Microsoft-Windows-Kernel-IO
14 events across 2 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Windows has started processing the volume mount request. | Operational | Y |
| 2 | The volume has been successfully mounted. | Operational | Y |
| 3 | Windows failed to mount the volume. | Operational | Y |
| 1205 | Windows is configured to block legacy file system filters. | System | N |
| 1206 | Legacy file system filters cannot attach to byte addressable volumes. | System | N |
| 1207 | Dumps are disabled on the machine since there was an error enabling dump … | System | N |
| 1212 | Failed to automatically attach a VHD during system startup. | System | N |
| 1213 | This volume is configured to block legacy file system filters. | System | N |
| 1300 | LoadBootHotPatchesStart | Operational | N |
| 1301 | LoadBootHotPatchesStop | Operational | N |
| 1302 | WheaInitializeStart | Operational | N |
| 1303 | WheaInitializeStop | Operational | N |
| 1304 | CrashDumpInitializeStart | Operational | N |
| 1305 | CrashDumpInitializeStop | Operational | N |
Event ID 1: Windows has started processing the volume mount request.
#Description
Windows has started processing the volume mount request.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | |
VolumeNameLength UInt16 | |
VolumeName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-IO",
"guid": "{ABF1F586-2E50-4BA8-928D-49044E6F0DB7}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": -9223372036854775807,
"time_created": "2026-06-13T14:12:00.0150855+00:00",
"event_record_id": 9917,
"correlation": {},
"execution": {
"process_id": 6740,
"thread_id": 4324
},
"channel": "Microsoft-Windows-Kernel-IO/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"VolumeGuid": "{4b41a8d4-e67f-11f0-964b-806e6f6e6963}",
"VolumeNameLength": "2",
"VolumeName": "D:"
},
"message": "Windows has started processing the volume mount request.\r\n\r\n Volume GUID: {4b41a8d4-e67f-11f0-964b-806e6f6e6963}\r\n Volume Name: D:\r\n"
}
Event ID 2: The volume has been successfully mounted.
#Description
The volume has been successfully mounted.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | |
VolumeNameLength UInt16 | |
VolumeName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-IO",
"guid": "{ABF1F586-2E50-4BA8-928D-49044E6F0DB7}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": -9223372036854775807,
"time_created": "2026-06-13T10:41:37.8437748+00:00",
"event_record_id": 9412,
"correlation": {},
"execution": {
"process_id": 5200,
"thread_id": 8140
},
"channel": "Microsoft-Windows-Kernel-IO/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeGuid": "{00000000-0000-0000-0000-000000000000}",
"VolumeNameLength": "0",
"VolumeName": ""
},
"message": "The volume has been successfully mounted.\r\n\r\n Volume GUID: {00000000-0000-0000-0000-000000000000}\r\n Volume Name: \r\n"
}
Event ID 3: Windows failed to mount the volume.
#Description
Windows failed to mount the volume.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | |
VolumeNameLength UInt16 | |
VolumeName UnicodeString | |
Error HexInt32 | Status. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Kernel-IO",
"guid": "{ABF1F586-2E50-4BA8-928D-49044E6F0DB7}",
"event_source_name": "",
"event_id": 3,
"version": 0,
"level": 3,
"task": 1,
"opcode": 2,
"keywords": -9223372036854775807,
"time_created": "2026-06-13T14:12:00.0158348+00:00",
"event_record_id": 9918,
"correlation": {},
"execution": {
"process_id": 6740,
"thread_id": 4324
},
"channel": "Microsoft-Windows-Kernel-IO/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"VolumeGuid": "{4b41a8d4-e67f-11f0-964b-806e6f6e6963}",
"VolumeNameLength": "2",
"VolumeName": "D:",
"Error": "0xc0000013"
},
"message": "Windows failed to mount the volume.\r\n\r\n Status: {No Disk}\r\nThere is no disk in the drive.\r\nPlease insert a disk into drive %hs.\r\n Volume GUID: {4b41a8d4-e67f-11f0-964b-806e6f6e6963}\r\n Volume Name: D:\r\n"
}
Event ID 1205: Windows is configured to block legacy file system filters.
#Event ID 1206: Legacy file system filters cannot attach to byte addressable volumes.
#Event ID 1207: Dumps are disabled on the machine since there was an error enabling dump encryption: DumpEncryptionFailureReason.
#Event ID 1212: Failed to automatically attach a VHD during system startup.
#Description
Failed to automatically attach a VHD during system startup.
Message #
Fields #
| Name | Description |
|---|---|
NameLength UInt16 | |
Name UnicodeString | |
Status HexInt32 | NTSTATUS reference |
Event ID 1213: This volume is configured to block legacy file system filters.
#Event ID 1300: LoadBootHotPatchesStart
#Event ID 1301: LoadBootHotPatchesStop
#Event ID 1303: WheaInitializeStop
#Event ID 1304: CrashDumpInitializeStart
#Event ID 1305: CrashDumpInitializeStop
#Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {ABF1F586-2E50-4BA8-928D-49044E6F0DB7}
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3932, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02