageLatencyStr UnicodeString | — |
| LatencyBuckets UnicodeString | — |
| IoCount0 UInt64 | — |
| IoCount1 UInt64 | — |
| IoCount2 UInt64 | — |
| IoCount3 UInt64 | — |
| IoCount4 UInt64 | — |
| IoCount5 UInt64 | — |
| IoCount6 UInt64 | — |
| IoCount7 UInt64 | — |
| IoCount8 UInt64 | — |
| IoCount9 UInt64 | — |
| IoCount10 UInt64 | — |
| IoCount11 UInt64 | — |
| IoCount12 UInt64 | — |
| IoCount13 UInt64 | — |
| IoCount14 UInt64 | — |
| IoCount15 UInt64 | — |
| TotalTimeNs0 UInt64 | — |
| TotalTimeNs1 UInt64 | — |
| TotalTimeNs2 UInt64 | — |
| TotalTimeNs3 UInt64 | — |
| TotalTimeNs4 UInt64 | — |
| TotalTimeNs5 UInt64 | — |
| TotalTimeNs6 UInt64 | — |
| TotalTimeNs7 UInt64 | — |
| TotalTimeNs8 UInt64 | — |
| TotalTimeNs9 UInt64 | — |
| TotalTimeNs10 UInt64 | — |
| TotalTimeNs11 UInt64 | — |
| TotalTimeNs12 UInt64 | — |
| TotalTimeNs13 UInt64 | — |
| TotalTimeNs14 UInt64 | — |
| TotalTimeNs15 UInt64 | — |
| TotalBytes UInt64 | — |
| AverageBps UInt64 | — |
| TotalBytes0 UInt64 | — |
| TotalBytes1 UInt64 | — |
| TotalBytes2 UInt64 | — |
| TotalBytes3 UInt64 | — |
| TotalBytes4 UInt64 | — |
| TotalBytes5 UInt64 | — |
| TotalBytes6 UInt64 | — |
| TotalBytes7 UInt64 | — |
| TotalBytes8 UInt64 | — |
| TotalBytes9 UInt64 | — |
| TotalBytes10 UInt64 | — |
| TotalBytes11 UInt64 | — |
| TotalBytes12 UInt64 | — |
| TotalBytes13 UInt64 | — |
| TotalBytes14 UInt64 | — |
| TotalBytes15 UInt64 | — |
| SnapshotId UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-VHDMP",
"guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223653511831486468,
"time_created": "2026-03-12T02:32:47.489248+00:00",
"event_record_id": 158,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 7740
},
"channel": "Microsoft-Windows-VHDMP-Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VhdFile": "C:\\Users\\localuser\\AppData\\Local\\wsl\\{4d205ef4-e2d2-4c32-b102-f7572f1907f9}\\ext4.vhdx",
"IoTypeStr": "Write",
"IntervalDurationStr": "3600 s",
"MaxLatencyMs": 30000,
"HighLatencyIoCount": 0,
"TotalIoCount": 1272,
"AverageIops": 393,
"AverageLatencyNs": 2542019,
"AverageLatencyStr": "2 ms",
"LatencyBuckets": "128 µs, 256 µs, 512 µs, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 512 ms, 1 s, 5 s, 10 s, 20 s, 30 s, > 30 s",
"IoCount0": 0,
"IoCount1": 9,
"IoCount2": 526,
"IoCount3": 472,
"IoCount4": 171,
"IoCount5": 48,
"IoCount6": 46,
"IoCount7": 0,
"IoCount8": 0,
"IoCount9": 0,
"IoCount10": 0,
"IoCount11": 0,
"IoCount12": 0,
"IoCount13": 0,
"IoCount14": 0,
"IoCount15": 0,
"TotalTimeNs0": 0,
"TotalTimeNs1": 2157100,
"TotalTimeNs2": 227236100,
"TotalTimeNs3": 304852600,
"TotalTimeNs4": 253009200,
"TotalTimeNs5": 408639200,
"TotalTimeNs6": 2037554800,
"TotalTimeNs7": 0,
"TotalTimeNs8": 0,
"TotalTimeNs9": 0,
"TotalTimeNs10": 0,
"TotalTimeNs11": 0,
"TotalTimeNs12": 0,
"TotalTimeNs13": 0,
"TotalTimeNs14": 0,
"TotalTimeNs15": 0,
"TotalBytes": 154968064,
"AverageBps": 47926553,
"TotalBytes0": 0,
"TotalBytes1": 49152,
"TotalBytes2": 3325952,
"TotalBytes3": 15396864,
"TotalBytes4": 48160768,
"TotalBytes5": 39374848,
"TotalBytes6": 48660480,
"TotalBytes7": 0,
"TotalBytes8": 0,
"TotalBytes9": 0,
"TotalBytes10": 0,
"TotalBytes11": 0,
"TotalBytes12": 0,
"TotalBytes13": 0,
"TotalBytes14": 0,
"TotalBytes15": 0,
"SnapshotId": 471410465843
},
"message": ""
}
Event ID 302 — An IO took more than MaxLatencyMs ms to complete.
Event ID 303 — An IO took more than MaxLatencyMs ms to complete.
Event ID 304 — A persistent reservation IO took more than MaxLatencyMs ms to complete.
Event ID 1001 — Starting an IO.
Event ID 1002 — Completing an IO.
Event ID 1010 — A VhdSrbType VhdIoType IO to VhdFile (VM ID: VmId) failed with error Status.
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| VhdIoType UInt32 | — |
| VhdSrbType UInt32 | — |
| Offset UInt64 | — |
| Length UInt32 | — |
| Status UInt32 | — NTSTATUS reference |
Event ID 1011 — A VhdSrbType VhdIoType IO to VhdFile (VM ID: VmId) failed with error Status.
Message #
Fields #
| Name | Description |
|---|---|
| VhdFile UnicodeString | — |
| VmId GUID | — |
| VhdIoType UInt32 | — |
| VhdSrbType UInt32 | — |
| Offset UInt64 | — |
| Length UInt32 | — |
| Status UInt32 | — NTSTATUS reference |