Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic

110 events across 3 channels

Event	Title	Channel	Sample
16	Event ID 16	Operational	N
16	Activity Transfer.	Diagnostic	N
256	Event ID 256	Operational	N
256	Openning file FileName.	Diagnostic	N
512	Event ID 512	Operational	N
512	Closing file object FileName.	Diagnostic	N
768	Event ID 768	Operational	N
768	Cleaning file object FileName.	Diagnostic	N
848	Event ID 848	Operational	N
848	All file objects for the stream Scb are invalidated.	Diagnostic	N
864	Event ID 864	Operational	N
864	All file objects for the stream Scb of file id FileIdHi.	Operational	N
885	Event ID 885	Operational	N
885	File handle FileObject for the stream Ccb is invalidated.	Diagnostic	N
896	Event ID 896	Operational	N
896	File handle FileObject for the stream Scb file id .	Operational	N
1024	Event ID 1024	Operational	N
1024	Query Volume Information completed with status status.	Diagnostic	N
1280	Event ID 1280	Operational	N
1280	Down-level File Object FileName is opened with status Status.	Diagnostic	N
1536	Event ID 1536	Operational	N
1536	Down-level File Object FileName is closed.	Diagnostic	N
1792	Event ID 1792	Operational	N
1792	Down-level File Object FileName is released.	Diagnostic	N
2048	Event ID 2048	Operational	N
2048	Paging File Object FileNameLength is opened with status AttributeFlags.	Diagnostic	N
2304	Event ID 2304	Operational	N
2304	Paging File Object FileNameLength is closed.	Diagnostic	N
4096	Event ID 4096	Operational	N
4096	Paging File Object FileNameLength is released.	Diagnostic	N
6144	Event ID 6144	Operational	N
6144	Received Byte Range Lock Request MinorFunction.	Diagnostic	N
6400	Event ID 6400	Operational	N
6400	Completed Byte Range Lock Request MinorFunction.	Diagnostic	N
8192	Event ID 8192	Operational	N
8192	Removed Lock.	Diagnostic	N
8208	Event ID 8208	Operational	N
8208	Cleanup Locks.	Diagnostic	N
8224	Event ID 8224	Operational	N
8224	Resume Lock.	Diagnostic	N
8272	Event ID 8272	Operational	N
8272	Resuming oplock to level OplockLevel completed with status Status.	Diagnostic	N
8448	Event ID 8448	Operational	N
8448	Enqueuing Single Client Notify.	Diagnostic	N
8464	Event ID 8464	Operational	N
8464	Single Client Notify Completion.	Diagnostic	N
8704	Event ID 8704	Operational	N
8704	Volume VolumeId transitioning from CurrentState to SetDownlevel.	Operational	N
8960	Event ID 8960	Operational	N
8960	Volume VolumeId transitioning from CurrentState to NewState.	Operational	N
9216	Event ID 9216	Operational	N
9216	Volume VolumeId moved to state State.	Operational	N
9296	Event ID 9296	Operational	N
9296	Volume VolumeId is autopaused.	Operational	N
9312	Event ID 9312	Operational	N
9312	Volume was renamed.	Operational	N
9328	Event ID 9328	Operational	N
9328	Count IOs timed out on the volume VolumeId.	Operational	N
9472	Event ID 9472	Operational	N
9472	Start IO Irp on FileObject (FileName).	Diagnostic	N
9728	Event ID 9728	Operational	N
9728	Completed IO Irp.	Diagnostic	N
9984	Event ID 9984	Operational	N
9984	Posted IO Irp.	Diagnostic	N
10240	Event ID 10240	Operational	N
10240	Continue IO Irp.	Diagnostic	N
10496	Event ID 10496	Operational	N
10496	Pause IO Irp.	Diagnostic	N
12288	Event ID 12288	Operational	N
12288	Resume IO Irp.	Diagnostic	N
12320	Event ID 12320	Operational	N
12320	Direct IO Irp.	Diagnostic	N
12336	Event ID 12336	Operational	N
12336	Redirect IO Irp.	Diagnostic	N
12368	Event ID 12368	Operational	N
12368	Current Node Id NodeId.	Operational	Y
12544	Event ID 12544	Operational	N
12544	Volume VolumeId, CountersName.	Operational	N
12800	Event ID 12800	Operational	N
12800	File FileName.	Diagnostic	N
13056	Event ID 13056	Operational	N
13056	Lock.	Diagnostic	N
16384	Event ID 16384	Operational	N
16384	Tunnel operation TunnelOperationCode.	Diagnostic	N
20480	Event ID 20480	Operational	N
20480	Stream was flushed and purged from offset FileOffset, length Length.	Diagnostic	N
24576	Event ID 24576	Operational	N
24576	Stream was flushed from offset FileOffset, length Length.	Diagnostic	N
28672	Event ID 28672	Operational	N
28672	Stream was purged from offset FileOffset, length Length.	Diagnostic	N
32768	Event ID 32768	Operational	N
32768	Volume was purged.	Diagnostic	N
36864	Event ID 36864	Operational	N
36864	Bookmark: Bookmark.	Diagnostic	N
40960	Event ID 40960	Operational	N
40960	Driver loaded.	Operational	Y
45056	Event ID 45056	Operational	N
45056	Cluster service connected.	Operational	N
49152	Event ID 49152	Operational	N
49152	Cluster service disconnected.	Operational	N
53248	Event ID 53248	Operational	N
53248	Data section created.	Diagnostic	N
57344	Event ID 57344	Operational	N
57344	Shared Cahce Map Initialized.	Diagnostic	N
61440	Event ID 61440	Operational	N
61440	Shared Cahce Map Uninitialized.	Diagnostic	N
61696	Event ID 61696	Operational	N
61696	Capture full payload.	Diagnostic	N
61952	Event ID 61952	Operational	N
61952	Capture payload segment.	Diagnostic	N

Event ID 16

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ActivityTransfer
Opcode: Send

Description

Activity Transfer.

Event ID 16: Activity Transfer.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ActivityTransfer
Opcode: Send

Description

Activity Transfer.

Message #

Activity Transfer.

Event ID 256

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileOpen

Description

Openning file .

Fields #

Name	Description
`Irp` Pointer
`Volume` Pointer
`VolumeId` GUID
`FileObject` Pointer
`RelativeFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`DesiredAccess` HexInt32	Process access rights reference
`Options` HexInt32
`SharedAccess` HexInt32
`AttributeFlags` HexInt32

Event ID 256: Openning file FileName.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileOpen

Description

Openning file FileName.

Message #

Openning file %7.

Fields #

Name	Description
`Irp` Pointer
`Volume` Pointer
`VolumeId` GUID
`FileObject` Pointer
`RelativeFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`DesiredAccess` HexInt32	Process access rights reference
`Options` HexInt32
`SharedAccess` HexInt32
`AttributeFlags` HexInt32

Event ID 512

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileClosed

Description

Closing file object .

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 512: Closing file object FileName.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileClosed

Description

Closing file object FileName.

Message #

Closing file object %5.

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 768

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileReleased

Description

Cleaning file object .

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 768: Cleaning file object FileName.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileReleased

Description

Cleaning file object FileName.

Message #

Cleaning file object %5.

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 848

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileInvalidated

Description

All file objects for the stream Scb are invalidated. Reason: 'Reason'.

Fields #

Name	Description
`Scb` Pointer
`Condition` HexInt32
`Reason` HexInt32
`Vcb` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 848: All file objects for the stream Scb are invalidated.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileInvalidated

Description

All file objects for the stream Scb are invalidated. Reason: 'Reason'.

Message #

All file objects for the stream %1 are invalidated. Reason: '%3'

Fields #

Name	Description
`Scb` Pointer
`Condition` HexInt32
`Reason` HexInt32
`Vcb` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 864

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileInvalidated

Description

All file objects for the stream Scb of file id FileIdHi.FileId are invalidated. Reason: 'Reason'.

Fields #

Name	Description
`FileId` HexInt64
`FileIdHi` HexInt64
`Scb` Pointer
`Condition` HexInt32
`Reason` HexInt32
`Volume` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 864: All file objects for the stream Scb of file id FileIdHi.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileInvalidated

Description

All file objects for the stream Scb of file id FileIdHi.FileId are invalidated. Reason: 'Reason'.

Message #

All file objects for the stream %3 of file id %2.%1 are invalidated. Reason: '%5'

Fields #

Name	Description
`FileId` HexInt64
`FileIdHi` HexInt64
`Scb` Pointer
`Condition` HexInt32
`Reason` HexInt32
`Volume` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 885

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileHandleInvalidated

Description

File handle FileObject for the stream Ccb is invalidated. Reason: 'Reason'.

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Flags` HexInt32
`Reason` HexInt32
`Vcb` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 885: File handle FileObject for the stream Ccb is invalidated.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileHandleInvalidated

Description

File handle FileObject for the stream Ccb is invalidated. Reason: 'Reason'.

Message #

File handle %1 for the stream %2 is invalidated. Reason: '%5'

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Flags` HexInt32
`Reason` HexInt32
`Vcb` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 896

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileHandleInvalidated

Description

File handle FileObject for the stream Scb file id .FileIdHi.FileId is invalidated. Reason: 'Reason'. File name: 'FileName'.

Fields #

Name	Description
`FileId` HexInt64
`FileIdHi` HexInt64
`FileNameLength` UInt16
`FileName` UnicodeString
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Flags` HexInt32
`Reason` HexInt32
`Volume` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 896: File handle FileObject for the stream Scb file id .

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileHandleInvalidated

Description

File handle FileObject for the stream Scb file id .FileIdHi.FileId is invalidated. Reason: 'Reason'. File name: 'FileName'.

Message #

File handle %5 for the stream %7 file id .%2.%1 is invalidated. Reason: '%9'. File name: '%4'

Fields #

Name	Description
`FileId` HexInt64
`FileIdHi` HexInt64
`FileNameLength` UInt16
`FileName` UnicodeString
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Flags` HexInt32
`Reason` HexInt32
`Volume` Pointer
`VolumeId` GUID
`Status` HexInt32	NTSTATUS reference

Event ID 1024

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: QueryVolumeInformation

Description

Query Volume Information completed with status .

Fields #

Name	Description
`Vcb` Pointer
`BytesPerSector` HexInt64
`BytesPerCluster` HexInt64
`BytesPerFileRecordSegment` HexInt64
`status` HexInt32	NTSTATUS reference

Event ID 1024: Query Volume Information completed with status status.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: QueryVolumeInformation

Description

Query Volume Information completed with status status.

Message #

Query Volume Information completed with status %5.

Fields #

Name	Description
`Vcb` Pointer
`BytesPerSector` HexInt64
`BytesPerCluster` HexInt64
`BytesPerFileRecordSegment` HexInt64
`status` HexInt32	NTSTATUS reference

Event ID 1280

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: DownLevelFileOpen

Description

Down-level File Object is opened with status .

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 1280: Down-level File Object FileName is opened with status Status.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: DownLevelFileOpen

Description

Down-level File Object FileName is opened with status Status.

Message #

Down-level File Object %4 is opened with status %10.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 1536

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: DownLevelFileClosed

Description

Down-level File Object is closed.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 1536: Down-level File Object FileName is closed.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: DownLevelFileClosed

Description

Down-level File Object FileName is closed.

Message #

Down-level File Object %4 is closed.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 1792

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: DownLevelFileReleased

Description

Down-level File Object is released.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 1792: Down-level File Object FileName is released.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: DownLevelFileReleased

Description

Down-level File Object FileName is released.

Message #

Down-level File Object %4 is released.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 2048

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: PagingFileOpen

Description

Paging File Object is opened with status .

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 2048: Paging File Object FileNameLength is opened with status AttributeFlags.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: PagingFileOpen

Description

Paging File Object FileNameLength is opened with status AttributeFlags.

Message #

Paging File Object %3 is opened with status %9.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 2304

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: PagingFileClosed

Description

Paging File Object is closed.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 2304: Paging File Object FileNameLength is closed.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: PagingFileClosed

Description

Paging File Object FileNameLength is closed.

Message #

Paging File Object %3 is closed.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 4096

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: PagingFileReleased

Description

Paging File Object is released.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 4096: Paging File Object FileNameLength is released.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: PagingFileReleased

Description

Paging File Object FileNameLength is released.

Message #

Paging File Object %3 is released.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 6144

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLock

Description

Received Byte Range Lock Request . At ; Length ; Key ; Fags .

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`Irp` Pointer
`MinorFunction` HexInt32
`Flags` HexInt32
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`FailImmediately` Boolean
`Exclusive` Boolean

Event ID 6144: Received Byte Range Lock Request MinorFunction.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLock

Description

Received Byte Range Lock Request MinorFunction. At Offset; Length Length; Key Key; Fags Flags.

Message #

Received Byte Range Lock Request %4. At %7; Length %8; Key %9; Fags %5.

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`Irp` Pointer
`MinorFunction` HexInt32
`Flags` HexInt32
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`FailImmediately` Boolean
`Exclusive` Boolean

Event ID 6400

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLock

Description

Completed Byte Range Lock Request . At ; Length ; Key ; Fags .

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`Irp` Pointer
`MinorFunction` HexInt32
`Flags` HexInt32
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`FailImmediately` Boolean
`Exclusive` Boolean
`Status` HexInt32	NTSTATUS reference

Event ID 6400: Completed Byte Range Lock Request MinorFunction.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLock

Description

Completed Byte Range Lock Request MinorFunction. At Offset; Length Length; Key Key; Fags Flags.

Message #

Completed Byte Range Lock Request %4. At %7; Length %8; Key %9; Fags %5.

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`Irp` Pointer
`MinorFunction` HexInt32
`Flags` HexInt32
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`FailImmediately` Boolean
`Exclusive` Boolean
`Status` HexInt32	NTSTATUS reference

Event ID 8192

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLock

Description

Removed Lock. At ; Length ; Key ; Exclusive .

Fields #

Name	Description
`File` Pointer
`Irp` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Context` Pointer

Event ID 8192: Removed Lock.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLock

Description

Removed Lock. At Offset; Length Length; Key Key; Exclusive Exclusive.

Message #

Removed Lock. At %4; Length %5; Key %6; Exclusive %7.

Fields #

Name	Description
`File` Pointer
`Irp` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Context` Pointer

Event ID 8208

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLock

Description

Cleanup Locks. Status . Downlevel status .

Fields #

Name	Description
`File` Pointer
`Process` Pointer
`Status` HexInt32	NTSTATUS reference
`DownLevelStatus` HexInt32

Event ID 8208: Cleanup Locks.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLock

Description

Cleanup Locks. Status Status. Downlevel status DownLevelStatus.

Message #

Cleanup Locks. Status %3. Downlevel status %4.

Fields #

Name	Description
`File` Pointer
`Process` Pointer
`Status` HexInt32	NTSTATUS reference
`DownLevelStatus` HexInt32

Event ID 8224

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLock

Description

Resume Lock. At ; Length ; Key ; Exclusive . Status .

Fields #

Name	Description
`File` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Status` HexInt32	NTSTATUS reference

Event ID 8224: Resume Lock.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLock

Description

Resume Lock. At Offset; Length Length; Key Key; Exclusive Exclusive. Status Status.

Message #

Resume Lock. At %3; Length %4; Key %5; Exclusive %6. Status %7.

Fields #

Name	Description
`File` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Status` HexInt32	NTSTATUS reference

Event ID 8272

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: Oplock

Description

Resuming oplock to level completed with status .

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`OplockLevel` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 8272: Resuming oplock to level OplockLevel completed with status Status.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: Oplock

Description

Resuming oplock to level OplockLevel completed with status Status.

Message #

Resuming oplock to level %3 completed with status %4.

Fields #

Name	Description
`FileObject` Pointer
`Scb` Pointer
`OplockLevel` HexInt32
`Status` HexInt32	NTSTATUS reference

Event ID 8448

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: OplockUpgrade

Description

Enqueuing Single Client Notify. For File ; Oplock Level is ; Ignore Current Conditions .

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`FullPathLength` UInt16
`FullPath` UnicodeString
`OplockLevel` HexInt32
`IgnoreCurrentConditions` Boolean

Event ID 8448: Enqueuing Single Client Notify.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: OplockUpgrade

Description

Enqueuing Single Client Notify. For File FullPathLength; Oplock Level is OplockLevel; Ignore Current Conditions IgnoreCurrentConditions.

Message #

Enqueuing Single Client Notify.  For File %3; Oplock Level is %5; Ignore Current Conditions %6.

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`FullPathLength` UInt16
`FullPath` UnicodeString
`OplockLevel` HexInt32
`IgnoreCurrentConditions` Boolean

Event ID 8464

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: OplockUpgrade

Description

Single Client Notify Completion. For File ; Oplock Level is ; Status ; Is Event Completion .

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`FullPathLength` UInt16
`FullPath` UnicodeString
`OplockLevel` HexInt32
`Status` HexInt32	NTSTATUS reference
`IsEventCompletion` Boolean

Event ID 8464: Single Client Notify Completion.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: OplockUpgrade

Description

Single Client Notify Completion. For File FullPath; Oplock Level is OplockLevel; Status Status; Is Event Completion IsEventCompletion.

Message #

Single Client Notify Completion.  For File %4; Oplock Level is %5; Status %6; Is Event Completion %7.

Fields #

Name	Description
`File` Pointer
`Scb` Pointer
`FullPathLength` UInt16
`FullPath` UnicodeString
`OplockLevel` HexInt32
`Status` HexInt32	NTSTATUS reference
`IsEventCompletion` Boolean

Event ID 8704

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeStarted
Opcode: Start

Description

Volume transitioning from to SetDownlevel. Local ; Flags ; CountersName ; Volume target path ; File System target path .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CurrentState` UInt32
`IsLocal` Boolean
`Flags` HexInt32
`CountersName` UnicodeString
`VolumeTargetPath` UnicodeString
`FsTargetPath` UnicodeString
`EnableCOW` Boolean
`EnableDirectIo` Boolean
`ForceWriteThrough` Int32
`TargetNodeId` Int32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 8704: Volume VolumeId transitioning from CurrentState to SetDownlevel.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeStarted
Opcode: Start

Description

Volume VolumeId transitioning from CurrentState to SetDownlevel. Local IsLocal; Flags Flags; CountersName CountersName; Volume target path VolumeTargetPath; File System target path FsTargetPath.

Message #

Volume %2 transitioning from %3 to SetDownlevel. Local %4; Flags %5; CountersName %6; Volume target path %7; File System target path %8.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CurrentState` UInt32
`IsLocal` Boolean
`Flags` HexInt32
`CountersName` UnicodeString
`VolumeTargetPath` UnicodeString
`FsTargetPath` UnicodeString
`EnableCOW` Boolean
`EnableDirectIo` Boolean
`ForceWriteThrough` Int32
`TargetNodeId` Int32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 8960

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeStarted
Opcode: Start

Description

Volume transitioning from to .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CurrentState` UInt32
`NewState` UInt32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 8960: Volume VolumeId transitioning from CurrentState to NewState.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeStarted
Opcode: Start

Description

Volume VolumeId transitioning from CurrentState to NewState.

Message #

Volume %2 transitioning from %3 to %4.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CurrentState` UInt32
`NewState` UInt32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 9216

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeCompleted
Opcode: Stop

Description

Volume moved to state . Reason ; Status .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`State` UInt32
`Source` UInt32
`Status` HexInt32	NTSTATUS reference
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceStateTransitionStart` UInt64
`Lifetime` UInt64
`InvalidationReason` UInt32

Event ID 9216: Volume VolumeId moved to state State.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateChangeCompleted
Opcode: Stop

Description

Volume VolumeId moved to state State. Reason Source; Status Status.

Message #

Volume %2 moved to state %3. Reason %4; Status %5.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`State` UInt32
`Source` UInt32
`Status` HexInt32	NTSTATUS reference
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceStateTransitionStart` UInt64
`Lifetime` UInt64
`InvalidationReason` UInt32

Event ID 9296

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeAutopause

Description

Volume is autopaused. Status . Source: .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CountersName` UnicodeString
`FromDirectIo` Boolean
`Irp` Pointer
`Status` HexInt32	NTSTATUS reference
`Source` UInt32
`Parameter1` HexInt64
`Parameter2` HexInt64
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 9296: Volume VolumeId is autopaused.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeAutopause

Description

Volume VolumeId is autopaused. Status Status. Source: Source.

Message #

Volume %2 is autopaused. Status %6. Source: %7.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CountersName` UnicodeString
`FromDirectIo` Boolean
`Irp` Pointer
`Status` HexInt32	NTSTATUS reference
`Source` UInt32
`Parameter1` HexInt64
`Parameter2` HexInt64
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 9312

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeRenamed

Description

Volume was renamed. New name .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CountersName` UnicodeString
`CurrentState` UInt32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 9312: Volume was renamed.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeRenamed

Description

Volume was renamed. New name VolumeId.

Message #

Volume was renamed. New name %2.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`CountersName` UnicodeString
`CurrentState` UInt32
`DcmSequenceId` UnicodeString
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceLastStateTransition` UInt64
`Lifetime` UInt64

Event ID 9328

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOTimedOut

Description

IOs timed out on the volume .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`Count` UInt64
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceStateTransitionStart` UInt64
`Lifetime` UInt64

Event ID 9328: Count IOs timed out on the volume VolumeId.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOTimedOut

Description

Count IOs timed out on the volume VolumeId.

Message #

%3 IOs timed out on the volume %2.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`Count` UInt64
`LastUptime` UInt64
`CurrentDowntime` UInt64
`TimeSinceStateTransitionStart` UInt64
`Lifetime` UInt64

Event ID 9472

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOStarted
Opcode: Start

Description

Start IO on (). Major Code . Minor Code .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`FileObject` Pointer
`Vcb` Pointer
`Scb` Pointer
`Ccb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`IrpFlags` HexInt32
`IrpContextFlags` HexInt32
`MajorFunction` HexInt32
`MinorFunction` HexInt32
`IrpSlFlags` HexInt32
`Control` HexInt32
`Parameter1` HexInt64
`Parameter2` HexInt64
`Parameter3` HexInt64
`Parameter4` HexInt64
`IrpContextFlagsUpper` HexInt32

Event ID 9472: Start IO Irp on FileObject (FileName).

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOStarted
Opcode: Start

Description

Start IO Irp on FileObject (FileName). Major Code MajorFunction. Minor Code MinorFunction.

Message #

Start IO %1 on %3 (%8). Major Code %11. Minor Code %12.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`FileObject` Pointer
`Vcb` Pointer
`Scb` Pointer
`Ccb` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`IrpFlags` HexInt32
`IrpContextFlags` HexInt32
`MajorFunction` HexInt32
`MinorFunction` HexInt32
`IrpSlFlags` HexInt32
`Control` HexInt32
`Parameter1` HexInt64
`Parameter2` HexInt64
`Parameter3` HexInt64
`Parameter4` HexInt64
`IrpContextFlagsUpper` HexInt32

Event ID 9728

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOCompleted
Opcode: Stop

Description

Completed IO . Status . Information .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64

Event ID 9728: Completed IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOCompleted
Opcode: Stop

Description

Completed IO Irp. Status Status. Information Information.

Message #

Completed IO %1. Status %3. Information %4.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64

Event ID 9984

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOPosted

Description

Posted IO .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 9984: Posted IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOPosted

Description

Posted IO Irp.

Message #

Posted IO %1.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 10240

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOContinue

Description

Continue IO .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 10240: Continue IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOContinue

Description

Continue IO Irp.

Message #

Continue IO %1.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 10496

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOPause
Opcode: Suspend

Description

Pause IO . Status . Information .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`IrpContextFlags` HexInt32
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`IrpContextFlagsUpper` HexInt32

Event ID 10496: Pause IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOPause
Opcode: Suspend

Description

Pause IO Irp. Status IrpContextFlags. Information Status.

Message #

Pause IO %1. Status %3. Information %4.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`IrpContextFlags` HexInt32
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`IrpContextFlagsUpper` HexInt32

Event ID 12288

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: IOResume
Opcode: Resume

Description

Resume IO .

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 12288: Resume IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: IOResume
Opcode: Resume

Description

Resume IO Irp.

Message #

Resume IO %1.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer

Event ID 12320

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: DirectIOCompleted

Description

Direct IO . Status . Information . Duration 100s nanoseconds.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`Duration` HexInt64
`RedirectionReason` HexInt32

Event ID 12320: Direct IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: DirectIOCompleted

Description

Direct IO Irp. Status Status. Information Information. Duration Duration 100s nanoseconds.

Message #

Direct IO %1. Status %3. Information %4. Duration %5 100s nanoseconds.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`Duration` HexInt64
`RedirectionReason` HexInt32

Event ID 12336

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: RedirectedIOCompleted

Description

Redirect IO . Status . Information . Duration 100s nanoseconds.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`Duration` HexInt64
`RedirectionReason` HexInt32

Event ID 12336: Redirect IO Irp.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: RedirectedIOCompleted

Description

Redirect IO Irp. Status Status. Information Information. Duration Duration 100s nanoseconds.

Message #

Redirect IO %1. Status %3. Information %4. Duration %5 100s nanoseconds.

Fields #

Name	Description
`Irp` Pointer
`IrpContext` Pointer
`Status` HexInt32	NTSTATUS reference
`Information` HexInt64
`Duration` HexInt64
`RedirectionReason` HexInt32

Event ID 12368

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: NodeStateRundown

Description

Current Node Id .

Fields #

Name	Description
`NodeId` Int32
`ReportCsvFs` Boolean

Event ID 12368: Current Node Id NodeId.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Level: Informational
Task: NodeStateRundown

Description

Current Node Id NodeId.

Message #

Current Node Id %1.

Fields #

Name	Description
`NodeId` Int32
`ReportCsvFs` Boolean

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic",
    "guid": "{6A86AE90-4E9B-4186-B1D1-9CE0E02BCBC1}",
    "event_source_name": "",
    "event_id": 12368,
    "version": 0,
    "level": 4,
    "task": 11300,
    "opcode": 0,
    "keywords": 4611686018427388928,
    "time_created": "2026-06-13T15:14:00.7018252+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7992
    },
    "channel": "Microsoft-Windows-FailoverClustering-CsvFs/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "NodeId": "0",
    "ReportCsvFs": "false"
  },
  "message": "Current Node Id 0."
}

Event ID 12544

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateRundown

Description

Volume , .

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`VpbFlags` Int32
`State` UInt32
`CountersName` UnicodeString
`VolumeTargetPath` UnicodeString
`FsTargetPath` UnicodeString
`EnableCOW` Boolean
`EnableDirectIo` Boolean
`ForceWriteThrough` Int32
`TargetNodeId` Int32

Event ID 12544: Volume VolumeId, CountersName.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumeStateRundown

Description

Volume VolumeId, CountersName.

Message #

Volume %2, %5.

Fields #

Name	Description
`Volume` Pointer
`VolumeId` GUID
`VpbFlags` Int32
`State` UInt32
`CountersName` UnicodeString
`VolumeTargetPath` UnicodeString
`FsTargetPath` UnicodeString
`EnableCOW` Boolean
`EnableDirectIo` Boolean
`ForceWriteThrough` Int32
`TargetNodeId` Int32

Event ID 12800

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: UpLevelFileStateRundown

Fields #

Name	Description
`Vcb` Pointer
`Scb` Pointer
`ScbState` HexInt32
`ScbCondition` HexInt32
`ScbConditionStatus` HexInt32
`ScbDownlevelOplockLevel` HexInt32
`FileId` HexInt64
`Ccb` Pointer
`CcbFlags` HexInt32
`ShadowFileObject` Pointer
`RealFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`FileIdHi` HexInt64

Event ID 12800: File FileName.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: UpLevelFileStateRundown

Message #

File %13.

Fields #

Name	Description
`Vcb` Pointer
`Scb` Pointer
`ScbState` HexInt32
`ScbCondition` HexInt32
`ScbConditionStatus` HexInt32
`ScbDownlevelOplockLevel` HexInt32
`FileId` HexInt64
`Ccb` Pointer
`CcbFlags` HexInt32
`ShadowFileObject` Pointer
`RealFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`CreateDisposition` HexInt32
`DesiredAccess` HexInt32	Process access rights reference
`SharedAccess` HexInt32
`CreateFlags` HexInt32
`AttributeFlags` HexInt32
`FileIdHi` HexInt64

Event ID 13056

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ByteRangeLockRundown

Description

Lock. At ; Length ; Key ; Exclusive .

Fields #

Name	Description
`Scb` Pointer
`File` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Context` Pointer

Event ID 13056: Lock.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: ByteRangeLockRundown

Description

Lock. At Offset; Length Length; Key Key; Exclusive Exclusive.

Message #

Lock. At %4; Length %5; Key %6; Exclusive %7.

Fields #

Name	Description
`Scb` Pointer
`File` Pointer
`Process` Pointer
`Offset` HexInt64
`Length` HexInt64
`Key` HexInt32
`Exclusive` Boolean
`Context` Pointer

Event ID 16384

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: Tunneling

Description

Tunnel operation . Result .

Fields #

Name	Description
`TunnelOperationCode` HexInt32
`TunnelActivityId` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 16384: Tunnel operation TunnelOperationCode.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: Tunneling

Description

Tunnel operation TunnelOperationCode. Result status.

Message #

Tunnel operation %1. Result %3.

Fields #

Name	Description
`TunnelOperationCode` HexInt32
`TunnelActivityId` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 20480

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: StreamFlushAndPurge

Description

Stream was flushed and purged from offset , length . Result .

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`Flags` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 20480: Stream was flushed and purged from offset FileOffset, length Length.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: StreamFlushAndPurge

Description

Stream was flushed and purged from offset FileOffset, length Length. Result status.

Message #

Stream was flushed and purged from offset %2, length %3. Result %5.

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`Flags` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 24576

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: StreamFlush

Description

Stream was flushed from offset , length . Result .

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 24576: Stream was flushed from offset FileOffset, length Length.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: StreamFlush

Description

Stream was flushed from offset FileOffset, length Length. Result status.

Message #

Stream was flushed from offset %2, length %3. Result %4.

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 28672

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: StreamPurge

Description

Stream was purged from offset , length . Result .

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 28672: Stream was purged from offset FileOffset, length Length.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: StreamPurge

Description

Stream was purged from offset FileOffset, length Length. Result status.

Message #

Stream was purged from offset %2, length %3. Result %4.

Fields #

Name	Description
`Scb` Pointer
`FileOffset` HexInt64
`Length` HexInt32
`status` HexInt32	NTSTATUS reference

Event ID 32768

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: VolumePurge

Description

Volume was purged. Result .

Fields #

Name	Description
`Vcb` Pointer
`status` HexInt32	NTSTATUS reference

Event ID 32768: Volume was purged.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: VolumePurge

Description

Volume was purged. Result status.

Message #

Volume was purged. Result %2.

Fields #

Name	Description
`Vcb` Pointer
`status` HexInt32	NTSTATUS reference

Event ID 36864

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: Bookmark

Description

Bookmark: .

Fields #

Name	Description
`Vcb` Pointer
`Scb` Pointer
`FileId` HexInt64
`Ccb` Pointer
`ShadowFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`BookmarkLength` UInt16
`Bookmark` UnicodeString
`FileIdHi` HexInt64

Event ID 36864: Bookmark: Bookmark.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: Bookmark

Description

Bookmark: Bookmark.

Message #

Bookmark: %9.

Fields #

Name	Description
`Vcb` Pointer
`Scb` Pointer
`FileId` HexInt64
`Ccb` Pointer
`ShadowFileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`BookmarkLength` UInt16
`Bookmark` UnicodeString
`FileIdHi` HexInt64

Event ID 40960

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: DriverLoad

Description

Driver loaded.

Fields #

Name	Description
`MaxLookAsideDepth` UInt64
`CpuCount` UInt64
`Status` HexInt32	NTSTATUS reference

Event ID 40960: Driver loaded.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Level: Informational
Task: DriverLoad

Description

Driver loaded.

Message #

Driver loaded.

Fields #

Name	Description
`MaxLookAsideDepth` UInt64
`CpuCount` UInt64
`Status` HexInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic",
    "guid": "{6A86AE90-4E9B-4186-B1D1-9CE0E02BCBC1}",
    "event_source_name": "",
    "event_id": 40960,
    "version": 0,
    "level": 4,
    "task": 10100,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2026-06-13T15:14:00.7082049+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 7992
    },
    "channel": "Microsoft-Windows-FailoverClustering-CsvFs/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "MaxLookAsideDepth": "16",
    "CpuCount": "8",
    "Status": "0x0"
  },
  "message": "Driver loaded."
}

Event ID 45056

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ClusterConnected

Description

Cluster service connected.

Fields #

Name	Description
`FileObject` Pointer
`ProcessId` Pointer
`Status` HexInt32	NTSTATUS reference

Event ID 45056: Cluster service connected.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ClusterConnected

Description

Cluster service connected.

Message #

Cluster service connected.

Fields #

Name	Description
`FileObject` Pointer
`ProcessId` Pointer
`Status` HexInt32	NTSTATUS reference

Event ID 49152

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ClusterDisconnected

Description

Cluster service disconnected.

Fields #

Name	Description
`FileObject` Pointer
`ProcessId` Pointer

Event ID 49152: Cluster service disconnected.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: ClusterDisconnected

Description

Cluster service disconnected.

Message #

Cluster service disconnected.

Fields #

Name	Description
`FileObject` Pointer
`ProcessId` Pointer

Event ID 53248

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: AcquireForCreateSection

Description

Data section created.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer
`Operation` UInt16	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SyncType` UInt32
`Status` HexInt32	NTSTATUS reference

Event ID 53248: Data section created.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: AcquireForCreateSection

Description

Data section created.

Message #

Data section created.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer
`Operation` UInt16	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`SyncType` UInt32
`Status` HexInt32	NTSTATUS reference

Event ID 57344

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: SharedCacheMapInitialized

Description

Shared Cahce Map Initialized.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer

Event ID 57344: Shared Cahce Map Initialized.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: SharedCacheMapInitialized

Description

Shared Cahce Map Initialized.

Message #

Shared Cahce Map Initialized.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer

Event ID 61440

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: SharedCacheMapUninitialized

Description

Shared Cahce Map Uninitialized.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer
`TruncateSize` HexInt64
`HasEvent` Boolean
`Result` Boolean

Event ID 61440: Shared Cahce Map Uninitialized.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: SharedCacheMapUninitialized

Description

Shared Cahce Map Uninitialized.

Message #

Shared Cahce Map Uninitialized.

Fields #

Name	Description
`FileObject` Pointer
`FileNameLength` UInt16
`FileName` UnicodeString
`Scb` Pointer
`Ccb` Pointer
`TruncateSize` HexInt64
`HasEvent` Boolean
`Result` Boolean

Event ID 61696

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: Capture

Description

Capture full payload.

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Fcb` Pointer
`FileId` HexInt64
`FileIdHi` HexInt64
`StreamId` HexInt64
`OplockLevel` HexInt32
`Flags` HexInt32
`Offset` HexInt64
`Length` HexInt32
`Data` Binary
`Status` HexInt32	NTSTATUS reference

Event ID 61696: Capture full payload.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: Capture

Description

Capture full payload.

Message #

Capture full payload.

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Fcb` Pointer
`FileId` HexInt64
`FileIdHi` HexInt64
`StreamId` HexInt64
`OplockLevel` HexInt32
`Flags` HexInt32
`Offset` HexInt64
`Length` HexInt32
`Data` Binary
`Status` HexInt32	NTSTATUS reference

Event ID 61952

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Operational
Task: Capture

Description

Capture payload segment.

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Fcb` Pointer
`FileId` HexInt64
`FileIdHi` HexInt64
`StreamId` HexInt64
`OplockLevel` HexInt32
`Flags` HexInt32
`Offset` HexInt64
`Length` HexInt32
`FragmentOffset` HexInt64
`FragmentLength` HexInt32
`Data` Binary
`Status` HexInt32	NTSTATUS reference

Event ID 61952: Capture payload segment.

Provider: Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic
Channel: Diagnostic
Task: Capture

Description

Capture payload segment.

Message #

Capture payload segment.

Fields #

Name	Description
`FileObject` Pointer
`Ccb` Pointer
`Scb` Pointer
`Fcb` Pointer
`FileId` HexInt64
`FileIdHi` HexInt64
`StreamId` HexInt64
`OplockLevel` HexInt32
`Flags` HexInt32
`Offset` HexInt64
`Length` HexInt32
`FragmentOffset` HexInt64
`FragmentLength` HexInt32
`Data` Binary
`Status` HexInt32	NTSTATUS reference

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 6a86ae90-4e9b-4186-b1d1-9ce0e02bcbc1

Defined in CsvFs.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02

Downloads

Microsoft-Windows-FailoverClustering-CsvFs-Diagnostic registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)