Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742

505 events across 1 channel

Event	Title	Channel	Sample
10	NtfsLookupRealAllocation: Vcn .	Operational	N
11	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.	Operational	N
12	FileObject: .	Operational	N
13	NtfsAddAllocation IC:.	Operational	N
14	Purge failed: Scb: .	Operational	N
15	Purge failed: Scb: .	Operational	N
16	NtfsGetLastVcnForNewMappingPairSize IC:.	Operational	N
17	Can't find StdInfo in FileRef .	Operational	N
18	Can't find StdInfo in FileRef .	Operational	N
19	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.	Operational	N
20	NtfsAddAttributeAllocation(.	Operational	N
21	NtfsAddAttributeAllocation(.	Operational	N
22	NtfsAddAttributeAllocation(.	Operational	N
23	NtfsAddAttributeAllocation(.	Operational	N
24	NtfsAddAttributeAllocation(.	Operational	N
25	NtfsAddAttributeAllocation(.	Operational	N
26	NtfsRestartRemoveAttribute FileRef:0x.	Operational	N
27	NtfsRestartChangeValue FileRef:0x.	Operational	N
28	AddToAttributeList(.	Operational	N
29	DeleteFromAttributeList(.	Operational	N
30	MakeRoomForAttribute Moving Mft's attribute IC:.	Operational	N
31	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.	Operational	N
32	MoveAttributeToOwnRecord IC:.	Operational	N
33	NtfsRestartZeroEndOfFileRecord FileRef:0x.	Operational	N
34	MergeFRS2(.	Operational	N
35	MergeFRS2(.	Operational	N
36	MergeFRS2(.	Operational	N
37	MergeFRS2(.	Operational	N
38	MergeFRS2(.	Operational	N
39	MergeFRS2(.	Operational	N
40	MergeFRS2(.	Operational	N
41	MergeFRS2(.	Operational	N
42	MergeFRS2(.	Operational	N
43	MergeFRS2(.	Operational	N
44	MergeFRS2(.	Operational	N
45	MergeFRS2(.	Operational	N
46	MergeFRS2(.	Operational	N
47	MergeFRS2(.	Operational	N
48	RedoAttribute(.	Operational	N
49	RedoAttribute(.	Operational	N
50	NtfsConsolidateAllFileRecords: Invalid Vcb.	Operational	N
51	NtfsConsolidateAllFileRecords: Volume is locked.	Operational	N
52	NtfsConsolidateAllFileRecords(.	Operational	N
53	NtfsConsolidateAllFileRecords(.	Operational	N
54	NtfsConsolidateAllFileRecords(.	Operational	N
55	NtfsConsolidateAllFileRecords(.	Operational	N
56	NtfsConsolidateAllFileRecords(.	Operational	N
57	NtfsConsolidateAllFileRecords(.	Operational	N
58	NtfsConsolidateAllFileRecords(.	Operational	N
59	NtfsConsolidateAllFileRecords(.	Operational	N
60	NtfsConsolidateAllFileRecords(.	Operational	N
61	NtfsConsolidateAllFileRecords(.	Operational	N
62	NtfsConsolidateAllFileRecords(.	Operational	N
63	NtfsConsolidateAllFileRecords(.	Operational	N
64	NtfsConsolidateAllFileRecords(.	Operational	N
65	NtfsConsolidateAllFileRecords(.	Operational	N
66	UpdateLCS: Vcb .	Operational	N
67	NtfsAllocateClustersPriv IC: .	Operational	N
68	NtfsAllocateClustersPriv IC: .	Operational	N
69	NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.	Operational	N
70	NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.	Operational	N
71	NtfsAllocateClustersPriv IC: .	Operational	N
72	NtfsAllocateClustersPriv IC: .	Operational	N
73	NtfsDeallocateClusters IC: .	Operational	N
74	NtfsDeallocateClusters: Vcb .	Operational	N
75	NtfsDeallocateClusters IC: .	Operational	N
76	NtfsDeallocateClusters: Vcb .	Operational	N
77	NtfsDeallocateClusters: Vcb .	Operational	N
78	NtfsDeallocateClusters: Vcb .	Operational	N
79	NtfsDeallocateClusters: Decremented TotalAllocated by 0x.	Operational	N
80	NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.	Operational	N
81	NtfsDeallocateClusters: Vcb .	Operational	N
82	NtfsDeallocateClusters IC: .	Operational	N
83	NtfsDeallocateClusters IC: .	Operational	N
84	NtfsModifyBitsInBitmap IC: .	Operational	N
85	NtfsModifyBitsInBitmap IC: .	Operational	N
86	NtfsAllocateBitmapRun IC: .	Operational	N
87	NtfsAllocateBitmapRun IC: .	Operational	N
88	NtfsRestartSetBitsInBitMap IC: .	Operational	N
89	NtfsFreeBitmapRun IC: .	Operational	N
90	NtfsFreeBitmapRun IC: .	Operational	N
91	NtfsRestartClearBitsInBitMap IC: .	Operational	N
92	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational	N
93	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational	N
94	NtfsSetOrClearBitsUsingBaseMcb IC: .	Operational	N
95	System files not marked as in use in the MFT bitmap.	Operational	N
96	Length: 0 --> BinIndex : 0 - Unexpected length	Operational	N
97	Length: .	Operational	N
98	Length: .	Operational	N
99	BinIndex: .	Operational	N
100	BinIndex: .	Operational	N
101	BinGroupShift: .	Operational	N
102	BinIndex: .	Operational	N
103	Searched committed allocations but didnt find enough free space.	Operational	N
104	NtfsRemoveClustersFromTPMap: Vcb .	Operational	N
105	NtfsRemoveClustersFromTPMap: Vcb .	Operational	N
106	NtfsRemoveClustersFromTPMap: Vcb .	Operational	N
107	NtfsRemoveClustersFromTPMap: Vcb .	Operational	N
108	NtfsRemoveClustersFromTPMap: Vcb .	Operational	N
109	NtfsValidateTotalClustersCommitted(.	Operational	N
110	Illegal MDL Complete for major code .	Operational	N
111	Entering: Scb: .	Operational	N
112	RunEntry ==> .	Operational	N
113	Offset is beyond this extent skipping the extent.	Operational	N
114	Shrinking LengthInExtent (0x.	Operational	N
115	Zeroing: StartingPhysicalAddr: 0x.	Operational	N
116	Exiting: ExtentsDescriptorIndex: .	Operational	N
117	Entering: Scb: .	Operational	N
118	Dsm Ranges[.	Operational	N
119	RemainingClusterCount: 0x.	Operational	N
120	Dsm: TotalNumberOfRanges: .	Operational	N
121	DsmOut Ranges[.	Operational	N
122	Zeroing: StartingPhysicalAddr: 0x.	Operational	N
123	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational	N
124	Entering: Scb: .	Operational	N
125	Updating ExtentsDescriptor Index and StartOffset from Locals: …	Operational	N
126	IrpContext: .	Operational	N
127	Return.	Operational	N
128	Unexpected open type received: .	Operational	N
129	Raising STATUS_SUCCESS from NtfsCommonCleanup: .	Operational	N
130	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational	N
131	Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.	Operational	N
132	Irp: .	Operational	N
133	Irp: .	Operational	N
134	NtfsCommonCreate: Volume is locked.	Operational	N
135	NtfsCommonVolumeOpen: Invalid create disposition for volume open.	Operational	N
136	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational	N
137	NtfsCommonVolumeOpen: Thread: .	Operational	N
138	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.	Operational	N
139	NtfsCommonVolumeOpen: Conlicting file objects.	Operational	N
140	NtfsHandlePagingFile: Paging file already open, paging files can only be opened …	Operational	N
141	NtfsHandlePagingFile: Cannot open system file as paging file.	Operational	N
142	NtfsHandlePagingFile: Persisted paging file already exists.	Operational	N
143	NtfsOpenFcbById: Invalid system file access.	Operational	N
144	NtfsOpenExistingPrefixFcb: Can not directly open txf directory.	Operational	N
145	NtfsOpenExistingPrefixFcb: Invalid system file access.	Operational	N
146	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …	Operational	N
147	NtfsOpenFile: Invalid system file access.	Operational	N
148	NtfsOpenFile: Deny open when txf rm is active.	Operational	N
149	NtfsCreateNewFile: Deny creation in system directory (except root).	Operational	N
150	NtfsCreateNewFile: Unable to create Ea for the file.	Operational	N
151	NtfsCreateNewFile: Unable to create in the $txf directory.	Operational	N
152	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.	Operational	N
153	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.	Operational	N
154	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.	Operational	N
155	NtfsOpenAttributeInExistingFile: Denying access for volume root directory.	Operational	N
156	NtfsCreateNewFile: Not allowed to create streams on system files.	Operational	N
157	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …	Operational	N
158	NtfsOverwriteAttr: Denying access due to user being Ea blind.	Operational	N
159	NtfsOverwriteAttr: Deny access due to encryption happening on the stream.	Operational	N
160	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …	Operational	N
161	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …	Operational	N
162	NtfsCheckValidAttributeAccess: Deny access for protected system attributes.	Operational	N
163	NtfsOpenAttributeCheck: File already has user writable references.	Operational	N
164	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.	Operational	N
165	NtfsOpenAttributeCheck: File was granted write access but has image section.	Operational	N
166	NtfsOpenAttribute: Denying write access on disallowed writes.	Operational	N
167	NtfsOpenAttribute: File already has user writable references.	Operational	N
168	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational	N
169	NtfsOpenAttribute: File already has user writable references.	Operational	N
170	NtfsOpenAttribute: Open for exclusive read access is not allowed.	Operational	N
171	NtfsCheckExistingFile: Desired access conflicts with read-only state.	Operational	N
172	NtfsOpenExistingEncryptedStream: No encryption driver found.	Operational	N
173	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …	Operational	N
174	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …	Operational	N
175	NtfsFindStartingNode: Opening not allowed for txf name when RM is active.	Operational	N
176	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational	N
177	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational	N
178	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.	Operational	N
179	NtfsReCheckShareAccess: Does not meet allow open requirement.	Operational	N
180	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational	N
181	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational	N
182	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational	N
183	...:...!d! Status: ...!S! ProcessName: ...!S!	Operational	N
184	NtfsSendUnusedClustersHint: Vcb .	Operational	N
185	NtfsSendUnusedClustersHint: Vcb .	Operational	N
186	NtfsSendUnusedClustersHint: Vcb .	Operational	N
187	NtfsSendUnusedClustersHint: Vcb .	Operational	N
188	NtfsSendUnusedClustersHint: Vcb .	Operational	N
189	NtfsSendUnusedClustersHint: Vcb .	Operational	N
190	NtfsSendUnusedClustersHint: Vcb .	Operational	N
191	NtfsTransferMaxDataSetRanges: Src .	Operational	N
192	NtfsTransferMaxDataSetRanges: Src .	Operational	N
193	NtfsMarkUnusedContextPostTrimProcessing: Entering	Operational	N
194	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational	N
195	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational	N
196	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational	N
197	NtfsMarkUnusedContextPostTrimProcessing: Vcb .	Operational	N
198	NtfsMarkUnusedContextPostTrimProcessing: Leaving	Operational	N
199	NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .	Operational	N
200	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational	N
201	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational	N
202	NtfsMarkUnusedContextPreTrimProcessing: Vcb .	Operational	N
203	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .	Operational	N
204	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
205	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
206	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
207	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
208	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
209	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
210	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
211	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
212	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .	Operational	N
213	NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving	Operational	N
214	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational	N
215	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational	N
216	NtfsWakeupDeallocatedClustersWaiters: Vcb .	Operational	N
217	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
218	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
219	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
220	NtfsWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
221	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
222	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
223	NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .	Operational	N
224	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .	Operational	N
225	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .	Operational	N
226	NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .	Operational	N
227	NtfsCheckForTrimThrottling: Vcb .	Operational	N
228	NtfsUpdateSmartTrimState: Vcb .	Operational	N
229	NtfsUpdateSmartTrimState: Vcb .	Operational	N
230	NtfsUpdateSmartTrimState: Vcb .	Operational	N
231	NtfsUpdateSmartTrimState: Vcb .	Operational	N
232	NtfsUpdateSmartTrimState: Vcb .	Operational	N
233	NtfsUpdateSmartTrimState: Vcb .	Operational	N
234	NtfsUpdateSmartTrimState: Vcb .	Operational	N
235	NtfsUpdateSmartTrimState: Vcb .	Operational	N
236	NtfsUpdateSmartTrimState: Vcb .	Operational	N
237	NtfsUpdateSmartTrimState: Vcb .	Operational	N
238	NtfsUpdateSmartTrimState: Vcb .	Operational	N
239	NtfsEvalSmartTrimState: Vcb .	Operational	N
240	NtfsEvalSmartTrimState: Vcb .	Operational	N
241	NtfsEvalSmartTrimState: Vcb .	Operational	N
242	NtfsEvalSmartTrimState: Vcb .	Operational	N
243	NtfsEvalSmartTrimState: Vcb .	Operational	N
244	NtfsEvalSmartTrimState: Vcb .	Operational	N
245	NtfsEvalSmartTrimState: Vcb .	Operational	N
246	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.	Operational	N
247	NtfsVolumeDasdIo: Data section blocking flush.	Operational	N
248	Could not find paging file run.	Operational	N
249	Could not find paging file MCB entry.	Operational	N
250	Could not find paging file run.	Operational	N
251	Writing to $Bitmap.	Operational	N
252	NTFS: Posting hotfix on file object: .	Operational	N
253	NTFS: Freeing Bad Vcn: .	Operational	N
254	NTFS: Retiring Bad Lcn: .	Operational	N
255	NTFS: Reallocating Bad Vcn	Operational	N
256	NTFS: Bad Cluster replaced	Operational	N
257	IrpContext: .	Operational	N
258	Compression buffers are already big enough.	Operational	N
259	Event ID 259	Operational	N
260	IrpContext: .	Operational	N
261	Compression buffers are already big enough.	Operational	N
262	Event ID 262	Operational	N
263	NtfsDefragFileInternal: Defrag is denied.	Operational	N
264	NtfsDefragFileInternal: Vcb .	Operational	N
265	NtfsDefragFileInternal: Vcb .	Operational	N
266	NtfsDefragFileInternal: Defrag is denied.	Operational	N
267	NtfsDefragFileInternal(.	Operational	N
268	NtfsDefragFileInternal(.	Operational	N
269	NtfsDefragFileInternal(.	Operational	N
270	NtfsDefragFileInternal(.	Operational	N
271	NtfsDefragFileInternal(.	Operational	N
272	NtfsDefragFileInternal(.	Operational	N
273	NtfsDefragFile: Defrag is denied without manage volume access.	Operational	N
274	NtfsEncryptDecryptOnline: Defrag is denied.	Operational	N
275	NtfsEncryptDecryptOnline: Vcb .	Operational	N
276	NtfsEncryptDecryptOnline: Vcb .	Operational	N
277	NtfsEncryptDecryptOnline: Defrag is denied.	Operational	N
278	SCB: .	Operational	N
279	StartOff=0x.	Operational	N
280	NumberOfValidRuns: 0	Operational	N
281	RemainingClusterCount: 0x.	Operational	N
282	STATUS_BUFFER_TOO_SMALL from FsLib.	Operational	N
283	Made an educated guess for remaining runs.	Operational	N
284	Made a wild guess for remaining runs.	Operational	N
285	NumberOfValidRuns: 0x.	Operational	N
286	BasePage: 0x.	Operational	N
287	About to zero range - ZeroStart: 0x.	Operational	N
288	Zeroed range - ZeroStart: 0x.	Operational	N
289	NtfsCommonQueryInformation: File information query not allowed as file was …	Operational	N
290	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …	Operational	N
291	NtfsQueryNameInfo: Name info query not allowed as file was opened without …	Operational	N
292	NtfsQueryLinksInfo: Link info query not allowed as file was opened without …	Operational	N
293	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.	Operational	N
294	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.	Operational	N
295	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational	N
296	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational	N
297	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …	Operational	N
298	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …	Operational	N
299	NtfsSetRenameInfo: Can not rename a file marked for deletion.	Operational	N
300	NtfsSetRenameInfo: Can not rename a txf directory.	Operational	N
301	NtfsSetRenameInfo: Can not rename into a system directory.	Operational	N
302	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.	Operational	N
303	NtfsSetRenameInfo: The file should not have in-memory directory descendents.	Operational	N
304	NtfsSetRenameInfo: Child Scb mismatch.	Operational	N
305	NtfsSetLinkInfo: Set link info is not allowed on txf directory.	Operational	N
306	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.	Operational	N
307	NtfsSetLinkInfo: Set link info failed due to caller not having …	Operational	N
308	NtfsSetLinkInfo: Creating a link in system directory is not allowed.	Operational	N
309	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.	Operational	N
310	NtfsSetShortNameInfo: Can not set a short name on a deleted file.	Operational	N
311	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …	Operational	N
312	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …	Operational	N
313	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.	Operational	N
314	NtfsStreamRename: Deny access due to encryption happening on source stream.	Operational	N
315	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.	Operational	N
316	NtfsFlushVolumeFlushSingleFcb: Thread: .	Operational	N
317	NtfsFlushVolumeFlushSingleFcb: Thread: .	Operational	N
318	NtfsFlushVolume: Thread: .	Operational	N
319	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .	Operational	N
320	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .	Operational	N
321	NtfsFlushCompletionRoutine: Vcb .	Operational	N
322	NtfsFlushCompletionRoutine: Vcb .	Operational	N
323	NtfsDiskFlushContextWorkItemProcessing: Process work item	Operational	N
324	NtfsDiskFlushContextWorkItemProcessing: Nothing to work on	Operational	N
325	Irp: .	Operational	N
326	NtfsLockVolumeInternal: Cannot lock the volume.	Operational	N
327	NtfsLockVolumeInternal: Volume is already locked.	Operational	N
328	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational	N
329	NtfsLockVolumeInternal: Failed to flush system files on the volume.	Operational	N
330	NtfsLockVolumeInternal: Outstanding user files open after flush and retry.	Operational	N
331	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …	Operational	N
332	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.	Operational	N
333	...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.	Operational	N
334	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …	Operational	N
335	NtfsDismountVolume: IC: .	Operational	N
336	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational	N
337	NtfsDismountVolume: Cannot dismount volume due to volume being locked.	Operational	N
338	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …	Operational	N
339	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …	Operational	N
340	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …	Operational	N
341	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …	Operational	N
342	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …	Operational	N
343	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational	N
344	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …	Operational	N
345	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …	Operational	N
346	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …	Operational	N
347	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …	Operational	N
348	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …	Operational	N
349	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …	Operational	N
350	NtfsSetSparse: Caller does not have appropriate write access to the stream.	Operational	N
351	NtfsSetSparse: Cannot desparse encrypted file without write data access.	Operational	N
352	NtfsZeroRange: User mode caller not allowed.	Operational	N
353	IC: .	Operational	N
354	IC: .	Operational	N
355	NtfsReadRawEncrypted: Caller does not have backup access or read data access.	Operational	N
356	NtfsWriteRawEncrypted: Caller does not have write data access or restore access.	Operational	N
357	NtfsWriteRawEncrypted: Caller not having manage volume privilege.	Operational	N
358	NtfsLookupStreamFromCluster: Caller not having manage volume privilege.	Operational	N
359	NtfsChangeVolumeSize: Caller not having manage volume privilege.	Operational	N
360	NtfsChangeVolumeSize (.	Operational	N
361	NtfsChangeVolumeSize (.	Operational	N
362	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …	Operational	N
363	NtfsMarkHandle: Caller not having manage volume privilege.	Operational	N
364	NtfsMarkHandle: Cannot deny defrag.	Operational	N
365	NtfsMarkHandle: Cannot deny Frs consolidation.	Operational	N
366	NtfsMarkHandle: Cannot filter metadata.	Operational	N
367	NtfsMarkHandle: Mark handle is not allowed on system files.	Operational	N
368	NtfsMarkHandle: File already has user writable references.	Operational	N
369	NtfsMarkHandle: File was granted write access previously but no oplocks were …	Operational	N
370	NtfsPrefetchFile: Caller not having manage volume privilege.	Operational	N
371	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.	Operational	N
372	NtfsSetShortNameBehavior: Caller not having manage volume privilege.	Operational	N
373	Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.	Operational	N
374	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational	N
375	NtfsQueryPagefileEncryption: Caller not having manage volume privilege.	Operational	N
376	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.	Operational	N
377	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational	N
378	Resetting Volsnap behavior for VCB = 0x.	Operational	N
379	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.	Operational	N
380	NtfsCorruptionHandling: Caller not having manage volume privilege.	Operational	N
381	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.	Operational	N
382	Scrub resume from SystemScbIndex: .	Operational	N
383	Scb:.	Operational	N
384	Scrub SystemScbIndex: .	Operational	N
385	NtfsScrubData: Caller not having manage volume privilege.	Operational	N
386	Scrub not supported for Txf file, Scb: .	Operational	N
387	Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.	Operational	N
388	Scb:.	Operational	N
389	Scb:.	Operational	N
390	InternalFileReference: .	Operational	N
391	InternalFileReference:.	Operational	N
392	Scb:.	Operational	N
393	Scb:.	Operational	N
394	Scb:.	Operational	N
395	Scb:.	Operational	N
396	Scb:.	Operational	N
397	Scb:.	Operational	N
398	Scb:.	Operational	N
399	Scb:.	Operational	N
400	Scb:.	Operational	N
401	Scrub found problems Scb: .	Operational	N
402	Scb:.	Operational	N
403	Scb:.	Operational	N
404	FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .	Operational	N
405	Scb:.	Operational	N
406	Scb:.	Operational	N
407	FSCTL_REPAIR_COPIES interrupted by thread termination.	Operational	N
408	FSCTL_REPAIR_COPIES canceled	Operational	N
409	Scb:.	Operational	N
410	Scb:.	Operational	N
411	Scb:.	Operational	N
412	Scb:.	Operational	N
413	Scb:.	Operational	N
414	Scb:.	Operational	N
415	Scb:.	Operational	N
416	NtfsQueryCachedRuns: Caller not having manage volume privilege.	Operational	N
417	NtfsQueryStorageClasses: Caller not having manage volume privilege.	Operational	N
418	NtfsQueryRegionInfo: Caller not having manage volume privilege.	Operational	N
419	NtfsUnloadFile: Caller not having manage volume privilege.	Operational	N
420	NtfsCheckForSection: File already has image section.	Operational	N
421	NtfsShuffleFile: User mode caller is not allowed.	Operational	N
422	NtfsShuffleFile: Denying access due to volume is locked.	Operational	N
423	NtfsShuffleFile: Defrag is denied.	Operational	N
424	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational	N
425	NtfsRearrangeFile: User mode caller is not allowed.	Operational	N
426	NtfsRearrangeFile: Denying access due to volume is locked.	Operational	N
427	NtfsRearrangeFile: Defrag is denied.	Operational	N
428	NtfsShuffleFile: Denying access due to conflicting with read-only state.	Operational	N
429	NtfsSparseOverAllocate: Caller does not have appropriate write access.	Operational	N
430	NtfsInitiateFileMetadataOptimization: Only allowed on regular user …	Operational	N
431	NtfsQueryFileMetadataOptimization: Only allowed on regular user …	Operational	N
432	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational	N
433	NtfsEnumOnMountToDeleteWorker(.	Operational	N
434	NtfsEnumOnMountToDeleteWorker(.	Operational	N
435	NtfsEnumMountWorker(.	Operational	N
436	NtfsEnumMountWorker(.	Operational	N
437	NtfsEnumOnMountToDeleteWorker(.	Operational	N
438	NtfsCleanVolumeMetadata: Caller not having manage volume privilege.	Operational	N
439	SCB: .	Operational	N
440	FsLibGetBadAddressRanges returned Status: .	Operational	N
441	FsInputRangeIndex: .	Operational	N
442	Scb: .	Operational	N
443	Scb: .	Operational	N
444	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.	Operational	N
445	Logic error of posting close to work queue.	Operational	N
446	NtfsFindPrefixHashEntry: {Hash table: .	Operational	N
447	NtfsFindPrefixHashEntry: {Lcb: NULL}	Operational	N
448	NtfsFindPrefixHashEntry: {Lcb: .	Operational	N
449	NtfsFindPrefixHashEntry: {Lcb not found}	Operational	N
450	NtfsInsertHashEntry: {Hash table: .	Operational	N
451	NtfsRemoveHashEntry: {Hash table: .	Operational	N
452	Vcb .	Operational	N
453	Vcb .	Operational	N
454	Vcb .	Operational	N
455	Vcb .	Operational	N
456	Vcb .	Operational	N
457	Vcb .	Operational	N
458	Vcb .	Operational	N
459	Vcb .	Operational	N
460	Vcb .	Operational	N
461	Vcb .	Operational	N
462	Vcb .	Operational	N
463	Vcb .	Operational	N
464	Vcb .	Operational	N
465	NtfsCommitCurrentTransaction IC: .	Operational	N
466	NtfsCommitCurrentTransaction IC: .	Operational	N
467	NtfsCommitCurrentTransaction (.	Operational	N
468	NtfsCommitCurrentTransaction (.	Operational	N
469	NtfsCommitCurrentTransaction (.	Operational	N
470	NtfsCommitCurrentTransaction (.	Operational	N
471	NtfsCommitCurrentTransaction (.	Operational	N
472	NtfsCommitCurrentTransaction IC: .	Operational	N
473	NtfsCommitCurrentTransaction IC: .	Operational	N
474	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
475	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
476	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
477	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
478	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
479	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
480	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
481	Vcb: .	Operational	N
482	Looking for dangling MDLs	Operational	N
483	FsLibGroupSubExtentsByDanglingMdl failed: .	Operational	N
484	FsLibAddBaseMcbEntryEx failed: .	Operational	N
485	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .	Operational	N
486	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .	Operational	N
487	No sub extents has dangling MDL	Operational	N
488	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
489	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
490	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
491	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
492	NtfsFreeRecentlyDeallocated: Vcb .	Operational	N
493	NtfsRemoveNtfsMcbEntry Scb: .	Operational	N
494	NtfsRemoveNtfsMcbEntry Mcb: .	Operational	N
495	NtfsAddNtfsMcbEntry Scb: .	Operational	N
496	NtfsAddNtfsMcbEntry Mcb: .	Operational	N
497	NtfsUnloadNtfsMcbRange Scb: .	Operational	N
498	NtfsUnloadNtfsMcbRange Mcb: .	Operational	N
499	Valid NTFS boot sector.	Operational	N
500	Not an NTFS boot sector.	Operational	N
501	NtfsMountVolume: Vcb:.	Operational	N
502	NtfsMountVolume: IC: .	Operational	N
503	Mounting DAX partition.	Operational	N
504	DAX volume mounted without DAX support because storage is not DAX capable.	Operational	N
505	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational	N
506	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational	N
507	NtfsGrowMftsAttributeListAllocation Vcb:.	Operational	N
508	Unexpected exception code of 0x.	Operational	N
509	Exception code of 0x.	Operational	N
510	Unexpected exception code of 0x.	Operational	N
511	LogFileFull .	Operational	N
512	Unexpected raise of 0x.	Operational	N
513	NtfsProcessException IC: .	Operational	N
514	NtfsProcessException IC: .	Operational	N

Event ID 10: NtfsLookupRealAllocation: Vcn .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 11: NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateAttribute_MaxAlloc_for_Mfts_AttrList_IC`	NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC.
`p_Scb`

Event ID 12: FileObject: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FileObject`
`p_Scb`
`p_StaringVcn`
`I64x_ClusterCount`
`I64x_Flags`	!I64x!, Flags.

Event ID 13: NtfsAddAllocation IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAddAllocation_IC`
`p_FileObject`
`p_Scb`
`p_StaringVcn`
`I64x_ClusterCount`
`I64x_Flags`	!I64x!, Flags.

Event ID 14: Purge failed: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Purge_failed_Scb`	Purge failed: Scb.

Event ID 15: Purge failed: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Purge_failed_Scb`	Purge failed: Scb.

Event ID 16: NtfsGetLastVcnForNewMappingPairSize IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetLastVcnForNewMappingPairSize_IC`
`p_Using_LastVcn`

Event ID 17: Can't find StdInfo in FileRef .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 18: Can't find StdInfo in FileRef .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 19: NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateNonresidentWithValue_Create_Mfts_NonResident_Attribute_List_IC`	NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC.
`pValueLength`

Event ID 20: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 21: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 22: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 23: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`

Event ID 24: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 25: NtfsAddAttributeAllocation(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 26: NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 27: NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 28: AddToAttributeList(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 29: DeleteFromAttributeList(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 30: MakeRoomForAttribute Moving Mft's attribute IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`MakeRoomForAttribute_Moving_Mfts_attribute_IC`	MakeRoomForAttribute Moving Mft's attribute IC.

Event ID 31: MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`MoveAttributeToOwnRecord_Moving_Mfts_BITMAP_IC`	MoveAttributeToOwnRecord Moving Mft's $BITMAP IC.
`p_SizeNeeded`
`x_TypeCode`
`x_RecLen`
`x_Form`
`x_Instance`

Event ID 32: MoveAttributeToOwnRecord IC:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`MoveAttributeToOwnRecord_IC`
`p_SizeNeeded`
`x_Bytes2Free`
`x_OldMappingSize`
`x_NewMappingSize`

Event ID 33: NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 34: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`

Event ID 35: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`

Event ID 36: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`

Event ID 37: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 38: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 39: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 40: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 41: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 42: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 43: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 44: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 45: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`
`param12`
`param13`
`param14`
`param15`

Event ID 46: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 47: MergeFRS2(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 48: RedoAttribute(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`

Event ID 49: RedoAttribute(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`
`param12`

Event ID 50: NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsConsolidateAllFileRecords_Invalid_Vcb_Thread`	NtfsConsolidateAllFileRecords: Invalid Vcb. Thread.

Event ID 51: NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsConsolidateAllFileRecords_Volume_is_locked_Thread`	NtfsConsolidateAllFileRecords: Volume is locked. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Volume_Id`

Event ID 52: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 53: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 54: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 55: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`
`param12`

Event ID 56: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`

Event ID 57: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`

Event ID 58: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 59: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 60: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 61: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 62: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 63: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 64: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 65: NtfsConsolidateAllFileRecords(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 66: UpdateLCS: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 67: NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateClustersPriv_IC`
`p_Vcb`
`p_Scb`
`p_Mcb`
`S_DelayedAllocation`	6!I64x!, AllocateAll.

Event ID 68: NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateClustersPriv_IC`
`p_Vcb`
`p_Scb`
`p_Mcb`
`S_DelayedAllocation`	6!I64x!, AllocateAll.

Event ID 69: NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 70: NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`3I64xScbState`	1!I64x! clusters, Scb.

Event ID 71: NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateClustersPriv_IC`
`p_ClustersAllocated`

Event ID 72: NtfsAllocateClustersPriv IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateClustersPriv_IC`
`p_ClustersAllocated`

Event ID 73: NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDeallocateClusters_IC`
`p_Vcb`
`p_Scb`
`p_Mcb`

Event ID 74: NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 75: NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDeallocateClusters_IC`
`p_Vcb`
`p_Scb`
`p_Mcb`

Event ID 76: NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 77: NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 78: NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`p__Lsn`
`I64x_ClusterCount`
`I64x_Flags`
`I64x_new`	!08x!; Vcb's DeallocatedClustersCount old.

Event ID 79: NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`3I64xAddrTotalAllocated`	1!I64x! clusters, Scb.

Event ID 80: NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`pAddrTotalAllocated`	1!I64x! clusters, Scb.
`p_ScbState`

Event ID 81: NtfsDeallocateClusters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 82: NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDeallocateClusters_IC`
`p_ClustersDeallocated`

Event ID 83: NtfsDeallocateClusters IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDeallocateClusters_IC`
`p_ClustersDeallocated`

Event ID 84: NtfsModifyBitsInBitmap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsModifyBitsInBitmap_IC`
`p_Vcb`

Event ID 85: NtfsModifyBitsInBitmap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsModifyBitsInBitmap_IC`
`p_Bitmap`

Event ID 86: NtfsAllocateBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateBitmapRun_IC`
`p_Vcb`

Event ID 87: NtfsAllocateBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAllocateBitmapRun_IC`
`p_Bitmap`

Event ID 88: NtfsRestartSetBitsInBitMap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRestartSetBitsInBitMap_IC`
`p_Bitmap`

Event ID 89: NtfsFreeBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFreeBitmapRun_IC`
`p_Vcb`

Event ID 90: NtfsFreeBitmapRun IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFreeBitmapRun_IC`
`p_Bitmap`

Event ID 91: NtfsRestartClearBitsInBitMap IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRestartClearBitsInBitMap_IC`
`p_Bitmap`

Event ID 92: NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`
`p_Vcb`
`p_Bitmap`

Event ID 93: NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`
`p_Bitmap`

Event ID 94: NtfsSetOrClearBitsUsingBaseMcb IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetOrClearBitsUsingBaseMcb_IC`
`p_Result`

Event ID 95: System files not marked as in use in the MFT bitmap.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 96: Length: 0 --> BinIndex : 0 - Unexpected length

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 97: Length: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Length`
`u_BitPosition`
`ld_GroupIndex`
`ld_GroupShiftFactor`

Event ID 98: Length: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Length`

Event ID 99: BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`BinIndex`

Event ID 100: BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`BinIndex`
`ld_RelativeBinIndex`
`ld_MaxKey`

Event ID 101: BinGroupShift: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`BinGroupShift`

Event ID 102: BinIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`BinIndex`

Event ID 103: Searched committed allocations but didnt find enough free space.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 104: NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 105: NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 106: NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 107: NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 108: NtfsRemoveClustersFromTPMap: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 109: NtfsValidateTotalClustersCommitted(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 110: Illegal MDL Complete for major code .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 111: Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Entering_Scb`	Entering: Scb.
`p_ExtentsDescriptorIndex`

Event ID 112: RunEntry ==> .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 113: Offset is beyond this extent skipping the extent.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 114: Shrinking LengthInExtent (0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 115: Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 116: Exiting: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Exiting_ExtentsDescriptorIndex`	Exiting: ExtentsDescriptorIndex.

Event ID 117: Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Entering_Scb`	Entering: Scb.

Event ID 118: Dsm Ranges[.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 119: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 120: Dsm: TotalNumberOfRanges: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Dsm_TotalNumberOfRanges`	Dsm: TotalNumberOfRanges.
`d_NumberOfRangesReturned`

Event ID 121: DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 122: Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 123: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndex`	Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 124: Entering: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Entering_Scb`	Entering: Scb.
`p_ExtentsDescriptorIndex`

Event ID 125: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Updating_ExtentsDescriptor_Index_and_StartOffset_from_Locals_ExtentsDescriptorIndex`	Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex.

Event ID 126: IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`IrpContext`
`p_Scb`

Event ID 127: Return.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Return_IrpContext`	Return. IrpContext.

Event ID 128: Unexpected open type received: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Unexpected_open_type_received`

Event ID 129: Raising STATUS_SUCCESS from NtfsCommonCleanup: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Raising_STATUSSUCCESS_from_NtfsCommonCleanup`	Raising STATUS_SUCCESS from NtfsCommonCleanup.

Event ID 130: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 131: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 132: Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Irp`
`p_IC`
`p_Vcb`
`p_FileObject`
`p_RelatedFileObject`
`p_FileIdBuffer`

Event ID 133: Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Irp`
`p_IC`
`p_Vcb`
`p_FileObject`
`p_RelatedFileObject`
`p_Path`

Event ID 134: NtfsCommonCreate: Volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonCreate_Volume_is_locked_Thread`	NtfsCommonCreate: Volume is locked. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Vcb_State`

Event ID 135: NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonVolumeOpen_Invalid_create_disposition_for_volume_open_Thread`	NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread.

Event ID 136: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismount_Thread`	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 137: NtfsCommonVolumeOpen: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonVolumeOpen_Thread`	NtfsCommonVolumeOpen: Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`d_BiasedCleanupCount`

Event ID 138: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonVolumeOpen_Volume_is_locked_or_we_have_performed_a_dismountThread`	NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 139: NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonVolumeOpen_Conlicting_file_objects_Thread`	NtfsCommonVolumeOpen: Conlicting file objects. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`d_VcbCloseCount`
`d_VcbSystemFileCloseCount`

Event ID 140: NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsHandlePagingFile_Paging_file_already_open_paging_files_can_only_be_opened_once_Thread`	NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 141: NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsHandlePagingFile_Cannot_open_system_file_as_paging_file_Thread`	NtfsHandlePagingFile: Cannot open system file as paging file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 142: NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsHandlePagingFile_Persisted_paging_file_already_exists_Thread`	NtfsHandlePagingFile: Persisted paging file already exists. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 143: NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenFcbById_Invalid_system_file_access_Thread`	NtfsOpenFcbById: Invalid system file access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 144: NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenExistingPrefixFcb_Can_not_directly_open_txf_directory_Thread`	NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 145: NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenExistingPrefixFcb_Invalid_system_file_access_Thread`	NtfsOpenExistingPrefixFcb: Invalid system file access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 146: NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenFile_Unsafe_to_acquire_parent_directory_after_acquiring_a_txfsystem_file_Thread`	NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 147: NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenFile_Invalid_system_file_access_Thread`	NtfsOpenFile: Invalid system file access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 148: NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenFile_Deny_open_when_txf_rm_is_active_Thread`	NtfsOpenFile: Deny open when txf rm is active. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 149: NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateNewFile_Deny_creation_in_system_directory_except_root_Thread`	NtfsCreateNewFile: Deny creation in system directory (except root). Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Parent_Fcb_Fcb`

Event ID 150: NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateNewFile_Unable_to_create_Ea_for_the_file_Thread`	NtfsCreateNewFile: Unable to create Ea for the file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 151: NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateNewFile_Unable_to_create_in_the_txf_directory_Thread`	NtfsCreateNewFile: Unable to create in the $txf directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Parent_Fcb_Fcb`

Event ID 152: NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenSubdirectory_Denying_access_to_Txf_file_when_the_RM_is_active_Thread`	NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 153: NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeInExistingFile_Denying_access_due_to_caller_being_Ea_blind_Thread`	NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 154: NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeInExistingFile_Fail_to_find_INDEXROOT_attribute_Thread`	NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 155: NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeInExistingFile_Denying_access_for_volume_root_directory_Thread`	NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 156: NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateNewFile_Not_allowed_to_create_streams_on_system_files_Thread`	NtfsCreateNewFile: Not allowed to create streams on system files. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 157: NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOverwriteAttr_Cannot_overwrite_hidden_or_system_attribute_for_a_nonpaging_file_Thread`	NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 158: NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOverwriteAttr_Denying_access_due_to_user_being_Ea_blind_Thread`	NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_FileRef`

Event ID 159: NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOverwriteAttr_Deny_access_due_to_encryption_happening_on_the_stream_Thread`	NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 160: NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckValidAttributeAccess_Supersede_or_overwrite_is_not_allowed_on_this_type_of_named_attribute_Thread`	NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 161: NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckValidAttributeAccess_Only_read_attributes_access_is_supported_on_this_attribute_Thread`	NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 162: NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckValidAttributeAccess_Deny_access_for_protected_system_attributes_Thread`	NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread.
`p_AttributeTypeCode`

Event ID 163: NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeCheck_File_already_has_user_writable_references_Thread`	NtfsOpenAttributeCheck: File already has user writable references. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 164: NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeCheck_Deny_access_for_online_encryption_backup_data_stream_Thread`	NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 165: NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttributeCheck_File_was_granted_write_access_but_has_image_section_Thread`	NtfsOpenAttributeCheck: File was granted write access but has image section. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 166: NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttribute_Denying_write_access_on_disallowed_writes_Thread`	NtfsOpenAttribute: Denying write access on disallowed writes. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_Disallow_write_count`	6!I64x!, Scb.

Event ID 167: NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttribute_File_already_has_user_writable_references_Thread`	NtfsOpenAttribute: File already has user writable references. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 168: NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_Thread`	NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 169: NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttribute_File_already_has_user_writable_references_Thread`	NtfsOpenAttribute: File already has user writable references. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 170: NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenAttribute_Open_for_exclusive_read_access_is_not_allowed_Thread`	NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 171: NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckExistingFile_Desired_access_conflicts_with_readonly_state_Thread`	NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 172: NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenExistingEncryptedStream_No_encryption_driver_found_Thread`	NtfsOpenExistingEncryptedStream: No encryption driver found. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 173: NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsOpenExistingEncryptedStream_Opening_for_readwrite_access_not_allowed_on_compressed_file_Thread`	NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 174: NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsEncryptionCreateCallback_Encrytion_engine_fail_to_encrypt_all_streams_for_file_with_open_handle_Thread`	NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 175: NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFindStartingNode_Opening_not_allowed_for_txf_name_when_RM_is_active_Thread`	NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread.
`p_Fcb`

Event ID 176: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`d_LinkShareAccessDeleters`
`d_LinkShareAccessSharedDelete`

Event ID 177: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`d_ShareAccessReaders`
`d_ShareAccessWriters`
`d_ShareAccessDeleters`
`d_ShareAccessSharedRead`
`d_ShareAccessSharedWrite`
`d_ShareAccessSharedDelete`

Event ID 178: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckShareAccess_IoCheckLinkShareAccess_failed_with_sharing_violation_Thread`	NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_Link_Name`
`d_ShareAccessReaders`
`d_ShareAccessWriters`
`d_ShareAccessDeleters`
`d_ShareAccessSharedRead`
`d_ShareAccessSharedWrite`
`d_ShareAccessSharedDelete`
`d_LinkShareAccessOpenCount`
`d_LinkShareAccessDeleters`
`d_LinkShareAccessSharedDelete`

Event ID 179: NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsReCheckShareAccess_Does_not_meet_allow_open_requirement_Thread`	NtfsReCheckShareAccess: Does not meet allow open requirement. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_Link_Name`
`d_Readers`
`d_Writers`
`d_Deleters`
`d_SharedRead`
`d_Lcb_Deleters`

Event ID 180: ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`1`
`d_Status`
`S_ProcessName`

Event ID 181: ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`1`
`d_Status`
`S_ProcessName`

Event ID 182: ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`1`
`d_Status`
`S_ProcessName`

Event ID 183: ...:...!d! Status: ...!S! ProcessName: ...!S!

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`1`
`d_Status`
`S_ProcessName`

Event ID 184: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 185: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 186: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 187: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 188: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 189: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 190: NtfsSendUnusedClustersHint: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 191: NtfsTransferMaxDataSetRanges: Src .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 192: NtfsTransferMaxDataSetRanges: Src .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 193: NtfsMarkUnusedContextPostTrimProcessing: Entering

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 194: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 195: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`

Event ID 196: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 197: NtfsMarkUnusedContextPostTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 198: NtfsMarkUnusedContextPostTrimProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 199: NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 200: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 201: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 202: NtfsMarkUnusedContextPreTrimProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 203: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 204: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 205: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 206: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 207: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 208: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 209: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 210: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 211: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 212: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 213: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 214: NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 215: NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 216: NtfsWakeupDeallocatedClustersWaiters: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 217: NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 218: NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 219: NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 220: NtfsWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 221: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 222: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 223: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 224: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 225: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 226: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 227: NtfsCheckForTrimThrottling: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 228: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 229: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 230: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 231: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 232: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 233: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 234: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 235: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 236: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 237: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 238: NtfsUpdateSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 239: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 240: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 241: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 242: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 243: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 244: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 245: NtfsEvalSmartTrimState: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 246: NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonDeviceControl_IOCTLDISKCOPYDATA_is_not_allowed_on_unlocked_volume_Thread`	NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 247: NtfsVolumeDasdIo: Data section blocking flush.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsVolumeDasdIo_Data_section_blocking_flush_Thread`	NtfsVolumeDasdIo: Data section blocking flush. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Flush_status`

Event ID 248: Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 249: Could not find paging file MCB entry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 250: Could not find paging file run.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 251: Writing to $Bitmap.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Writing_to_Bitmap_Vcb`	Writing to $Bitmap. Vcb.

Event ID 252: NTFS: Posting hotfix on file object: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NTFS_Posting_hotfix_on_file_object`	NTFS: Posting hotfix on file object.

Event ID 253: NTFS: Freeing Bad Vcn: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NTFS_____Freeing_Bad_Vcn`	NTFS: Freeing Bad Vcn.

Event ID 254: NTFS: Retiring Bad Lcn: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NTFS_____Retiring_Bad_Lcn`	NTFS: Retiring Bad Lcn.

Event ID 255: NTFS: Reallocating Bad Vcn

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 256: NTFS: Bad Cluster replaced

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 257: IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`IrpContext`
`p_Vcb`

Event ID 258: Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 259

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 260: IrpContext: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`IrpContext`
`p_Vcb`

Event ID 261: Compression buffers are already big enough.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 262

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 263: NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDefragFileInternal_Defrag_is_denied_Thread`	NtfsDefragFileInternal: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 264: NtfsDefragFileInternal: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 265: NtfsDefragFileInternal: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 266: NtfsDefragFileInternal: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDefragFileInternal_Defrag_is_denied_Thread`	NtfsDefragFileInternal: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 267: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`

Event ID 268: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`

Event ID 269: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 270: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 271: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`

Event ID 272: NtfsDefragFileInternal(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`

Event ID 273: NtfsDefragFile: Defrag is denied without manage volume access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDefragFile_Defrag_is_denied_without_manage_volume_access_Thread`	NtfsDefragFile: Defrag is denied without manage volume access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 274: NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsEncryptDecryptOnline_Defrag_is_denied_Thread`	NtfsEncryptDecryptOnline: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 275: NtfsEncryptDecryptOnline: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 276: NtfsEncryptDecryptOnline: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 277: NtfsEncryptDecryptOnline: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsEncryptDecryptOnline_Defrag_is_denied_Thread`	NtfsEncryptDecryptOnline: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 278: SCB: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`SCB`

Event ID 279: StartOff=0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`

Event ID 280: NumberOfValidRuns: 0

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 281: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 282: STATUS_BUFFER_TOO_SMALL from FsLib.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 283: Made an educated guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 284: Made a wild guess for remaining runs.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 285: NumberOfValidRuns: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 286: BasePage: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 287: About to zero range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 288: Zeroed range - ZeroStart: 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 289: NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommonQueryInformation_File_information_query_not_allowed_as_file_was_opened_by_ID_without_traversal_privilege_Thread`	NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 290: NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryCaseSensitiveInfo_Case_sensitive_info_query_not_allowed_without_read_attributes_access_Thread`	NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 291: NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryNameInfo_Name_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread`	NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 292: NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryLinksInfo_Link_info_query_not_allowed_as_file_was_opened_without_traverse_privilege_Thread`	NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 293: NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetCaseSensitiveInfo_Cannot_mark_root_directory_of_a_volume_casesensitive_Thread`	NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 294: NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_system_file_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 295: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 296: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_Link_name`	6!I64x!, Lcb.
`S_TxfNumWriters_count`

Event ID 297: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_opened_by_ID_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 298: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveSupersededTarget_Can_not_do_a_superseding_rename_over_a_file_with_open_handles_via_either_part_of_the_longshort_pair_Thread`	NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_Link_name`	6!I64x!, Lcb.
`S_Link_cleanup_count`
`d_SplitPrimaryLcb`
`p_Split_link_name`
`S_Split_link_cleanup_count`

Event ID 299: NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_file_marked_for_deletion_Thread`	NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_link_name`

Event ID 300: NtfsSetRenameInfo: Can not rename a txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_txf_directory_Thread`	NtfsSetRenameInfo: Can not rename a txf directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 301: NtfsSetRenameInfo: Can not rename into a system directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_Can_not_rename_into_a_system_directory_Thread`	NtfsSetRenameInfo: Can not rename into a system directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 302: NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_Can_not_rename_a_file_that_is_part_of_a_TxF_transaction_Thread`	NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 303: NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_The_file_should_not_have_inmemory_directory_descendents_Thread`	NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 304: NtfsSetRenameInfo: Child Scb mismatch.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetRenameInfo_Child_Scb_mismatch_Thread`	NtfsSetRenameInfo: Child Scb mismatch. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 305: NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_txf_directory_Thread`	NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 306: NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetLinkInfo_Set_link_info_is_not_allowed_on_a_file_in_a_TxF_transaction_Thread`	NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_TxfVisibleLinks`	6!I64x!, FileName.

Event ID 307: NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetLinkInfo_Set_link_info_failed_due_to_caller_not_having_FILEWRITEATTRIBUTES_access_Thread`	NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_SeAccessCheck_status`	6!I64x!, FileName.

Event ID 308: NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetLinkInfo_Creating_a_link_in_system_directory_is_not_allowed_Thread`	NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 309: NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetLinkInfo_Creating_a_link_in_txf_is_not_allowed_if_the_RM_is_running_Thread`	NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_Target_RM_state`	6!I64x!, NewLinkName.

Event ID 310: NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_deleted_file_Thread`	NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_Link_Name`	6!I64x!, Lcb.

Event ID 311: NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetShortNameInfo_Can_not_set_a_short_name_on_a_file_under_the_TxF_directory_Thread`	NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_Link_Name`	6!I64x!, Lcb.
`S_Parent_FileRef`

Event ID 312: NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckScbForLinkRemoval_Existing_handles_are_not_allowed_if_Txf_transaction_is_doing_the_rename_Thread`	NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 313: NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckScbForLinkRemoval_Not_all_open_handles_for_the_stream_are_byid_opens_Thread`	NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`d_Stream_cleanup_count`	6!I64x!, ByID opens.

Event ID 314: NtfsStreamRename: Deny access due to encryption happening on source stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsStreamRename_Deny_access_due_to_encryption_happening_on_source_stream_Thread`	NtfsStreamRename: Deny access due to encryption happening on source stream. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 315: NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsProcessTreeForRename_Deny_access_due_to_number_of_batch_oplocks_has_grown_Thread`	NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`d_current_batch_oplock_count`	6!I64x!, Previous batch oplock count.

Event ID 316: NtfsFlushVolumeFlushSingleFcb: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFlushVolumeFlushSingleFcb_Thread`	NtfsFlushVolumeFlushSingleFcb: Thread.
`p_Vcb`
`p_Fcb`
`p_LocalFlags`

Event ID 317: NtfsFlushVolumeFlushSingleFcb: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFlushVolumeFlushSingleFcb_Thread`	NtfsFlushVolumeFlushSingleFcb: Thread.
`p_Scb`

Event ID 318: NtfsFlushVolume: Thread: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFlushVolume_Thread`	NtfsFlushVolume: Thread.
`p_Vcb`
`p_LocalFlags`

Event ID 319: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_BitmapScb_Scb`	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb.
`p_Vcb`

Event ID 320: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFlushVolume_setting_SCBPERSISTVOLUMEDISMOUNTED_on_MftScb_Scb`	NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb.
`p_Vcb`

Event ID 321: NtfsFlushCompletionRoutine: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 322: NtfsFlushCompletionRoutine: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 323: NtfsDiskFlushContextWorkItemProcessing: Process work item

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 324: NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 325: Irp: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Irp`
`p_IC`
`p_Vcb`
`p_MinorCode`

Event ID 326: NtfsLockVolumeInternal: Cannot lock the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolumeInternal_Cannot_lock_the_volume_Thread`	NtfsLockVolumeInternal: Cannot lock the volume. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`d_ExplicitLock`
`d_Volume_CleanupCount`
`d_Handle_count`

Event ID 327: NtfsLockVolumeInternal: Volume is already locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolumeInternal_Volume_is_already_lockedThread`	NtfsLockVolumeInternal: Volume is already locked.Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 328: NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volume_Thread`	NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Flush_Status`

Event ID 329: NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolumeInternal_Failed_to_flush_system_files_on_the_volumeThread`	NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Flush_Status`

Event ID 330: NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolumeInternal_Outstanding_user_files_open_after_flush_and_retry_Thread`	NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Volume_close_count`
`d_System_file_close_count`
`d_User_handle_count`

Event ID 331: NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolume_Cannot_lock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread`	NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 332: NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLockVolume_Cannot_lock_volume_due_to_active_secondary_RMs_on_the_volume_Thread`	NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Active_RM_count`
`d_Default_RM_Active`

Event ID 333: ...: Setting RM at 0x...!p! ({...!S!}) up for auto-restart.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 334: NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsUnlockVolume_Cannot_unlock_volume_due_to_caller_does_not_have_manage_volume_privilege_Thread`	NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 335: NtfsDismountVolume: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDismountVolume_IC`	NtfsDismountVolume: IC.
`p_Vcb`
`p_Label`
`S_DeviceName`

Event ID 336: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_Thread`	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 337: NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_volume_being_locked_Thread`	NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 338: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsDismountVolume_Cannot_dismount_volume_due_to_systempagefiles_being_open_for_write_access_Thread`	NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`d_CloseCount`
`d_SystemFileCloseCount`

Event ID 339: NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkVolumeDirty_Cannot_mark_volume_dirty_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 340: NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetVolumeBitmap_Cannot_get_volume_bitmap_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 341: NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetBootAreaInfo_Cannot_get_boot_area_info_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 342: NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetRetrievalPointers_Cannot_get_retrieval_pointers_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 343: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 344: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGetRetrievalPointerBase_Cannot_get_revrieval_pointer_base_info_due_to_caller_not_having_manage_volume_privilege_or_this_is_not_a_volume_open_Thread`	NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 345: NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCreateUsnJournal_Cannot_create_Usn_journal_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 346: NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsUsnTrackModifiedRanges_Cannot_enable_range_tracking_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 347: NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsEnumerateUsnData_Cannot_enumerate_Usn_data_due_to_caller_not_having_manage_volume_privilege_Thread`	NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 348: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_backup_access_or_can_bypass_traverse_checks_Thread`	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 349: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFindFilesOwnedBySid_Caller_not_having_manage_volume_privilege_or_backup_access_and_is_not_admin_Thread`	NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`d_Context_owner_ID`

Event ID 350: NtfsSetSparse: Caller does not have appropriate write access to the stream.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetSparse_Caller_does_not_have_appropriate_write_access_to_the_stream_Thread`	NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 351: NtfsSetSparse: Cannot desparse encrypted file without write data access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetSparse_Cannot_desparse_encrypted_file_without_write_data_access_Thread`	NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 352: NtfsZeroRange: User mode caller not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsZeroRange_User_mode_caller_not_allowed_Thread`	NtfsZeroRange: User mode caller not allowed. Thread.

Event ID 353: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`IC`
`p_Scb`
`p_FileObject`

Event ID 354: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`IC`

Event ID 355: NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsReadRawEncrypted_Caller_does_not_have_backup_access_or_read_data_access_Thread`	NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 356: NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsWriteRawEncrypted_Caller_does_not_have_write_data_access_or_restore_access_Thread`	NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 357: NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsWriteRawEncrypted_Caller_not_having_manage_volume_privilege_Thread`	NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 358: NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsLookupStreamFromCluster_Caller_not_having_manage_volume_privilege_Thread`	NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 359: NtfsChangeVolumeSize: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsChangeVolumeSize_Caller_not_having_manage_volume_privilege_Thread`	NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 360: NtfsChangeVolumeSize (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 361: NtfsChangeVolumeSize (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 362: NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Caller_does_not_have_a_valid_volume_handle_or_manage_volume_access_or_is_not_kernel_model_caller_Thread`	NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 363: NtfsMarkHandle: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Caller_not_having_manage_volume_privilege_Thread`	NtfsMarkHandle: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 364: NtfsMarkHandle: Cannot deny defrag.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Cannot_deny_defrag_Thread`	NtfsMarkHandle: Cannot deny defrag. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 365: NtfsMarkHandle: Cannot deny Frs consolidation.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Cannot_deny_Frs_consolidation_Thread`	NtfsMarkHandle: Cannot deny Frs consolidation. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 366: NtfsMarkHandle: Cannot filter metadata.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Cannot_filter_metadata_Thread`	NtfsMarkHandle: Cannot filter metadata. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 367: NtfsMarkHandle: Mark handle is not allowed on system files.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_Mark_handle_is_not_allowed_on_system_files_Thread`	NtfsMarkHandle: Mark handle is not allowed on system files. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 368: NtfsMarkHandle: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_File_already_has_user_writable_references_Thread`	NtfsMarkHandle: File already has user writable references. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 369: NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMarkHandle_File_was_granted_write_access_previously_but_no_oplocks_were_broken_Thread`	NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_Writers`

Event ID 370: NtfsPrefetchFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsPrefetchFile_Caller_not_having_manage_volume_privilege_Thread`	NtfsPrefetchFile: Caller not having manage volume privilege. Thread.
`p_TypeOfOpen`
`d_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 371: NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetZeroOnDeallocate_Only_allowed_on_regular_user_files_opened_for_write_Thread`	NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_WriteAccess`
`d_Fcb`

Event ID 372: NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSetShortNameBehavior_Caller_not_having_manage_volume_privilege_Thread`	NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 373: Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 374: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 375: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryPagefileEncryption_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 376: NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Volsnap_hints_are_disabled_by_registry_Thread`	NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_NtfsData_Flags`

Event ID 377: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_Thread`	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 378: Resetting Volsnap behavior for VCB = 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 379: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsResetVolsnapBehaviorForVolume_Caller_not_having_manage_volume_privilege_Thread`	NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 380: NtfsCorruptionHandling: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCorruptionHandling_Caller_not_having_manage_volume_privilege_Thread`	NtfsCorruptionHandling: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 381: NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGlobalCorruptionHandling_Caller_does_not_have_manage_volume_privilege_Thread`	NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 382: Scrub resume from SystemScbIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scrub_resume_from_SystemScbIndex`
`u_Vcn`

Event ID 383: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Scrub_resume_from_Vcn`

Event ID 384: Scrub SystemScbIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scrub_SystemScbIndex`

Event ID 385: NtfsScrubData: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsScrubData_Caller_not_having_manage_volume_privilege_Thread`	NtfsScrubData: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`

Event ID 386: Scrub not supported for Txf file, Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scrub_not_supported_for_Txf_file_Scb`	Scrub not supported for Txf file, Scb.
`p_TxfScb`

Event ID 387: Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 388: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_ScrubInternal_OperationStatus`
`S_Repaired`
`I64x_Failed`	!#I64x! Failed.
`I64x_FileOffset`	!#I64x! FileOffset.
`I64x_Length`
`I64x_ParityExtentCount`

Event ID 389: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_ScrubInternal_Status`
`S_Repaired`
`I64x_Failed`	!#I64x! Failed.
`I64x_ParityExtentCount`

Event ID 390: InternalFileReference: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`InternalFileReference`

Event ID 391: InternalFileReference:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`InternalFileReference`

Event ID 392: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Incomplete_IoCount`
`u_Cancel`
`u_ParityExtentCount`

Event ID 393: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`

Event ID 394: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`

Event ID 395: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`

Event ID 396: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Scrub_starting_vcn_is_beyond_VDL_FileOffset`
`I64x_SectorAlignedVdl`	!#I64x!, SectorAlignedVdl.

Event ID 397: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Scrub_no_more_Mcb_entries_from_StartingVcn`

Event ID 398: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Scrub_skipping_UNUSEDLCN_Vcn`
`I64x_ClusterCount`

Event ID 399: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_StartingVcn`

Event ID 400: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`I64x_Bytes_StartingVcn`

Event ID 401: Scrub found problems Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scrub_found_problems_Scb`
`I64x_Length`	2!#I64x! FileOffset.
`I64x_Status`
`S_BytesFailed`	!#I64x! Status.
`I64x_BytesRepaired`
`I64x_NewParityExtents`	!#I64x! BytesRepaired.

Event ID 402: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_DsmActionScrub_call_failed_Status`

Event ID 403: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_DsmActionScrub_operation_failed_Status`

Event ID 404: FSCTL_REPAIR_COPIES not supported for Txf file, Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FSCTLREPAIRCOPIES_not_supported_for_Txf_file_Scb`	FSCTL_REPAIR_COPIES not supported for Txf file, Scb.
`p_TxfScb`

Event ID 405: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`

Event ID 406: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`

Event ID 407: FSCTL_REPAIR_COPIES interrupted by thread termination.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 408: FSCTL_REPAIR_COPIES canceled

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 409: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_FSCTLREPAIRCOPIES_no_more_Mcb_entries_from_StartingVcn`

Event ID 410: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_FSCTLREPAIRCOPIES_No_more_Mcb_entries_unallocated_from_StartingVcn`

Event ID 411: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_FSCTLREPAIRCOPIES_skipping_UNUSEDLCN_Vcn`
`I64x_ClusterCount`

Event ID 412: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`I64x_Bytes_FileOffset`

Event ID 413: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_DsmActionRepair_call_failed_Status`

Event ID 414: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_DsmActionRepair_operation_failed_Status`

Event ID 415: Scb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_DsmActionRepair_completed_IrpStatus`

Event ID 416: NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryCachedRuns_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`

Event ID 417: NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryStorageClasses_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`

Event ID 418: NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryRegionInfo_Caller_not_having_manage_volume_privilege_Thread`	NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`

Event ID 419: NtfsUnloadFile: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsUnloadFile_Caller_not_having_manage_volume_privilege_Thread`	NtfsUnloadFile: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`

Event ID 420: NtfsCheckForSection: File already has image section.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCheckForSection_File_already_has_image_section_Thread`	NtfsCheckForSection: File already has image section. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 421: NtfsShuffleFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsShuffleFile_User_mode_caller_is_not_allowed_Thread`	NtfsShuffleFile: User mode caller is not allowed. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_TypeOfOpen`
`d_Fcb`
`S_Irp_RequestorMode`	7!I64x!, Ccb FullFileName.

Event ID 422: NtfsShuffleFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsShuffleFile_Denying_access_due_to_volume_is_locked_Thread`	NtfsShuffleFile: Denying access due to volume is locked. Thread.
`p_TypeOfOpen`
`d_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_FileRef`
`I64x_Ccb_FullFileName`	!I64x!, Ccb FullFileName.

Event ID 423: NtfsShuffleFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsShuffleFile_Defrag_is_denied_Thread`	NtfsShuffleFile: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 424: NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_Thread`	NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 425: NtfsRearrangeFile: User mode caller is not allowed.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRearrangeFile_User_mode_caller_is_not_allowed_Thread`	NtfsRearrangeFile: User mode caller is not allowed. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`S_Irp_RequestorMode`	6!I64x!, Ccb FullFileName.

Event ID 426: NtfsRearrangeFile: Denying access due to volume is locked.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRearrangeFile_Denying_access_due_to_volume_is_locked_Thread`	NtfsRearrangeFile: Denying access due to volume is locked. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 427: NtfsRearrangeFile: Defrag is denied.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRearrangeFile_Defrag_is_denied_Thread`	NtfsRearrangeFile: Defrag is denied. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 428: NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsShuffleFile_Denying_access_due_to_conflicting_with_readonly_state_Thread`	NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 429: NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsSparseOverAllocate_Caller_does_not_have_appropriate_write_access_Thread`	NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_FileRef`
`I64x_FullFileName`	!I64x!, FullFileName.
`S_Ccb_access_flags`

Event ID 430: NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsInitiateFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_write_Thread`	NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread.
`p_TypeOfOpen`
`d_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`
`p_FileRef`
`I64x_Scb_AttributeTypeCode`	!I64x!, Scb AttributeTypeCode.
`x_FcbState2`
`x_Ccb_FullFileName`
`S_Ccb_Access_flags`
`x_Ccb_Flags2`

Event ID 431: NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsQueryFileMetadataOptimization_Only_allowed_on_regular_user_filesdirectories_opened_for_read_Thread`	NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread.
`p_TypeOfOpen`
`d_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 432: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_Thread`	NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 433: NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 434: NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 435: NtfsEnumMountWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 436: NtfsEnumMountWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 437: NtfsEnumOnMountToDeleteWorker(.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 438: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCleanVolumeMetadata_Caller_not_having_manage_volume_privilege_Thread`	NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread.
`p_TypeOfOpen`
`d_Vcb`
`p_VolumeName`
`S_VolumeLabel`
`S_Fcb`

Event ID 439: SCB: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`SCB`

Event ID 440: FsLibGetBadAddressRanges returned Status: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FsLibGetBadAddressRanges_returned_Status`

Event ID 441: FsInputRangeIndex: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FsInputRangeIndex`

Event ID 442: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Status`
`S_AbnormalTermination`

Event ID 443: Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Scb`
`p_Status`

Event ID 444: NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsEncryptionKeyCtl_Caller_does_not_have_SETCBPRIVILEGE_Thread`	NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread.
`p_Vcb`
`p_VolumeName`
`S_VolumeLabel`

Event ID 445: Logic error of posting close to work queue.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 446: NtfsFindPrefixHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFindPrefixHashEntry_Hash_table`	NtfsFindPrefixHashEntry: {Hash table.
`p_ParentScb`

Event ID 447: NtfsFindPrefixHashEntry: {Lcb: NULL}

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 448: NtfsFindPrefixHashEntry: {Lcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsFindPrefixHashEntry_Lcb`	NtfsFindPrefixHashEntry: {Lcb.

Event ID 449: NtfsFindPrefixHashEntry: {Lcb not found}

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 450: NtfsInsertHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsInsertHashEntry_Hash_table`	NtfsInsertHashEntry: {Hash table.
`p_HashValue`
`d_Lcb`

Event ID 451: NtfsRemoveHashEntry: {Hash table: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveHashEntry_Hash_table`	NtfsRemoveHashEntry: {Hash table.
`p_HashValue`

Event ID 452: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 453: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 454: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 455: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 456: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 457: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 458: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 459: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 460: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 461: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 462: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 463: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 464: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 465: NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommitCurrentTransaction_IC`

Event ID 466: NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommitCurrentTransaction_IC`

Event ID 467: NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 468: NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 469: NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`

Event ID 470: NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 471: NtfsCommitCurrentTransaction (.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`

Event ID 472: NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommitCurrentTransaction_IC`

Event ID 473: NtfsCommitCurrentTransaction IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsCommitCurrentTransaction_IC`

Event ID 474: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`I64x_ClearAll`

Event ID 475: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 476: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 477: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 478: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 479: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 480: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`I64x_Flags`

Event ID 481: Vcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Vcb`
`p_Processing_range_DeallocatedClusters`
`p_RunIndex`
`d_StartingLcn`
`I64x_ClusterCount`

Event ID 482: Looking for dangling MDLs

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 483: FsLibGroupSubExtentsByDanglingMdl failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FsLibGroupSubExtentsByDanglingMdl_failed`

Event ID 484: FsLibAddBaseMcbEntryEx failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`FsLibAddBaseMcbEntryEx_failed`

Event ID 485: NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAddToMatchingDeallocatedClusters_ExtentsWithoutDanglingMdl__failed`	NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed.

Event ID 486: NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAddToMatchingDeallocatedClusters_ExtentsWithDanglingMdl__failed`	NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed.

Event ID 487: No sub extents has dangling MDL

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Event ID 488: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 489: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`

Event ID 490: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 491: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`

Event ID 492: NtfsFreeRecentlyDeallocated: Vcb .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 493: NtfsRemoveNtfsMcbEntry Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveNtfsMcbEntry_Scb`
`p_Mcb`

Event ID 494: NtfsRemoveNtfsMcbEntry Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsRemoveNtfsMcbEntry_Mcb`

Event ID 495: NtfsAddNtfsMcbEntry Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAddNtfsMcbEntry_Scb`
`p_Mcb`

Event ID 496: NtfsAddNtfsMcbEntry Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsAddNtfsMcbEntry_Mcb`
`p_Result`

Event ID 497: NtfsUnloadNtfsMcbRange Scb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsUnloadNtfsMcbRange_Scb`
`p_Mcb`

Event ID 498: NtfsUnloadNtfsMcbRange Mcb: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsUnloadNtfsMcbRange_Mcb`

Event ID 499: Valid NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Valid_NTFS_boot_sector_Vcb`	Valid NTFS boot sector. Vcb.
`p_BootSector`

Event ID 500: Not an NTFS boot sector.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Not_an_NTFS_boot_sector_Vcb`	Not an NTFS boot sector. Vcb.
`p_BootSector`
`p_CheckNumber`

Event ID 501: NtfsMountVolume: Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMountVolume_Vcb`	NtfsMountVolume: Vcb.
`p_IC`

Event ID 502: NtfsMountVolume: IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsMountVolume_IC`	NtfsMountVolume: IC.
`p_Vcb`
`p_Label`
`S_DeviceName`

Event ID 503: Mounting DAX partition.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`Mounting_DAX_partition_Vcb`	Mounting DAX partition. Vcb.

Event ID 504: DAX volume mounted without DAX support because storage is not DAX capable.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`DAX_volume_mounted_without_DAX_support_because_storage_is_not_DAX_capable_Vcb`	DAX volume mounted without DAX support because storage is not DAX capable. Vcb.

Event ID 505: NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`
`p_IC`

Event ID 506: NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`
`p_IC`

Event ID 507: NtfsGrowMftsAttributeListAllocation Vcb:.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsGrowMftsAttributeListAllocation_Vcb`
`p_IC`
`p_AttrListScb`

Event ID 508: Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 509: Exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 510: Unexpected exception code of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 511: LogFileFull .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`
`param2`
`param3`
`param4`
`param5`
`param6`
`param7`
`param8`
`param9`
`param10`
`param11`
`param12`
`param13`
`param14`
`param15`
`param16`
`param17`
`param18`
`param19`
`param20`
`param21`

Event ID 512: Unexpected raise of 0x.

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`param1`

Event ID 513: NtfsProcessException IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsProcessException_IC`

Event ID 514: NtfsProcessException IC: .

Provider: Microsoft-Windows-NtfsLog_0b829c43cfd535d90d24f72b908ea742
Channel: Operational

Fields #

Name	Description
`NtfsProcessException_IC`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)