Microsoft-Windows-Kernel-File

25 events across 1 channel

Event	Title	Channel	Sample
10	NameCreate	Analytic	Y
11	NameDelete	Analytic	Y
12	Create_V1	Analytic	Y
13	Cleanup_V1	Analytic	Y
14	Close_V1	Analytic	Y
15	Read_V1	Analytic	Y
16	Write_V1	Analytic	Y
17	SetInformation_V1	Analytic	Y
18	SetDelete_V1	Analytic	Y
19	Rename_V1	Analytic	Y
20	DirEnum_V1	Analytic	Y
21	Flush_V1	Analytic	Y
22	QueryInformation_V1	Analytic	Y
23	FSCTL_V1	Analytic	Y
24	OperationEnd	Analytic	Y
25	DirNotify_V1	Analytic	Y
26	DeletePath_V1	Analytic	Y
27	RenamePath_V1	Analytic	Y
28	SetLinkPath_V1	Analytic	N
29	Rename29_V1	Analytic	N
30	CreateNewFile_V1	Analytic	Y
31	SetSecurity_V1	Analytic	Y
32	QuerySecurity_V1	Analytic	Y
33	SetEA_V1	Analytic	N
34	QueryEA_V1	Analytic	Y

Event ID 10: NameCreate

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: NameCreate

Fields #

Name	Description
`FileKey` Pointer
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "10",
    "version": "0",
    "level": "4",
    "task": "10",
    "opcode": "0",
    "keywords": 9223372036854775824,
    "time_created": "2026-03-16T00:21:37.078046800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "8688",
      "thread_id": "2504"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileKey": "0xFFFF810C435113E0",
    "FileName": "\\Device\\HarddiskVolume4\\Temp\\etw_hv.etl"
  },
  "message": ""
}

Event ID 11: NameDelete

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: NameDelete

Fields #

Name	Description
`FileKey` Pointer
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "11",
    "version": "0",
    "level": "4",
    "task": "11",
    "opcode": "0",
    "keywords": 9223372036854775824,
    "time_created": "2026-03-16T00:21:37.779030500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6656"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "FileKey": "0xFFFF810C43172170",
    "FileName": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Beats\\9.2.3\\winlogbeat\\data\\.winlogbeat.yml.new"
  },
  "message": ""
}

Event ID 12: Create_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Create

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`IssuingThreadId` UInt32
`CreateOptions` UInt32
`CreateAttributes` UInt32
`ShareAccess` UInt32
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "12",
    "version": "1",
    "level": "4",
    "task": "12",
    "opcode": "0",
    "keywords": 9223372036854775968,
    "time_created": "2026-03-16T00:21:35.061838900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3264",
      "thread_id": "3448"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A105DBAD8",
    "FileObject": "0xFFFF980A11C43D80",
    "IssuingThreadId": "    3448",
    "CreateOptions": "0x1000060",
    "CreateAttributes": "0x0",
    "ShareAccess": "0x1",
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\Prefetch\\LOGMAN.EXE-F6000818.pf"
  },
  "message": ""
}

Event ID 13: Cleanup_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Cleanup

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "13",
    "version": "1",
    "level": "4",
    "task": "13",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.057098000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "12824",
      "thread_id": "8012"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A1150BA98",
    "FileObject": "0xFFFF980A1586E480",
    "FileKey": "0xFFFF810C2F207700",
    "IssuingThreadId": "    8012"
  },
  "message": ""
}

Event ID 14: Close_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Close

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "14",
    "version": "1",
    "level": "4",
    "task": "14",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.057163300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "12824",
      "thread_id": "8012"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A1150BA98",
    "FileObject": "0xFFFF980A1586E480",
    "FileKey": "0xFFFF810C2F207700",
    "IssuingThreadId": "    8012"
  },
  "message": ""
}

Event ID 15: Read_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Read

Fields #

Name	Description
`ByteOffset` UInt64
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32
`IOSize` UInt32
`IOFlags` UInt32
`ExtraFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "15",
    "version": "1",
    "level": "4",
    "task": "15",
    "opcode": "0",
    "keywords": 9223372036854776096,
    "time_created": "2026-03-16T00:21:35.069305000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3264",
      "thread_id": "3448"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ByteOffset": "0x0",
    "Irp": "0xFFFF980A119BB0F8",
    "FileObject": "0xFFFF980A11C43D80",
    "FileKey": "0xFFFF810C52FFA170",
    "IssuingThreadId": "    3448",
    "IOSize": "0x2",
    "IOFlags": "0x0",
    "ExtraFlags": "0x0"
  },
  "message": ""
}

Event ID 16: Write_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Write

Fields #

Name	Description
`ByteOffset` UInt64
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32
`IOSize` UInt32
`IOFlags` UInt32
`ExtraFlags` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "16",
    "version": "1",
    "level": "4",
    "task": "16",
    "opcode": "0",
    "keywords": 9223372036854776352,
    "time_created": "2026-03-16T00:21:35.057748500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "10452"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ByteOffset": "0x46000",
    "Irp": "0xFFFF980A0E10FB08",
    "FileObject": "0xFFFF980A1DA02520",
    "FileKey": "0xFFFF810C41087170",
    "IssuingThreadId": "   10452",
    "IOSize": "0x2000",
    "IOFlags": "0x60A01",
    "ExtraFlags": "0x0"
  },
  "message": ""
}

Event ID 17: SetInformation_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: SetInformation

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "17",
    "version": "1",
    "level": "4",
    "task": "17",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:36.406280900+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4",
      "thread_id": "10636"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A17BFA0F8",
    "FileObject": "0xFFFF980A10F6C260",
    "FileKey": "0xFFFF810C2E0681B0",
    "ExtraInformation": "0x1C",
    "IssuingThreadId": "   10636",
    "InfoClass": "      20"
  },
  "message": ""
}

Event ID 18: SetDelete_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: SetDelete

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "18",
    "version": "1",
    "level": "4",
    "task": "18",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:22:31.171200000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "7124",
      "thread_id": "4044"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A10A97758",
    "FileObject": "0xFFFF980A1585B7E0",
    "FileKey": "0xFFFF810C396CB170",
    "ExtraInformation": "0x1",
    "IssuingThreadId": "    4044",
    "InfoClass": "      64"
  },
  "message": ""
}

Event ID 19: Rename_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Rename

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "19",
    "version": "1",
    "level": "4",
    "task": "19",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:37.778249300+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6656"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A0DA56AF8",
    "FileObject": "0xFFFF980A126899A0",
    "FileKey": "0xFFFF810C43172170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    6656",
    "InfoClass": "      10"
  },
  "message": ""
}

Event ID 20: DirEnum_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: DirEnum

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32
`Length` UInt32
`InfoClass` UInt32
`FileIndex` UInt32
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "20",
    "version": "1",
    "level": "4",
    "task": "20",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.065257100+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "10736",
      "thread_id": "11352"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A17D957C8",
    "FileObject": "0xFFFF980A15851700",
    "FileKey": "0xFFFF810C2ACDE700",
    "IssuingThreadId": "   11352",
    "Length": "     616",
    "InfoClass": "       3",
    "FileIndex": "       0",
    "FileName": "logman\"*"
  },
  "message": ""
}

Event ID 21: Flush_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: Flush

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "21",
    "version": "1",
    "level": "4",
    "task": "21",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.372972200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6972"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A0EF5A358",
    "FileObject": "0xFFFF980A11C3D0A0",
    "FileKey": "0xFFFF810C40FC5170",
    "IssuingThreadId": "    6972"
  },
  "message": ""
}

Event ID 22: QueryInformation_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: QueryInformation

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "22",
    "version": "1",
    "level": "4",
    "task": "22",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.052538600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3668",
      "thread_id": "9620"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A0EB930F8",
    "FileObject": "0xFFFF980A11C41EA0",
    "FileKey": "0xFFFF810C40FC5170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    9620",
    "InfoClass": "      22"
  },
  "message": ""
}

Event ID 23: FSCTL_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: FSCTL

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "23",
    "version": "1",
    "level": "4",
    "task": "23",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.062034500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3264",
      "thread_id": "3448"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A11B41A08",
    "FileObject": "0xFFFF980A11C43D80",
    "FileKey": "0xFFFF810C52FFA170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    3448",
    "InfoClass": "  590059"
  },
  "message": ""
}

Event ID 24: OperationEnd

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: OperationEnd

Fields #

Name	Description
`Irp` Pointer
`ExtraInformation` Pointer
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "24",
    "version": "0",
    "level": "4",
    "task": "24",
    "opcode": "0",
    "keywords": 9223372036854775904,
    "time_created": "2026-03-16T00:21:35.052579700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3668",
      "thread_id": "9620"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A0EB930F8",
    "ExtraInformation": "0x26",
    "Status": "0x0"
  },
  "message": ""
}

Event ID 25: DirNotify_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Level: Informational
Task: DirNotify

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`IssuingThreadId` UInt32
`Length` UInt32
`InfoClass` UInt32
`FileIndex` UInt32
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "25",
    "version": "1",
    "level": "4",
    "task": "25",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:23:59.612990800+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "12488",
      "thread_id": "13240"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A16FECAC8",
    "FileObject": "0xFFFF980A1598A500",
    "FileKey": "0xFFFF810C53AE7170",
    "IssuingThreadId": "   13240",
    "Length": "      32",
    "InfoClass": "       3",
    "FileIndex": "       0",
    "FileName": ""
  },
  "message": ""
}

Event ID 26: DeletePath_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: DeletePath

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32
`FilePath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "26",
    "version": "1",
    "level": "4",
    "task": "26",
    "opcode": "0",
    "keywords": 9223372036854776832,
    "time_created": "2026-03-16T00:22:31.171214700+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "7124",
      "thread_id": "4044"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A10A97758",
    "FileObject": "0xFFFF980A1585B7E0",
    "FileKey": "0xFFFF810C396CB170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    4044",
    "InfoClass": "      64",
    "FilePath": "\\Device\\HarddiskVolume4\\Users\\domainadmin\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2hphljyo.ubn.ps1"
  },
  "message": ""
}

Event ID 27: RenamePath_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: RenamePath

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32
`FilePath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "27",
    "version": "1",
    "level": "4",
    "task": "27",
    "opcode": "0",
    "keywords": 9223372036854777856,
    "time_created": "2026-03-16T00:21:37.778427000+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "4168",
      "thread_id": "6656"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A0DA56AF8",
    "FileObject": "0xFFFF980A126899A0",
    "FileKey": "0xFFFF810C43172170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    6656",
    "InfoClass": "      10",
    "FilePath": "\\Device\\HarddiskVolume4\\Program Files\\Elastic\\Beats\\9.2.3\\winlogbeat\\data\\.winlogbeat.yml"
  },
  "message": ""
}

Event ID 28: SetLinkPath_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Task: SetLinkPath

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32
`FilePath` UnicodeString

Event ID 29: Rename29_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Task: Rename

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Event ID 30: CreateNewFile_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: CreateNewFile

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`IssuingThreadId` UInt32
`CreateOptions` UInt32
`CreateAttributes` UInt32
`ShareAccess` UInt32
`FileName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "30",
    "version": "1",
    "level": "4",
    "task": "30",
    "opcode": "0",
    "keywords": 9223372036854779904,
    "time_created": "2026-03-16T00:21:35.067497500+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3264",
      "thread_id": "3448"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A105DBAD8",
    "FileObject": "0xFFFF980A11C43D80",
    "IssuingThreadId": "    3448",
    "CreateOptions": "0x5000060",
    "CreateAttributes": "0x0",
    "ShareAccess": "0x0",
    "FileName": "\\Device\\HarddiskVolume4\\Windows\\Prefetch\\LOGMAN.EXE-F6000818.pf"
  },
  "message": ""
}

Event ID 31: SetSecurity_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: SetSecurity

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "31",
    "version": "1",
    "level": "4",
    "task": "31",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:24:30.201502200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3436",
      "thread_id": "9824"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A1F3F90F8",
    "FileObject": "0xFFFF980A1598D900",
    "FileKey": "0xFFFF810C376F7170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    9824",
    "InfoClass": "       0"
  },
  "message": ""
}

Event ID 32: QuerySecurity_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: QuerySecurity

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "32",
    "version": "1",
    "level": "4",
    "task": "32",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.065175200+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "10736",
      "thread_id": "11352"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A17D957C8",
    "FileObject": "0xFFFF980A15851700",
    "FileKey": "0xFFFF810C2ACDE700",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "   11352",
    "InfoClass": "       0"
  },
  "message": ""
}

Event ID 33: SetEA_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Task: SetEA

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Event ID 34: QueryEA_V1

Provider: Microsoft-Windows-Kernel-File
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: QueryEA

Fields #

Name	Description
`Irp` Pointer
`FileObject` Pointer
`FileKey` Pointer
`ExtraInformation` Pointer
`IssuingThreadId` UInt32
`InfoClass` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-File",
    "guid": "{edd08927-9cc4-4e65-b970-c2560fb5c289}",
    "event_source_name": "",
    "event_id": "34",
    "version": "1",
    "level": "4",
    "task": "34",
    "opcode": "0",
    "keywords": 9223372036854775840,
    "time_created": "2026-03-16T00:21:35.061972600+00:00",
    "event_record_id": 0,
    "correlation": {
      "ActivityID": "{00000000-0000-0000-0000-000000000000}"
    },
    "execution": {
      "process_id": "3264",
      "thread_id": "3448"
    },
    "channel": "Microsoft-Windows-Kernel-File/Analytic",
    "computer": "",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Irp": "0xFFFF980A11B41A08",
    "FileObject": "0xFFFF980A11C43D80",
    "FileKey": "0xFFFF810C52FFA170",
    "ExtraInformation": "0x0",
    "IssuingThreadId": "    3448",
    "InfoClass": "       0"
  },
  "message": ""
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {EDD08927-9CC4-4E65-B970-C2560FB5C289}

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Kernel-File

Event ID 10: NameCreate

Fields #

Example Event #

Event ID 11: NameDelete

Fields #

Example Event #

Event ID 12: Create_V1

Fields #

Example Event #

Event ID 13: Cleanup_V1

Fields #

Example Event #

Event ID 14: Close_V1

Fields #

Example Event #

Event ID 15: Read_V1

Fields #

Example Event #

Event ID 16: Write_V1

Fields #

Example Event #

Event ID 17: SetInformation_V1

Fields #

Example Event #

Event ID 18: SetDelete_V1

Fields #

Example Event #

Event ID 19: Rename_V1

Fields #

Example Event #

Event ID 20: DirEnum_V1

Fields #

Example Event #

Event ID 21: Flush_V1

Fields #

Example Event #

Event ID 22: QueryInformation_V1

Fields #

Example Event #

Event ID 23: FSCTL_V1

Fields #

Example Event #

Event ID 24: OperationEnd

Fields #

Example Event #

Event ID 25: DirNotify_V1

Fields #

Example Event #

Event ID 26: DeletePath_V1

Fields #

Example Event #

Event ID 27: RenamePath_V1

Fields #

Example Event #

Event ID 28: SetLinkPath_V1

Fields #

Event ID 29: Rename29_V1

Fields #

Event ID 30: CreateNewFile_V1

Fields #

Example Event #

Event ID 31: SetSecurity_V1

Fields #

Example Event #

Event ID 32: QuerySecurity_V1

Fields #

Example Event #

Event ID 33: SetEA_V1

Fields #

Event ID 34: QueryEA_V1

Fields #

Example Event #

Provenance

Downloads