Microsoft-Windows-Ntfs
72 events across 4 channels
Event ID 1: RundownStart
#Description
RundownStart.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 5,
"opcode": 1,
"keywords": "0x1000000000000010",
"time_created": "2026-06-02T05:29:46.295+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0001-D39A-828753F0DC01}"
},
"execution": {
"process_id": 13444,
"thread_id": 12168
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Rundown"
}
Event ID 2: RundownComplete
#Description
RundownComplete.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 5,
"opcode": 2,
"keywords": "0x1000000000000010",
"time_created": "2026-06-02T05:29:46.295+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0001-D39A-828753F0DC01}"
},
"execution": {
"process_id": 13444,
"thread_id": 12168
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "Rundown"
}
Event ID 3: RundownVolumeInformation VolumeId: RundownVolumeInformation_VolumeId, DeviceName: Vcb.
#Description
RundownVolumeInformation VolumeId: RundownVolumeInformation_VolumeId, DeviceName: Vcb.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 3,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": "0x1000000000000010",
"time_created": "2026-06-02T05:29:46.295+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{877F78A1-F053-0001-D39A-828753F0DC01}"
},
"execution": {
"process_id": 13444,
"thread_id": 12168
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"DeviceName": "\\Device\\HarddiskVolume1",
"DeviceNameLength": 23,
"Vcb": "0x0"
},
"message": "Rundown"
}
Event ID 4: The NTFS volume has been successfully mounted.
#Description
The NTFS volume has been successfully mounted.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | Volume name. |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
Vcb Pointer | |
MountDurationUs UInt64 | |
MountDuration UnicodeString | Total mount duration. |
LongestStage UInt64 | |
LongestStageDuration UnicodeString | |
LongestStagePercentage UInt64 | |
SecondLongestStage UInt64 | |
SecondLongestStageDuration UnicodeString | |
SecondLongestStagePercentage UInt64 | |
RestartApplied Boolean | Volume restart applied. |
IsBootVolume Boolean | |
Stage1DurationUs UInt64 | |
Stage2DurationUs UInt64 | |
Stage3DurationUs UInt64 | |
Stage4DurationUs UInt64 | |
Stage5DurationUs UInt64 | |
Stage6DurationUs UInt64 | |
Stage7DurationUs UInt64 | |
Stage8DurationUs UInt64 | |
Stage9DurationUs UInt64 | |
Stage10DurationUs UInt64 | |
DeviceNumber | |
NativeNVMe |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 4,
"version": 1,
"level": 4,
"task": 6,
"opcode": 0,
"keywords": 4611967493404098592,
"time_created": "2026-05-29T16:32:44.9878791+00:00",
"event_record_id": 457,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 200
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeIdLength": "2",
"VolumeId": "C:",
"VolumeLabelLength": "12",
"VolumeLabel": "Windows 2022",
"DeviceNameLength": "23",
"DeviceName": "\\Device\\HarddiskVolume1",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorIdLength": "8",
"VendorId": "Red Hat ",
"ProductIdLength": "6",
"ProductId": "VirtIO",
"ProductRevisionLength": "4",
"ProductRevision": "0001",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": "",
"Vcb": "0xffffd3853a0b61b0",
"MountDurationUs": "61931",
"MountDuration": "61 ms",
"LongestStage": "7",
"LongestStageDuration": "46 ms",
"LongestStagePercentage": "76",
"SecondLongestStage": "4",
"SecondLongestStageDuration": "15 ms",
"SecondLongestStagePercentage": "24",
"RestartApplied": "false",
"IsBootVolume": "true",
"Stage1DurationUs": "0",
"Stage2DurationUs": "0",
"Stage3DurationUs": "0",
"Stage4DurationUs": "15056",
"Stage5DurationUs": "0",
"Stage6DurationUs": "0",
"Stage7DurationUs": "46875",
"Stage8DurationUs": "0",
"Stage9DurationUs": "0",
"Stage10DurationUs": "0"
},
"message": "The NTFS volume has been successfully mounted.\r\n\r\n Volume correlation Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Volume label: Windows 2022\r\n\r\n Device name: \\Device\\HarddiskVolume1\r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n\r\n Adapter serial number: \r\n \r\n Total mount duration: 61 ms\r\n Longest stage: 7. Duration 46 ms (76% of the total)\r\n Second longest stage: 4. Duration 15 ms (24% of the total)\r\n Volume restart applied: false\r\n"
}
Event ID 5: NTFS KSR data retrieved successfully.
#Event ID 6: NTFS KSR data retrieval failed.
#Event ID 7: Ntfs has detected torn write on a volume.
#Description
Ntfs has detected torn write on a volume.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
FileReference UInt64 | |
FileNameLength UInt32 | |
FileName UnicodeString | |
BufferOffset UInt64 | |
TornStructureOffset UInt32 | |
BlockIndex UInt16 | |
ExpectedSequenceNumber UInt16 | |
ActualSequenceNumber UInt16 | |
FrsFileReference UInt64 | |
FrsFileNameLength UInt32 | |
FrsFileName UnicodeString | |
IsChildFRS Boolean |
Event ID 8: File's duplicate info has been updated during flush.
#Description
File's duplicate info has been updated during flush.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
FileReference UInt64 | |
FileNameLength UInt32 | |
FileName UnicodeString | |
FileLinkNameLength UInt32 | |
FileLinkName UnicodeString | |
ParentFileReference UInt64 | |
ParentFileNameLength UInt32 | |
ParentFileName UnicodeString | |
Reason HexInt32 | |
ReasonText UInt16 |
Event ID 9: NTFS scanned entire volume bitmap.
#Description
NTFS scanned entire volume bitmap.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | Volume name. |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
DurationUs UInt32 | Duration (micro seconds). |
InputFlags HexInt32 | |
Reason UInt32 | |
Flags HexInt32 | |
NativeNVMe |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 9,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-05-29T16:32:44.9878759+00:00",
"event_record_id": 456,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 196
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeIdLength": "2",
"VolumeId": "C:",
"VolumeLabelLength": "12",
"VolumeLabel": "Windows 2022",
"DeviceNameLength": "23",
"DeviceName": "\\Device\\HarddiskVolume1",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorIdLength": "8",
"VendorId": "Red Hat ",
"ProductIdLength": "6",
"ProductId": "VirtIO",
"ProductRevisionLength": "4",
"ProductRevision": "0001",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": "",
"DurationUs": "42083",
"InputFlags": "0xe",
"Reason": "1",
"Flags": "0x10"
},
"message": "NTFS scanned entire volume bitmap.\r\n\r\n Volume correlation Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Volume label: Windows 2022\r\n\r\n Device name: \\Device\\HarddiskVolume1\r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n\r\n Adapter serial number: \r\n\r\n Duration (micro seconds): 42083\r\n InputFlags: 0xE\r\n Reason: Mount\r\n Flags: 0x10\r\n"
}
Event ID 10: NTFS cached runs statistics.
#Description
NTFS cached runs statistics.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeId UnicodeString | Volume name. |
VolumeLabel UnicodeString | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorId UnicodeString | Device manufacturer. |
ProductId UnicodeString | Device model. |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumber UnicodeString | |
MediaType | |
RunsCached | |
LongestRunCached | |
LongestRunCachedStr | |
MostPopulatedBinCount | |
MostPopulatedBinMinLength | |
MostPopulatedBinMinLengthStr | |
MostPopulatedBinMaxLength | |
MostPopulatedBinMaxLengthStr | |
TotalCachedRuns | |
CachedRunsLogged | |
CachedRunsAlignment | |
RunsInCachedRuns | |
LongestRunInCachedRuns | |
MostPopulatedBinCountInCachedRuns | |
MostPopulatedBinMinLengthInCachedRuns | |
MostPopulatedBinMaxLengthInCachedRuns | |
CapacityTierName | |
CapacityMediaType | |
CapacityRunsCached | |
CapacityLongestRunCached | |
CapacityLongestRunCachedStr | |
CapacityMostPopulatedBinCount | |
CapacityMostPopulatedBinMinLength | |
CapacityMostPopulatedBinMinLengthStr | |
CapacityMostPopulatedBinMaxLength | |
CapacityMostPopulatedBinMaxLengthStr | |
CapacityTotalCachedRuns | |
CapacityCachedRunsLogged | |
CapacityCachedRunsAlignment | |
CapacityRunsInCachedRuns | |
CapacityLongestRunInCachedRuns | |
CapacityMostPopulatedBinCountInCachedRuns | |
CapacityMostPopulatedBinMinLengthInCachedRuns | |
CapacityMostPopulatedBinMaxLengthInCachedRuns | |
PerfTierName | |
PerfMediaType | |
PerfRunsCached | |
PerfLongestRunCached | |
PerfLongestRunCachedStr | |
PerfMostPopulatedBinCount | |
PerfMostPopulatedBinMinLength | |
PerfMostPopulatedBinMinLengthStr | |
PerfMostPopulatedBinMaxLength | |
PerfMostPopulatedBinMaxLengthStr | |
PerfTotalCachedRuns | |
PerfCachedRunsLogged | |
PerfCachedRunsAlignment | |
PerfRunsInCachedRuns | |
PerfLongestRunInCachedRuns | |
PerfMostPopulatedBinCountInCachedRuns | |
PerfMostPopulatedBinMinLengthInCachedRuns | |
PerfMostPopulatedBinMaxLengthInCachedRuns |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-05-29T16:32:44.9878958+00:00",
"event_record_id": 458,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 196
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeId": "C:",
"VolumeLabel": "Windows 2022",
"DeviceName": "\\Device\\HarddiskVolume1",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorId": "Red Hat ",
"ProductId": "VirtIO",
"ProductRevision": "0001",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumber": "",
"MediaType": "1",
"RunsCached": "818",
"LongestRunCached": "33034878976",
"LongestRunCachedStr": "30.77 GB",
"MostPopulatedBinCount": "278",
"MostPopulatedBinMinLength": "0",
"MostPopulatedBinMinLengthStr": "0 Bytes",
"MostPopulatedBinMaxLength": "4096",
"MostPopulatedBinMaxLengthStr": "4 KB",
"TotalCachedRuns": "1",
"CachedRunsLogged": "1",
"CachedRunsAlignment": "1",
"RunsInCachedRuns": "818",
"LongestRunInCachedRuns": "33034878976",
"MostPopulatedBinCountInCachedRuns": "278",
"MostPopulatedBinMinLengthInCachedRuns": "0",
"MostPopulatedBinMaxLengthInCachedRuns": "4096"
},
"message": "NTFS cached runs statistics.\r\n\r\n Volume correlation Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Volume label: Windows 2022\r\n\r\n Device name: \\Device\\HarddiskVolume1\r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n\r\n Adapter serial number: \r\n\r\n Media type: Hard disk\r\n Runs cached: 818\r\n Longest run cached: 30.77 GB\r\n Most populated bin Count: 278\r\n Most populated bin's minimum length: 0 Bytes\r\n Most populated bin's maximum length: 4 KB\r\n"
}
Event ID 11: NTFS KSR data prepared successfully.
#Event ID 12: NTFS KSR data prepare failed.
#Event ID 13: NTFS KSR data filled successfully.
#Event ID 14: NTFS KSR data fill failed.
#Event ID 98: Volume DriveName (DeviceName) CorruptionActionState.
#Description
Volume DriveName (DeviceName) CorruptionActionState.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
DriveName UnicodeString | ||
DeviceName UnicodeString | 1 detection rule | |
CorruptionActionState UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 98,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775806,
"time_created": "2026-05-29T16:32:44.9878875+00:00",
"event_record_id": 6677,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 200
},
"channel": "System",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"DriveName": "C:",
"DeviceName": "\\Device\\HarddiskVolume1",
"CorruptionActionState": "0"
},
"message": "Volume C: (\\Device\\HarddiskVolume1) is healthy. No action is needed."
}
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
Event ID 100: NTFS global corruption action state is now hc_stateid.
#Description
NTFS global corruption action state is now hc_stateid.
Message #
Fields #
| Name | Description |
|---|---|
hc_stateid UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693953,
"time_created": "2026-05-29T16:32:44.7906763+00:00",
"event_record_id": 16,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "Microsoft-Windows-Ntfs/WHC",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"hc_stateid": "0"
},
"message": "NTFS global corruption action state is now 0."
}
Event ID 139: The file system structure that maintains security information on volume DriveName (DeviceName) has grown excessively large and fragmented.
#Description
The file system structure that maintains security information on volume DriveName (DeviceName) has grown excessively large and fragmented. The structure has reached FragmentationLevel% of its maximum fragmentation limit. If the structure continues to grow and reaches this limit, it may not be possible to create new files on this volume. It is strongly recommended that the volume be taken offline for preventative maintenance.
Message #
Fields #
| Name | Description |
|---|---|
DriveName UnicodeString | |
DeviceName UnicodeString | |
FragmentationLevel UInt16 |
Event ID 140: The system failed to flush data to the transaction log.
#Description
The system failed to flush data to the transaction log. Corruption may occur in VolumeId: VolumeId, DeviceName: DeviceName.
Message #
Fields #
| Name | Description |
|---|---|
VolumeIdLength UInt32 | |
VolumeId UnicodeString | |
DeviceNameLength UInt32 | |
DeviceName UnicodeString | The system failed to flush data to the transaction log. Corruption may occur in VolumeId. |
Error HexInt32 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString |
Event ID 141: An operation failed because the disk was full.
#Description
An operation failed because the disk was full.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
ProcessNameLength UInt32 | |
ProcessName UnicodeString | |
IsBootVolume Boolean | |
FreeSpaceInBytes UInt64 | |
TotalReservedSpaceInBytes UInt64 | |
TotalAbortReservationSpaceInBytes UInt64 | |
RequestedSpaceInBytes UInt64 | |
PageFileSize UInt64 | |
SourceTag HexInt64 |
Event ID 142: Summary of disk space usage, since last event.
#Description
Summary of disk space usage, since last event.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | [Summary of disk space usage, since last event] Volume guid. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | [Summary of disk space usage, since last event] Volume name. |
IsBootVolume Boolean | [Summary of disk space usage, since last event] Is boot volume. |
ElapsedSeconds UInt64 | [Summary of disk space usage, since last event] Elapsed seconds. |
AvailabeSpaceMinStr UnicodeString | |
AvailabeSpaceMaxStr UnicodeString | |
AvailabeSpaceDeltaStr UnicodeString | [Summary of disk space usage, since last event] Change in available space. |
AvailableClustersMin UInt64 | [Summary of disk space usage, since last event] Available clusters were between. |
AvailableClustersMax UInt64 | |
UnallocatedClustersMin UInt64 | |
UnallocatedClustersMax UInt64 | |
ReservedClustersMin UInt64 | [Summary of disk space usage, since last event] Reserved clusters were between. |
ReservedClustersMax UInt64 | |
TxfAbortReservedClustersMin UInt64 | [Summary of disk space usage, since last event] Txf abort reserved clusters were between. |
TxfAbortReservedClustersMax UInt64 | |
PageFileSizeInBytes UInt64 | |
PageFileSizeStr UnicodeString | [Summary of disk space usage, since last event] Pagefile size. |
VolumeSizeInBytes UInt64 | |
VolumeSizeStr UnicodeString | [Summary of disk space usage, since last event] Volume size. |
ClusterSize UInt64 | [Summary of disk space usage, since last event] Bytes per cluster. |
CachedRunsMissCountForMft UInt32 | |
CachedRunsMissCountForMftZone UInt32 | [Summary of disk space usage, since last event] Slab size. |
CachedRunsMissCount UInt32 | [Summary of disk space usage, since last event] Slabs in use. |
SlabSizeInClusters | |
SlabSizeStr | |
SlabsInUse | |
TotalSlabsCount | |
MapFailureCount |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 142,
"version": 3,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-06-13T13:39:59.5439065+00:00",
"event_record_id": 591,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4356
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeGuid": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeNameLength": "2",
"VolumeName": "C:",
"IsBootVolume": "true",
"ElapsedSeconds": "3603",
"AvailabeSpaceMinStr": "228.07 GB",
"AvailabeSpaceMaxStr": "228.11 GB",
"AvailabeSpaceDeltaStr": "38.99 MB",
"AvailableClustersMin": "59785775",
"AvailableClustersMax": "59795755",
"UnallocatedClustersMin": "59911572",
"UnallocatedClustersMax": "59921552",
"ReservedClustersMin": "124288",
"ReservedClustersMax": "124288",
"TxfAbortReservedClustersMin": "1024",
"TxfAbortReservedClustersMax": "1024",
"PageFileSizeInBytes": "2550136832",
"PageFileSizeStr": "2.38 GB",
"VolumeSizeInBytes": "268433354752",
"VolumeSizeStr": "250 GB",
"ClusterSize": "4096",
"CachedRunsMissCountForMft": "0",
"CachedRunsMissCountForMftZone": "0",
"CachedRunsMissCount": "0"
},
"message": "Summary of disk space usage, since last event:\r\n\r\n Available space was between 228.07 GB and 228.11 GB\r\n Change in available space: 38.99 MB\r\n \r\n Available clusters were between: 59785775 and 59795755\r\n Reserved clusters were between: 124288 and 124288\r\n Txf abort reserved clusters were between: 1024 and 1024\r\n \r\n Elapsed seconds: 3603\r\n \r\n Pagefile size: 2.38 GB\r\n Volume size: 250 GB\r\n Bytes per cluster: 4096\r\n \r\n Volume guid: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Is boot volume: true\r\n \r\n Cached runs miss counts:\r\n For MFT: 0\r\n For MFT zone: 0\r\n Everything else: 0\r\n"
}
Event ID 143: Surprise removal of a persistent memory device with active DAX mappings.
#Description
Surprise removal of a persistent memory device with active DAX mappings. This might lead to data corruption.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
VolumeGuid GUID | |
VolumeNameLength UInt16 | |
VolumeName UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString |
Event ID 144: A volume that already has DAX mappings is being mounted.
#Description
A volume that already has DAX mappings is being mounted. This generally occurs after surprise removal. This might lead to data corruption.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
VolumeGuid GUID | |
VolumeNameLength UInt16 | |
VolumeName UnicodeString |
Event ID 145: IO latency summary common data for volume.
#Description
IO latency summary common data for volume.
Message #
Fields #
| Name | Description |
|---|---|
Version UInt32 | |
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
TierIndex UInt32 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
MaxLatencyMs UInt64 | |
ReadWriteLatencyBucket1 Int64 | |
ReadWriteLatencyBucket2 Int64 | |
ReadWriteLatencyBucket3 Int64 | |
ReadWriteLatencyBucket4 Int64 | |
ReadWriteLatencyBucket5 Int64 | |
ReadWriteLatencyBucket6 Int64 | |
ReadWriteLatencyBucket7 Int64 | |
TrimLatencyBucket1 Int64 | |
TrimLatencyBucket2 Int64 | |
TrimLatencyBucket3 Int64 | |
TrimLatencyBucket4 Int64 | |
TrimLatencyBucket5 Int64 | |
TrimLatencyBucket6 Int64 | |
TrimLatencyBucket7 Int64 | |
FlushLatencyBucket1 Int64 | |
FlushLatencyBucket2 Int64 | |
FlushLatencyBucket3 Int64 | |
FlushLatencyBucket4 Int64 | |
FlushLatencyBucket5 Int64 | |
FlushLatencyBucket6 Int64 | |
FlushLatencyBucket7 Int64 |
Event ID 146: IO latency summary.
#Description
IO latency summary.
Message #
Fields #
| Name | Description |
|---|---|
Version UInt32 | |
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
TierIndex UInt32 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
MaxLatencyMs UInt64 | |
ReadWriteLatencyBucket1 Int64 | |
ReadWriteLatencyBucket2 Int64 | |
ReadWriteLatencyBucket3 Int64 | |
ReadWriteLatencyBucket4 Int64 | |
ReadWriteLatencyBucket5 Int64 | |
ReadWriteLatencyBucket6 Int64 | |
ReadWriteLatencyBucket7 Int64 | |
TrimLatencyBucket1 Int64 | |
TrimLatencyBucket2 Int64 | |
TrimLatencyBucket3 Int64 | |
TrimLatencyBucket4 Int64 | |
TrimLatencyBucket5 Int64 | |
TrimLatencyBucket6 Int64 | |
TrimLatencyBucket7 Int64 | |
FlushLatencyBucket1 Int64 | |
FlushLatencyBucket2 Int64 | |
FlushLatencyBucket3 Int64 | |
FlushLatencyBucket4 Int64 | |
FlushLatencyBucket5 Int64 | |
FlushLatencyBucket6 Int64 | |
FlushLatencyBucket7 Int64 | |
HighIoLatencyCount UInt32 | |
IntervalDurationUs Int64 | |
NCReadIOCount UInt64 | |
NCReadTotalBytes UInt64 | |
NCReadAvgLatencyNs UInt64 | |
NCWriteIOCount UInt64 | |
NCWriteTotalBytes UInt64 | |
NCWriteAvgLatencyNs UInt64 | |
FileFlushCount UInt64 | |
FileFlushAvgLatencyNs UInt64 | |
DirectoryFlushCount UInt64 | |
DirectoryFlushAvgLatencyNs UInt64 | |
VolumeFlushCount UInt64 | |
VolumeFlushAvgLatencyNs UInt64 | |
FileLevelTrimCount UInt64 | |
FileLevelTrimTotalBytes UInt64 | |
FileLevelTrimExtentsCount UInt64 | |
FileLevelTrimAvgLatencyNs UInt64 | |
VolumeTrimCount UInt64 | |
VolumeTrimTotalBytes UInt64 | |
VolumeTrimExtentsCount UInt64 | |
VolumeTrimAvgLatencyNs UInt64 | |
IoBucketsCount UInt8 | |
TotalBytesBucketsCount UInt8 | |
ExtentsBucketsCount UInt8 | |
IoCount UInt64 | |
TotalLatencyUs UInt64 | |
TotalBytes UInt64 | |
TrimExtentsCount UInt64 | |
IoTypeIndex UInt16 | |
VcbExAcquireCount UInt32 | |
VcbExMaxWaitDurationMs UInt64 | |
VcbExAvgWaitDurationMs UInt64 | |
VcbExMaxHoldDurationMs UInt64 | |
VcbExAvgHoldDurationMs UInt64 | |
VcbExMaxCombinedDurationMs UInt64 | |
VcbExAvgCombinedDurationMs UInt64 |
Event ID 147: An IO took more than MaxLatencyMs ms to complete.
#Description
An IO took more than MaxLatencyMs ms to complete.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
MaxLatencyMs UInt64 | |
ProcessId UInt32 | |
ProcessName AnsiString | |
FileNameLength UInt32 | |
FileName UnicodeString | |
FileIdHigh HexInt64 | |
FileIdLow HexInt64 | |
IoType UInt16 | |
IoTypeStr UnicodeString | IO Type. |
LatencyMs UInt64 | |
DeviceGuid GUID | Device model. |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device revision. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device serial number. |
ProductRevisionLength UInt32 | Bus type. |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | Adapter serial number. |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
NativeNVMe |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 147,
"version": 5,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611967493406195712,
"time_created": "2026-06-13T04:35:04.3813224+00:00",
"event_record_id": 287,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5044
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeNameLength": "2",
"VolumeName": "C:",
"IsBootVolume": "true",
"MaxLatencyMs": "30000",
"ProcessId": "1544",
"ProcessName": "svchost.exe",
"FileNameLength": "50",
"FileName": "\\Windows\\ServiceState\\EventLog\\Data\\lastalive0.dat",
"FileIdHigh": "0x0",
"FileIdLow": "0xa000000010f88",
"IoType": "25",
"IoTypeStr": "Open file",
"LatencyMs": "30047",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorIdLength": "8",
"VendorId": "Red Hat ",
"ProductIdLength": "6",
"ProductId": "VirtIO",
"ProductRevisionLength": "4",
"ProductRevision": "0001",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": ""
},
"message": "An IO took more than 30000 ms to complete:\r\n\r\n Process Id: 1544\r\n Process name: svchost.exe\r\n File name: \\Windows\\ServiceState\\EventLog\\Data\\lastalive0.dat\r\n IO Type: Open file\r\n Latency: 30047 ms\r\n\r\n Volume Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Is boot volume: true\r\n\r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n\r\n Adapter serial number: \r\n"
}
Event ID 148: A FileIdHigh failed with StartingLcn.
#Description
A FileIdHigh failed with StartingLcn.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
ProcessId UInt32 | |
ProcessName AnsiString | |
FileNameLength UInt32 | |
FileName UnicodeString | |
FileIdHigh HexInt64 | |
FileIdLow HexInt64 | |
IoType UInt32 | |
IoSize UInt32 | |
FileOffset UInt64 | |
StartingLcn UInt64 | |
ClustersCount UInt32 | |
FailureStatus HexInt32 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString |
Event ID 149: In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.
#Description
In the past SecondsElapsed seconds we had high latency IOs and/or IO failures.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
SecondsElapsed UInt32 | |
HighLatencyCount UInt32 | High latency IO count. |
FailedWriteCount UInt32 | Failed writes. |
FailedReadCount UInt32 | Failed reads. |
BadClusterHotfixCount UInt32 | Bad clusters relocated. |
ValuesCount UInt32 | |
HighLatencyArray UInt32 | |
FailedWriteArray UInt32 | |
FailedReadArray UInt32 | |
BadClusterHotfixArray UInt32 | |
StatusArray HexInt32 | |
TableIndexArray UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 149,
"version": 2,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611967493406195712,
"time_created": "2023-11-06T01:32:12.814212+00:00",
"event_record_id": 249,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 18088
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
"VolumeNameLength": 2,
"VolumeName": "C:",
"IsBootVolume": true,
"DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
"VendorIdLength": 8,
"VendorId": "VMware, ",
"ProductIdLength": 16,
"ProductId": "VMware Virtual S",
"ProductRevisionLength": 4,
"ProductRevision": "1.0 ",
"DeviceSerialNumberLength": 0,
"DeviceSerialNumber": "",
"BusType": 10,
"AdapterSerialNumberLength": 0,
"AdapterSerialNumber": "",
"SecondsElapsed": 3602,
"HighLatencyCount": 4,
"FailedWriteCount": 0,
"FailedReadCount": 0,
"BadClusterHotfixCount": 0,
"ValuesCount": 3,
"HighLatencyArray": 1,
"FailedWriteArray": 0,
"FailedReadArray": 0,
"BadClusterHotfixArray": 0,
"StatusArray": "0x0",
"TableIndexArray": 3
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 150: An IO failed with FailureStatus and NTFS has relocated the clusters.
#Description
An IO failed with FailureStatus and NTFS has relocated the clusters. The original clusters are now marked as bad and they will not be reused.
Message #
Fields #
| Name | Description |
|---|---|
VolumeGuid GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
ProcessId UInt32 | |
ProcessName AnsiString | |
FileNameLength UInt32 | |
FileName UnicodeString | |
BadFileOffset UInt64 | |
BadLcn UInt64 | |
ClustersCount UInt32 | |
FailureStatus HexInt32 |
Event ID 151: In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from the user's popular known folders.
#Description
In the past SecondsElapsed seconds TotalCountDeleteFile files were deleted from the user's popular known folders (i.e. Desktop, Documents, Downloads, Music, Pictures, Videos, etc.).
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
SecondsElapsed UInt32 | |
TotalCountDeleteFile UInt32 | |
TotalCountDeleteFileLogged UInt32 | |
ProcessNamesArray AnsiString | |
CountDeletesInDesktopArray AnsiString | |
CountDeletesInDocumentsArray AnsiString | |
CountDeletesInDownloadsArray AnsiString | |
CountDeletesInMusicArray AnsiString | |
CountDeletesInPicturesArray AnsiString | |
CountDeletesInVideosArray AnsiString | |
CountDeletesInOtherArray AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 151,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-03-13T17:16:12.046261+00:00",
"event_record_id": 5903,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8128
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "77AC4D73-0000-0000-0000-100000000000",
"VolumeNameLength": 2,
"VolumeName": "C:",
"IsBootVolume": true,
"SecondsElapsed": 3601,
"TotalCountDeleteFile": 2,
"TotalCountDeleteFileLogged": 2,
"ProcessNamesArray": "powershell_ise",
"CountDeletesInDesktopArray": "0",
"CountDeletesInDocumentsArray": "2",
"CountDeletesInDownloadsArray": "0",
"CountDeletesInMusicArray": "0",
"CountDeletesInPicturesArray": "0",
"CountDeletesInVideosArray": "0",
"CountDeletesInOtherArray": "0"
},
"message": ""
}
Event ID 152: A process has not acknowledged an NTFS oplock break in a long time.
#Event ID 154: System file pages are now locked into memory.
#Event ID 155: System file pages are no longer locked into memory.
#Event ID 156: VCB exclusive resource acquires.
#Description
VCB exclusive resource acquires.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | [VCB exclusive resource acquires] Volume Id. |
VolumeNameLength UInt16 | |
VolumeName UnicodeString | [VCB exclusive resource acquires] Volume name. |
IsBootVolume Boolean | [VCB exclusive resource acquires] Is boot volume. |
DeviceGuid GUID | [VCB exclusive resource acquires] Device GUID. |
VendorIdLength UInt16 | |
VendorId UnicodeString | [VCB exclusive resource acquires] Device manufacturer. |
ProductIdLength UInt16 | |
ProductId UnicodeString | [VCB exclusive resource acquires] Device model. |
ProductRevisionLength UInt16 | |
ProductRevision UnicodeString | [VCB exclusive resource acquires] Device revision. |
DeviceSerialNumberLength UInt16 | |
DeviceSerialNumber UnicodeString | [VCB exclusive resource acquires] Device serial number. |
BusType UInt32 | [VCB exclusive resource acquires] Bus type. |
NativeNVMe | |
AdapterSerialNumberLength UInt16 | |
AdapterSerialNumber UnicodeString | [VCB exclusive resource acquires] Adapter serial number. |
IntervalDurationMs UInt64 | |
IntervalDurationStr UnicodeString | [VCB exclusive resource acquires] Interval duration. |
VcbExAcquireCount UInt32 | [VCB exclusive resource acquires] Acquire count. |
VcbExMaxWaitDurationMs UInt64 | [VCB exclusive resource acquires] Max wait duration. |
VcbExAvgWaitDurationMs UInt64 | [VCB exclusive resource acquires] Avg wait duration. |
VcbExMaxHoldDurationMs UInt64 | [VCB exclusive resource acquires] Max hold duration. |
VcbExAvgHoldDurationMs UInt64 | [VCB exclusive resource acquires] Avg hold duration. |
VcbExMaxCombinedDurationMs UInt64 | [VCB exclusive resource acquires] Max combined duration. |
VcbExAvgCombinedDurationMs UInt64 | [VCB exclusive resource acquires] Avg combined duration. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 156,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2023-11-06T01:32:12.811781+00:00",
"event_record_id": 230,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 18088
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
"VolumeNameLength": 2,
"VolumeName": "C:",
"IsBootVolume": true,
"DeviceGuid": "22A04354-7C2B-11EE-936C-806E6F6E6963",
"VendorIdLength": 8,
"VendorId": "VMware, ",
"ProductIdLength": 16,
"ProductId": "VMware Virtual S",
"ProductRevisionLength": 4,
"ProductRevision": "1.0 ",
"DeviceSerialNumberLength": 0,
"DeviceSerialNumber": "",
"BusType": 10,
"AdapterSerialNumberLength": 0,
"AdapterSerialNumber": "",
"IntervalDurationMs": 3602451,
"IntervalDurationStr": "3602 s",
"VcbExAcquireCount": 171,
"VcbExMaxWaitDurationMs": 15210,
"VcbExAvgWaitDurationMs": 90,
"VcbExMaxHoldDurationMs": 18627,
"VcbExAvgHoldDurationMs": 237,
"VcbExMaxCombinedDurationMs": 18627,
"VcbExAvgCombinedDurationMs": 327
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 157: An exclusive resource duration exceeded MaxDurationMs ms.
#Description
An exclusive resource duration exceeded MaxDurationMs ms.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
IsBootVolume Boolean | |
MaxDurationMs UInt64 | |
ProcessId UInt32 | |
ProcessName AnsiString | |
MajorFunction UInt8 | |
MinorFunction UInt8 | |
ControlCode UInt32 | |
ResourceName UInt32 | |
WaitDurationMs UInt64 | |
HoldDurationMs UInt64 | |
CombinedDurationMs UInt64 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
NativeNVMe Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 157,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-04-17T04:05:09.8163657+00:00",
"event_record_id": 1110,
"correlation": {},
"execution": {
"process_id": 4468,
"thread_id": 15840
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{ce657ebb-70c7-4b8b-a13f-ff11b9725249}",
"VolumeNameLength": "2",
"VolumeName": "C:",
"IsBootVolume": "true",
"MaxDurationMs": "30000",
"ProcessId": "4468",
"ProcessName": "SenseIR.exe",
"MajorFunction": "3",
"MinorFunction": "0",
"ControlCode": "0",
"ResourceName": "32",
"WaitDurationMs": "0",
"HoldDurationMs": "88671",
"CombinedDurationMs": "88671",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorIdLength": "8",
"VendorId": "Red Hat ",
"ProductIdLength": "6",
"ProductId": "VirtIO",
"ProductRevisionLength": "4",
"ProductRevision": "0001",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": ""
},
"message": "An exclusive resource duration exceeded 30000 ms:\r\n\r\n Process Id: 4468\r\n Process name: SenseIR.exe\r\n Major function: 0x3\r\n Minor function: 0x0\r\n Control code: 0\r\n Resource name: VCB\r\n Wait duration: 0 ms\r\n Hold duration: 88671 ms\r\n Combined duration: 88671 ms\r\n\r\n Volume Id: {ce657ebb-70c7-4b8b-a13f-ff11b9725249}\r\n Volume name: C:\r\n Is boot volume: true\r\n\r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n\r\n Adapter serial number: \r\n"
}
Event ID 158: NTFS metadata statistics for volume.
#Description
NTFS metadata statistics for volume.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | [NTFS metadata statistics for volume] Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | [NTFS metadata statistics for volume] Volume name. |
UserFileReads UInt64 | [NTFS metadata statistics for volume] UserFileReads. |
UserFileReadBytes UInt64 | [NTFS metadata statistics for volume] UserFileReadBytes. |
UserDiskReads UInt64 | [NTFS metadata statistics for volume] UserDiskReads. |
UserFileWrites UInt64 | [NTFS metadata statistics for volume] UserFileWrites. |
UserFileWriteBytes UInt64 | [NTFS metadata statistics for volume] UserFileWriteBytes. |
UserDiskWrites UInt64 | [NTFS metadata statistics for volume] UserDiskWrites. |
MetaDataReads UInt64 | [NTFS metadata statistics for volume] MetaDataReads. |
MetaDataReadBytes UInt64 | [NTFS metadata statistics for volume] MetaDataReadBytes. |
MetaDataDiskReads UInt64 | [NTFS metadata statistics for volume] MetaDataDiskReads. |
MetaDataWrites UInt64 | [NTFS metadata statistics for volume] MetaDataWrites. |
MetaDataWriteBytes UInt64 | [NTFS metadata statistics for volume] MetaDataWriteBytes. |
MetaDataDiskWrites UInt64 | [NTFS metadata statistics for volume] MetaDataDiskWrites. |
MftReads UInt64 | [NTFS metadata statistics for volume] MftReads. |
MftReadBytes UInt64 | [NTFS metadata statistics for volume] MftReadBytes. |
MftWrites UInt64 | [NTFS metadata statistics for volume] MftWrites. |
MftWriteBytes UInt64 | [NTFS metadata statistics for volume] MftWriteBytes. |
Mft2Writes UInt64 | [NTFS metadata statistics for volume] Mft2Writes. |
Mft2WriteBytes UInt64 | [NTFS metadata statistics for volume] Mft2WriteBytes. |
RootIndexReads UInt64 | [NTFS metadata statistics for volume] RootIndexReads. |
RootIndexReadBytes UInt64 | [NTFS metadata statistics for volume] RootIndexReadBytes. |
RootIndexWrites UInt64 | [NTFS metadata statistics for volume] RootIndexWrites. |
RootIndexWriteBytes UInt64 | [NTFS metadata statistics for volume] RootIndexWriteBytes. |
BitmapReads UInt64 | [NTFS metadata statistics for volume] BitmapReads. |
BitmapReadBytes UInt64 | [NTFS metadata statistics for volume] BitmapReadBytes. |
BitmapWrites UInt64 | [NTFS metadata statistics for volume] BitmapWrites. |
BitmapWriteBytes UInt64 | [NTFS metadata statistics for volume] BitmapWriteBytes. |
MftBitmapReads UInt64 | [NTFS metadata statistics for volume] MftBitmapReads. |
MftBitmapReadBytes UInt64 | [NTFS metadata statistics for volume] MftBitmapReadBytes. |
MftBitmapWrites UInt64 | [NTFS metadata statistics for volume] MftBitmapWrites. |
MftBitmapWriteBytes UInt64 | [NTFS metadata statistics for volume] MftBitmapWriteBytes. |
UserIndexReads UInt64 | [NTFS metadata statistics for volume] UserIndexReads. |
UserIndexReadBytes UInt64 | [NTFS metadata statistics for volume] UserIndexReadBytes. |
UserIndexWrites UInt64 | [NTFS metadata statistics for volume] UserIndexWrites. |
UserIndexWriteBytes UInt64 | [NTFS metadata statistics for volume] UserIndexWriteBytes. |
LogFileReads UInt64 | [NTFS metadata statistics for volume] LogFileReads. |
LogFileReadBytes UInt64 | [NTFS metadata statistics for volume] LogFileReadBytes. |
LogFileWrites UInt64 | [NTFS metadata statistics for volume] LogFileWrites. |
LogFileWriteBytes UInt64 | [NTFS metadata statistics for volume] LogFileWriteBytes. |
LogFileFull UInt64 | [NTFS metadata statistics for volume] LogFileFull. |
LogFileFullReasonBucket1 UInt64 | [LogFileFullReasons] LF_LOG_SPACE. |
LogFileFullReasonBucket2 UInt64 | [LogFileFullReasons] LF_DIRTY_PAGES. |
LogFileFullReasonBucket3 UInt64 | [LogFileFullReasons] LF_OPEN_ATTRIBUTES. |
LogFileFullReasonBucket4 UInt64 | [LogFileFullReasons] LF_TRANSACTION_DRAIN. |
LogFileFullReasonBucket5 UInt64 | [LogFileFullReasons] LF_FASTIO_CALLBACK. |
LogFileFullReasonBucket6 UInt64 | [LogFileFullReasons] LF_DEALLOCATED_CLUSTERS. |
LogFileFullReasonBucket7 UInt64 | [LogFileFullReasons] LF_DEALLOCATED_CLUSTERS_MEM. |
LogFileFullReasonBucket8 UInt64 | [LogFileFullReasons] LF_RECORD_STACK_CHECK. |
LogFileFullReasonBucket9 UInt64 | [LogFileFullReasons] LF_DISMOUNT. |
LogFileFullReasonBucket10 UInt64 | [LogFileFullReasons] LF_COMPRESSION. |
LogFileFullReasonBucket11 UInt64 | [LogFileFullReasons] LF_SNAPSHOT. |
LogFileFullReasonBucket12 UInt64 | [LogFileFullReasons] LF_MOUNT. |
LogFileFullReasonBucket13 UInt64 | [LogFileFullReasons] LF_SHUTDOWN. |
LogFileFullReasonBucket14 UInt64 | [LogFileFullReasons] LF_RECURSIVE_COMPRESSION. |
LogFileFullReasonBucket15 UInt64 | [LogFileFullReasons] LF_TESTING. |
DiskResourceFailure UInt64 | [LogFileFullReasons] DiskResourceFailure. |
VolumeTrimCount UInt64 | |
VolumeTrimTime UInt64 | [LogFileFullReasons] VolumeTrimTime (ms). |
VolumeTrimSize UInt64 | [LogFileFullReasons] VolumeTrimSize (KB). |
AvgVolumeTrimTime UInt64 | [LogFileFullReasons] AvgVolumeTrimTime (ms). |
AvgVolumeTrimSize UInt64 | [LogFileFullReasons] AvgVolumeTrimSize (KB). |
VolumeTrimSkippedCount UInt64 | [LogFileFullReasons] VolumeTrimSkippedCount. |
VolumeTrimSkippedSize UInt64 | [LogFileFullReasons] VolumeTrimSkippedSize (KB). |
FileLevelTrimCount UInt64 | [LogFileFullReasons] FileLevelTrimCount. |
FileLevelTrimTime UInt64 | [LogFileFullReasons] FileLevelTrimTime (ms). |
FileLevelTrimSize UInt64 | [LogFileFullReasons] FileLevelTrimSize (KB). |
AvgFileLevelTrimTime UInt64 | [LogFileFullReasons] AvgFileLevelTrimTime (ms). |
AvgFileLevelTrimSize UInt64 | [LogFileFullReasons] AvgFileLevelTrimSize (KB). |
NtfsFillStatInfoFromMftRecordCalledCount UInt64 | [LogFileFullReasons] NtfsFillStatInfoFromMftRecordCalledCount. |
NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount UInt64 | [LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount. |
NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount UInt64 | [LogFileFullReasons] NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 158,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2026-06-13T05:39:34.3289115+00:00",
"event_record_id": 491,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 4312
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeNameLength": "2",
"VolumeName": "C:",
"UserFileReads": "62240",
"UserFileReadBytes": "1887262720",
"UserDiskReads": "62333",
"UserFileWrites": "14033",
"UserFileWriteBytes": "2973306880",
"UserDiskWrites": "15109",
"MetaDataReads": "1887",
"MetaDataReadBytes": "7729152",
"MetaDataDiskReads": "2728",
"MetaDataWrites": "8027",
"MetaDataWriteBytes": "38236160",
"MetaDataDiskWrites": "9384",
"MftReads": "1587",
"MftReadBytes": "6500352",
"MftWrites": "5609",
"MftWriteBytes": "26447872",
"Mft2Writes": "1",
"Mft2WriteBytes": "4096",
"RootIndexReads": "0",
"RootIndexReadBytes": "0",
"RootIndexWrites": "0",
"RootIndexWriteBytes": "0",
"BitmapReads": "0",
"BitmapReadBytes": "0",
"BitmapWrites": "1696",
"BitmapWriteBytes": "8228864",
"MftBitmapReads": "0",
"MftBitmapReadBytes": "0",
"MftBitmapWrites": "273",
"MftBitmapWriteBytes": "1183744",
"UserIndexReads": "1130",
"UserIndexReadBytes": "4628480",
"UserIndexWrites": "1263",
"UserIndexWriteBytes": "5763072",
"LogFileReads": "0",
"LogFileReadBytes": "0",
"LogFileWrites": "5918",
"LogFileWriteBytes": "61857792",
"LogFileFull": "0",
"LogFileFullReasonBucket1": "0",
"LogFileFullReasonBucket2": "0",
"LogFileFullReasonBucket3": "0",
"LogFileFullReasonBucket4": "0",
"LogFileFullReasonBucket5": "0",
"LogFileFullReasonBucket6": "0",
"LogFileFullReasonBucket7": "0",
"LogFileFullReasonBucket8": "0",
"LogFileFullReasonBucket9": "0",
"LogFileFullReasonBucket10": "0",
"LogFileFullReasonBucket11": "0",
"LogFileFullReasonBucket12": "0",
"LogFileFullReasonBucket13": "0",
"LogFileFullReasonBucket14": "0",
"LogFileFullReasonBucket15": "0",
"DiskResourceFailure": "0",
"VolumeTrimCount": "1969",
"VolumeTrimTime": "15764",
"VolumeTrimSize": "3106796",
"AvgVolumeTrimTime": "8",
"AvgVolumeTrimSize": "1577",
"VolumeTrimSkippedCount": "0",
"VolumeTrimSkippedSize": "0",
"FileLevelTrimCount": "0",
"FileLevelTrimTime": "0",
"FileLevelTrimSize": "0",
"AvgFileLevelTrimTime": "0",
"AvgFileLevelTrimSize": "0",
"NtfsFillStatInfoFromMftRecordCalledCount": "0",
"NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount": "0",
"NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount": "0"
},
"message": "NTFS metadata statistics for volume:\r\n\r\n Volume Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n\r\n UserFileReads: 62240\r\n UserFileReadBytes: 1887262720\r\n UserDiskReads: 62333\r\n UserFileWrites: 14033\r\n UserFileWriteBytes: 2973306880\r\n UserDiskWrites: 15109\r\n\r\n MetaDataReads: 1887\r\n MetaDataReadBytes: 7729152\r\n MetaDataDiskReads: 2728\r\n MetaDataWrites: 8027\r\n MetaDataWriteBytes: 38236160\r\n MetaDataDiskWrites: 9384\r\n\r\n MftReads: 1587\r\n MftReadBytes: 6500352\r\n MftWrites: 5609\r\n MftWriteBytes: 26447872\r\n Mft2Writes: 1\r\n Mft2WriteBytes: 4096\r\n RootIndexReads: 0\r\n RootIndexReadBytes: 0\r\n RootIndexWrites: 0\r\n RootIndexWriteBytes: 0\r\n BitmapReads: 0\r\n BitmapReadBytes: 0\r\n BitmapWrites: 1696\r\n BitmapWriteBytes: 8228864\r\n MftBitmapReads: 0\r\n MftBitmapReadBytes: 0\r\n MftBitmapWrites: 273\r\n MftBitmapWriteBytes: 1183744\r\n UserIndexReads: 1130\r\n UserIndexReadBytes: 4628480\r\n UserIndexWrites: 1263\r\n UserIndexWriteBytes: 5763072\r\n LogFileReads: 0\r\n LogFileReadBytes: 0\r\n LogFileWrites: 5918\r\n LogFileWriteBytes: 61857792\r\n LogFileFull: 0\r\n LogFileFullReasons:\r\n LF_LOG_SPACE: 0\r\n LF_DIRTY_PAGES: 0\r\n LF_OPEN_ATTRIBUTES: 0\r\n LF_TRANSACTION_DRAIN: 0\r\n LF_FASTIO_CALLBACK: 0\r\n LF_DEALLOCATED_CLUSTERS: 0\r\n LF_DEALLOCATED_CLUSTERS_MEM: 0\r\n LF_RECORD_STACK_CHECK: 0\r\n LF_DISMOUNT: 0\r\n LF_COMPRESSION: 0\r\n LF_SNAPSHOT: 0\r\n LF_MOUNT: 0\r\n LF_SHUTDOWN: 0\r\n LF_RECURSIVE_COMPRESSION: 0\r\n LF_TESTING: 0\r\n\r\n DiskResourceFailure: 0\r\n VolumeTrimCount: 1969\r\n VolumeTrimTime (ms): 15764\r\n VolumeTrimSize (KB): 3106796\r\n AvgVolumeTrimTime (ms): 8\r\n AvgVolumeTrimSize (KB): 1577\r\n VolumeTrimSkippedCount: 0\r\n VolumeTrimSkippedSize (KB): 0\r\n FileLevelTrimCount: 0\r\n FileLevelTrimTime (ms): 0\r\n FileLevelTrimSize (KB): 0\r\n AvgFileLevelTrimTime (ms): 0\r\n AvgFileLevelTrimSize (KB): 0\r\n NtfsFillStatInfoFromMftRecordCalledCount: 0\r\n NtfsFillStatInfoFromMftRecordBailedBecauseOfAttributeListCount: 0\r\n NtfsFillStatInfoFromMftRecordBailedBecauseOfNonResReparsePointCount: 0\r\n"
}
Event ID 159: NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).
#Description
NTFS has successfully completed the VolumeSizeChangeRequestType request in CombinedDurationMs ms when trying to VolumeSizeChangeOperation the volume size from FromSize (MB) to ToSize (MB).
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
FromSize UInt64 | |
ToSize UInt64 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
VolumeSizeChangeOperation UInt16 | Operation. |
VolumeSizeChangeRequestType UInt16 | Request Type. |
CombinedDurationMs UInt64 | |
Stage1DurationMs UInt64 | [Stage Durations] Stage 1. Verify input and calculate new volume size (ms). |
Stage2DurationMs UInt64 | [Stage Durations] Stage 2. Set boundary and allocate/deallocate cluster (ms). |
Stage3DurationMs UInt64 | [Stage Durations] Stage 3. Update bitmap (ms). |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 159,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2022-04-07T16:45:03.658483+00:00",
"event_record_id": 8,
"correlation": {},
"execution": {
"process_id": 4476,
"thread_id": 4512
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "ADDC92DC-EB36-4896-AAEB-9547FEEB7B8C",
"VolumeNameLength": 2,
"VolumeName": "C:",
"FromSize": 102281,
"ToSize": 101756,
"DeviceGuid": "7B6F1752-BD95-6E22-E3A5-6EE8419ECAD7",
"VendorIdLength": 0,
"VendorId": "",
"ProductIdLength": 24,
"ProductId": "VMware Virtual NVMe Disk",
"ProductRevisionLength": 3,
"ProductRevision": "1.0",
"DeviceSerialNumberLength": 16,
"DeviceSerialNumber": "VMWare NVME_0000",
"BusType": 17,
"AdapterSerialNumberLength": 16,
"AdapterSerialNumber": "VMWare NVME_0000",
"VolumeSizeChangeOperation": 1,
"VolumeSizeChangeRequestType": 2,
"CombinedDurationMs": 62,
"Stage1DurationMs": 0,
"Stage2DurationMs": 0,
"Stage3DurationMs": 62
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 160: NTFS has failed to complete the VolumeSizeChangeOperation request after VolumeSizeChangeRequestType ms when trying to AdapterSerialNumber the volume size from FromSize (MB) to ToSize (MB).
#Description
NTFS has failed to complete the VolumeSizeChangeOperation request after VolumeSizeChangeRequestType ms when trying to AdapterSerialNumber the volume size from FromSize (MB) to ToSize (MB).
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
FromSize UInt64 | |
ToSize UInt64 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
VolumeSizeChangeOperation UInt16 | |
VolumeSizeChangeRequestType UInt16 | |
CombinedDurationMs UInt64 | |
Stage1DurationMs UInt64 | |
Stage2DurationMs UInt64 | |
Stage3DurationMs UInt64 | |
FailureStage UInt16 | |
FailureStatusCode UInt32 | |
FailureReason HexInt32 | Known values
|
Event ID 161: An operation has failed due to a file system limitation.
#Event ID 162: The data read from the storage does not match what was previously written or read.
#Description
The data read from the storage does not match what was previously written or read.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
FileReference UInt64 | |
FileNameLength UInt16 | |
FileName UnicodeString | |
AttributeTypeCode HexInt32 | |
AttributeNameLength UInt16 | |
AttributeName UnicodeString | |
FileOffset HexInt64 | |
VolumeOffset HexInt64 | |
Length HexInt32 | |
CalledFromWorker Boolean | |
WorkerStatus HexInt32 | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
ReadDataValidOffset UInt16 | |
ReadDataValidLength UInt16 | |
ReadData Binary | |
PrevDataValidOffset UInt16 | |
PrevDataValidLength UInt16 | |
PrevData Binary |
Event ID 163: MftBitmap is not big enough for MftData or does not have required allocations.
#Description
MftBitmap is not big enough for MftData or does not have required allocations.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
MftDataAllocationSize HexInt64 | |
MftDataFileSize HexInt64 | |
MftBitmapAllocationSize HexInt64 | |
MftBitmapFileSize HexInt64 | |
BytesPerFRS HexInt32 | |
MftDataAttrAllocatedLength HexInt64 | |
MftDataAttrFileSize HexInt64 | |
MftBitmapAttrHighestVcn HexInt64 | |
MftBitmapAttrAllocatedLength HexInt64 | |
MftBitmapAttrFileSize HexInt64 | |
MftLastDataAndBitmapInSameFrs UInt8 | |
CalledFromWorker Boolean | |
WorkerStatus HexInt32 | |
MajorFunction UInt8 | |
MinorFunction UInt8 | |
SourceTag HexInt64 |
Event ID 170: IO latency summary.
#Description
IO latency summary.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | [IO latency summary] Volume Id. |
VolumeNameLength UInt16 | |
VolumeName UnicodeString | [IO latency summary] Volume name. |
IsBootVolume Boolean | [IO latency summary] Is boot volume. |
DeviceGuid GUID | [IO latency summary] Device GUID. |
VendorIdLength UInt16 | |
VendorId UnicodeString | [IO latency summary] Device manufacturer. |
ProductIdLength UInt16 | |
ProductId UnicodeString | [IO latency summary] Device model. |
ProductRevisionLength UInt16 | |
ProductRevision UnicodeString | [IO latency summary] Device revision. |
DeviceSerialNumberLength UInt16 | |
DeviceSerialNumber UnicodeString | [IO latency summary] Device serial number. |
BusType UInt32 | [IO latency summary] Bus type. |
AdapterSerialNumberLength UInt16 | |
AdapterSerialNumber UnicodeString | [IO latency summary] Adapter serial number. |
IntervalDurationMs UInt64 | |
IntervalDurationStr UnicodeString | [IO latency summary] Interval duration. |
IoType UInt16 | |
IoTypeStr UnicodeString | [IO latency summary] IO type. |
MaxLatencyMs | |
MaxLatencyStr UnicodeString | [IO latency summary] Max latency. |
HighLatencyIoCount UInt32 | [IO latency summary] High Latency IOs. |
TotalIoCount UInt64 | [IO latency summary] IO count. |
AverageIops UInt64 | [IO latency summary] Avg IOPS. |
AverageLatencyNs UInt64 | |
AverageLatencyStr UnicodeString | [IO latency summary] Avg latency. |
LatencyBuckets UnicodeString | |
IoCount0 UInt64 | |
IoCount1 UInt64 | |
IoCount2 UInt64 | |
IoCount3 UInt64 | |
IoCount4 UInt64 | |
IoCount5 UInt64 | |
IoCount6 UInt64 | |
IoCount7 UInt64 | |
IoCount8 UInt64 | |
IoCount9 UInt64 | |
IoCount10 UInt64 | |
IoCount11 UInt64 | |
TotalTimeNs0 UInt64 | |
TotalTimeNs1 UInt64 | |
TotalTimeNs2 UInt64 | |
TotalTimeNs3 UInt64 | |
TotalTimeNs4 UInt64 | |
TotalTimeNs5 UInt64 | |
TotalTimeNs6 UInt64 | |
TotalTimeNs7 UInt64 | |
TotalTimeNs8 UInt64 | |
TotalTimeNs9 UInt64 | |
TotalTimeNs10 UInt64 | |
TotalTimeNs11 UInt64 | |
SummaryId UInt64 | |
HighLatencyMs | |
HighLatencyStr | [IO latency summary] Max Acceptable IO Latency. |
TotalIoTimeNs | |
MaxLatencyNs UInt64 | |
IoCount12 UInt64 | |
IoCount13 UInt64 | |
IoCount14 UInt64 | |
IoCount15 UInt64 | |
TotalTimeNs12 UInt64 | |
TotalTimeNs13 UInt64 | |
TotalTimeNs14 UInt64 | |
TotalTimeNs15 UInt64 | |
TotalBytes | |
AverageBps | |
TotalBytes0 | |
TotalBytes1 | |
TotalBytes2 | |
TotalBytes3 | |
TotalBytes4 | |
TotalBytes5 | |
TotalBytes6 | |
TotalBytes7 | |
TotalBytes8 | |
TotalBytes9 | |
TotalBytes10 | |
TotalBytes11 | |
TotalBytes12 | |
TotalBytes13 | |
TotalBytes14 | |
TotalBytes15 | |
TotalExtents | |
TotalExtents0 | |
TotalExtents1 | |
TotalExtents2 | |
TotalExtents3 | |
TotalExtents4 | |
TotalExtents5 | |
TotalExtents6 | |
TotalExtents7 | |
TotalExtents8 | |
TotalExtents9 | |
TotalExtents10 | |
TotalExtents11 | |
TotalExtents12 | |
TotalExtents13 | |
TotalExtents14 | |
TotalExtents15 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 170,
"version": 1,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611967493406195712,
"time_created": "2026-06-13T13:22:17.4336943+00:00",
"event_record_id": 590,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 5376
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{77ac4d73-0000-0000-0000-100000000000}",
"VolumeNameLength": "2",
"VolumeName": "C:",
"IsBootVolume": "true",
"DeviceGuid": "{5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}",
"VendorIdLength": "8",
"VendorId": "Red Hat ",
"ProductIdLength": "6",
"ProductId": "VirtIO",
"ProductRevisionLength": "4",
"ProductRevision": "0001",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "1",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": "",
"IntervalDurationMs": "3603390",
"IntervalDurationStr": "3603 s",
"IoType": "25",
"IoTypeStr": "Open file",
"MaxLatencyMs": "30000",
"MaxLatencyStr": "30 s",
"HighLatencyIoCount": "0",
"TotalIoCount": "127270",
"AverageIops": "80820",
"AverageLatencyNs": "12373",
"AverageLatencyStr": "12 us",
"LatencyBuckets": "256 us, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 2 s, 6 s, 10 s, 20 s, > 20 s",
"IoCount0": "127146",
"IoCount1": "123",
"IoCount2": "1",
"IoCount3": "0",
"IoCount4": "0",
"IoCount5": "0",
"IoCount6": "0",
"IoCount7": "0",
"IoCount8": "0",
"IoCount9": "0",
"IoCount10": "0",
"IoCount11": "0",
"TotalTimeNs0": "1505343400",
"TotalTimeNs1": "68184200",
"TotalTimeNs2": "1195600",
"TotalTimeNs3": "0",
"TotalTimeNs4": "0",
"TotalTimeNs5": "0",
"TotalTimeNs6": "0",
"TotalTimeNs7": "0",
"TotalTimeNs8": "0",
"TotalTimeNs9": "0",
"TotalTimeNs10": "0",
"TotalTimeNs11": "0"
},
"message": "IO latency summary:\r\n\r\n Volume Id: {77ac4d73-0000-0000-0000-100000000000}\r\n Volume name: C:\r\n Is boot volume: true\r\n \r\n IO type: Open file\r\n \r\n Interval duration: 3603 s\r\n \r\n Max Acceptable IO Latency: 30 s\r\n High Latency IOs: 0\r\n \r\n IO count: 127270\r\n Avg IOPS: 80820\r\n Avg latency: 12 us\r\n \r\n Latency buckets: [256 us, 1 ms, 4 ms, 16 ms, 64 ms, 128 ms, 256 ms, 2 s, 6 s, 10 s, 20 s, > 20 s]\r\n IO count buckets: [127146, 123, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]\r\n Total time buckets (ns): [1505343400, 68184200, 1195600, 0, 0, 0, 0, 0, 0, 0, 0, 0]\r\n \r\n Device GUID: {5a7d9ced-a852-a1ac-e3da-7b3e59928b2a}\r\n Device manufacturer: Red Hat \r\n Device model: VirtIO\r\n Device revision: 0001\r\n Device serial number: \r\n Bus type: SCSI\r\n \r\n Adapter serial number: \r\n \r\n For more details see the details tab.\r\n"
}
Event ID 171: File-Level Trim Summary.
#Description
File-Level Trim Summary.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | [File-Level Trim Summary] Volume Id. |
VolumeNameLength UInt16 | |
VolumeName UnicodeString | [File-Level Trim Summary] Volume name. |
IsBootVolume Boolean | [File-Level Trim Summary] Is boot volume. |
PeriodDurationMicrosSec Int64 | [File-Level Trim Summary] Period duration (us). |
OperationCount UInt64 | [File-Level Trim Summary] Operation count. |
RepostedOperationCount UInt64 | [File-Level Trim Summary] Reposted operation count. |
FailedOperationCount UInt64 | [File-Level Trim Summary] Failed operation count. |
OperationRangeCount UInt64 | [File-Level Trim Summary] Operation range count. |
OperationByteCount UInt64 | [File-Level Trim Summary] Operation byte count. |
OperationLongRangeByteCount UInt64 | |
UnalignedRangeCount UInt64 | [File-Level Trim Summary] Unaligned range count. |
BytesInUnalignedRanges UInt64 | [File-Level Trim Summary] Bytes in unaligned ranges. |
OperationTrimExtentCount UInt64 | [File-Level Trim Summary] Operation trim extent count. |
NonBlockAlignedTrimByteCount UInt64 | [File-Level Trim Summary] Non-blocking aligned trim byte count. |
ReclaimedByteCount UInt64 | [File-Level Trim Summary] Reclaimed byte count. |
ByteCountLabelsLength UInt16 | |
ByteCountLabels UnicodeString | |
OperationCountBuckets1 UInt64 | |
OperationCountBuckets2 UInt64 | |
OperationCountBuckets3 UInt64 | |
OperationCountBuckets4 UInt64 | |
OperationCountBuckets5 UInt64 | |
OperationCountBuckets6 UInt64 | |
OperationCountBuckets7 UInt64 | |
OperationCountBuckets8 UInt64 | |
OperationCountBuckets9 UInt64 | |
OperationCountBuckets10 UInt64 | |
OperationCountBuckets11 UInt64 | |
OperationCountBuckets12 UInt64 | |
OperationByteCountBuckets1 UInt64 | |
OperationByteCountBuckets2 UInt64 | |
OperationByteCountBuckets3 UInt64 | |
OperationByteCountBuckets4 UInt64 | |
OperationByteCountBuckets5 UInt64 | |
OperationByteCountBuckets6 UInt64 | |
OperationByteCountBuckets7 UInt64 | |
OperationByteCountBuckets8 UInt64 | |
OperationByteCountBuckets9 UInt64 | |
OperationByteCountBuckets10 UInt64 | |
OperationByteCountBuckets11 UInt64 | |
OperationByteCountBuckets12 UInt64 | |
OperationBytesReclaimedBuckets1 UInt64 | |
OperationBytesReclaimedBuckets2 UInt64 | |
OperationBytesReclaimedBuckets3 UInt64 | |
OperationBytesReclaimedBuckets4 UInt64 | |
OperationBytesReclaimedBuckets5 UInt64 | |
OperationBytesReclaimedBuckets6 UInt64 | |
OperationBytesReclaimedBuckets7 UInt64 | |
OperationBytesReclaimedBuckets8 UInt64 | |
OperationBytesReclaimedBuckets9 UInt64 | |
OperationBytesReclaimedBuckets10 UInt64 | |
OperationBytesReclaimedBuckets11 UInt64 | |
OperationBytesReclaimedBuckets12 UInt64 | |
OperationLatencyBuckets1 UInt64 | |
OperationLatencyBuckets2 UInt64 | |
OperationLatencyBuckets3 UInt64 | |
OperationLatencyBuckets4 UInt64 | |
OperationLatencyBuckets5 UInt64 | |
OperationLatencyBuckets6 UInt64 | |
OperationLatencyBuckets7 UInt64 | |
OperationLatencyBuckets8 UInt64 | |
OperationLatencyBuckets9 UInt64 | |
OperationLatencyBuckets10 UInt64 | |
OperationLatencyBuckets11 UInt64 | |
OperationLatencyBuckets12 UInt64 | |
LatencyBucketLabelsLength UInt16 | |
LatencyBucketLabelsLabels UnicodeString | |
OperationCountLatencyBuckets1 UInt64 | |
OperationCountLatencyBuckets2 UInt64 | |
OperationCountLatencyBuckets3 UInt64 | |
OperationCountLatencyBuckets4 UInt64 | |
OperationCountLatencyBuckets5 UInt64 | |
OperationCountLatencyBuckets6 UInt64 | |
OperationCountLatencyBuckets7 UInt64 | |
OperationCountLatencyBuckets8 UInt64 | |
OperationCountLatencyBuckets9 UInt64 | |
OperationCountLatencyBuckets10 UInt64 | |
OperationCountLatencyBuckets11 UInt64 | |
OperationCountLatencyBuckets12 UInt64 | |
OperationCountLatencyBuckets13 UInt64 | |
OperationCountLatencyBuckets14 UInt64 | |
OperationCountLatencyBuckets15 UInt64 | |
OperationFailureStatusCode1 HexInt32 | Top failure status codes and instance counts |
OperationFailureCount1 UInt64 | |
OperationFailureStatusCode2 HexInt32 | |
OperationFailureCount2 UInt64 | |
OperationFailureStatusCode3 HexInt32 | |
OperationFailureCount3 UInt64 | |
OperationFailureStatusCode4 HexInt32 | |
OperationFailureCount4 UInt64 | |
OperationFailureStatusCode5 HexInt32 | |
OperationFailureCount5 UInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 171,
"version": 3,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611967493406195712,
"time_created": "2023-11-05T22:47:04.962167+00:00",
"event_record_id": 182,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 52
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
"VolumeNameLength": 2,
"VolumeName": "C:",
"IsBootVolume": true,
"PeriodDurationMicrosSec": 899757629,
"OperationCount": 2,
"RepostedOperationCount": 0,
"FailedOperationCount": 0,
"OperationRangeCount": 2,
"OperationByteCount": 0,
"OperationLongRangeByteCount": 18446744073709551614,
"UnalignedRangeCount": 0,
"BytesInUnalignedRanges": 0,
"OperationTrimExtentCount": 2,
"NonBlockAlignedTrimByteCount": 0,
"ReclaimedByteCount": 2030043136,
"ByteCountLabelsLength": 80,
"ByteCountLabels": "4 KB, 64 KB, 1 MB, 16 MB, 128 MB, 1 GB, 16 GB, 128 GB, 1 TB, 16 TB, 1 EB, 1+ EB",
"OperationCountBuckets1": 0,
"OperationCountBuckets2": 0,
"OperationCountBuckets3": 0,
"OperationCountBuckets4": 0,
"OperationCountBuckets5": 0,
"OperationCountBuckets6": 0,
"OperationCountBuckets7": 0,
"OperationCountBuckets8": 0,
"OperationCountBuckets9": 0,
"OperationCountBuckets10": 0,
"OperationCountBuckets11": 0,
"OperationCountBuckets12": 2,
"OperationByteCountBuckets1": 0,
"OperationByteCountBuckets2": 0,
"OperationByteCountBuckets3": 0,
"OperationByteCountBuckets4": 0,
"OperationByteCountBuckets5": 0,
"OperationByteCountBuckets6": 0,
"OperationByteCountBuckets7": 0,
"OperationByteCountBuckets8": 0,
"OperationByteCountBuckets9": 0,
"OperationByteCountBuckets10": 0,
"OperationByteCountBuckets11": 0,
"OperationByteCountBuckets12": 0,
"OperationBytesReclaimedBuckets1": 0,
"OperationBytesReclaimedBuckets2": 0,
"OperationBytesReclaimedBuckets3": 0,
"OperationBytesReclaimedBuckets4": 0,
"OperationBytesReclaimedBuckets5": 54,
"OperationBytesReclaimedBuckets6": 0,
"OperationBytesReclaimedBuckets7": 70,
"OperationBytesReclaimedBuckets8": 0,
"OperationBytesReclaimedBuckets9": 0,
"OperationBytesReclaimedBuckets10": 0,
"OperationBytesReclaimedBuckets11": 0,
"OperationBytesReclaimedBuckets12": 0,
"OperationLatencyBuckets1": 0,
"OperationLatencyBuckets2": 0,
"OperationLatencyBuckets3": 0,
"OperationLatencyBuckets4": 0,
"OperationLatencyBuckets5": 0,
"OperationLatencyBuckets6": 0,
"OperationLatencyBuckets7": 0,
"OperationLatencyBuckets8": 0,
"OperationLatencyBuckets9": 0,
"OperationLatencyBuckets10": 0,
"OperationLatencyBuckets11": 0,
"OperationLatencyBuckets12": 248,
"LatencyBucketLabelsLength": 79,
"LatencyBucketLabelsLabels": "256us, 1ms, 4ms, 16ms, 64ms, 128ms, 256ms, 2s, 6s, 10s, 20s, 1m, 5m, 15m, 15m+",
"OperationCountLatencyBuckets1": 2,
"OperationCountLatencyBuckets2": 0,
"OperationCountLatencyBuckets3": 0,
"OperationCountLatencyBuckets4": 0,
"OperationCountLatencyBuckets5": 0,
"OperationCountLatencyBuckets6": 0,
"OperationCountLatencyBuckets7": 0,
"OperationCountLatencyBuckets8": 0,
"OperationCountLatencyBuckets9": 0,
"OperationCountLatencyBuckets10": 0,
"OperationCountLatencyBuckets11": 0,
"OperationCountLatencyBuckets12": 0,
"OperationCountLatencyBuckets13": 0,
"OperationCountLatencyBuckets14": 0,
"OperationCountLatencyBuckets15": 0,
"OperationFailureStatusCode1": "0x0",
"OperationFailureCount1": 0,
"OperationFailureStatusCode2": "0x0",
"OperationFailureCount2": 0,
"OperationFailureStatusCode3": "0x0",
"OperationFailureCount3": 0,
"OperationFailureStatusCode4": "0x0",
"OperationFailureCount4": 0,
"OperationFailureStatusCode5": "0x0",
"OperationFailureCount5": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 201: NtfsLogFileFull VolumeId: NtfsLogFileFull_VolumeId, Reason: Reason.
#Event ID 202: PeriodicCheckpointStart VolumeId: PeriodicCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.
#Description
PeriodicCheckpointStart VolumeId: PeriodicCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
LogFileFullReason UInt16 | |
LogFileUsePercentage UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 202,
"version": 0,
"level": 4,
"task": 1,
"opcode": 1,
"keywords": "0x1000000000000A00",
"time_created": "2026-06-02T06:00:05.123+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{405E6FE6-7C77-466B-8D93-5F354CA37E8C}"
},
"execution": {
"process_id": 4,
"thread_id": 6140
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"LogFileFullReason": 0,
"LogFileUsePercentage": 9,
"Vcb": "0x0"
},
"message": "Checkpoint"
}
Event ID 203: PeriodicCheckpointComplete VolumeId: PeriodicCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.
#Description
PeriodicCheckpointComplete VolumeId: PeriodicCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
DirtyMetaDataPages UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 203,
"version": 0,
"level": 4,
"task": 1,
"opcode": 2,
"keywords": "0x1000000000000A00",
"time_created": "2026-06-02T06:00:05.124+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{405E6FE6-7C77-466B-8D93-5F354CA37E8C}"
},
"execution": {
"process_id": 4,
"thread_id": 6140
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"DirtyMetaDataPages": 144,
"Vcb": "0x0"
},
"message": "Checkpoint"
}
Event ID 204: CleanCheckpointStart VolumeId: CleanCheckpointStart_VolumeId, Reason: Reason, Usage: Usage%.
#Event ID 205: CleanCheckpointComplete VolumeId: CleanCheckpointComplete_VolumeId, DirtyMetaDataPages: DirtyMetaDataPages.
#Event ID 206: MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId, CacheHit: CacheHit.
#Description
MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId, CacheHit: CacheHit.
Message #
Fields #
| Name | Description |
|---|---|
Vcb Pointer | |
BaseFileId HexInt32 | |
FileId HexInt32 | |
CacheHit Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 206,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": "0x1000000000001000",
"time_created": "2026-06-02T05:29:46.301+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 22516
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BaseFileId": "0A100000",
"CacheHit": false,
"FileId": "0A100000",
"Vcb": "0x0"
},
"message": "MftRecordRead"
}
Event ID 208: MftRecordRead VolumeId: MftRecordRead_VolumeId, BaseFileId: BaseFileId, FileId: FileId.
#Event ID 210: Thinly provisioned volume VolumeId (DeviceName).
#Event ID 211: Thinly provisioned volume VolumeId (DeviceName).
#Event ID 230: WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.
#Description
WorkItem queued, WorkItem: WorkItem_queued_WorkItem, Reason: Reason.
Message #
Fields #
| Name | Description |
|---|---|
WorkItem Pointer | |
Reason UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 230,
"version": 0,
"level": 4,
"task": 7,
"opcode": 0,
"keywords": "0x1000000000010000",
"time_created": "2026-06-02T06:00:02.768+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 3756,
"thread_id": 4588
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": 2,
"WorkItem": "0x0"
},
"message": "WorkItem"
}
Event ID 231: WorkItem queue failed, WorkItem: WorkItem_queue_failed_WorkItem, Reason: Reason, Error: Error.
#Event ID 232: WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.
#Description
WorkItem started, WorkItem: WorkItem_started_WorkItem, Reason: Reason.
Message #
Fields #
| Name | Description |
|---|---|
WorkItem Pointer | |
Reason UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 232,
"version": 0,
"level": 4,
"task": 7,
"opcode": 1,
"keywords": "0x1000000000010000",
"time_created": "2026-06-02T06:00:05.123+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{405E6FE6-7C77-466B-8D93-5F354CA37E8C}"
},
"execution": {
"process_id": 4,
"thread_id": 6140
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": 1,
"WorkItem": "0x0"
},
"message": "WorkItem"
}
Event ID 233: WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.
#Description
WorkItem completed, WorkItem: WorkItem_completed_WorkItem, Reason: Reason.
Message #
Fields #
| Name | Description |
|---|---|
WorkItem Pointer | |
Reason UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 233,
"version": 0,
"level": 4,
"task": 7,
"opcode": 2,
"keywords": "0x1000000000010000",
"time_created": "2026-06-02T06:00:05.124+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{405E6FE6-7C77-466B-8D93-5F354CA37E8C}"
},
"execution": {
"process_id": 4,
"thread_id": 6140
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"Reason": 1,
"WorkItem": "0x0"
},
"message": "WorkItem"
}
Event ID 240: File metadata optimization started.
#Event ID 241: File metadata optimization completed.
#Event ID 300: NTFS volume dismount has started.
#Description
NTFS volume dismount has started.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | Volume name. |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
Vcb Pointer | |
ProcessId UInt32 | |
ProcessName AnsiString | |
DismountReason AnsiString | Reason. |
NativeNVMe |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 300,
"version": 1,
"level": 4,
"task": 8,
"opcode": 1,
"keywords": 4611686018427387936,
"time_created": "2026-05-28T11:11:54.0183900+00:00",
"event_record_id": 113,
"correlation": {},
"execution": {
"process_id": 4844,
"thread_id": 4912
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{ee0f27ce-5a85-11f1-9650-d85cd7107d86}",
"VolumeIdLength": "0",
"VolumeId": "",
"VolumeLabelLength": "12",
"VolumeLabel": "Windows 2022",
"DeviceNameLength": "33",
"DeviceName": "\\Device\\HarddiskVolumeShadowCopy3",
"DeviceGuid": "{00000000-0000-0000-0000-000000000000}",
"VendorIdLength": "0",
"VendorId": "",
"ProductIdLength": "0",
"ProductId": "",
"ProductRevisionLength": "0",
"ProductRevision": "",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "0",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": "",
"Vcb": "0xffffd70d7e8761b0",
"ProcessId": "4844",
"ProcessName": "svchost.exe",
"DismountReason": "User request"
},
"message": "NTFS volume dismount has started.\r\n\r\n Volume correlation Id: {ee0f27ce-5a85-11f1-9650-d85cd7107d86}\r\n Volume name: \r\n Volume label: Windows 2022\r\n\r\n Device name: \\Device\\HarddiskVolumeShadowCopy3\r\n Device GUID: {00000000-0000-0000-0000-000000000000}\r\n Device manufacturer: \r\n Device model: \r\n Device revision: \r\n Device serial number: \r\n Bus type: <unknown>\r\n \r\n Adapter serial number: \r\n \r\n Process Id: 4844\r\n Process name: svchost.exe\r\n \r\n Reason: User request\r\n"
}
Event ID 301: NTFS has sent volume dismount event notification and is waiting for the notifications to complete.
#Description
NTFS has sent volume dismount event notification and is waiting for the notifications to complete.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 301,
"version": 0,
"level": 4,
"task": 8,
"opcode": 8,
"keywords": 4611686018427387936,
"time_created": "2026-05-28T11:11:54.0183925+00:00",
"event_record_id": 114,
"correlation": {},
"execution": {
"process_id": 4844,
"thread_id": 4912
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "NTFS has sent volume dismount event notification and is waiting for the notifications to complete."
}
Event ID 302: The volume dismount event notification on the NTFS volume has completed.
#Description
The volume dismount event notification on the NTFS volume has completed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 302,
"version": 0,
"level": 4,
"task": 8,
"opcode": 7,
"keywords": 4611686018427387936,
"time_created": "2026-05-28T11:11:54.0184862+00:00",
"event_record_id": 115,
"correlation": {},
"execution": {
"process_id": 4844,
"thread_id": 4912
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "The volume dismount event notification on the NTFS volume has completed."
}
Event ID 303: The NTFS volume has successfully dismounted.
#Description
The NTFS volume has successfully dismounted.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | Volume name. |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | Device manufacturer. |
ProductIdLength UInt32 | |
ProductId UnicodeString | Device model. |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | Device revision. |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
Vcb Pointer | |
ProcessId UInt32 | |
ProcessName AnsiString | |
DismountReason AnsiString | Reason. |
NativeNVMe |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 303,
"version": 1,
"level": 4,
"task": 8,
"opcode": 2,
"keywords": 4611686018427387936,
"time_created": "2026-05-28T11:11:54.0200205+00:00",
"event_record_id": 116,
"correlation": {},
"execution": {
"process_id": 4844,
"thread_id": 4912
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"VolumeCorrelationId": "{ee0f27ce-5a85-11f1-9650-d85cd7107d86}",
"VolumeIdLength": "12",
"VolumeId": "Windows 2022",
"VolumeLabelLength": "12",
"VolumeLabel": "Windows 2022",
"DeviceNameLength": "33",
"DeviceName": "\\Device\\HarddiskVolumeShadowCopy3",
"DeviceGuid": "{00000000-0000-0000-0000-000000000000}",
"VendorIdLength": "0",
"VendorId": "",
"ProductIdLength": "0",
"ProductId": "",
"ProductRevisionLength": "0",
"ProductRevision": "",
"DeviceSerialNumberLength": "0",
"DeviceSerialNumber": "",
"BusType": "0",
"AdapterSerialNumberLength": "0",
"AdapterSerialNumber": "",
"Vcb": "0xffffd70d7e8761b0",
"ProcessId": "4844",
"ProcessName": "svchost.exe",
"DismountReason": "User request"
},
"message": "The NTFS volume has successfully dismounted.\r\n\r\n Volume correlation Id: {ee0f27ce-5a85-11f1-9650-d85cd7107d86}\r\n Volume name: Windows 2022\r\n Volume label: Windows 2022\r\n\r\n Device name: \\Device\\HarddiskVolumeShadowCopy3\r\n Device GUID: {00000000-0000-0000-0000-000000000000}\r\n Device manufacturer: \r\n Device model: \r\n Device revision: \r\n Device serial number: \r\n Bus type: <unknown>\r\n\r\n Adapter serial number: \r\n \r\n Process Id: 4844\r\n Process name: svchost.exe\r\n \r\n Reason: User request\r\n"
}
Event ID 304: The NTFS volume dismount failed.
#Description
The NTFS volume dismount failed.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
Vcb Pointer | |
Error HexInt32 | Volume correlation Id. |
Event ID 305: NTFS failed to mount the volume.
#Description
NTFS failed to mount the volume.
Message #
Fields #
| Name | Description |
|---|---|
VolumeCorrelationId GUID | |
VolumeIdLength UInt16 | |
VolumeId UnicodeString | |
VolumeLabelLength UInt16 | |
VolumeLabel UnicodeString | |
DeviceNameLength UInt16 | |
DeviceName UnicodeString | |
DeviceGuid GUID | |
VendorIdLength UInt32 | |
VendorId UnicodeString | |
ProductIdLength UInt32 | |
ProductId UnicodeString | |
ProductRevisionLength UInt32 | |
ProductRevision UnicodeString | |
DeviceSerialNumberLength UInt32 | |
DeviceSerialNumber UnicodeString | |
BusType UInt32 | |
DeviceNumber UInt32 | |
IsBootVolume Boolean | |
NativeNVMe Boolean | |
AdapterSerialNumberLength UInt32 | |
AdapterSerialNumber UnicodeString | |
Error HexInt32 | Volume correlation Id. |
RestartApplied Boolean | |
MountStageSourceTag HexInt64 |
Event ID 401: Efs offloading initiated.
#Event ID 402: Efs offloading read regular file.
#Event ID 403: Efs offloading write regular file.
#Event ID 404: Efs legacy initiated.
#Description
Efs legacy initiated.
Message #
Fields #
| Name | Description |
|---|---|
VolumeSerialNumber Int64 | |
FileReference UInt64 | |
FileNameLength UInt32 | |
FileName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}",
"event_source_name": "",
"event_id": 404,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": "0x1000000000800000",
"time_created": "2026-06-02T05:29:47.644+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 952,
"thread_id": 4780
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"FileName": "",
"FileNameLength": 0,
"FileReference": 3096224743917653,
"VolumeSerialNumber": -8062353066713383766
},
"message": "EfsTest"
}
Event ID 405: Efs legacy read regular file.
#Event ID 406: Efs legacy write regular file.
#Event ID 500: A process has created a USN journal on a volume.
#Description
A process has created a USN journal on a volume.
Message #
Fields #
| Name | Description |
|---|---|
ProcessName AnsiString | Process. |
VolumeCorrelationId GUID | Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
JournalId HexInt64 | |
MaximumSize HexInt64 | |
AllocationDelta HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 500,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2023-10-26T04:16:37.820075+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 428,
"thread_id": 432
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProcessName": "System",
"VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
"VolumeNameLength": 2,
"VolumeName": "C:",
"JournalId": "0x1da07c336abde45",
"MaximumSize": "0x2000000",
"AllocationDelta": "0x800000"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 501: A process has deleted a USN journal on a volume.
#Description
A process has deleted a USN journal on a volume.
Message #
Fields #
| Name | Description |
|---|---|
ProcessName AnsiString | Process. |
VolumeCorrelationId GUID | Volume Id. |
VolumeNameLength UInt32 | |
VolumeName UnicodeString | |
JournalId HexInt64 | |
CurrentUsn HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Ntfs",
"guid": "3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482",
"event_source_name": "",
"event_id": 501,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018429485056,
"time_created": "2023-11-06T06:25:51.720407+00:00",
"event_record_id": 151,
"correlation": {},
"execution": {
"process_id": 5004,
"thread_id": 5064
},
"channel": "Microsoft-Windows-Ntfs/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ProcessName": "SearchIndexer.",
"VolumeCorrelationId": "7597D2A3-4404-4F99-B979-6233378A81BF",
"VolumeNameLength": 2,
"VolumeName": "C:",
"JournalId": "0x1da07c336abde45",
"CurrentUsn": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 502: File has been opened by an isolated reader.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482}
Defined in ntfs.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.3328, captured 2026-06-02
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3328, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02