Microsoft-Windows-Disk
22 events across 3 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Disk Cache Information | Operational | Y |
| 201 | Request servicing time taken by lower driver stack(s). | Analytic | N |
| 202 | Dispatching a read request. | Diagnose | N |
| 203 | Dispatching a write request. | Diagnose | N |
| 204 | Dispatching a read request. | Diagnose | N |
| 205 | Dispatching a write request. | Diagnose | N |
| 206 | Dispatching a read request. | Diagnose | N |
| 207 | Dispatching a write request. | Diagnose | N |
| 208 | Completing an IO (read/write) request. | Diagnose | N |
| 209 | Retrying an IO (read/write) request. | Diagnose | N |
| 210 | Flush request. | Diagnose | N |
| 211 | Flush request. | Diagnose | N |
| 212 | Dispatching an IOCTL. | Diagnose | Y |
| 213 | Dispatching a WMI request. | Diagnose | N |
| 214 | Completing a non-read/write request. | Diagnose | Y |
| 215 | Dispatching a power request. | Diagnose | N |
| 216 | Completing a power request. | Diagnose | N |
| 217 | Dispatching a PnP request. | Diagnose | N |
| 218 | Completing a PnP request. | Diagnose | N |
| 219 | Completing a PnP enumeration request. | Diagnose | N |
| 220 | Performing a queue-related operation. | Diagnose | N |
| 221 | Dispatching a PassThrough request. | Diagnose | N |
Event ID 1: Disk Cache Information
Description
Disk Cache Information.
Message
Fields
| Name | Type | Description |
|---|---|---|
| ReadCacheEnabled | UInt8 | |
| WriteCacheEnabled | UInt8 | |
| ReadRetentionPriority | UInt8 | |
| WriteRetentionPriority | UInt8 | |
| PrefetchScalar | UInt8 | |
| DisablePrefetchTransferLength | UInt16 | |
| Minimum | UInt16 | |
| Maximum | UInt16 | |
| MaximumBlocks | UInt16 | |
| DeviceNumber | UInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Disk",
    "guid": "{6B4DB0BC-9A3D-467D-81B9-A84C6F2F3D40}",
    "event_source_name": "",
    "event_id": 1,
    "version": 1,
    "level": 4,
    "task": 1,
    "opcode": 11,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T05:15:51.188+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4776,
      "thread_id": 12500
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DeviceNumber": 0,
    "DisablePrefetchTransferLength": 0,
    "Maximum": 0,
    "MaximumBlocks": 0,
    "Minimum": 0,
    "PrefetchScalar": 0,
    "ReadCacheEnabled": 1,
    "ReadRetentionPriority": 0,
    "WriteCacheEnabled": 1,
    "WriteRetentionPriority": 0
  },
  "message": "TaskDiskCacheInfo"
}
```
Event ID 201: Request servicing time taken by lower driver stack(s).
Event ID 202: Dispatching a read request.
Event ID 203: Dispatching a write request.
Event ID 204: Dispatching a read request.
Event ID 205: Dispatching a write request.
Event ID 206: Dispatching a read request.
Event ID 207: Dispatching a write request.
Event ID 208: Completing an IO (read/write) request.
Description
Completing an IO (read/write) request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| NTStatus | HexInt32 | NTSTATUS reference |
| SrbStatus | UInt8 | |
| ScsiStatus | UInt8 | |
| SenseKey | UInt8 | |
| AddSense | UInt8 | |
| AddSenseQ | UInt8 | |
Event ID 209: Retrying an IO (read/write) request.
Event ID 210: Flush request.
Event ID 211: Flush request.
Description
Flush request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| NTStatus | HexInt32 | NTSTATUS reference |
| SrbStatus | UInt8 | |
| ScsiStatus | UInt8 | |
| SenseKey | UInt8 | |
| AddSense | UInt8 | |
| AddSenseQ | UInt8 | |
Event ID 212: Dispatching an IOCTL.
Description
Dispatching an IOCTL.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| MajorFunction | HexInt32 | |
| MinorFunction | HexInt32 | |
| Parameter | HexInt32 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Disk",
    "guid": "{6B4DB0BC-9A3D-467D-81B9-A84C6F2F3D40}",
    "event_source_name": "",
    "event_id": 212,
    "version": 1,
    "level": 4,
    "task": 200,
    "opcode": 100,
    "keywords": "0x4000000040000000",
    "time_created": "2026-06-02T05:15:44.029+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4624,
      "thread_id": 8244
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DeviceNumber": 0,
    "Irp": "0xFFFF878DC9F51CC0",
    "MajorFunction": "0E000000",
    "MinorFunction": "00000000",
    "Parameter": "140C2D00"
  },
  "message": "Class"
}
```
Event ID 213: Dispatching a WMI request.
Event ID 214: Completing a non-read/write request.
Description
Completing a non-read/write request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| Status | HexInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Disk",
    "guid": "{6B4DB0BC-9A3D-467D-81B9-A84C6F2F3D40}",
    "event_source_name": "",
    "event_id": 214,
    "version": 1,
    "level": 4,
    "task": 200,
    "opcode": 101,
    "keywords": "0x40000000C0000000",
    "time_created": "2026-06-02T05:15:51.188+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4776,
      "thread_id": 12500
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DeviceNumber": 0,
    "Irp": "0xFFFF878DC06EC010",
    "Status": "850100C0"
  },
  "message": "Class"
}
```
Event ID 215: Dispatching a power request.
Event ID 216: Completing a power request.
Description
Completing a power request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 217: Dispatching a PnP request.
Event ID 218: Completing a PnP request.
Description
Completing a PnP request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 219: Completing a PnP enumeration request.
Description
Completing a PnP enumeration request.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| Irp | Pointer | |
| NumberOfChildren | UInt32 | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 220: Performing a queue-related operation.
Description
Performing a queue-related operation.
Message
Fields
| Name | Type | Description |
|---|---|---|
| DeviceNumber | UInt32 | |
| QueueTag | HexInt32 | |
| Operation | UInt8 | Known values |
| Status | HexInt32 | NTSTATUS reference |
Event ID 221: Dispatching a PassThrough request.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {6B4DB0BC-9A3D-467D-81B9-A84C6F2F3D40}
Defined in disk.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02