Microsoft-Windows-BitLocker-Driver-Performance
46 events across 1 channel
Event ID 1: fve:ReadRequest
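Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |

Both fields are logged as raw kernel-mode addresses (see the example values below), which is worth keeping in mind before sharing a captured trace outside the team that owns the host.

Example Event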
{
"system": {
"provider": "Microsoft-Windows-BitLocker-Driver-Performance",
"guid": "{1DE130E1-C026-4CBF-BA0F-AB608E40AEEA}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": "0x0000000000000020",
"time_created": "2026-06-02T05:41:26.365+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 15096
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DevObjPtr": "0xFFFFBD09E2D09030",
"IrpPtr": "0xFFFFBD09F3553010"
},
"message": "fve:ReadRequest"
}
Event ID 2: fve:ReadRequest
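Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |

Event ID 1 and Event ID 2 carry the same message text; the examples differ in opcode (1, the standard ETW Start opcode, versus 2, Stop) and share the same IrpPtr, so pair them on IrpPtr rather than on the message. The two examples report different process_id values (3756 and 10660), as do the write examples for Event ID 3 and 4, so the stop event is presumably logged in whatever context completes the I/O. Confirm this before attributing a request to the process named in a stop event.

Example Event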
{
"system": {
"provider": "Microsoft-Windows-BitLocker-Driver-Performance",
"guid": "{1DE130E1-C026-4CBF-BA0F-AB608E40AEEA}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": "0x0000000000000020",
"time_created": "2026-06-02T05:41:26.366+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 10660,
"thread_id": 13648
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DevObjPtr": "0xFFFFBD09E2D09030",
"IrpPtr": "0xFFFFBD09F3553010"
},
"message": "fve:ReadRequest"
}
Event ID 3: fve:WriteRequest
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-BitLocker-Driver-Performance",
"guid": "{1DE130E1-C026-4CBF-BA0F-AB608E40AEEA}",
"event_source_name": "",
"event_id": 3,
"version": 0,
"level": 4,
"task": 2,
"opcode": 1,
"keywords": "0x0000000000000020",
"time_created": "2026-06-02T05:41:25.566+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 1496
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DevObjPtr": "0xFFFFBD09E2D09030",
"IrpPtr": "0xFFFFBD09F2E7F520"
},
"message": "fve:WriteRequest"
}
Event ID 4: fve:WriteRequest
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |

Example Event
{
"system": {
"provider": "Microsoft-Windows-BitLocker-Driver-Performance",
"guid": "{1DE130E1-C026-4CBF-BA0F-AB608E40AEEA}",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 2,
"opcode": 2,
"keywords": "0x0000000000000020",
"time_created": "2026-06-02T05:41:25.567+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 14172,
"thread_id": 6176
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DevObjPtr": "0xFFFFBD09E2D09030",
"IrpPtr": "0xFFFFBD09F2E7F520"
},
"message": "fve:WriteRequest"
}
Event ID 5: fve:ReadSubRequest
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
Event ID 6: fve:WriteSubRequest
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| IrpPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
Event ID 15: fve:MetadataWriteStart
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| Index (UInt32) | |
| Offset (UInt64) | |
Event ID 16: fve:MetadataWriteStop
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| Index (UInt32) | |
| Offset (UInt64) | |
Event ID 23: fve:ConversionStepStart
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
| Command (UInt32) | |
Event ID 24: fve:ConversionStepStop
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
| Command (UInt32) | |
Event ID 25: fve:SliderMoveStart
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| PrevOffset (UInt64) | |
| NextOffset (UInt64) | |
| Size (UInt64) | |
Event ID 26: fve:SliderMoveStop
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| PrevOffset (UInt64) | |
| NextOffset (UInt64) | |
| Size (UInt64) | |
Event ID 27: fve:IoDecryptRequestStart
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
Event ID 28: fve:IoDecryptRequestStop
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
Event ID 29: fve:IoEncryptRequestStart
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
Event ID 30: fve:IoEncryptRequestStop
Fields

| Name | Description |
|---|---|
| DevObjPtr (Pointer) | |
| SubIrpPtr (Pointer) | |
| Offset (UInt64) | |
| Size (UInt32) | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {1DE130E1-C026-4CBF-BA0F-AB608E40AEEA}
Defined in fvevol.sys, the binary that emits these events.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.4768, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02