Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Fields

Message

The volume snapshot driver has begun processing for volume online.

Volume GUID: %1

Guidance:
When a volume is brought online the volume snapshot driver scans for any persistent snapshots that may be on the volume.

You should expect this event when a volume is brought online.  No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-VolumeSnapshot-Driver
  guid: 67FE2216-727A-40CB-94B2-C02211EDB34A
  event_source_name: ''
  event_id: 100
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:13.425270+00:00'
  event_record_id: 87
  correlation: {}
  execution:
    process_id: 4
    thread_id: 228
  channel: Microsoft-Windows-VolumeSnapshot-Driver/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TargetVolumeGuid: 7597D2A3-4404-4F99-B979-6233378A81BF
  SourceFile: '0x1'
  SourceLine: 39024
  SourceTag: 124
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The volume snapshot driver has completed processing for volume online.

Volume GUID: %1

Guidance:
The volume snapshot driver was able to scan for any persistent snapshots on this volume.

You should expect this event when a volume is brought online.  No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-VolumeSnapshot-Driver
  guid: 67FE2216-727A-40CB-94B2-C02211EDB34A
  event_source_name: ''
  event_id: 101
  version: 0
  level: 4
  task: 0
  opcode: 2
  keywords: 4611686018427387904
  time_created: '2023-11-06T06:25:13.433430+00:00'
  event_record_id: 88
  correlation: {}
  execution:
    process_id: 4
    thread_id: 228
  channel: Microsoft-Windows-VolumeSnapshot-Driver/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TargetVolumeGuid: 7597D2A3-4404-4F99-B979-6233378A81BF
  SourceFile: '0x1'
  SourceLine: 39187
  SourceTag: 125
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The volume snapshot driver encountered an error while performing processing for volume online.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online the volume snapshot driver scans for any persistent snapshots that may be on the volume.  In case of an error this scan is not performed.  The error may have originated in storage drivers beneath the volume snapshot driver; check their logs.

If the error is STATUS_DEVICE_NOT_CONNECTED this means the volume is in snapshot protection mode and has been taken offline to prevent loss of snapshots.

Fields

Message

Activation of discovered snapshots began.

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.

You should expect this event when a volume is brought online or reverted to a snapshot.  No user action is required.

Fields

Message

Activation of discovered snapshots completed.

Volume GUID: %1
Total Number of Snapshots Found: %2
Number of Snapshots Marked for Delete: %3
Number of Visible Snapshots Found: %4

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  Some snapshots may be marked 'visible', meaning they were exposed as a local volume or file share.  Some detected snapshots may be marked 'deleted', meaning they are no longer available for use and their diff area space will be reclaimed when all older snapshots are deleted.  Look for instances of event 106 to see each snapshot that was discovered and whether it was 'visible' or 'deleted'.

You should expect this event when a volume is brought online or reverted to a snapshot.  No user action is required.

Fields

Message

Activation of discovered snapshots encountered an error.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  Unless the volume is in snapshot protection mode or the error code indicates the volume is offline, a failure during this process results in loss of all snapshots on the volume.

Fields

Message

A persistent snapshot was activated.

Volume GUID: %1
Snapshot GUID: %2
Snapshot Marked Deleted: %3
Snapshot Visible: %4
Snapshot Commit Timestamp: %5

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  If the snapshot is 'visible', it was exposed as a local volume or file share.  If the snapshot is 'deleted', it is no longer available for use and its diff area space will be reclaimed when all older snapshots are deleted.

You should expect this event when a volume containing persistent snapshots is brought online or reverted to a snapshot.  If all discovered snapshots are successfully activated you should expect event 104, otherwise you will see event 105.  No user action is required.

Fields

Message

Reading of a snapshot diff area's metadata began.

Volume GUID: %1
Snapshot GUID: %2

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.

You should expect this event when a volume is brought online, reverted to a snapshot, or when reading from a persistent snapshot for the first time after bringing a volume online.  This event may also occur if a volume is dismounted that contains snapshots that have not been read since the volume was brought online.  No user action is required.

Fields

Message

Reading of a snapshot diff area's metadata completed.

Volume GUID: %1
Snapshot GUID: %2
Count of 1MB Reads: %3
Count of 16KB Reads: %4
Diff Area Metadata Size: %5 Bytes
Total Data Read: %6 Bytes

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.  The size of the diff area metadata may be less than the total number of bytes read if the diff area is discontiguous on disk.

You should expect this event when a volume is brought online, reverted to a snapshot, or when reading from a persistent snapshot for the first time after bringing a volume online.  This event may also occur if a volume is dismounted that contains snapshots that have not been read since the volume was brought online.  No user action is required.

Fields

Message

Reading of a snapshot diff area's metadata encountered an error.

Error: %3

Volume GUID: %1
Snapshot GUID: %2
Count of 1MB Reads: %4
Count of 16KB Reads: %5
Amount of Diff Area Metadata Read: %6 Bytes
Total Data Read: %7 Bytes

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.  Unless the volume is in snapshot protection mode, a failure during this process results in loss of all snapshots on the volume.

Fields

Message

Validation of diff area files began.

Volume GUID: %1

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.

You should expect this event when mounting a volume.  No user action is required.

Fields

Message

Validation of diff area files completed.

Number of Diff Areas: %2

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.

You should expect this event when mounting a volume.  No user action is required.

Fields

Message

Validation of diff area files encountered an error.

Error: %2

Volume GUID: %1

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.  A failure during this process results in loss of all snapshots whose diff area files are located on the volume, unless those snapshots are of volumes that are in snapshot protection mode.

Fields

Message

The volume is preparing to be taken offline.

Volume GUID: %1

Guidance:
Some system services, such as the cluster service, inform the volume snapshot driver when they are about to take the volume offline.

You should expect this event when an entity such as the cluster service prepares to take a volume offline.  No user action is required.

Fields

Message

The volume snapshot driver has begun processing for dismount.

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

You should expect this event when a volume dismounts.  No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-VolumeSnapshot-Driver
  guid: 67FE2216-727A-40CB-94B2-C02211EDB34A
  event_source_name: ''
  event_id: 114
  version: 0
  level: 4
  task: 0
  opcode: 1
  keywords: 4611686018427387904
  time_created: '2022-04-07T16:45:03.737710+00:00'
  event_record_id: 9
  correlation: {}
  execution:
    process_id: 4
    thread_id: 32
  channel: Microsoft-Windows-VolumeSnapshot-Driver/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  TargetVolumeGuid: E856EAFF-60EA-4D9C-8467-32D0B50DBFFC
  SourceFile: '0x1'
  SourceLine: 37521
  SourceTag: 119
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The volume snapshot driver has completed processing for dismount.

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

You should expect this event when a volume dismounts.  No user action is required.

Fields

Example Event

system:
  provider: Microsoft-Windows-VolumeSnapshot-Driver
  guid: 67FE2216-727A-40CB-94B2-C02211EDB34A
  event_source_name: ''
  event_id: 115
  version: 0
  level: 4
  task: 0
  opcode: 2
  keywords: 4611686018427387904
  time_created: '2022-04-07T16:45:03.737712+00:00'
  event_record_id: 10
  correlation: {}
  execution:
    process_id: 4
    thread_id: 32
  channel: Microsoft-Windows-VolumeSnapshot-Driver/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  TargetVolumeGuid: E856EAFF-60EA-4D9C-8467-32D0B50DBFFC
  SourceFile: '0x1'
  SourceLine: 38322
  SourceTag: 122
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The volume snapshot driver has begun processing for volume offline.

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

You should expect this event when a volume is taken offline.  No user action is required.

Fields

Message

The volume snapshot driver has completed processing for volume offline.

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

You should expect this event when a volume is taken offline.  No user action is required.

Fields

Message

The volume snapshot driver encountered an error while performing processing for volume offline.

Error: %2

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

If the error is STATUS_INSUFFICIENT_RESOURCES (0xc000009a), the volume snapshot driver may have been unable to allocate memory.  Other error codes originate from lower drivers.  Please check their log(s) for further information.

Fields

Message

The volume snapshot driver encountered an error while performing processing for dismount.

Error: %3
Error Details: %2

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

A failure during this process results in loss of all snapshots whose diff area files are located on the volume, unless those snapshots are of volumes that are in snapshot protection mode.

Fields

Message

Activation of discovered snapshots took too long and was aborted.

Volume GUID: %1
Timeout Value (in seconds): %2

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  This process took longer than the amount of time allowed on this system, so activation has been aborted.  Unless the volume is in snapshot protection mode, all snapshots on this volume have been deleted.

Fields

Message

The volume snapshot driver was unable to log an event to the legacy System event log.

Volume Name: %2
Diff Volume Name (if applicable): %4
Original Error Event Code: %5
Original Error Status: %6
Cause of Logging Failure:%10

Fields

Message

The volume snapshot driver encountered an error when attempting to determine whether the volume is clustered.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  This process attempts to determine whether the volume is part of a cluster shared resource, but the query to determine this failed.

This error does not indicate that any snapshots have been deleted.  You should expect this event if the volume is on a dynamic disk or is managed by a third-party volume manager.

Fields

Message

Persistent snapshots are not supported on this edition of Windows.

Guidance:
This edition of Windows does not support creation of persistent snapshots.  Autorelease snapshots are supported.

Fields

Message

PrepareForSnapshot (Enter)

Fields

Message

PrepareForSnapshot (Leave)

Fields

Message

PreExposure (Enter)

Fields

Message

PreExposure (Leave)

Fields

Message

AdjustBitmap (Enter)

Fields

Message

AdjustBitmap (Leave)

Fields

Message

EndCommit (Enter)

Fields

Message

EndCommit (Leave)

Fields

Message

Activate (Enter)

Fields

Message

Activate (Leave)

Fields

Message

SetIgnorable (Enter)

Fields

Message

SetIgnorable (Leave)

Fields

Message

ComputeIgnorableProduct (Enter)

Fields

Message

ComputeIgnorableProduct (Leave)

Fields

Message

Dismount (Enter)

Fields

Message

Dismount (Leave)

Fields

Message

Remount (Enter)

Fields

Message

Remount (Leave)

Fields

Message

DeleteProcess (Enter)

Fields

Message

DeleteProcess (Leave)

Fields

Message

Revert (Enter)

Fields

Message

Revert (Leave)

Fields

Message

ComputeProtectedBitmap (Enter)

Fields

Message

ComputeProtectedBitmap (Leave)

Fields

Message

FlushHoldFs (Enter)

Fields

Message

FlushHoldFs (Leave)

Fields

Message

ActivateLoop (Enter)

Fields

Message

ActivateLoop (Leave)

Fields

Message

ValidateDiffAreaFiles (Enter)

Fields

Message

ValidateDiffAreaFiles (Leave)

Fields

Message

VolumesSafeForWrite (Enter)

Fields

Message

VolumesSafeForWrite (Leave)

Fields

Message

DiscoverSnapshots (Enter)

Fields

Message

DiscoverSnapshots (Leave)

Fields