Microsoft-Windows-Hyper-V-Shared-VHDX

55 events across 3 channels

Event	Title	Channel	Sample
16	Shared VHDX filter started.	Operational	Y
32	Shared VHDX filter stopped.	Operational	N
48	Successfully attached to volume.	Operational	N
64	Skipped attaching to non-CSV volume.	Operational	Y
80	Error attaching to volume.	Operational	N
96	Successfully detached from volume.	Operational	N
112	Error detaching from volume.	Operational	N
128	Error opening handle for initiator.	Operational	N
129	A deduplicated file was detected for a Shared VHDX.	Operational	N
130	A reparse point was detected for a Shared VHDX file.	Operational	N
144	Error while mounting Shared VHDX file.	Operational	N
256	Shared VHDX file IO Failure.	Diagnostic	N
256	Event ID 256	Operational	N
272	Shared VHDX file IO took longer than TimeoutInMs ms.	Operational	N
288	System out of resources.	Operational	N
304	Error reading metadata from the Shared VHDX file.	Operational	N
305	No metadata found on the Shared VHDX file.	Diagnostic	N
305	Event ID 305	Operational	N
320	Error writing metadata to Shared VHDX file.	Operational	N
8208	Event ID 8208	Operational	N
8208	Persistent Reservation: REGISTER.	Reservation	N
8224	Event ID 8224	Operational	N
8224	Persistent Reservation: REGISTER AND IGNORE EXISTING KEY.	Reservation	N
8240	Event ID 8240	Operational	N
8240	Persistent Reservation: RESERVE.	Reservation	N
8256	Event ID 8256	Operational	N
8256	Persistent Reservation: RELEASE.	Reservation	N
8272	Event ID 8272	Operational	N
8272	Persistent Reservation: CLEAR.	Reservation	N
8288	Event ID 8288	Operational	N
8288	Persistent Reservation: PREEMPT.	Reservation	N
8304	Event ID 8304	Operational	N
8304	Persistent Reservation: PREEMPT AND ABORT.	Reservation	N
8320	Event ID 8320	Operational	N
8320	Persistent Reservation: Opening state.	Reservation	N
8336	Event ID 8336	Operational	N
8336	Persistent Reservation: Opening state.	Reservation	N
16400	Handle opened by initiator.	Diagnostic	N
16400	Event ID 16400	Operational	N
16416	Handle closed by initiator.	Diagnostic	N
16416	Event ID 16416	Operational	N
16432	Shared VHDX file was mounted.	Diagnostic	N
16432	Event ID 16432	Operational	N
16448	Shared VHDX file was dismounted.	Diagnostic	N
16448	Event ID 16448	Operational	N
16464	IO was completed.	Diagnostic	N
16464	Event ID 16464	Operational	N
16480	Persistent Reservation start.	Diagnostic	N
16480	Event ID 16480	Operational	N
16496	Persistent Reservation end.	Diagnostic	N
16496	Event ID 16496	Operational	N
16512	Persistent Reservation commit start.	Diagnostic	N
16512	Event ID 16512	Operational	N
16528	Persistent Reservation commit end.	Diagnostic	N
16528	Event ID 16528	Operational	N

Event ID 16: Shared VHDX filter started.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational
Level: Informational

Description

Shared VHDX filter started.

Message #

Shared VHDX filter started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Shared-VHDX",
    "guid": "{BB510E5F-2EB9-491A-81E4-F04654388F2B}",
    "event_source_name": "",
    "event_id": 16,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-30T02:30:35.6310874+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 720
    },
    "channel": "Microsoft-Windows-Hyper-V-Shared-VHDX/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Shared VHDX filter started."
}

Event ID 32: Shared VHDX filter stopped.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Shared VHDX filter stopped.

Message #

Shared VHDX filter stopped.

Event ID 48: Successfully attached to volume.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Successfully attached to volume. Volume: VolumeName.

Message #

Successfully attached to volume. Volume: %2.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString

Event ID 64: Skipped attaching to non-CSV volume.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational
Level: Verbose

Description

Skipped attaching to non-CSV volume. Volume: VolumeName.

Message #

Skipped attaching to non-CSV volume. Volume: %2.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Hyper-V-Shared-VHDX",
    "guid": "{BB510E5F-2EB9-491A-81E4-F04654388F2B}",
    "event_source_name": "",
    "event_id": 64,
    "version": 0,
    "level": 5,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T05:12:17.3512172+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 7116,
      "thread_id": 4676
    },
    "channel": "Microsoft-Windows-Hyper-V-Shared-VHDX/Operational",
    "computer": "telemetry-DC-c.cell-c.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "VolumeNameLength": "33",
    "VolumeName": "\\Device\\HarddiskVolumeShadowCopy2"
  },
  "message": "Skipped attaching to non-CSV volume. Volume: \\Device\\HarddiskVolumeShadowCopy2."
}

Event ID 80: Error attaching to volume.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Error attaching to volume. Volume: VolumeName. Error: Status.

Message #

Error attaching to volume. Volume: %2. Error: %3.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 96: Successfully detached from volume.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Successfully detached from volume. Volume: VolumeName.

Message #

Successfully detached from volume. Volume: %2.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString

Event ID 112: Error detaching from volume.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Error detaching from volume. Volume: VolumeName. Error: Status.

Message #

Error detaching from volume. Volume: %2. Error: %3.

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 128: Error opening handle for initiator.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Error opening handle for initiator. Initiator: Initiator. Hostname: HostName. File: FileName. Error: Status.

Message #

Error opening handle for initiator. Initiator: %1. Hostname: %3. File: %5. Error: %6.

Fields #

Name	Description
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 129: A deduplicated file was detected for a Shared VHDX.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

A deduplicated file was detected for a Shared VHDX.

Message #

A deduplicated file was detected for a Shared VHDX.

File: %2

Guidance:
Using a deduplicated file for a Shared VHDX file is not supported and may result in undefined behavior. Turn off data deduplication for the volume and run the PowerShell commandlet Expand-DedupFile on the file to recover.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ReparseTag` HexInt32

Event ID 130: A reparse point was detected for a Shared VHDX file.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

A reparse point was detected for a Shared VHDX file.

Message #

A reparse point was detected for a Shared VHDX file.

File: %2
Reparse Point Tag:%3

Guidance:
Shared VHDX files do not support reparse points, such as those used for symbolic links, hierarchical storage, and other technologies. Opening such a file will result in undefined behavior. The type of reparse point found is identified by the reparse point tag located above. Contact your system vendor to determine how to remove the reparse point. Also see http://technet.microsoft.com/en-us/aa365503(v=vs.71).aspx for more information.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ReparseTag` HexInt32

Event ID 144: Error while mounting Shared VHDX file.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Error while mounting Shared VHDX file. File: FileName. Error: Status.

Message #

Error while mounting Shared VHDX file. File: %2. Error: %3.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 256: Shared VHDX file IO Failure.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Shared VHDX file IO Failure. File: FileName. SCSI operation: ScsiOperation. SRB status: SrbStatus. SCSI status: ScsiStatus. Sense error code: SenseErrorCode. Sense key: SenseKey. Additional sense code: AdditionalSenseCode. Qualifier: AdditionalSenseCodeQualifier. Error: RequestStatus.

Message #

Shared VHDX file IO Failure. File: %2. SCSI operation: %3. SRB status: %4. SCSI status: %5. Sense error code: %6. Sense key: %7. Additional sense code: %8. Qualifier: %9. Error: %10.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ScsiOperation` UInt8
`SrbStatus` UInt8
`ScsiStatus` UInt8
`SenseErrorCode` UInt8
`SenseKey` UInt8
`AdditionalSenseCode` UInt8
`AdditionalSenseCodeQualifier` UInt8
`RequestStatus` HexInt32

Event ID 256

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Shared VHDX file IO Failure. File: . SCSI operation: . SRB status: . SCSI status: . Sense error code: . Sense key: . Additional sense code: . Qualifier: . Error: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ScsiOperation` UInt8
`SrbStatus` UInt8
`ScsiStatus` UInt8
`SenseErrorCode` UInt8
`SenseKey` UInt8
`AdditionalSenseCode` UInt8
`AdditionalSenseCodeQualifier` UInt8
`RequestStatus` HexInt32

Event ID 272: Shared VHDX file IO took longer than TimeoutInMs ms.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Shared VHDX file IO took longer than TimeoutInMs ms. File FileName. SCSI operation: ScsiOperation. Operation time: TimeInMs ms.

Message #

Shared VHDX file IO took longer than %1 ms. File %3. SCSI operation: %4. Operation time: %5 ms.

Fields #

Name	Description
`TimeoutInMs` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`ScsiOperation` UInt8
`TimeInMs` UInt32

Event ID 288: System out of resources.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

System out of resources.

Message #

System out of resources.

Event ID 304: Error reading metadata from the Shared VHDX file.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Message #

Error reading metadata from the Shared VHDX file. File: %2. Error: %3. This indicates a problem when loading the Persistent Reservation information from the VHDX file. The virtual machine may lose access to the shared VHDX file. The virtual machine might recover automatically, but you may need to perform manual recovery actions inside the virtual machine.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 305: No metadata found on the Shared VHDX file.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Message #

No metadata found on the Shared VHDX file. File: %2. Error: %3. There is no Persistent Reservation information in the VHDX file being opened. This is expected on the first time the Shared VHDX file is used.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 305

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 320: Error writing metadata to Shared VHDX file.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Error writing metadata to Shared VHDX file. File: FileName. Error: Status.

Message #

Error writing metadata to Shared VHDX file. File: %2. Error: %3.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 8208

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: REGISTER. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8208: Persistent Reservation: REGISTER.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: REGISTER. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: REGISTER. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8224

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: REGISTER AND IGNORE EXISTING KEY. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8224: Persistent Reservation: REGISTER AND IGNORE EXISTING KEY.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: REGISTER AND IGNORE EXISTING KEY. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: REGISTER AND IGNORE EXISTING KEY. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8240

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: RESERVE. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8240: Persistent Reservation: RESERVE.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: RESERVE. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: RESERVE. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8256

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: RELEASE. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8256: Persistent Reservation: RELEASE.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: RELEASE. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: RELEASE. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8272

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: CLEAR. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8272: Persistent Reservation: CLEAR.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: CLEAR. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: CLEAR. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8288

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: PREEMPT. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8288: Persistent Reservation: PREEMPT.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: PREEMPT. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: PREEMPT. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8304

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: PREEMPT AND ABORT. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8304: Persistent Reservation: PREEMPT AND ABORT.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: PREEMPT AND ABORT. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation: PREEMPT AND ABORT. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 8320

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: Opening state. File: . Holder: . Key: . Scope: . Type: . Generation: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Holder` GUID
`Key` UInt64
`Scope` UInt8
`Type` UInt8
`Generation` UInt32

Event ID 8320: Persistent Reservation: Opening state.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: Opening state. File: FileName. Holder: Holder. Key: Key. Scope: Scope. Type: Type. Generation: Generation.

Message #

Persistent Reservation: Opening state. File: %2. Holder: %3. Key: %4. Scope: %5. Type: %6. Generation: %7.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Holder` GUID
`Key` UInt64
`Scope` UInt8
`Type` UInt8
`Generation` UInt32

Event ID 8336

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation: Opening state. File: . Initiator: . Registration key: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`RegistrationKey` UInt64

Event ID 8336: Persistent Reservation: Opening state.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Reservation

Description

Persistent Reservation: Opening state. File: FileName. Initiator: Initiator. Registration key: RegistrationKey.

Message #

Persistent Reservation: Opening state. File: %2. Initiator: %3. Registration key: %4.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`RegistrationKey` UInt64

Event ID 16400: Handle opened by initiator.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Handle opened by initiator. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Handle opened by initiator. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16400

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Handle opened by initiator. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16416: Handle closed by initiator.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Handle closed by initiator. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Handle closed by initiator. File: %2. Initiator %3. Hostname: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16416

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Handle closed by initiator. File: . Initiator . Hostname: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16432: Shared VHDX file was mounted.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Shared VHDX file was mounted. File: FileName. Mount time: TimeInMs ms. Total Size: TotalSize. Log Size: LogSize.

Message #

Shared VHDX file was mounted. File: %2. Mount time: %3 ms. Total Size: %4. Log Size: %5.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`TimeInMs` UInt32
`TotalSize` UInt64
`LogSize` UInt64

Event ID 16432

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Shared VHDX file was mounted. File: . Mount time: ms. Total Size: . Log Size: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`TimeInMs` UInt32
`TotalSize` UInt64
`LogSize` UInt64

Event ID 16448: Shared VHDX file was dismounted.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Shared VHDX file was dismounted. File: FileName.

Message #

Shared VHDX file was dismounted. File: %2.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 16448

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Shared VHDX file was dismounted. File: .

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString

Event ID 16464: IO was completed.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

IO was completed. File: FileName. SCSI operation: ScsiOperation. Operation time: TimeInMs ms.

Message #

IO was completed. File: %2. SCSI operation: %3. Operation time: %4 ms.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ScsiOperation` UInt8
`TimeInMs` UInt32

Event ID 16464

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

IO was completed. File: . SCSI operation: . Operation time: ms.

Fields #

Name	Description
`FileNameLength` UInt16
`FileName` UnicodeString
`ScsiOperation` UInt8
`TimeInMs` UInt32

Event ID 16480: Persistent Reservation start.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Persistent Reservation start. PR: PrOperation. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation start. PR: %1. File: %3. Initiator %4. Hostname: %6.

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16480

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation start. PR: . File: . Initiator . Hostname: .

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16496: Persistent Reservation end.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Persistent Reservation end. PR: . File: . Initiator . Hostname: . SRB status: . SCSI status: . Sense error code: . Sense key: . Additional sense code: . Qualifier: . Error: .

Message #

Persistent Reservation end. PR: %1. File: %3. Initiator %4. Hostname: %6. SRB status: %7. SCSI status: %8. Sense error code: %9. Sense key: %10. Additional sense code: %11. Qualifier: %12. Error: %13.

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString
`SrbStatus` UInt8
`ScsiStatus` UInt8
`SenseErrorCode` UInt8
`SenseKey` UInt8
`AdditionalSenseCode` UInt8
`AdditionalSenseCodeQualifier` UInt8
`RequestStatus` HexInt32

Event ID 16496

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation end. PR: . File: . Initiator . Hostname: . SRB status: . SCSI status: . Sense error code: . Sense key: . Additional sense code: . Qualifier: . Error: .

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString
`SrbStatus` UInt8
`ScsiStatus` UInt8
`SenseErrorCode` UInt8
`SenseKey` UInt8
`AdditionalSenseCode` UInt8
`AdditionalSenseCodeQualifier` UInt8
`RequestStatus` HexInt32

Event ID 16512: Persistent Reservation commit start.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Persistent Reservation commit start. PR PrOperation. File: FileName. Initiator Initiator. Hostname: HostName.

Message #

Persistent Reservation commit start. PR %1. File: %3. Initiator %4. Hostname: %6.

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16512

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation commit start. PR . File: . Initiator . Hostname: .

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString

Event ID 16528: Persistent Reservation commit end.

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Diagnostic

Description

Persistent Reservation commit end. PR: PrOperation. File: FileName. Initiator Initiator. Hostname: HostName. Status: Status.

Message #

Persistent Reservation commit end. PR: %1. File: %3. Initiator %4. Hostname: %6. Status: %7.

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Event ID 16528

Provider: Microsoft-Windows-Hyper-V-Shared-VHDX
Channel: Operational

Description

Persistent Reservation commit end. PR: . File: . Initiator . Hostname: . Status: .

Fields #

Name	Description
`PrOperation` UInt32
`FileNameLength` UInt16
`FileName` UnicodeString
`Initiator` GUID
`HostNameLength` UInt16
`HostName` UnicodeString
`Status` HexInt32	NTSTATUS reference

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID bb510e5f-2eb9-491a-81e4-f04654388f2b

Defined in svhdxflt.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02

Downloads

Microsoft-Windows-Hyper-V-Shared-VHDX registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)