Event ID 12 — Handle for virtual disk 'VhdFile' created successfully.
Description
Handle for virtual disk '' created successfully. VM ID = , Type = , Version = , Flags = , AccessMask = , WriteDepth = , GetInfoOnly = , ReadOnly = , HandleContext = , VirtualDisk = .
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | — NTSTATUS reference |
VhdFile UnicodeString | — |
VmId GUID | — |
VhdType UInt32 | — |
Version UInt32 | — |
Flags UInt32 | — |
AccessMask UInt32 | — Access mask reference |
WriteDepth UInt32 | — |
GetInfoOnly Boolean | — |
ReadOnly Boolean | — |
HandleContext Pointer | — |
VirtualDisk Pointer | — |
FileObject Pointer | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-VHDMP",
"guid": "E2816346-87F4-4F85-95C3-0C79409AA89D",
"event_source_name": "",
"event_id": 12,
"version": 0,
"level": 4,
"task": 1201,
"opcode": 2,
"keywords": 9223372036854775809,
"time_created": "2023-10-25T22:51:06.006379+00:00",
"event_record_id": 118,
"correlation": {},
"execution": {
"process_id": 4416,
"thread_id": 6872
},
"channel": "Microsoft-Windows-VHDMP-Operational",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
}
},
"event_data": {
"Status": 0,
"VhdFile": "\\\\?\\C:\\Users\\Administrator\\windows.iso",
"VmId": "00000000-0000-0000-0000-000000000000",
"VhdType": 3,
"Version": 1,
"Flags": 0,
"AccessMask": 851968,
"WriteDepth": 1,
"GetInfoOnly": false,
"ReadOnly": false,
"HandleContext": "0xffffb5031dcd2880",
"VirtualDisk": "0xffffb5031808f040",
"FileObject": "0xffffb5031dc4d5f0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline