Microsoft-Windows-FileShareShadowCopyProvider
16 events across 1 channel
Event ID 0: Microsoft File Share Shadow Copy Provider is loaded
Description
Microsoft File Share Shadow Copy Provider is loaded.
Message
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-FileShareShadowCopyProvider",
    "guid": "89300202-3CEC-4981-9171-19F59559E0F2",
    "event_source_name": "",
    "event_id": 0,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T18:21:04.651230+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 2648,
      "thread_id": 6840
    },
    "channel": "Microsoft-Windows-FileShareShadowCopyProvider/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
Event ID 1: Microsoft File Share Shadow Copy Provider is unloaded.
Description
Microsoft File Share Shadow Copy Provider is unloaded.
Message
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-FileShareShadowCopyProvider",
    "guid": "89300202-3CEC-4981-9171-19F59559E0F2",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T18:30:17.625152+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 2648,
      "thread_id": 9916
    },
    "channel": "Microsoft-Windows-FileShareShadowCopyProvider/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
Event ID 2: Microsoft File Share Shadow Copy Provider primary metadata store is created.
Description
Microsoft File Share Shadow Copy Provider primary metadata store is created.
Message
Example Event
{
  "system": {
    "provider": "Microsoft-Windows-FileShareShadowCopyProvider",
    "guid": "89300202-3CEC-4981-9171-19F59559E0F2",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T18:21:04.649421+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 2648,
      "thread_id": 6840
    },
    "channel": "Microsoft-Windows-FileShareShadowCopyProvider/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}
Event ID 3: Microsoft File Share Shadow Copy Provider: Delete Shadow Copy: ShadowCopyId.
Event ID 1000: Microsoft File Share Shadow Copy Provider Error: Fail to load the persistent metadata store.
Description
Microsoft File Share Shadow Copy Provider Error: Fail to load the persistent metadata store.
Message
Event ID 1001: Microsoft File Share Shadow Copy Provider Error: Fail to save the persistent metadata store.
Description
Microsoft File Share Shadow Copy Provider Error: Fail to save the persistent metadata store.
Message
Event ID 1002: Fail to open Microsoft File Share Shadow Copy Provider primary metadata store failed with error code: ErrorCode.
Event ID 1003: Fail to open Microsoft File Share Shadow Copy Provider alternate metadata store failed with error code: ErrorCode.
Event ID 1004: Microsoft File Share Shadow Copy Provider Error: Contents of the file share shadow copy set database are invalid.
Description
Microsoft File Share Shadow Copy Provider Error: Contents of the file share shadow copy set database are invalid.
Message
Event ID 1005: Microsoft File Share Shadow Copy Provider Error: Fail to negotiate with file server supported version.
Event ID 1006: Microsoft File Share Shadow Copy Provider Error: Fail to finish preparing shadow copy creation within 30 minutes.
Description
Microsoft File Share Shadow Copy Provider Error: Fail to finish preparing shadow copy creation within 30 minutes.
Message
Event ID 1007: Microsoft File Share Shadow Copy Provider Error: Fail to commit all file servers within 60 seconds.
Description
Microsoft File Share Shadow Copy Provider Error: Fail to commit all file servers within 60 seconds.
Message
Event ID 1008: Microsoft File Share Shadow Copy Provider Error: Fail to expose the file share shadow copies within 30 minutes.
Description
Microsoft File Share Shadow Copy Provider Error: Fail to expose the file share shadow copies within 30 minutes.
Message
Event ID 1009: Microsoft File Share Shadow Copy Provider Error: Failed to connect to FssAgentRPC server: FileServerName with error code: ErrorCode.
Event ID 1010: Microsoft File Share Shadow Copy Provider Error: Create worker thread for shadow copy creation on file server failed.
Description
Microsoft File Share Shadow Copy Provider Error: Create worker thread for shadow copy creation on file server failed.
Message
Event ID 1011: Microsoft File Share Shadow Copy Provider Error: The worker thread to create shadow copy on file server terminated unexpected.
Description
Microsoft File Share Shadow Copy Provider Error: The worker thread to create shadow copy on file server terminated unexpected.
Message
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {89300202-3CEC-4981-9171-19F59559E0F2}
Defined in fssProv.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02