Microsoft-Windows-Kernel-StoreMgr

19 events across 2 channels

Event ID 1: StoreAdd_V2

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreAdd

Fields

Name Description
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Event ID 2: StoreRemove_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreRemove

Fields

Name Description
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32

Event ID 3: StoreCreate_V3

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreCreate
Opcode: Info

Fields

Name Description
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Event ID 4: StoreDelete_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreDelete

Fields

Name Description
StoreKey Pointer

Event ID 5: StoreRundown

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: StoreRundown
Opcode: Info

Fields

Name Description
StoreKey Pointer
StoreFileKey Pointer
UserDataMgr Pointer
MetadataMgr Pointer
RegionSize UInt32
RegionCount UInt32
BlockSize UInt32
SectorSize UInt32
EncryptionStrength UInt32
StoreType UInt16
StoreId UInt16
BlocksStored UInt32
RegionsInUse UInt32
TotalSpaceUsed UInt32
Flags UInt32
MetaRegionCount UInt32
MetaRegionsInUse UInt32
MetaRegionsSpaceUsed UInt32
StoreTime UInt32
OwnerProcessId UInt32
PartitionId UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-StoreMgr",
    "guid": "{A6AD76E3-867A-4635-91B3-4904BA6374D7}",
    "event_source_name": "",
    "event_id": 5,
    "version": 4,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": "0x0000000000000100",
    "time_created": "2026-06-02T05:56:58.582+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 14692,
      "thread_id": 12248
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BlockSize": 4096,
    "BlocksStored": 58815,
    "EncryptionStrength": 0,
    "Flags": 3278848,
    "MetaRegionCount": 0,
    "MetaRegionsInUse": 0,
    "MetaRegionsSpaceUsed": 0,
    "MetadataMgr": "0xFFFFBD09EDC74970",
    "OwnerProcessId": 0,
    "PartitionId": 0,
    "RegionCount": 65504,
    "RegionSize": 131072,
    "RegionsInUse": 660,
    "SectorSize": 0,
    "StoreFileKey": "0x0",
    "StoreId": 1024,
    "StoreKey": "0xFFFFBD09EDC74000",
    "StoreTime": 0,
    "StoreType": 0,
    "TotalSpaceUsed": 4930635,
    "UserDataMgr": "0xFFFFBD09EDC74050"
  },
  "message": "StoreRundown"
}

Event ID 6: VirtualAddress Virtual Address: Physical_Address Physical Address: Corruption_Window_Size Corruption Window Size: DataMgr.

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Operational
Task: StoreCorruption

Description

FileBacked Virtual Address: VirtualAddress Physical Address: PhysicalAddress Corruption Window Size: Size

Message

%5

Virtual Address: %2
Physical Address: %3
Corruption Window Size: %4

Fields

Name Description
DataMgr Pointer
VirtualAddress Pointer
PhysicalAddress UInt64
Size UInt16
FileBacked UInt8
CorruptionType UInt8
Flags UInt32

Event ID 7: StorePageRundown

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: StorePageRundown
Opcode: win:Info

Fields

Name Description
DataKey UInt32
DataMgr Pointer
StoreOffset UInt32
CompressedSize UInt16
Flags UInt16

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-StoreMgr",
    "guid": "{A6AD76E3-867A-4635-91B3-4904BA6374D7}",
    "event_source_name": "",
    "event_id": 7,
    "version": 1,
    "level": 4,
    "task": 7,
    "opcode": 0,
    "keywords": "0x0000000000000080",
    "time_created": "2026-06-02T05:56:58.591+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3040,
      "thread_id": 3320
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CompressedSize": 26,
    "DataKey": 5,
    "DataMgr": "0xFFFFBD09EDC74050",
    "Flags": 0,
    "StoreOffset": 17826475
  },
  "message": "StorePageRundown"
}

Event ID 8: RegionEvict_V2

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: RegionEvict

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 9: RegionWrite_V2

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: RegionWrite

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 10: A ReadyBoost cache failed to persist across boot.

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Operational
Task: UnpersistFailure

Description

A ReadyBoost cache failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Message

A ReadyBoost cache failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Fields

Name Description
FailReason UInt32
FailStatus HexInt32
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 11: StoreIoStats_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreIoStats

Fields

Name Description
StoreKey Pointer
Size UInt32
Data Binary

Event ID 12: GlobalStats_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: GlobalStats

Fields

Name Description
Size UInt32
Data Binary

Event ID 13: StoreEmpty_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: StoreEmpty

Fields

Name Description
StoreKey Pointer
Param Pointer

Event ID 14: RegionRelease_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: RegionRelease

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 15: RegionCompactStart_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: RegionCompact
Opcode: Start

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 16: RegionCompactStop_V1

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Task: RegionCompact
Opcode: Stop

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Event ID 17: RegionRundown

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: RegionRundown
Opcode: win:Info

Fields

Name Description
DataMgr Pointer
RegionIndex UInt32
Status UInt32 NTSTATUS reference
SpaceUsed UInt16
LastAccessTime UInt16

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-StoreMgr",
    "guid": "{A6AD76E3-867A-4635-91B3-4904BA6374D7}",
    "event_source_name": "",
    "event_id": 17,
    "version": 1,
    "level": 4,
    "task": 16,
    "opcode": 0,
    "keywords": "0x0000000000000080",
    "time_created": "2026-06-02T05:56:58.583+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 3040,
      "thread_id": 3320
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "DataMgr": "0xFFFFBD09EDC74050",
    "LastAccessTime": 0,
    "RegionIndex": 0,
    "SpaceUsed": 7573,
    "Status": 0
  },
  "message": "RegionRundown"
}

Event ID 18: Device_name Device name: FailStatus Cache path: DeviceDescription.

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Operational
Task: CacheTermination

Description

Reason Device name: DeviceDescription Cache path: ObjectPath

Message

%1

Device name: %4
Cache path: %6

Fields

Name Description
Reason UInt8
FailStatus HexInt32
DeviceDescLength UInt16
DeviceDescription UnicodeString
ObjectPathLength UInt16
ObjectPath UnicodeString

Event ID 19: task_0

Provider: Microsoft-Windows-Kernel-StoreMgr
Channel: Operational
Opcode: Info

Fields

Name Description
SqmType UInt32
SqmSessionGuid GUID
SqmID UInt32
SqmStreamRowLength UInt32
SqmStreamRow Int16

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {A6AD76E3-867A-4635-91B3-4904BA6374D7}

Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.

Observed on:

  • Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
  • Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02
