Event ID 114 — The volume snapshot driver has begun processing for dismount.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

The volume snapshot driver has begun processing for dismount.

Message

The volume snapshot driver has begun processing for dismount.

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas. All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots. If such writes occur, this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

You should expect this event when a volume dismounts. No user action is required.

Fields

Name              Description
TargetVolumeGuid  GUID
SourceFile        HexInt32
SourceLine        UInt16
SourceTag         UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 114,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T16:45:03.737710+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 32
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "E856EAFF-60EA-4D9C-8467-32D0B50DBFFC",
    "SourceFile": "0x1",
    "SourceLine": 37521,
    "SourceTag": 119
  },
  "message": ""
}
