Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3

708 events across 1 channel

Event	Title	Channel	Sample
10	task_0	ETW Trace	N
11	task_011	ETW Trace	N
12	task_012	ETW Trace	N
13	task_013	ETW Trace	N
14	task_014	ETW Trace	N
15	task_015	ETW Trace	N
16	task_016	ETW Trace	N
17	task_017	ETW Trace	N
18	task_018	ETW Trace	N
19	task_019	ETW Trace	N
20	task_020	ETW Trace	N
21	task_021	ETW Trace	N
22	task_022	ETW Trace	N
23	task_023	ETW Trace	N
24	task_024	ETW Trace	N
25	task_025	ETW Trace	N
26	task_026	ETW Trace	N
27	task_027	ETW Trace	N
28	task_028	ETW Trace	N
29	task_029	ETW Trace	N
30	task_030	ETW Trace	N
31	task_031	ETW Trace	N
32	task_032	ETW Trace	N
33	task_033	ETW Trace	N
34	task_034	ETW Trace	N
35	task_035	ETW Trace	N
36	task_036	ETW Trace	N
37	task_037	ETW Trace	N
38	task_038	ETW Trace	N
39	task_039	ETW Trace	N
40	task_040	ETW Trace	N
41	task_041	ETW Trace	N
42	task_042	ETW Trace	N
43	task_043	ETW Trace	N
44	task_044	ETW Trace	N
45	task_045	ETW Trace	N
46	task_046	ETW Trace	N
47	task_047	ETW Trace	N
48	task_048	ETW Trace	N
49	task_049	ETW Trace	N
50	task_050	ETW Trace	N
51	task_051	ETW Trace	N
52	task_052	ETW Trace	N
53	task_053	ETW Trace	N
54	task_054	ETW Trace	N
55	task_055	ETW Trace	N
56	task_056	ETW Trace	N
57	task_057	ETW Trace	N
58	task_058	ETW Trace	N
59	task_059	ETW Trace	N
60	task_060	ETW Trace	N
61	task_061	ETW Trace	N
62	task_062	ETW Trace	N
63	task_063	ETW Trace	N
64	task_064	ETW Trace	N
65	task_065	ETW Trace	N
66	task_066	ETW Trace	N
67	task_067	ETW Trace	N
68	task_068	ETW Trace	N
69	task_069	ETW Trace	N
70	task_070	ETW Trace	N
71	task_071	ETW Trace	N
72	task_072	ETW Trace	N
73	task_073	ETW Trace	N
74	task_074	ETW Trace	N
75	task_075	ETW Trace	N
76	task_076	ETW Trace	N
77	task_077	ETW Trace	N
78	task_078	ETW Trace	N
79	task_079	ETW Trace	N
80	task_080	ETW Trace	N
81	task_081	ETW Trace	N
82	task_082	ETW Trace	N
83	task_083	ETW Trace	N
84	task_084	ETW Trace	N
85	task_085	ETW Trace	N
86	task_086	ETW Trace	N
87	task_087	ETW Trace	N
88	task_088	ETW Trace	N
89	task_089	ETW Trace	N
90	task_090	ETW Trace	N
91	task_091	ETW Trace	N
92	task_092	ETW Trace	N
93	task_093	ETW Trace	N
94	task_094	ETW Trace	N
95	task_095	ETW Trace	N
96	task_096	ETW Trace	N
97	task_097	ETW Trace	N
98	task_098	ETW Trace	N
99	task_099	ETW Trace	N
100	task_0100	ETW Trace	N
101	task_0101	ETW Trace	N
102	task_0102	ETW Trace	N
103	task_0103	ETW Trace	N
104	task_0104	ETW Trace	N
105	task_0105	ETW Trace	N
106	task_0106	ETW Trace	N
107	task_0107	ETW Trace	N
108	task_0108	ETW Trace	N
109	task_0109	ETW Trace	N
110	task_0110	ETW Trace	N
111	task_0111	ETW Trace	N
112	task_0112	ETW Trace	N
113	task_0113	ETW Trace	N
114	task_0114	ETW Trace	N
115	task_0115	ETW Trace	N
116	task_0116	ETW Trace	N
117	task_0117	ETW Trace	N
118	task_0118	ETW Trace	N
119	task_0119	ETW Trace	N
120	task_0120	ETW Trace	N
121	task_0121	ETW Trace	N
122	task_0122	ETW Trace	N
123	task_0123	ETW Trace	N
124	task_0124	ETW Trace	N
125	task_0125	ETW Trace	N
126	task_0126	ETW Trace	N
127	task_0127	ETW Trace	N
128	task_0128	ETW Trace	N
129	task_0129	ETW Trace	N
130	task_0130	ETW Trace	N
131	task_0131	ETW Trace	N
132	task_0132	ETW Trace	N
133	task_0133	ETW Trace	N
134	task_0134	ETW Trace	N
135	task_0135	ETW Trace	N
136	task_0136	ETW Trace	N
137	task_0137	ETW Trace	N
138	task_0138	ETW Trace	N
139	task_0139	ETW Trace	N
140	task_0140	ETW Trace	N
141	task_0141	ETW Trace	N
142	task_0142	ETW Trace	N
143	task_0143	ETW Trace	N
144	task_0144	ETW Trace	N
145	task_0145	ETW Trace	N
146	task_0146	ETW Trace	N
147	task_0147	ETW Trace	N
148	task_0148	ETW Trace	N
149	task_0149	ETW Trace	N
150	task_0150	ETW Trace	N
151	task_0151	ETW Trace	N
152	task_0152	ETW Trace	N
153	task_0153	ETW Trace	N
154	task_0154	ETW Trace	N
155	task_0155	ETW Trace	N
156	task_0156	ETW Trace	N
157	task_0157	ETW Trace	N
158	task_0158	ETW Trace	N
159	task_0159	ETW Trace	N
160	task_0160	ETW Trace	N
161	task_0161	ETW Trace	N
162	task_0162	ETW Trace	N
163	task_0163	ETW Trace	N
164	task_0164	ETW Trace	N
165	task_0165	ETW Trace	N
166	task_0166	ETW Trace	N
167	task_0167	ETW Trace	N
168	task_0168	ETW Trace	N
169	task_0169	ETW Trace	N
170	task_0170	ETW Trace	N
171	task_0171	ETW Trace	N
172	task_0172	ETW Trace	N
173	task_0173	ETW Trace	N
174	task_0174	ETW Trace	N
175	task_0175	ETW Trace	N
176	task_0176	ETW Trace	N
177	task_0177	ETW Trace	N
178	task_0178	ETW Trace	N
179	task_0179	ETW Trace	N
180	task_0180	ETW Trace	N
181	task_0181	ETW Trace	N
182	task_0182	ETW Trace	N
183	task_0183	ETW Trace	N
184	task_0184	ETW Trace	N
185	task_0185	ETW Trace	N
186	task_0186	ETW Trace	N
187	task_0187	ETW Trace	N
188	task_0188	ETW Trace	N
189	task_0189	ETW Trace	N
190	task_0190	ETW Trace	N
191	task_0191	ETW Trace	N
192	task_0192	ETW Trace	N
193	task_0193	ETW Trace	N
194	task_0194	ETW Trace	N
195	task_0195	ETW Trace	N
196	task_0196	ETW Trace	N
197	task_0197	ETW Trace	N
198	task_0198	ETW Trace	N
199	task_0199	ETW Trace	N
200	task_0200	ETW Trace	N
201	task_0201	ETW Trace	N
202	task_0202	ETW Trace	N
203	task_0203	ETW Trace	N
204	task_0204	ETW Trace	N
205	task_0205	ETW Trace	N
206	task_0206	ETW Trace	N
207	task_0207	ETW Trace	N
208	task_0208	ETW Trace	N
209	task_0209	ETW Trace	N
210	task_0210	ETW Trace	N
211	task_0211	ETW Trace	N
212	task_0212	ETW Trace	N
213	task_0213	ETW Trace	N
214	task_0214	ETW Trace	N
215	task_0215	ETW Trace	N
216	task_0216	ETW Trace	N
217	task_0217	ETW Trace	N
218	task_0218	ETW Trace	N
219	task_0219	ETW Trace	N
220	task_0220	ETW Trace	N
221	task_0221	ETW Trace	N
222	task_0222	ETW Trace	N
223	task_0223	ETW Trace	N
224	task_0224	ETW Trace	N
225	task_0225	ETW Trace	N
226	task_0226	ETW Trace	N
227	task_0227	ETW Trace	N
228	task_0228	ETW Trace	N
229	task_0229	ETW Trace	N
230	task_0230	ETW Trace	N
231	task_0231	ETW Trace	N
232	task_0232	ETW Trace	N
233	task_0233	ETW Trace	N
234	task_0234	ETW Trace	N
235	task_0235	ETW Trace	N
236	task_0236	ETW Trace	N
237	task_0237	ETW Trace	N
238	task_0238	ETW Trace	N
239	task_0239	ETW Trace	N
240	task_0240	ETW Trace	N
241	task_0241	ETW Trace	N
242	task_0242	ETW Trace	N
243	task_0243	ETW Trace	N
244	task_0244	ETW Trace	N
245	task_0245	ETW Trace	N
246	task_0246	ETW Trace	N
247	task_0247	ETW Trace	N
248	task_0248	ETW Trace	N
249	task_0249	ETW Trace	N
250	task_0250	ETW Trace	N
251	task_0251	ETW Trace	N
252	task_0252	ETW Trace	N
253	task_0253	ETW Trace	N
254	task_0254	ETW Trace	N
255	task_0255	ETW Trace	N
256	task_0256	ETW Trace	N
257	task_0257	ETW Trace	N
258	task_0258	ETW Trace	N
259	task_0259	ETW Trace	N
260	task_0260	ETW Trace	N
261	task_0261	ETW Trace	N
262	task_0262	ETW Trace	N
263	task_0263	ETW Trace	N
264	task_0264	ETW Trace	N
265	task_0265	ETW Trace	N
266	task_0266	ETW Trace	N
267	task_0267	ETW Trace	N
268	task_0268	ETW Trace	N
269	task_0269	ETW Trace	N
270	task_0270	ETW Trace	N
271	task_0271	ETW Trace	N
272	task_0272	ETW Trace	N
273	task_0273	ETW Trace	N
274	task_0274	ETW Trace	N
275	task_0275	ETW Trace	N
276	task_0276	ETW Trace	N
277	task_0277	ETW Trace	N
278	task_0278	ETW Trace	N
279	task_0279	ETW Trace	N
280	task_0280	ETW Trace	N
281	task_0281	ETW Trace	N
282	task_0282	ETW Trace	N
283	task_0283	ETW Trace	N
284	task_0284	ETW Trace	N
285	task_0285	ETW Trace	N
286	task_0286	ETW Trace	N
287	task_0287	ETW Trace	N
288	task_0288	ETW Trace	N
289	task_0289	ETW Trace	N
290	task_0290	ETW Trace	N
291	task_0291	ETW Trace	N
292	task_0292	ETW Trace	N
293	task_0293	ETW Trace	N
294	task_0294	ETW Trace	N
295	task_0295	ETW Trace	N
296	task_0296	ETW Trace	N
297	task_0297	ETW Trace	N
298	task_0298	ETW Trace	N
299	task_0299	ETW Trace	N
300	task_0300	ETW Trace	N
301	task_0301	ETW Trace	N
302	task_0302	ETW Trace	N
303	task_0303	ETW Trace	N
304	task_0304	ETW Trace	N
305	task_0305	ETW Trace	N
306	task_0306	ETW Trace	N
307	task_0307	ETW Trace	N
308	task_0308	ETW Trace	N
309	task_0309	ETW Trace	N
310	task_0310	ETW Trace	N
311	task_0311	ETW Trace	N
312	task_0312	ETW Trace	N
313	task_0313	ETW Trace	N
314	task_0314	ETW Trace	N
315	task_0315	ETW Trace	N
316	task_0316	ETW Trace	N
317	task_0317	ETW Trace	N
318	task_0318	ETW Trace	N
319	task_0319	ETW Trace	N
320	task_0320	ETW Trace	N
321	task_0321	ETW Trace	N
322	task_0322	ETW Trace	N
323	task_0323	ETW Trace	N
324	task_0324	ETW Trace	N
325	task_0325	ETW Trace	N
326	task_0326	ETW Trace	N
327	task_0327	ETW Trace	N
328	task_0328	ETW Trace	N
329	task_0329	ETW Trace	N
330	task_0330	ETW Trace	N
331	task_0331	ETW Trace	N
332	task_0332	ETW Trace	N
333	task_0333	ETW Trace	N
334	task_0334	ETW Trace	N
335	task_0335	ETW Trace	N
336	task_0336	ETW Trace	N
337	task_0337	ETW Trace	N
338	task_0338	ETW Trace	N
339	task_0339	ETW Trace	N
340	task_0340	ETW Trace	N
341	task_0341	ETW Trace	N
342	task_0342	ETW Trace	N
343	task_0343	ETW Trace	N
344	task_0344	ETW Trace	N
345	task_0345	ETW Trace	N
346	task_0346	ETW Trace	N
347	task_0347	ETW Trace	N
348	task_0348	ETW Trace	N
349	task_0349	ETW Trace	N
350	task_0350	ETW Trace	N
351	task_0351	ETW Trace	N
352	task_0352	ETW Trace	N
353	task_0353	ETW Trace	N
354	task_0354	ETW Trace	N
355	task_0355	ETW Trace	N
356	task_0356	ETW Trace	N
357	task_0357	ETW Trace	N
358	task_0358	ETW Trace	N
359	task_0359	ETW Trace	N
360	task_0360	ETW Trace	N
361	task_0361	ETW Trace	N
362	task_0362	ETW Trace	N
363	task_0363	ETW Trace	N
364	task_0364	ETW Trace	N
365	task_0365	ETW Trace	N
366	task_0366	ETW Trace	N
367	task_0367	ETW Trace	N
368	task_0368	ETW Trace	N
369	task_0369	ETW Trace	N
370	task_0370	ETW Trace	N
371	task_0371	ETW Trace	N
372	task_0372	ETW Trace	N
373	task_0373	ETW Trace	N
374	task_0374	ETW Trace	N
375	task_0375	ETW Trace	N
376	task_0376	ETW Trace	N
377	task_0377	ETW Trace	N
378	task_0378	ETW Trace	N
379	task_0379	ETW Trace	N
380	task_0380	ETW Trace	N
381	task_0381	ETW Trace	N
382	task_0382	ETW Trace	N
383	task_0383	ETW Trace	N
384	task_0384	ETW Trace	N
385	task_0385	ETW Trace	N
386	task_0386	ETW Trace	N
387	task_0387	ETW Trace	N
388	task_0388	ETW Trace	N
389	task_0389	ETW Trace	N
390	task_0390	ETW Trace	N
391	task_0391	ETW Trace	N
392	task_0392	ETW Trace	N
393	task_0393	ETW Trace	N
394	task_0394	ETW Trace	N
395	task_0395	ETW Trace	N
396	task_0396	ETW Trace	N
397	task_0397	ETW Trace	N
398	task_0398	ETW Trace	N
399	task_0399	ETW Trace	N
400	task_0400	ETW Trace	N
401	task_0401	ETW Trace	N
402	task_0402	ETW Trace	N
403	task_0403	ETW Trace	N
404	task_0404	ETW Trace	N
405	task_0405	ETW Trace	N
406	task_0406	ETW Trace	N
407	task_0407	ETW Trace	N
408	task_0408	ETW Trace	N
409	task_0409	ETW Trace	N
410	task_0410	ETW Trace	N
411	task_0411	ETW Trace	N
412	task_0412	ETW Trace	N
413	task_0413	ETW Trace	N
414	task_0414	ETW Trace	N
415	task_0415	ETW Trace	N
416	task_0416	ETW Trace	N
417	task_0417	ETW Trace	N
418	task_0418	ETW Trace	N
419	task_0419	ETW Trace	N
420	task_0420	ETW Trace	N
421	task_0421	ETW Trace	N
422	task_0422	ETW Trace	N
423	task_0423	ETW Trace	N
424	task_0424	ETW Trace	N
425	task_0425	ETW Trace	N
426	task_0426	ETW Trace	N
427	task_0427	ETW Trace	N
428	task_0428	ETW Trace	N
429	task_0429	ETW Trace	N
430	task_0430	ETW Trace	N
431	task_0431	ETW Trace	N
432	task_0432	ETW Trace	N
433	task_0433	ETW Trace	N
434	task_0434	ETW Trace	N
435	task_0435	ETW Trace	N
436	task_0436	ETW Trace	N
437	task_0437	ETW Trace	N
438	task_0438	ETW Trace	N
439	task_0439	ETW Trace	N
440	task_0440	ETW Trace	N
441	task_0441	ETW Trace	N
442	task_0442	ETW Trace	N
443	task_0443	ETW Trace	N
444	task_0444	ETW Trace	N
445	task_0445	ETW Trace	N
446	task_0446	ETW Trace	N
447	task_0447	ETW Trace	N
448	task_0448	ETW Trace	N
449	task_0449	ETW Trace	N
450	task_0450	ETW Trace	N
451	task_0451	ETW Trace	N
452	task_0452	ETW Trace	N
453	task_0453	ETW Trace	N
454	task_0454	ETW Trace	N
455	task_0455	ETW Trace	N
456	task_0456	ETW Trace	N
457	task_0457	ETW Trace	N
458	task_0458	ETW Trace	N
459	task_0459	ETW Trace	N
460	task_0460	ETW Trace	N
461	task_0461	ETW Trace	N
462	task_0462	ETW Trace	N
463	task_0463	ETW Trace	N
464	task_0464	ETW Trace	N
465	task_0465	ETW Trace	N
466	task_0466	ETW Trace	N
467	task_0467	ETW Trace	N
468	task_0468	ETW Trace	N
469	task_0469	ETW Trace	N
470	task_0470	ETW Trace	N
471	task_0471	ETW Trace	N
472	task_0472	ETW Trace	N
473	task_0473	ETW Trace	N
474	task_0474	ETW Trace	N
475	task_0475	ETW Trace	N
476	task_0476	ETW Trace	N
477	task_0477	ETW Trace	N
478	task_0478	ETW Trace	N
479	task_0479	ETW Trace	N
480	task_0480	ETW Trace	N
481	task_0481	ETW Trace	N
482	task_0482	ETW Trace	N
483	task_0483	ETW Trace	N
484	task_0484	ETW Trace	N
485	task_0485	ETW Trace	N
486	task_0486	ETW Trace	N
487	task_0487	ETW Trace	N
488	task_0488	ETW Trace	N
489	task_0489	ETW Trace	N
490	task_0490	ETW Trace	N
491	task_0491	ETW Trace	N
492	task_0492	ETW Trace	N
493	task_0493	ETW Trace	N
494	task_0494	ETW Trace	N
495	task_0495	ETW Trace	N
496	task_0496	ETW Trace	N
497	task_0497	ETW Trace	N
498	task_0498	ETW Trace	N
499	task_0499	ETW Trace	N
500	task_0500	ETW Trace	N
501	task_0501	ETW Trace	N
502	task_0502	ETW Trace	N
503	task_0503	ETW Trace	N
504	task_0504	ETW Trace	N
505	task_0505	ETW Trace	N
506	task_0506	ETW Trace	N
507	task_0507	ETW Trace	N
508	task_0508	ETW Trace	N
509	task_0509	ETW Trace	N
510	task_0510	ETW Trace	N
511	task_0511	ETW Trace	N
512	task_0512	ETW Trace	N
513	task_0513	ETW Trace	N
514	task_0514	ETW Trace	N
515	task_0515	ETW Trace	N
516	task_0516	ETW Trace	N
517	task_0517	ETW Trace	N
518	task_0518	ETW Trace	N
519	task_0519	ETW Trace	N
520	task_0520	ETW Trace	N
521	task_0521	ETW Trace	N
522	task_0522	ETW Trace	N
523	task_0523	ETW Trace	N
524	task_0524	ETW Trace	N
525	task_0525	ETW Trace	N
526	task_0526	ETW Trace	N
527	task_0527	ETW Trace	N
528	task_0528	ETW Trace	N
529	task_0529	ETW Trace	N
530	task_0530	ETW Trace	N
531	task_0531	ETW Trace	N
532	task_0532	ETW Trace	N
533	task_0533	ETW Trace	N
534	task_0534	ETW Trace	N
535	task_0535	ETW Trace	N
536	task_0536	ETW Trace	N
537	task_0537	ETW Trace	N
538	task_0538	ETW Trace	N
539	task_0539	ETW Trace	N
540	task_0540	ETW Trace	N
541	task_0541	ETW Trace	N
542	task_0542	ETW Trace	N
543	task_0543	ETW Trace	N
544	task_0544	ETW Trace	N
545	task_0545	ETW Trace	N
546	task_0546	ETW Trace	N
547	task_0547	ETW Trace	N
548	task_0548	ETW Trace	N
549	task_0549	ETW Trace	N
550	task_0550	ETW Trace	N
551	task_0551	ETW Trace	N
552	task_0552	ETW Trace	N
553	task_0553	ETW Trace	N
554	task_0554	ETW Trace	N
555	task_0555	ETW Trace	N
556	task_0556	ETW Trace	N
557	task_0557	ETW Trace	N
558	task_0558	ETW Trace	N
559	task_0559	ETW Trace	N
560	task_0560	ETW Trace	N
561	task_0561	ETW Trace	N
562	task_0562	ETW Trace	N
563	task_0563	ETW Trace	N
564	task_0564	ETW Trace	N
565	task_0565	ETW Trace	N
566	task_0566	ETW Trace	N
567	task_0567	ETW Trace	N
568	task_0568	ETW Trace	N
569	task_0569	ETW Trace	N
570	task_0570	ETW Trace	N
571	task_0571	ETW Trace	N
572	task_0572	ETW Trace	N
573	task_0573	ETW Trace	N
574	task_0574	ETW Trace	N
575	task_0575	ETW Trace	N
576	task_0576	ETW Trace	N
577	task_0577	ETW Trace	N
578	task_0578	ETW Trace	N
579	task_0579	ETW Trace	N
580	task_0580	ETW Trace	N
581	task_0581	ETW Trace	N
582	task_0582	ETW Trace	N
583	task_0583	ETW Trace	N
584	task_0584	ETW Trace	N
585	task_0585	ETW Trace	N
586	task_0586	ETW Trace	N
587	task_0587	ETW Trace	N
588	task_0588	ETW Trace	N
589	task_0589	ETW Trace	N
590	task_0590	ETW Trace	N
591	task_0591	ETW Trace	N
592	task_0592	ETW Trace	N
593	task_0593	ETW Trace	N
594	task_0594	ETW Trace	N
595	task_0595	ETW Trace	N
596	task_0596	ETW Trace	N
597	task_0597	ETW Trace	N
598	task_0598	ETW Trace	N
599	task_0599	ETW Trace	N
600	task_0600	ETW Trace	N
601	task_0601	ETW Trace	N
602	task_0602	ETW Trace	N
603	task_0603	ETW Trace	N
604	task_0604	ETW Trace	N
605	task_0605	ETW Trace	N
606	task_0606	ETW Trace	N
607	task_0607	ETW Trace	N
608	task_0608	ETW Trace	N
609	task_0609	ETW Trace	N
610	task_0610	ETW Trace	N
611	task_0611	ETW Trace	N
612	task_0612	ETW Trace	N
613	task_0613	ETW Trace	N
614	task_0614	ETW Trace	N
615	task_0615	ETW Trace	N
616	task_0616	ETW Trace	N
617	task_0617	ETW Trace	N
618	task_0618	ETW Trace	N
619	task_0619	ETW Trace	N
620	task_0620	ETW Trace	N
621	task_0621	ETW Trace	N
622	task_0622	ETW Trace	N
623	task_0623	ETW Trace	N
624	task_0624	ETW Trace	N
625	task_0625	ETW Trace	N
626	task_0626	ETW Trace	N
627	task_0627	ETW Trace	N
628	task_0628	ETW Trace	N
629	task_0629	ETW Trace	N
630	task_0630	ETW Trace	N
631	task_0631	ETW Trace	N
632	task_0632	ETW Trace	N
633	task_0633	ETW Trace	N
634	task_0634	ETW Trace	N
635	task_0635	ETW Trace	N
636	task_0636	ETW Trace	N
637	task_0637	ETW Trace	N
638	task_0638	ETW Trace	N
639	task_0639	ETW Trace	N
640	task_0640	ETW Trace	N
641	task_0641	ETW Trace	N
642	task_0642	ETW Trace	N
643	task_0643	ETW Trace	N
644	task_0644	ETW Trace	N
645	task_0645	ETW Trace	N
646	task_0646	ETW Trace	N
647	task_0647	ETW Trace	N
648	task_0648	ETW Trace	N
649	task_0649	ETW Trace	N
650	task_0650	ETW Trace	N
651	task_0651	ETW Trace	N
652	task_0652	ETW Trace	N
653	task_0653	ETW Trace	N
654	task_0654	ETW Trace	N
655	task_0655	ETW Trace	N
656	task_0656	ETW Trace	N
657	task_0657	ETW Trace	N
658	task_0658	ETW Trace	N
659	task_0659	ETW Trace	N
660	task_0660	ETW Trace	N
661	task_0661	ETW Trace	N
662	task_0662	ETW Trace	N
663	task_0663	ETW Trace	N
664	task_0664	ETW Trace	N
665	task_0665	ETW Trace	N
666	task_0666	ETW Trace	N
667	task_0667	ETW Trace	N
668	task_0668	ETW Trace	N
669	task_0669	ETW Trace	N
670	task_0670	ETW Trace	N
671	task_0671	ETW Trace	N
672	task_0672	ETW Trace	N
673	task_0673	ETW Trace	N
674	task_0674	ETW Trace	N
675	task_0675	ETW Trace	N
676	task_0676	ETW Trace	N
677	task_0677	ETW Trace	N
678	task_0678	ETW Trace	N
679	task_0679	ETW Trace	N
680	task_0680	ETW Trace	N
681	task_0681	ETW Trace	N
682	task_0682	ETW Trace	N
683	task_0683	ETW Trace	N
684	task_0684	ETW Trace	N
685	task_0685	ETW Trace	N
686	task_0686	ETW Trace	N
687	task_0687	ETW Trace	N
688	task_0688	ETW Trace	N
689	task_0689	ETW Trace	N
690	task_0690	ETW Trace	N
691	task_0691	ETW Trace	N
692	task_0692	ETW Trace	N
693	task_0693	ETW Trace	N
694	task_0694	ETW Trace	N
695	task_0695	ETW Trace	N
696	task_0696	ETW Trace	N
697	task_0697	ETW Trace	N
698	task_0698	ETW Trace	N
699	task_0699	ETW Trace	N
700	task_0700	ETW Trace	N
701	task_0701	ETW Trace	N
702	task_0702	ETW Trace	N
703	task_0703	ETW Trace	N
704	task_0704	ETW Trace	N
705	task_0705	ETW Trace	N
706	task_0706	ETW Trace	N
707	task_0707	ETW Trace	N
708	task_0708	ETW Trace	N
709	task_0709	ETW Trace	N
710	task_0710	ETW Trace	N
711	task_0711	ETW Trace	N
712	task_0712	ETW Trace	N
713	task_0713	ETW Trace	N
714	task_0714	ETW Trace	N
715	task_0715	ETW Trace	N
716	task_0716	ETW Trace	N
717	task_0717	ETW Trace	N

Event ID 10: task_0

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLookupRealAllocation: Vcn %1!I64x!, LowestVcn %2!I64x!, HighestVcn %3!I64x!, AllocationClusters %4!I64x!

Fields #

Name	Description
`A10_Vcn` HexInt64
`A11_Attribute->Form.Nonresident.LowestVcn` HexInt64
`A12_Attribute->Form.Nonresident.HighestVcn` HexInt64
`A13_AllocationClusters` HexInt64

Event ID 11: task_011

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateAttribute MaxAlloc for Mft&apos;s AttrList IC:%1!p!, Scb:%2!p!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Scb` Pointer

Event ID 12: task_012

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FileObject: %1!p!, Scb: %2!p!, StaringVcn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!, CcbForWriteExtend: %6!p!

Fields #

Name	Description
`A10_FileObject` Pointer
`A11_Scb` Pointer
`A12_StartingVcn` HexInt64
`A13_ClusterCount` HexInt64
`A14_Flags` HexInt32
`A15_CcbForWriteExtend` Pointer

Event ID 13: task_013

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAllocation IC:%1!p!, FileObject:%2!p!, Scb:%3!p!, StaringVcn:%4!I64x!, ClusterCount:%5!I64x!, Flags:%6!08x!, CcbForWriteExtend:%7!p!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileObject` Pointer
`A12_Scb` Pointer
`A13_StartingVcn` HexInt64
`A14_ClusterCount` HexInt64
`A15_Flags` HexInt32
`A16_CcbForWriteExtend` Pointer

Event ID 14: task_014

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_PurgeOffset` HexInt64

Event ID 15: task_015

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!, PurgeChunkLength: 0x%3!x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_PurgeOffset` HexInt64
`A12_PurgeChunkLength` HexInt32

Event ID 16: task_016

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetLastVcnForNewMappingPairSize IC:%1!p!, Using LastVcn:%2!4I64x!, InstanceId:%3!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_*LastVcn` HexInt64
`A12_Attribute->Instance` HexInt32

Event ID 17: task_017

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Can&apos;t find StdInfo in FileRef %1!I64x!

Fields #

Name	Description
`A10_NtfsFullFileRefNumber( _Fcb->FileReference )` HexInt64

Event ID 18: task_018

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Can&apos;t find StdInfo in FileRef %1!I64x!

Fields #

Name	Description
`A10_NtfsFullFileRefNumber( _Fcb->FileReference )` HexInt64

Event ID 19: task_019

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateNonresidentWithValue Create Mft&apos;s NonResident Attribute List IC:%1!p!ValueLength:%2!x!, AttrFlags=%3!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ValueLength` HexInt32
`A12_AttributeFlags` HexInt32

Event ID 20: task_020

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LastVcn %5!I64x!, NewHighestVcn %6!I64x!, PassCount %7!x! - step 6

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_LastVcn` HexInt64
`A15_NewHighestVcn` HexInt64
`A16_PassCount` HexInt32

Event ID 21: task_021

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - try to merge backward

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn` HexInt64
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn` HexInt64
`A16_Context->AttributeList.Entry->LowestVcn` HexInt64

Event ID 22: task_022

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after merge backward

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn` HexInt64
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn` HexInt64
`A16_Context->AttributeList.Entry->LowestVcn` HexInt64

Event ID 23: task_023

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x!, PassCount %8!x! - before last merge after step 6

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn` HexInt64
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn` HexInt64
`A16_Context->AttributeList.Entry->LowestVcn` HexInt64
`A17_PassCount` HexInt32

Event ID 24: task_024

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after last merge after step 6

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn` HexInt64
`A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn` HexInt64
`A16_Context->AttributeList.Entry->LowestVcn` HexInt64

Event ID 25: task_025

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, MergeSkipCt %5!x! - done

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NtfsFrsConsolidationStatistics.MergeSkipCount` HexInt32

Event ID 26: task_026

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartRemoveAttribute FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

Name	Description
`A10_FileRecord->SegmentNumberHighPart` HexInt32
`A11_FileRecord->SegmentNumberLowPart` HexInt32
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A13_Attribute->TypeCode` HexInt32

Event ID 27: task_027

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartChangeValue FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

Name	Description
`A10_FileRecord->SegmentNumberHighPart` HexInt32
`A11_FileRecord->SegmentNumberLowPart` HexInt32
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A13_Attribute->TypeCode` HexInt32

Event ID 28: task_028

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

AddToAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

Name	Description
`A10_Fcb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_*(PULONGLONG)_Fcb->FileReference` HexInt64
`A13_StdInfoAttrListEntry->Signature` HexInt32
`A14_StdInfoAttrListEntry->LastCompactedSize` HexInt32
`A15_CurrentAttributeListSize` HexInt32

Event ID 29: task_029

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DeleteFromAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

Name	Description
`A10_Fcb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_*(PULONGLONG)_Fcb->FileReference` HexInt64
`A13_StdInfoAttrListEntry->Signature` HexInt32
`A14_StdInfoAttrListEntry->LastCompactedSize` HexInt32
`A15_NewStdInfoAttrListEntry.LastCompactedSize` HexInt32

Event ID 30: task_030

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MakeRoomForAttribute Moving Mft&apos;s attribute IC:%1!p!, Moving Attrib %2!x!/%3!x!, Type=%4!x!, RecLengh=%5!x!, Instance:%6!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_i` HexInt32
`A12_MAX_MOVEABLE_ATTRIBUTES` HexInt32
`A13_Attribute->TypeCode` HexInt32
`A14_Attribute->RecordLength` HexInt32
`A15_Attribute->Instance` HexInt32

Event ID 31: task_031

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MoveAttributeToOwnRecord Moving Mft&apos;s $BITMAP IC:%1!p!, SizeNeeded:%2!x!, TypeCode:%3!x!, RecLen:%4!x!, Form:%5!x!, Instance:%6!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_SizeNeeded` HexInt32
`A12_Attribute->TypeCode` HexInt32
`A13_Attribute->RecordLength` HexInt32
`A14_Attribute->FormCode` HexInt32
`A15_Attribute->Instance` HexInt32

Event ID 32: task_032

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MoveAttributeToOwnRecord IC:%1!p!, SizeNeeded:%2!x!, Bytes2Free:%3!x!, OldMappingSize:%4!x!, NewMappingSize:%5!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_SizeNeeded` HexInt32
`A12_BytesToFree` HexInt32
`A13_MappingPairSize` HexInt32
`A14_NewMappingPairSize` HexInt32

Event ID 33: task_033

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartZeroEndOfFileRecord FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Start:0x%4!x!, Len:0x%5!x!

Fields #

Name	Description
`A10_FileRecord->SegmentNumberHighPart` HexInt32
`A11_FileRecord->SegmentNumberLowPart` HexInt32
`A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A13_StartZero` HexInt32
`A14_ZeroLength` HexInt32

Event ID 34: task_034

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, LowVcn %7!I64x!, HalfWayVcn %8!I64x!, FinalVcn %9!I64x!, PackedMode %10!x!, TryPrior %11!x! - about to merge

Event ID 35: task_035

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - all fit in one so get rid of the second one

Event ID 36: task_036

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Event ID 37: task_037

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x! - initial RangePtr query

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewFinalVcn` HexInt64

Event ID 38: task_038

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - secondary RangePtr query

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewHalfWayVcn` HexInt64
`A15_RangePtr` Pointer

Event ID 39: task_039

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - calling lookup runs range

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewHalfWayVcn` HexInt64
`A15_RangePtr` Pointer

Event ID 40: task_040

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - current McbArray

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NtfsMcbArray` Pointer
`A15_NtfsMcbArray->StartingVcn` HexInt64
`A16_NtfsMcbArray->EndingVcn` HexInt64

Event ID 41: task_041

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - previous McbArray

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NtfsMcbArray` Pointer
`A15_NtfsMcbArray->StartingVcn` HexInt64
`A16_NtfsMcbArray->EndingVcn` HexInt64

Event ID 42: task_042

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - prev prev McbArray

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NtfsMcbArray` Pointer
`A15_NtfsMcbArray->StartingVcn` HexInt64
`A16_NtfsMcbArray->EndingVcn` HexInt64

Event ID 43: task_043

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - next McbArray

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NtfsMcbArray` Pointer
`A15_NtfsMcbArray->StartingVcn` HexInt64
`A16_NtfsMcbArray->EndingVcn` HexInt64

Event ID 44: task_044

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewFinalVcnInMcb %5!I64x! > NewFinalVcn %6!I64x! - NewFinalVcn is smaller

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewFinalVcnInMcb` HexInt64
`A15_NewFinalVcn` HexInt64

Event ID 45: task_045

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewStartVcn %5!I64x!, LastVcn %6!I64x!, NewFinalVcn %7!I64x!, NewFinalVcnInMcb %8!I64x!, #Ranges %9!x!, DeletedNextAttribute %10!x!, Mcb1(%11!x!,%12!x!), Mcb2(%13!x!,%14!x!), McbArraySizeInUseChange %15!d! - final vcn in mcb

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewStartVcn` HexInt64
`A15_LastVcn` HexInt64
`A16_NewFinalVcn` HexInt64
`A17_NewFinalVcnInMcb` HexInt64
`A18_NumberOfRanges` HexInt32
`A19_DeletedNextAttribute` HexInt32
`A20_Mcb1StartWithNewStartVcn` HexInt32
`A21_Mcb1HoldNewStartVcn` HexInt32
`A22_Mcb2StartWithNewStartVcn` HexInt32
`A23_Mcb2HoldNewStartVcn` HexInt32
`A24_McbArraySizeInUseChange` Int32

Event ID 46: task_046

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range1

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_NewStartVcn` HexInt64
`A15_DeletedNextAttribute ? NewFinalVcnInMcb : (LastVcn-1)` HexInt64

Event ID 47: task_047

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range2

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A14_LastVcn` HexInt64
`A15_NewFinalVcnInMcb` HexInt64

Event ID 48: task_048

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, FileRef %7!I64x!, OldLowVcn %8!I64x!, NewLowVcn %9!I64x!, Instance %10!x! - updating LowestVcn in attribute list entry

Event ID 49: task_049

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, OldLowVcn %7!I64x!, NewLowVcn %8!I64x!, OldHighVcn %9!I64x!, NewHighVcn %10!I64x!, ChildRef %11!x!0000%12!08x! - done

Event ID 50: task_050

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: %1!p!.

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer

Event ID 51: task_051

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume Id: %5!S!, Vcb State: 0x%6!08x!.

Event ID 52: task_052

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, FirstRequest %5!x! - opened fcb

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64
`A14_AllFlags.FirstRequest` HexInt32

Event ID 53: task_053

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - already in progress so get out

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64

Event ID 54: task_054

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - set in progress flag

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64

Event ID 55: task_055

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RstrTypeCode %5!x!, RstrAttrName %6!S!, RstrVcn %7!I64x!, RstrAttrListEntryOffset %8!x!, AttrListEntryOffset %9!x!, AttrListLength %10!I64x!, AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Event ID 56: task_056

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 1

Event ID 57: task_057

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 2

Event ID 58: task_058

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, Scb %5!p! - completed this Scb

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64
`A14_Scb` Pointer

Event ID 59: task_059

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - going into finally

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64

Event ID 60: task_060

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): FileRef %3!I64x!, Status %4!x! - Abnormal Termination

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_*(PULONGLONG)_FrsConsolidationContext->FileReference` HexInt64
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 61: task_061

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - decremented close counts

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64

Event ID 62: task_062

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - clearing in progress flag

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_*(PULONGLONG)_Fcb->FileReference` HexInt64

Event ID 63: task_063

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, ExceptionStatus %5!x!- released

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_FileRef` HexInt64
`A14_ExceptionStatus` HexInt32

Event ID 64: task_064

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RemovedFcb %5!x!, AllFlags.FcbAcquired %6!x!, TransId %7!x! - no release

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Fcb` Pointer
`A13_FileRef` HexInt64
`A14_RemovedFcb` HexInt32
`A15_AllFlags.FcbAcquired` HexInt32
`A16_IrpContext->TransactionId` HexInt32

Event ID 65: task_065

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): DeltaTime %3!I64d! (ms), TotalTime %4!I64d! (ms)

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_(EndTime.QuadPart*1000)/NtfsPerformanceFrequency.QuadPart` Int64
`A13_(FrsConsolidationContext->TotalTime*1000)/NtfsPerformanceFrequency.QuadPart` Int64

Event ID 66: task_066

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

UpdateLCS: Vcb %1!p!, IC %2!p!, FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

Name	Description
`A10_Fcb->Vcb` Pointer
`A11_IrpContext` Pointer
`A12_*(PULONGLONG)_Fcb->FileReference` HexInt64
`A13_StdInfoAttrListEntry->Signature` HexInt32
`A14_StdInfoAttrListEntry->LastCompactedSize` HexInt32
`A15_AttributeListSize` HexInt32

Event ID 67: task_067

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_Scb` Pointer
`A13__Scb->Mcb` Pointer
`A14_OriginalStartingVcn` HexInt64
`A15_ClusterCount` HexInt64
`A16_AllocateAll` UInt32
`A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1` HexInt64
`A18_PreAllocated` UInt32
`A19_UseDelayedAllocation` UInt32

Event ID 68: task_068

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_Scb` Pointer
`A13__Scb->Mcb` Pointer
`A14_OriginalStartingVcn` HexInt64
`A15_ClusterCount` HexInt64
`A16_AllocateAll` UInt32
`A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1` HexInt64
`A18_PreAllocated` UInt32
`A19_UseDelayedAllocation` UInt32

Event ID 69: task_069

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!

Fields #

Name	Description
`A10_FoundClusterCount` HexInt64
`A11_Scb` Pointer
`A12_Scb->TotalAllocated` HexInt64

Event ID 70: task_070

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!ScbState: %4!08x!, IrpContextState2: %5!08x!, AllocateWithNoHole: %6!d!

Fields #

Name	Description
`A10_FoundClusterCount` HexInt64
`A11_Scb` Pointer
`A12_Scb->TotalAllocated` HexInt64
`A13_Scb->State` HexInt32
`A14_IrpContext->State2` HexInt32
`A15_AllocateWithNoHole` Int32

Event ID 71: task_071

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ClustersAllocated` UInt32

Event ID 72: task_072

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ClustersAllocated` UInt32

Event ID 73: task_073

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_Scb` Pointer
`A13__Scb->Mcb` Pointer
`A14_StartingVcn` HexInt64
`A15_EndingVcn` HexInt64

Event ID 74: task_074

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! from clusters %3!I64x! to %4!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A12_StartingVcn` HexInt64
`A13_EndingVcn` HexInt64

Event ID 75: task_075

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_Scb` Pointer
`A13__Scb->Mcb` Pointer
`A14_StartingVcn` HexInt64
`A15_EndingVcn` HexInt64

Event ID 76: task_076

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! starting at %3!I64x! for %4!I64x! clusters

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*(PULONGLONG)_Scb->Fcb->FileReference` HexInt64
`A12_AdjLcn` HexInt64
`A13_AdjClusterCount` HexInt64

Event ID 77: task_077

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Vcb %1!p! - raising logfile full

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 78: task_078

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Vcb %1!p! - adding clusters to DeallocatedClusters: %2!p! ==> Lsn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!; Vcb&apos;s DeallocatedClustersCount old: %6!I64x! new: %7!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DeallocatedClusters` Pointer
`A12_DeallocatedClusters->Lsn.QuadPart` HexInt64
`A13_DeallocatedClusters->ClusterCount` HexInt64
`A14_DeallocatedClusters->Flags` HexInt32
`A15_Vcb->DeallocatedClusters` HexInt64
`A16_Vcb->DeallocatedClusters + AdjClusterCount` HexInt64

Event ID 79: task_079

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Decremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!Addr(TotalAllocated): %4!p!

Fields #

Name	Description
`A10_ClusterCount` HexInt64
`A11_Scb` Pointer
`A12_*TotalAllocated` HexInt64
`A13_TotalAllocated` Pointer

Event ID 80: task_080

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!Addr(TotalAllocated): %3!p!, ScbState: %4!08x!, IrpContextState2: %5!08x!

Fields #

Name	Description
`A10_ClusterCount` HexInt64
`A11_Scb` Pointer
`A12_TotalAllocated` Pointer
`A13_Scb->State` HexInt32
`A14_IrpContext->State2` HexInt32

Event ID 81: task_081

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters: Vcb %1!p! - Undoing some changes to DeallocatedClustersCount from %2!I64x! to %3!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->DeallocatedClusters` HexInt64
`A12_Vcb->DeallocatedClusters-ClustersRemoved` HexInt64

Event ID 82: task_082

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ClustersDeallocated` UInt32

Event ID 83: task_083

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ClustersDeallocated` UInt32

Event ID 84: task_084

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Vcb: %2!p!, FirstBit: 0x%3!I64x!, BeyondLastBit: 0x%4!I64x!, Redo: 0x%5!x!, Undo: 0x%6!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_FirstBit` HexInt64
`A13_BeyondFinalBit` HexInt64
`A14_RedoOperation` HexInt32
`A15_UndoOperation` HexInt32

Event ID 85: task_085

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, CurrentLcn: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11__Bitmap` Pointer
`A12_BaseLcn` HexInt64
`A13_CurrentLcn` HexInt64

Event ID 86: task_086

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_StartingLcn` HexInt64
`A13_ClusterCount` HexInt64

Event ID 87: task_087

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAllocateBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11__Bitmap` Pointer
`A12_BaseLcn` HexInt64
`A13_StartingLcn` HexInt64

Event ID 88: task_088

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartSetBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Bitmap` Pointer
`A12_BitMapOffset` HexInt32
`A13_NumberOfBits` HexInt32

Event ID 89: task_089

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_StartingLcn` HexInt64
`A13_*ClusterCount` HexInt64

Event ID 90: task_090

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11__Bitmap` Pointer
`A12_BaseLcn` HexInt64
`A13_StartingLcn` HexInt64

Event ID 91: task_091

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartClearBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Bitmap` Pointer
`A12_BitMapOffset` HexInt32
`A13_NumberOfBits` HexInt32

Event ID 92: task_092

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!, StartingBitmapLcn: 0x%4!I64x!, SetBits: %5!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_Bitmap` Pointer
`A13_StartingBitmapLcn` HexInt64
`A14_SetBits` UInt32

Event ID 93: task_093

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Bitmap: %2!p!, StartLcn: 0x%3!I64x!, EndLcn: 0x%4!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Bitmap` Pointer
`A12_StartingBit` HexInt64
`A13_EndingBit` HexInt64

Event ID 94: task_094

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Result: %2!S!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Results` UInt32

Event ID 95: task_095

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

System files not marked as in use in the MFT bitmap.  DWord offset %1!x!, value %2!x!.

Fields #

Name	Description
`A10_i` HexInt32
`A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]` HexInt32

Event ID 96: task_096

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Length:        0 --> BinIndex :        0    - Unexpected length

Event ID 97: task_097

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - Key: %3!u!, BitPosition: %4!ld!, GroupIndex: %5!ld!, GroupShiftFactor: %6!ld!

Fields #

Name	Description
`A10_Length` Int64
`A11_BinIndex` UInt32
`A12_Key` UInt32
`A13_BitPosition` Int32
`A14_GroupIndex` Int32
`A15_GroupShiftFactor` Int32

Event ID 98: task_098

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - BinIndex was beyond TotalBins: %3!u! hence brought down

Fields #

Name	Description
`A10_Length` Int64
`A11_BinIndex` UInt32
`A12_TotalBins` UInt32

Event ID 99: task_099

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - BinIndex is set to last bin or beyond, TotalBins: %3!u!

Fields #

Name	Description
`A10_BinIndex` UInt32
`A11_MAXLONGLONG` Int64
`A12_TotalBins` UInt32

Event ID 100: task_0100

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - GroupIndex: %3!ld!, RelativeBinIndex: %4!ld!, MaxKey: %5!u!

Fields #

Name	Description
`A10_BinIndex` UInt32
`A11_MaxLength` Int64
`A12_GroupIndex` Int32
`A13_RelativeBinIndex` Int32
`A14_MaxKey` UInt32

Event ID 101: task_0101

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

BinGroupShift: %1!8ld!, BinGroupSize: %2!8u!, BinGroupMask: %3!8x!

Fields #

Name	Description
`A10_NtfsCachedRunBinGroupShift` Int32
`A11_NtfsCachedRunBinGroupSize` UInt32
`A12_NtfsCachedRunBinGroupMask` HexInt32

Event ID 102: task_0102

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64u! (0x%3!8I64x!)

Fields #

Name	Description
`A10_BinIndex` UInt32
`A11_MaxLength` UInt64
`A12_MaxLength` HexInt64

Event ID 103: task_0103

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Searched committed allocations but didnt find enough free space.  StartingCluster %1!I64x!, ClusterCount %2!I64x!, Committed %3!I64x!, Total %4!I64x!, Free %5!I64x!

Fields #

Name	Description
`A10_StartingCluster` HexInt64
`A11_ClusterCount` HexInt64
`A12_Vcb->TotalClustersCommitted` HexInt64
`A13_Vcb->TotalClusters` HexInt64
`A14_Vcb->FreeClusters` HexInt64

Event ID 104: task_0104

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): first bit 0x%2!X!, last bit 0x%3!X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_FirstBitToClear` HexInt32
`A12_BeyondLastBitToClear - 1` HexInt32

Event ID 105: task_0105

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no leading partial slab

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 106: task_0106

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): leading partial slab returned - LCN %2!I64X!, len %3!I64X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*FreeClusterBase1` HexInt64
`A12_*FreeClusterCount1` HexInt64

Event ID 107: task_0107

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no trailing partial slab

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 108: task_0108

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): trailing partial slab returned - lcn %2!I64X!, len %3!I64X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*FreeClusterBase2` HexInt64
`A12_*FreeClusterCount2` HexInt64

Event ID 109: task_0109

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsValidateTotalClustersCommitted(%1!p!,%2!p!): TCC %3!I64x!, TC %4!I64x!, BMSize %5!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_PsGetCurrentThread()` Pointer
`A12_Vcb->TotalClustersCommitted` HexInt64
`A13_Vcb->TotalClusters` HexInt64
`A14_Vcb->TPMap.SizeOfBitMap` HexInt32

Event ID 110: task_0110

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Illegal MDL Complete for major code %1!u!

Fields #

Name	Description
`A10_IrpContext->MajorFunction` UInt32

Event ID 111: task_0111

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, ByteCount: 0x%3!016I64x!, ExtentsDescriptor: %4!p!, ExtentsDescriptorIndex: %5!d!, ExtentsDescriptorStartOffset: 0x%6!016I64x!, Offset: 0x%7!016I64x!, MaxRuns: %8!d!,

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingZero` HexInt64
`A12_ByteCount` HexInt64
`A13_ExtentsDescriptor` Pointer
`A14_*ExtentsDescriptorIndex` Int32
`A15_*ExtentsDescriptorStartOffset` HexInt64
`A16_Offset` HexInt64
`A17_MaxRuns` Int32

Event ID 112: task_0112

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

RunEntry ==> %1!4d!: [0x%2!016I64x!, 0x%3!016I64x!], ExtentLength: 0x%4!016I64x!, Offset: 0x%5!016I64x!, RunIndexStartOffset: 0x%6!016I64x!

Fields #

Name	Description
`A10_RunIndex` Int32
`A11_ExtentsDescriptor->Run[RunIndex].BasePage` HexInt64
`A12_ExtentsDescriptor->Run[RunIndex].PageCount` HexInt64
`A13_ExtentLength` HexInt64
`A14_Offset` HexInt64
`A15_RunIndexStartOffset` HexInt64

Event ID 113: task_0113

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Offset is beyond this extent skipping the extent.

Event ID 114: task_0114

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Shrinking LengthInExtent (0x%1!016I64x!) to ByteCount (0x%2!016I64x!) that we have to zero

Fields #

Name	Description
`A10_LengthInExtent` HexInt64
`A11_ByteCount` HexInt64

Event ID 115: task_0115

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

Name	Description
`A10_StartingPhysicalAddr.QuadPart` HexInt64
`A11_LengthInExtent` HexInt64

Event ID 116: task_0116

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Exiting: ExtentsDescriptorIndex: %1!d! ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

Name	Description
`A10_*ExtentsDescriptorIndex` Int32
`A11_*ExtentsDescriptorStartOffset` HexInt64

Event ID 117: task_0117

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingOffset` HexInt64
`A12_BeyondEndOffset` HexInt64

Event ID 118: task_0118

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Dsm Ranges[%1!d!]: StartingOffset: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

Name	Description
`A10_DataSetRangeIndex` Int32
`A11_DsmBuffer->DataSetRanges[DataSetRangeIndex].StartingOffset` HexInt64
`A12_DsmBuffer->DataSetRanges[DataSetRangeIndex].LengthInBytes` HexInt64

Event ID 119: task_0119

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!

Fields #

Name	Description
`A10_RemainingClusterCount` HexInt64
`A11_DataSetRangeIndex` Int32

Event ID 120: task_0120

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Dsm: TotalNumberOfRanges: %1!d!, NumberOfRangesReturned: %2!d!

Fields #

Name	Description
`A10_DsmByteAddressRanges->TotalNumberOfRanges` Int32
`A11_DsmByteAddressRanges->NumberOfRangesReturned` Int32

Event ID 121: task_0121

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DsmOut Ranges[%1!d!]: StartingAddress: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

Name	Description
`A10_Index` Int32
`A11_DsmByteAddressRanges->Ranges[Index].StartAddress` HexInt64
`A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes` HexInt64

Event ID 122: task_0122

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

Name	Description
`A10_StartingPhysicalAddr.QuadPart` HexInt64
`A11_LengthInExtent` HexInt64

Event ID 123: task_0123

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

Name	Description
`A10_*ExtentsDescriptorIndex` Int32
`A11_*ExtentsDescriptorStartOffset` HexInt64

Event ID 124: task_0124

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!, ByteCount: 0x%4!016I64x!, ExtentsDescriptor: %5!p!, ExtentsDescriptorIndex: %6!d!, ExtentsDescriptorStartOffset: 0x%7!016I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingZero` HexInt64
`A12_BeyondEndOffset` HexInt64
`A13_ByteCount` HexInt64
`A14_ExtentsDescriptor` Pointer
`A15_ExtentsDescriptorIndex ? *ExtentsDescriptorIndex : 0` Int32
`A16_ExtentsDescriptorStartOffset ? *ExtentsDescriptorStartOffset : 0` HexInt64

Event ID 125: task_0125

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

Name	Description
`A10_*ExtentsDescriptorIndex` Int32
`A11_*ExtentsDescriptorStartOffset` HexInt64

Event ID 126: task_0126

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

IrpContext: %1!p!; Scb: %2!p!; StartOffset: 0x%3!I64x!; ByteCount: 0x%4!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Scb` Pointer
`A12_StartOffset` HexInt64
`A13_ByteCount` HexInt32

Event ID 127: task_0127

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Return. IrpContext: %1!p!

Fields #

Name	Description
`A10_IrpContext` Pointer

Event ID 128: task_0128

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected open type received: %1!u!

Fields #

Name	Description
`A10_TypeOfOpen` UInt32

Event ID 129: task_0129

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: %1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 130: task_0130

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 131: task_0131

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 132: task_0132

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, FileIdBuffer: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Event ID 133: task_0133

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, Path: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Event ID 134: task_0134

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonCreate: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: %5!x!.

Event ID 135: task_0135

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: %1!p!, CreateDisposition: 0x%2!x!.

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_CreateDisposition` HexInt32

Event ID 136: task_0136

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 137: task_0137

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonVolumeOpen: Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->CleanupCount: %6!d!, BiasedCleanupCount: %7!d!.

Event ID 138: task_0138

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 139: task_0139

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->ReadOnlyCloseCount: %6!d!, Vcb->CloseCount: %7!d!, Vcb->SystemFileCloseCount: %8!d!.

Event ID 140: task_0140

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->CleanupCount: %7!d!, Fcb->FcbState: 0x%8!08x!, IrpSp->Flags: 0x%9!08x!.

Event ID 141: task_0141

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->FcbState: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 142: task_0142

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, IrpContext->State: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 143: task_0143

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 144: task_0144

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Event ID 145: task_0145

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 146: task_0146

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Event ID 147: task_0147

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenFile: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Event ID 148: task_0148

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb Rmstate: 0x%7!08x!.

Event ID 149: task_0149

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb): Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!, AttrTypeCode: 0x%9!x!.

Event ID 150: task_0150

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Create options: 0x%7!08x!, Ccb flags: 0x%8!08x!.

Event ID 151: task_0151

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb) Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!.

Event ID 152: task_0152

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb state: 0x%7!08x!.

Event ID 153: task_0153

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NeedEaCount: %7!d!, CreateOptions: 0x%8!08x!, CcbFlags: 0x%9!08x!.

Event ID 154: task_0154

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttrTypeCode to create: 0x%7!x!, CreateDisposition: 0x%8!08x!.

Event ID 155: task_0155

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CreateDisposition: 0x%7!08x!.

Event ID 156: task_0156

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, AttrTypeCode: 0x%8!x!.

Event ID 157: task_0157

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, DuplicateInfo attributes: 0x%7!08x!, FileAttributes: 0x%8!08x!.

Event ID 158: task_0158

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Create options: 0x%7!08x!.

Event ID 159: task_0159

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttributeTypeCode: 0x%7!x!, Scb state: 0x%8!08x!, Scb HighWaterMark: %9!I64d!.

Event ID 160: task_0160

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, CreateDisposition: 0x%6!08x!.

Event ID 161: task_0161

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, DesiredAccess: 0x%6!08x!.

Event ID 162: task_0162

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: %1!p!, AttributeTypeCode: %2!x!.

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_*AttrCode` HexInt32

Event ID 163: task_0163

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 164: task_0164

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Event ID 165: task_0165

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Previously granted access: 0x%10!08x!.

Event ID 166: task_0166

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Disallow write count: %8!d!, Desired Access: 0x%9!08x!.

Event ID 167: task_0167

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 168: task_0168

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Event ID 169: task_0169

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Event ID 170: task_0170

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Event ID 171: task_0171

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Desired Access: 0x%7!08x!, FileAttributes: 0x%8!08x!, SL control flags: 0x%9!08x!.

Event ID 172: task_0172

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, NtfsData flags: 0x%8!08x!.

Event ID 173: task_0173

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Stream attribute flags: 0x%8!08x!.

Event ID 174: task_0174

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb cleanup count: %7!d!, EncryptionCallBackTable flags: 0x%8!08x!.

Event ID 175: task_0175

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: %1!p!, Fcb: %2!p!, FileRef: 0x%3!I64x!, TxfRmcb RM state: %4!x!.

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_CurrentFcb` Pointer
`A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )` HexInt64
`A13_CurrentFcb->TxfRmcb->RmState` HexInt32

Event ID 176: task_0176

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Link Name: %7!S!, DesiredAccess: 0x%8!08x!, DesiredShareAccess: 0x%9!08x!, IoShareAccessFlags: 0x%10!08x!, LinkShareAccess->OpenCount: %11!d!, LinkShareAccess->Deleters: %12!d!, LinkShareAccess->SharedDelete: %13!d!.

Event ID 177: task_0177

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, DesiredAccess: 0x%9!08x!, DesiredShareAccess: 0x%10!08x!, IoShareAccessFlags: 0x%11!08x!, ShareAccess->OpenCount: %12!d!, ShareAccess->Readers: %13!d!, ShareAccess->Writers: %14!d!, ShareAccess->->Deleters: %15!d!, ShareAccess->SharedRead: %16!d!, ShareAccess->SharedWrite: %17!d!, ShareAccess->SharedDelete: %18!d!.

Event ID 178: task_0178

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, DesiredAccess: 0x%10!08x!, DesiredShareAccess: 0x%11!08x!, IoShareAccessFlags: 0x%12!08x!, ShareAccess->OpenCount: %13!d!, ShareAccess->Readers: %14!d!, ShareAccess->Writers: %15!d!, ShareAccess->->Deleters: %16!d!, ShareAccess->SharedRead: %17!d!, ShareAccess->SharedWrite: %18!d!, ShareAccess->SharedDelete: %19!d!, LinkShareAccess->OpenCount: %20!d!, LinkShareAccess->Deleters: %21!d!, LinkShareAccess->SharedDelete: %22!d!.

Event ID 179: task_0179

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, Previously granted access: 0x%10!08x!, AccessState->Flags: 0x%11!08x!, DesiredShareAccess: 0x%12!08x!, CreateDisposition: 0x%13!08x!, OpenCount: %14!d!, Readers: %15!d!, Writers: %16!d!, Deleters: %17!d!, SharedRead: %18!d!, Lcb Deleters: %19!d!.

Event ID 180: task_0180

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 181: task_0181

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 182: task_0182

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 183: task_0183

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 184: task_0184

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Will tell storage we are freeing at %2!I64x! for %3!x! clusters

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_StartingCluster` HexInt64
`A12_RunLength` HexInt32

Event ID 185: task_0185

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Flush requested

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 186: task_0186

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Created new MarkUnusedContext %2!p!, DEALLOCATED_CLUSTERS %3!p!, MCB %4!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*MarkUnusedContext` Pointer
`A12_(*MarkUnusedContext)->DeallocatedClusters` Pointer
`A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb` Pointer

Event ID 187: task_0187

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Successfully added clusters starting at %2!I64x! for %3!x! into MCB %4!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_StartingCluster` HexInt64
`A12_RunLength` HexInt32
`A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb` Pointer

Event ID 188: task_0188

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - MCB %2!p! is full

Fields #

Name	Description
`A10_Vcb` Pointer
`A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb` Pointer

Event ID 189: task_0189

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Queuing request to IC pre-trim list, MUC %2!p!, IC %3!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_*MarkUnusedContext` Pointer
`A12_IrpContext` Pointer

Event ID 190: task_0190

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Failed to allocate/initial MarkUnusedContext

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 191: task_0191

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, SrcOrigClusCt %4!I64x!, SrcDSRL %5!x! - Entering

Fields #

Name	Description
`A10_Src` Pointer
`A11_Dst` Pointer
`A12_Src->ClustersCount` HexInt64
`A13_Src->DeallocatedClusters->ClusterCount` HexInt64
`A14_SrcDsmAttr->DataSetRangesLength` HexInt32

Event ID 192: task_0192

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, DstClusCt %4!I64x!, DstDSRL %5!x!, DstLIB %6!I64x!, DstSOff %7!I64x! - Leaving

Fields #

Name	Description
`A10_Src` Pointer
`A11_Dst` Pointer
`A12_Src->ClustersCount` HexInt64
`A13_Dst->ClustersCount` HexInt64
`A14_DstDsmAttr->DataSetRangesLength` HexInt32
`A15_DstFirstDataSetRangePtr->LengthInBytes` HexInt64
`A16_DstFirstDataSetRangePtr->StartingOffset` HexInt64

Event ID 193: task_0193

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Entering

Event ID 194: task_0194

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - DC %3!I64x!, DCIT %4!x!, DCTD %5!x!, CC %6!I64x!, IR %7!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_Vcb->DeallocatedClusters` HexInt64
`A13_Vcb->DeallocatedClustersListLengthInTrim` HexInt32
`A14_Vcb->DeallocatedClustersListLengthToDrain` HexInt32
`A15_Clusters->ClusterCount` HexInt64
`A16_InitialRanges` HexInt32

Event ID 195: task_0195

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - Removed interior slab(s) from TP map - [LCN %3!I64X!, len %4!I64X!] => [LCN %5!I64X!, len %6!I64X!], [LCN %7!I64X!, len %8!I64X!]

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_StartingLcn` HexInt64
`A13_ClusterCount` HexInt64
`A14_FreeClusterBase1` HexInt64
`A15_FreeClusterCount1` HexInt64
`A16_FreeClusterBase2` HexInt64
`A17_FreeClusterCount2` HexInt64

Event ID 196: task_0196

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - Releasing bitmap

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 197: task_0197

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - CloseCount %2!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->CloseCount` HexInt32

Event ID 198: task_0198

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPostTrimProcessing: Leaving

Event ID 199: task_0199

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1!p!

Fields #

Name	Description
`A10_Irp` Pointer

Event ID 200: task_0200

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p!, IC %2!p! - Entering

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer

Event ID 201: task_0201

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Kicked off DelayedWorkQueue

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 202: task_0202

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 203: task_0203

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1!p!

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 204: task_0204

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Small MUC %2!p! instead of MUC %3!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_SmallMarkUnusedContext` Pointer
`A12_MarkUnusedContext` Pointer

Event ID 205: task_0205

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Failed to allocate small MUC so use MUC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 206: task_0206

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down.  MUC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 207: task_0207

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - [%3!x!] Offset %4!I64x!, Length %5!I64x! - trim entry

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_TrimEntryCount++` HexInt32
`A13_DataSetRangePtr->StartingOffset` HexInt64
`A14_DataSetRangePtr->LengthInBytes` HexInt64

Event ID 208: task_0208

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p!, Irp %3!p! - Completed

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_IrpUsed` Pointer

Event ID 209: task_0209

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - %3!x! - failed to send

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_Status` HexInt32

Event ID 210: task_0210

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Add MUC %2!p! to post trim list

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 211: task_0211

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Free small MUC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 212: task_0212

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down failed with %2!x!.  MUC %3!p!, Count %4!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Status` HexInt32
`A12_MarkUnusedContext` Pointer
`A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL` HexInt64

Event ID 213: task_0213

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Event ID 214: task_0214

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - There are waiters for DC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DeallocatedClusters` Pointer

Event ID 215: task_0215

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Waking up waiter for DC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DeallocatedClusters` Pointer

Event ID 216: task_0216

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Done waking up DC %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DeallocatedClusters` Pointer

Event ID 217: task_0217

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p!, All %2!x! - Entering

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_All` HexInt32

Event ID 218: task_0218

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting to drain

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 219: task_0219

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting for partial drain

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 220: task_0220

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 221: task_0221

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Entering

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 222: task_0222

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Inserted %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DeallocatedClustersToWaitFor->DeallocatedClusters` Pointer

Event ID 223: task_0223

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 224: task_0224

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1!p! - Wait for DC %2!p!

Fields #

Name	Description
`A10_IrpContext->Vcb` Pointer
`A11_DeallocatedClustersToWaitFor->DeallocatedClusters` Pointer

Event ID 225: task_0225

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

Name	Description
`A10_WaitInSeconds` Int32
`A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ? (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)` Int32
`A12_IrpContext` Pointer
`A13_IrpContext->Vcb` Pointer
`A14_DeallocatedClusters` Pointer

Event ID 226: task_0226

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

Name	Description
`A10_WaitInSeconds` Int32
`A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ? (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)` Int32
`A12_IrpContext` Pointer
`A13_IrpContext->Vcb` Pointer
`A14_DeallocatedClusters` Pointer

Event ID 227: task_0227

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckForTrimThrottling: Vcb %1!p! - hitting trim threshold %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->DeallocatedClustersListLengthInTrim` Int32

Event ID 228: task_0228

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Entering

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 229: task_0229

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 230: task_0230

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredSyncResource %2!u!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_AcquiredVcb` UInt32

Event ID 231: task_0231

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - Skipping deallocated clusters gen&apos;d by smart trim

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 232: task_0232

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - MCB run %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_RunIndex` UInt32
`A13_StartingOffset` HexInt64
`A14_LengthInBytes` HexInt64

Event ID 233: task_0233

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MUC %2!p!, DSR count %3!u!, MCB count %4!u!, ST free slots %5!u!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_DataSetRangeCount` UInt32
`A13_McbRunCount` UInt32
`A14_SmartTrimFreeRangeCount` UInt32

Event ID 234: task_0234

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - DSR range %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer
`A12_RunIndex` UInt32
`A13_DataSetRange->StartingOffset` HexInt64
`A14_DataSetRange->LengthInBytes` HexInt64

Event ID 235: task_0235

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MCB lcn %2!I64X! len %3!I64X! maps to TP map bits [0x%4!X!, 0x%5!X!]

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_StartingLcn` HexInt64
`A12_ClusterCount` HexInt64
`A13_FirstTpMapBit` HexInt32
`A14_LastTpMapBit` HexInt32

Event ID 236: task_0236

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Smart trim state on exit; %2!u! ranges:

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_SmartTrimState->SlabRangesCount` UInt32

Event ID 237: task_0237

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Range %2!u!: FirstTPMapBit 0x%3!X!, LastTPMapBit 0x%4!X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_SlabRangeIndex` UInt32
`A12_SlabRange->FirstTPMapBit` HexInt32
`A13_SlabRange->LastTPMapBit` HexInt32

Event ID 238: task_0238

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 239: task_0239

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Entering

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 240: task_0240

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 241: task_0241

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredBitmap %2!u!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_AcquiredBitmap` UInt32

Event ID 242: task_0242

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Checking slab 0x%2!X! for allocations

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_TpMapBit` HexInt32

Event ID 243: task_0243

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Slab 0x%2!X! has allocations, will not trim

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_TpMapBit` HexInt32

Event ID 244: task_0244

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Free slab found - TP map bit 0x%2!X!, lcn %3!I64X!, len %4!I64X!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_TpMapBit` HexInt32
`A12_SlabBaseLcn` HexInt64
`A13_SlabLengthInClusters` HexInt64

Event ID 245: task_0245

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 246: task_0246

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 247: task_0247

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 248: task_0248

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, SL control flags: 0x%6!08x!.

Event ID 249: task_0249

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush status: %5!S!.

Event ID 250: task_0250

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Could not find paging file run.

Event ID 251: task_0251

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Could not find paging file MCB entry.

Event ID 252: task_0252

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Could not find paging file run.

Event ID 253: task_0253

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Writing to $Bitmap. Vcb: %1!p!, Offset: 0x%2!I64x!, Length: 0x%3!x!

Fields #

Name	Description
`A10_Scb->Vcb` Pointer
`A11_StartingVbo` HexInt64
`A12_ByteCount` HexInt32

Event ID 254: task_0254

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS: Posting hotfix on file object: %1!p!

Fields #

Name	Description
`A10_FileObject` Pointer

Event ID 255: task_0255

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS:     Freeing Bad Vcn: %1!08x!, %2!08x!

Fields #

Name	Description
`A10_((ULONG)BadVcn)` HexInt32
`A11_((PLARGE_INTEGER)_BadVcn)->HighPart` HexInt32

Event ID 256: task_0256

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS:     Retiring Bad Lcn: %1!08x!, %2!08x!

Fields #

Name	Description
`A10_((ULONG)BadLcn)` HexInt32
`A11_((PLARGE_INTEGER)_BadLcn)->HighPart` HexInt32

Event ID 257: task_0257

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS:     Reallocating Bad Vcn

Event ID 258: task_0258

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS:     Bad Cluster replaced

Event ID 259: task_0259

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_NewBufferSize` HexInt32

Event ID 260: task_0260

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

Name	Description
`A10_NewBufferSize` HexInt32
`A11_NtfsGetCompressionBufferSize()` HexInt32

Event ID 261: task_0261

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 262: task_0262

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12_NewBufferSize` HexInt32

Event ID 263: task_0263

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

Name	Description
`A10_NewBufferSize` HexInt32
`A11_NtfsGetUsaBufferSize( Vcb )` HexInt32

Event ID 264: task_0264

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 265: task_0265

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 266: task_0266

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal: Vcb %1!p! - Calling FRD

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 267: task_0267

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal: Vcb %1!p! - Done calling FRD

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 268: task_0268

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 269: task_0269

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x! - copy offload

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_MoveData->StartingVcn.QuadPart` HexInt64
`A15_TransferClusters` HexInt64
`A16_Lcn` HexInt64
`A17_MoveData->StartingLcn.QuadPart` HexInt64
`A18_CopyLength` HexInt32
`A19_Flags.UseDelayedAllocation` Int32
`A20_Status` HexInt32

Event ID 270: task_0270

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_MoveData->StartingVcn.QuadPart` HexInt64
`A15_TransferClusters` HexInt64
`A16_Lcn` HexInt64
`A17_MoveData->StartingLcn.QuadPart` HexInt64
`A18_CopyLength` HexInt32
`A19_Flags.UseDelayedAllocation` Int32
`A20_MyStatus` HexInt32

Event ID 271: task_0271

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, CurrLcn %5!I64x!, Len %6!x!, Status %7!x! - read completed

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_Lcn` HexInt64
`A15_CopyLength` HexInt32
`A16_MyStatus` HexInt32

Event ID 272: task_0272

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, NewLcn %5!I64x!, Len %6!x!, Status %7!x! - write completed

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_MoveData->StartingLcn.QuadPart` HexInt64
`A15_CopyLength` HexInt32
`A16_MyStatus` HexInt32

Event ID 273: task_0273

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, DA %9!d!, ValidClusters %10!I64x! - beyond VDL

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_MoveData->StartingVcn.QuadPart` HexInt64
`A15_TransferClusters` HexInt64
`A16_Lcn` HexInt64
`A17_MoveData->StartingLcn.QuadPart` HexInt64
`A18_Flags.UseDelayedAllocation` Int32
`A19_ValidClusters` HexInt64

Event ID 274: task_0274

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x! - committed

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )` HexInt64
`A14_MoveData->StartingVcn.QuadPart` HexInt64
`A15_TransferClusters` HexInt64

Event ID 275: task_0275

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Event ID 276: task_0276

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 277: task_0277

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Calling FRD

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 278: task_0278

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Done calling FRD

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 279: task_0279

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 280: task_0280

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

SCB: %1!p!, VDL=0x%2!I64x!, FS=0x%3!I64x!, StartOff=0x%4!I64x!, StartVcn=0x%5!I64x!, Length=0x%6!I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Scb->Header.ValidDataLength.QuadPart` HexInt64
`A12_Scb->Header.FileSize.QuadPart` HexInt64
`A13_QueryDaxExtents->FileOffset` HexInt64
`A14_StartingVcn` HexInt64
`A15_QueryDaxExtents->Length` HexInt64

Event ID 281: task_0281

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

StartOff=0x%1!I64x!, Length=0x%2!I64x!, EffectiveLength=0x%3!I64x! StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!, Clusters=0x%6!I64x!, LastVcnInFile=0x%7!I64x!

Fields #

Name	Description
`A10_QueryDaxExtents->FileOffset` HexInt64
`A11_QueryDaxExtents->Length` HexInt64
`A12_EffectiveInputFileRegionLength` HexInt64
`A13_StartingVcn` HexInt64
`A14_BeyondEndVcn` HexInt64
`A15_RemainingClusterCount` HexInt64
`A16_LastVcnInFile` HexInt64

Event ID 282: task_0282

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NumberOfValidRuns: 0

Event ID 283: task_0283

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!, OutputBufferLength: 0x%3!d!

Fields #

Name	Description
`A10_RemainingClusterCount` HexInt64
`A11_DataSetRangeIndex` Int32
`A12_OutputBufferLength` Int32

Event ID 284: task_0284

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x%1!x!, MaxRuns: 0x%2!x!, BytesReturned: 0x%3!I64x!

Fields #

Name	Description
`A10_ExtentsDescriptor->NumberOfValidRuns` HexInt32
`A11_MaxRuns` HexInt32
`A12_*BytesReturned` HexInt64

Event ID 285: task_0285

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Made an educated guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

Name	Description
`A10_RemainingClusterCount` HexInt64
`A11_ExtentsDescriptor->NumberOfValidRuns` HexInt32

Event ID 286: task_0286

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Made a wild guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

Name	Description
`A10_RemainingClusterCount` HexInt64
`A11_ExtentsDescriptor->NumberOfValidRuns` HexInt32

Event ID 287: task_0287

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NumberOfValidRuns: 0x%1!08x!, MaxRuns: 0x%2!08x!, Status: 0x%3!08x!, BytesReturned: 0x%4!I64x!

Fields #

Name	Description
`A10_ExtentsDescriptor->NumberOfValidRuns` HexInt32
`A11_MaxRuns` HexInt32
`A12_Status` HexInt32
`A13_*BytesReturned` HexInt64

Event ID 288: task_0288

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

BasePage: 0x%1!-16I64x!, PageCount: 0x%2!-16I64x!

Fields #

Name	Description
`A10_ExtentsDescriptor->Run[Index].BasePage` HexInt64
`A11_ExtentsDescriptor->Run[Index].PageCount` HexInt64

Event ID 289: task_0289

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

About to zero range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

Name	Description
`A10_ZeroStart` HexInt64
`A11_ZeroEnd` HexInt64

Event ID 290: task_0290

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Zeroed range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

Name	Description
`A10_ZeroStart` HexInt64
`A11_ZeroEnd` HexInt64

Event ID 291: task_0291

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 292: task_0292

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb access flags: 0x%10!08x!, Granted access: 0x%11!08x!.

Event ID 293: task_0293

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 294: task_0294

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Event ID 295: task_0295

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Device Object flags: 0x%10!08x!.

Event ID 296: task_0296

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: %7!x!.

Event ID 297: task_0297

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfNumWriters count: %7!d!.

Event ID 298: task_0298

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, TxfNumWriters count: %9!d!.

Event ID 299: task_0299

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Cleanup count: %7!d!.

Event ID 300: task_0300

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, Link cleanup count: %9!d!, SplitPrimaryLcb: %10!p!, Split link name: %11!S!, Split link cleanup count: %12!d!.

Event ID 301: task_0301

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: 0x%7!08x!, Lcb: %8!p!, link name: %9!S!, link name flag: 0x%10!08x!, link state: 0x%11!08x!.

Event ID 302: task_0302

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, File attributes: 0x%7!08x!.

Event ID 303: task_0303

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: Can not rename into a system directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Event ID 304: task_0304

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Event ID 305: task_0305

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!.

Event ID 306: task_0306

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Potential child FileRef: %7!I64x!.

Event ID 307: task_0307

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!.

Event ID 308: task_0308

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, TxfVisibleLinks: %8!d!.

Event ID 309: task_0309

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, SeAccessCheck status: %8!S!.

Event ID 310: task_0310

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!.

Event ID 311: task_0311

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!, Target RM state: %8!x!.

Event ID 312: task_0312

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!.

Event ID 313: task_0313

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!, Parent FileRef: %9!I64x!.

Event ID 314: task_0314

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Stream cleanup count: %7!d!.

Event ID 315: task_0315

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, ByID opens: %7!d!, Stream cleanup count: %8!d!.

Event ID 316: task_0316

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsStreamRename: Deny access due to encryption happening on source stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb state: 0x%10!08x! Scb HighWaterMark: %11!I64d!.

Event ID 317: task_0317

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Previous batch oplock count: %7!d!, current batch oplock count: %8!d!.

Event ID 318: task_0318

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Vcb: %2!p!, Fcb: %3!p!, LocalFlags: %4!#08x!

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_Vcb` Pointer
`A12_Fcb` Pointer
`A13_LocalFlags->EntireFlags` HexInt32

Event ID 319: task_0319

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Scb: %2!p!

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_Scb` Pointer

Event ID 320: task_0320

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushVolume: Thread: %1!p!, Vcb: %2!p!, LocalFlags: %3!#08x!

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_Vcb` Pointer
`A12_LocalFlags.EntireFlags` HexInt32

Event ID 321: task_0321

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: %1!p! Vcb: %2!p!

Fields #

Name	Description
`A10_Vcb->BitmapScb` Pointer
`A11_Vcb` Pointer

Event ID 322: task_0322

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: %1!p! Vcb: %2!p!

Fields #

Name	Description
`A10_Vcb->MftScb` Pointer
`A11_Vcb` Pointer

Event ID 323: task_0323

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into completion queue

Fields #

Name	Description
`A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb` Pointer
`A11_Context` Pointer

Event ID 324: task_0324

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into WorkQueue - Flink %3!p!

Fields #

Name	Description
`A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb` Pointer
`A11_Context` Pointer
`A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink` Pointer

Event ID 325: task_0325

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDiskFlushContextWorkItemProcessing: Process work item

Event ID 326: task_0326

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Event ID 327: task_0327

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, MinorCode: %4!02x!, FsControlCode: 0x%5!08x!

Fields #

Name	Description
`A10_Irp` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->Vcb` Pointer
`A13_IrpSp->MinorFunction` HexInt32
`A14_FsControlCode` HexInt32

Event ID 328: task_0328

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!, DisallowDismountCount: %6!d!, ExplicitLock: %7!d!, Volume CleanupCount: %8!d!, Handle count: %9!d!.

Event ID 329: task_0329

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Event ID 330: task_0330

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Event ID 331: task_0331

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Event ID 332: task_0332

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume close count: %5!d!, System file close count: %6!d!, User handle count: %7!d!.

Event ID 333: task_0333

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 334: task_0334

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Active RM count: %5!d!, Default RM Active: %6!d!.

Event ID 335: task_0335

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)Vcb->TxfVcb.DefaultRm` Pointer
`A12_(Vcb->TxfVcb.DefaultRm != NULL) ? _Vcb->TxfVcb.DefaultRm->RmId : NULL` GUID

Event ID 336: task_0336

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 337: task_0337

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDismountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 338: task_0338

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 339: task_0339

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 340: task_0340

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, ReadOnlyCloseCount: %6!d!, CloseCount: %7!d!, SystemFileCloseCount: %8!d!.

Event ID 341: task_0341

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDismountVolume: Could not flush trim hints.  Couldn&apos;t make progress flushing log.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 342: task_0342

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 343: task_0343

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 344: task_0344

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 345: task_0345

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 346: task_0346

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 347: task_0347

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, TypeOfOpen: %6!d!.

Event ID 348: task_0348

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Irp Request Mode: %6!d!.

Event ID 349: task_0349

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 350: task_0350

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 351: task_0351

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!.

Event ID 352: task_0352

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!, CallerId: %7!d!, Context owner ID: %8!d!.

Event ID 353: task_0353

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, FileObject write access: %9!d!.

Event ID 354: task_0354

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Scb attributes: 0x%9!08x!.

Event ID 355: task_0355

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsZeroRange: User mode caller not allowed. Thread: %1!p!, Zero flags: 0x%2!08x!, Irp Requestor Mode: %3!d!.

Fields #

Name	Description
`A10_PsGetCurrentThread()` Pointer
`A11_ZeroFlags` HexInt32
`A12_Irp->RequestorMode` Int32

Event ID 356: task_0356

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

IC: %1!p!, Scb: %2!p!, FileObject: %3!p!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Scb` Pointer
`A12_IrpSp->FileObject` Pointer

Event ID 357: task_0357

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

IC: %1!p!, EncryptionOperation: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_EncryptionOperation` HexInt32

Event ID 358: task_0358

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 359: task_0359

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 360: task_0360

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 361: task_0361

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 362: task_0362

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 363: task_0363

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsChangeVolumeSize (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 364: task_0364

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsChangeVolumeSize (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 365: task_0365

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, HandleInfo flags: 0x%9!08x!, Irp Requestor Mode: %10!d!.

Event ID 366: task_0366

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 367: task_0367

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, HandleInfo flags: 0x%11!08x!.

Event ID 368: task_0368

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState2: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!.

Event ID 369: task_0369

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!, Irp RequestorMode: %13!d!.

Event ID 370: task_0370

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, HandleInfo flags: %8!x!.

Event ID 371: task_0371

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, HandleInfo: 0x%10!08x!.

Event ID 372: task_0372

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Writers: %10!d!.

Event ID 373: task_0373

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 374: task_0374

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, WriteAccess: %6!d!, Fcb: %7!p!, FileRef: 0x%8!I64x!, FcbState: %9!x!, Scb AttributeTypeCode: 0x%10!x!, Ccb FullFileName: %11!S!.

Event ID 375: task_0375

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 376: task_0376

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x%1!p! to %2!u!.

Fields #

Name	Description
`A10_(PVOID)Vcb` Pointer
`A11_InputParameter` UInt32

Event ID 377: task_0377

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 378: task_0378

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 379: task_0379

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, NtfsData Flags: %5!x!.

Event ID 380: task_0380

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 381: task_0381

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Resetting Volsnap behavior for VCB = 0x%1!p!.  New state is 0x%2!x!.

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->VcbState` HexInt32

Event ID 382: task_0382

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 383: task_0383

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Event ID 384: task_0384

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 385: task_0385

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scrub resume from SystemScbIndex: %1!u! Vcn: %2!#I64x! + %3!#x!

Fields #

Name	Description
`A10_ScrubResumeContext.SystemScbIndex` UInt32
`A11_ScrubResumeContext.ResumeVcn` HexInt64
`A12_ScrubResumeContext.ResumeVcnOffset` HexInt32

Event ID 386: task_0386

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub resume from Vcn: %2!#I64x! + %3!#x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_ScrubResumeContext.ResumeVcn` HexInt64
`A12_ScrubResumeContext.ResumeVcnOffset` HexInt32

Event ID 387: task_0387

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scrub SystemScbIndex: %1!u!

Fields #

Name	Description
`A10_ScrubResumeContext.SystemScbIndex` UInt32

Event ID 388: task_0388

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 389: task_0389

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scrub not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Scb->TxfScb` Pointer

Event ID 390: task_0390

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop

Event ID 391: task_0391

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! ScrubInternal OperationStatus: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! FileOffset: %5!#I64x! Length: %6!#I64x! ParityExtentCount: %7!u!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_ScrubContext.OperationStatus` HexInt32
`A12_ScrubContext.NumberOfBytesRepaired` HexInt64
`A13_ScrubContext.NumberOfBytesFailed` HexInt64
`A14_ScrubContext.ErrorFileOffset` HexInt64
`A15_ScrubContext.ErrorLength` HexInt64
`A16_ScrubContext.ParityExtentData->NumberOfParityExtents` UInt32

Event ID 392: task_0392

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! ScrubInternal Status: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! ParityExtentCount: %5!u!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32
`A12_ScrubContext.NumberOfBytesRepaired` HexInt64
`A13_ScrubContext.NumberOfBytesFailed` HexInt64
`A14_ScrubContext.ParityExtentData->NumberOfParityExtents` UInt32

Event ID 393: task_0393

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

InternalFileReference: %1!u!

Fields #

Name	Description
`A10_InternalFileReference` UInt32

Event ID 394: task_0394

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

InternalFileReference:%1!u!

Fields #

Name	Description
`A10_InternalFileReference` UInt32

Event ID 395: task_0395

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Incomplete IoCount:%2!u! Cancel:%3!u! ParityExtentCount:%4!u!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_ScrubIoCount` UInt32
`A12_Irp->Cancel` UInt32
`A13_ScrubContext.ParityExtentData->NumberOfParityExtents` UInt32

Event ID 396: task_0396

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub skipping resident attribute (d) (%2!S!)

Event ID 397: task_0397

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub skipping resident attribute (%2!S!)

Event ID 398: task_0398

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub StartingVcn(%2!#I64d!) is negative

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` Int64

Event ID 399: task_0399

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub starting vcn is beyond VDL (FileOffset: %2!#I64x!, SectorAlignedVdl: %3!#I64x!)

Fields #

Name	Description
`A10_Scb` Pointer
`A11_FileScrubOffset` HexInt64
`A12_SectorAlignedVdl` HexInt64

Event ID 400: task_0400

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64

Event ID 401: task_0401

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! Scrub skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64
`A12_ClusterCount` HexInt64

Event ID 402: task_0402

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! StartingVcn:%2!#I64x! is beyond Vdl

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64

Event ID 403: task_0403

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! ScrubDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) StartingVcn:%5!#I64x! + %6!#x! SectorAlignedVdl:%7!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_DsmRange.StartingOffset` HexInt64
`A12_DsmRange.StartingOffset + DsmRange.LengthInBytes` HexInt64
`A13_DsmRange.LengthInBytes` HexInt64
`A14_StartingVcn` HexInt64
`A15_StartingVcnOffset` HexInt32
`A16_SectorAlignedVdl` HexInt64

Event ID 404: task_0404

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scrub found problems Scb: %1!p! Vcn %2!#I64x! FileOffset: %3!#I64x! Length: %4!#I64x! Status: %5!S! BytesFailed: %6!#I64x! BytesRepaired: %7!#I64x! NewParityExtents: %8!u!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64
`A12_ScrubContext->ErrorFileOffset` HexInt64
`A13_ScrubbedLength` HexInt64
`A14_ScrubContext->OperationStatus` HexInt32
`A15_ScrubContext->NumberOfBytesFailed` HexInt64
`A16_ScrubContext->NumberOfBytesRepaired` HexInt64
`A17_NewParityExtentCount` UInt32

Event ID 405: task_0405

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! DsmAction_Scrub call failed, Status: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32

Event ID 406: task_0406

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! DsmAction_Scrub operation failed, Status: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32

Event ID 407: task_0407

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Scb->TxfScb` Pointer

Event ID 408: task_0408

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Event ID 409: task_0409

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Event ID 410: task_0410

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FSCTL_REPAIR_COPIES interrupted by thread termination.

Event ID 411: task_0411

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FSCTL_REPAIR_COPIES canceled

Event ID 412: task_0412

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64

Event ID 413: task_0413

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:%2!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64

Event ID 414: task_0414

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartingVcn` HexInt64
`A12_ClusterCount` HexInt64

Event ID 415: task_0415

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! RepairDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) FileOffset: %5!#I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_RepairDataSetRange->StartingOffset` HexInt64
`A12_RepairDataSetRange->StartingOffset + RepairDataSetRange->LengthInBytes` HexInt64
`A13_RepairDataSetRange->LengthInBytes` HexInt64
`A14_RepairFileOffset` HexInt64

Event ID 416: task_0416

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! DsmAction_Repair call failed, Status: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32

Event ID 417: task_0417

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! DsmAction_Repair operation failed, Status: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_IrpStatus` HexInt32

Event ID 418: task_0418

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb:%1!p! DsmAction_Repair completed, IrpStatus: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_RepairCopiesOutput->Status` HexInt32

Event ID 419: task_0419

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 420: task_0420

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 421: task_0421

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 422: task_0422

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 423: task_0423

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckForSection: File already has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!.

Event ID 424: task_0424

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Irp RequestorMode: %9!d!.

Event ID 425: task_0425

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, VcbState: 0x%9!08x!.

Event ID 426: task_0426

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsShuffleFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 427: task_0427

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Event ID 428: task_0428

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Irp RequestorMode: %8!d!.

Event ID 429: task_0429

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, VcbState: 0x%8!08x!.

Event ID 430: task_0430

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Event ID 431: task_0431

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Event ID 432: task_0432

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FileRef: %5!I64x!, FullFileName: %6!S!, Ccb access flags: %7!x!.

Event ID 433: task_0433

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Scb AttributeTypeCode: %8!x!, FcbState2: %9!x!, Ccb FullFileName: %10!S!, Ccb Access flags: %11!x!, Ccb Flags2: %12!x!.

Event ID 434: task_0434

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Scb AttributeTypeCode: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb Access flags: 0x%10!08x!.

Event ID 435: task_0435

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 436: task_0436

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Open status=0x%3!x!, path=&quot;%4!S!&quot;

Event ID 437: task_0437

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Enumerate status=0x%3!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_PsGetCurrentThread()` Pointer
`A12_Status` HexInt32

Event ID 438: task_0438

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Open status=0x%3!x!, file=&quot;%4!S!&quot;

Event ID 439: task_0439

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Close status=0x%3!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_PsGetCurrentThread()` Pointer
`A12_Status` HexInt32

Event ID 440: task_0440

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Close dir status=0x%3!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_PsGetCurrentThread()` Pointer
`A12_Status` HexInt32

Event ID 441: task_0441

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, EffectiveMode: %10!d!.

Event ID 442: task_0442

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

SCB: %1!p!, StartOffset: 0x%2!I64x!, Length: 0x%3!I64x!, StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_StartOffset` HexInt64
`A12_Length` HexInt64
`A13_StartVcn` HexInt64
`A14_BeyondEndVcn` HexInt64

Event ID 443: task_0443

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2!x!

Fields #

Name	Description
`A10_Status` HexInt32
`A11_Output->NumBadRanges` HexInt32

Event ID 444: task_0444

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FsInputRangeIndex: %1!u!, FileOffset: 0x%2!I64x!, VolumeOffset: 0x%3!I64x!, LengthInBytes: 0x%4!I64x!

Fields #

Name	Description
`A10_FsInputRangeIndex` UInt32
`A11_FsInputRanges[FsInputRangeIndex].FileOffset` HexInt64
`A12_FsInputRanges[FsInputRangeIndex].VolumeOffset` HexInt64
`A13_FsInputRanges[FsInputRangeIndex].LengthInBytes` HexInt64

Event ID 445: task_0445

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb: %1!p!, Status: %2!S!, AbnormalTermination: %3!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32
`A12_(BOOLEAN)AbnormalTermination()` UInt8

Event ID 446: task_0446

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Scb: %1!p!, Status: %2!S!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Status` HexInt32

Event ID 447: task_0447

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 448: task_0448

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Logic error of posting close to work queue.

Event ID 449: task_0449

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!, &apos;%3!S!&apos;} {RemainingName: &apos;%4!S!&apos;}

Event ID 450: task_0450

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindPrefixHashEntry: {Lcb: NULL}

Event ID 451: task_0451

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindPrefixHashEntry: {Lcb: %1!p!, &apos;%2!S!&apos;}

Event ID 452: task_0452

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFindPrefixHashEntry: {Lcb not found}

Event ID 453: task_0453

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsInsertHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {FullNameLength: %3!d!} {Lcb: %4!p!, &apos;%5!S!&apos;}

Event ID 454: task_0454

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {HashLcb: %3!p!, &apos;%4!S!&apos;}

Event ID 455: task_0455

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Checkpoint injection.  Count %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->CheckpointInjectionCount` Int32

Event ID 456: task_0456

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Log %2!d!%!PCT! full.  Wait for CC to flush metadata first. Count %3!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_PercentFull` Int32
`A12_Vcb->WaitForCcLoggedDataActivityCount` Int32

Event ID 457: task_0457

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Done waiting for CC to flush metadata

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 458: task_0458

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Injected checkpoint.

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 459: task_0459

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Start of checkpoint

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 460: task_0460

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Clean checkpoint. Count %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->CleanCheckpointCount` Int32

Event ID 461: task_0461

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Overflowed DPT. Count %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->OverflowedDPTCount` Int32

Event ID 462: task_0462

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Fuzzy checkpoint. Count %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->FuzzyCheckpointCount` Int32

Event ID 463: task_0463

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Flush oldest FO.  Count %2!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->FlushOldestFOCount` Int32

Event ID 464: task_0464

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Flush starts with FRef %2!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference )` HexInt64

Event ID 465: task_0465

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Flush ends.  FO %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_DirtyPageContext.OldestFileObject` Pointer

Event ID 466: task_0466

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 467: task_0467

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Checkpoint completed.

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 468: task_0468

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p!.  Leaving NtfsCheckpointVolume.

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 469: task_0469

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 470: task_0470

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 471: task_0471

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsWriteLog failure %4!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 472: task_0472

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsWriteLog failure %4!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 473: task_0473

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): LfsFlushToLsn failure %4!x! Count %5!d!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32
`A14_FailedFlushCount` Int32

Event ID 474: task_0474

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsProcessNewLengthQueue failure %4!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 475: task_0475

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsProcessNewLengthQueue failure %4!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 476: task_0476

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 477: task_0477

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 478: task_0478

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Entering - ActiveLsn: %2!I64x!, ClearAll: %3!S!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_ActiveLsn->QuadPart` HexInt64
`A12_ClearAll` UInt32

Event ID 479: task_0479

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 480: task_0480

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list  - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 481: task_0481

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found frozen deallocated clusters with %2!I64x! clusters

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Clusters->ClusterCount` HexInt64

Event ID 482: task_0482

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 483: task_0483

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 484: task_0484

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found a deallocated clusters %2!p! with %3!I64x! clusters, Lsn: %4!I64x!, Flags: %5!08x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Clusters` Pointer
`A12_Clusters->ClusterCount` HexInt64
`A13_Clusters->Lsn.QuadPart` HexInt64
`A14_Clusters->Flags` HexInt32

Event ID 485: task_0485

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb: %1!p!, Processing range. DeallocatedClusters: %2!p!, RunIndex: %3!d!, StartingLcn: %4!I64x!, ClusterCount: %5!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Clusters` Pointer
`A12_i` Int32
`A13_StartingLcn` HexInt64
`A14_ClusterCount` HexInt64

Event ID 486: task_0486

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Looking for dangling MDLs

Event ID 487: task_0487

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FsLibGroupSubExtentsByDanglingMdl failed: %1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 488: task_0488

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

FsLibAddBaseMcbEntryEx failed: %1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 489: task_0489

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: %1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 490: task_0490

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: %1

Fields #

Name	Description
`A10_Status` HexInt32

Event ID 491: task_0491

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

No sub extents has dangling MDL

Event ID 492: task_0492

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Telling volsnap freeing at %2!I64x! for %3!x! clusters

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_StartingLcn` HexInt64
`A12_(ULONG)ClusterCount` HexInt32

Event ID 493: task_0493

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Volsnap responsed with freeing at %2!I64x! for %3!x! clusters

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_StartingLcn + StartingIndex` HexInt64
`A12_runLength` HexInt32

Event ID 494: task_0494

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Got error 0x%2!x! from below

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Status` HexInt32

Event ID 495: task_0495

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Deleting MarkUnusedContext %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_MarkUnusedContext` Pointer

Event ID 496: task_0496

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Leaving

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 497: task_0497

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Length: 0x%4!I64x!

Fields #

Name	Description
`A10_Mcb->Scb` Pointer
`A11_Mcb` Pointer
`A12_StartingVcn` HexInt64
`A13_Count` HexInt64

Event ID 498: task_0498

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRemoveNtfsMcbEntry Mcb: %1!p! Completed.

Fields #

Name	Description
`A10_Mcb` Pointer

Event ID 499: task_0499

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Length: 0x%5!I64x!

Fields #

Name	Description
`A10_Mcb->Scb` Pointer
`A11_Mcb` Pointer
`A12_Vcn` HexInt64
`A13_Lcn` HexInt64
`A14_RunCount` HexInt64

Event ID 500: task_0500

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAddNtfsMcbEntry Mcb: %1!p!, Result: %2!S!

Fields #

Name	Description
`A10_Mcb` Pointer
`A11_Result` UInt32

Event ID 501: task_0501

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUnloadNtfsMcbRange Scb: %1!p!, Mcb: %2!p!, StartVcn: 0x%3!I64x!, EndVcn: 0x%4!I64x!, TruncateOnly: %5!S!

Fields #

Name	Description
`A10_Mcb->Scb` Pointer
`A11_Mcb` Pointer
`A12_StartingVcn` HexInt64
`A13_EndingVcn` HexInt64
`A14_TruncateOnly` UInt32

Event ID 502: task_0502

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUnloadNtfsMcbRange Mcb: %1!p! Completed.

Fields #

Name	Description
`A10_Mcb` Pointer

Event ID 503: task_0503

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Valid NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_BootSector` Pointer

Event ID 504: task_0504

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Not an NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!; CheckNumber: %3!d!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_BootSector` Pointer
`A12_CheckNumber` Int32

Event ID 505: task_0505

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMountVolume: Vcb:%1!p!, IC:%2!p!, Growing allocation for Mft&apos;s Attribute List failed with exception:0x%3!x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->ExceptionStatus` HexInt32

Event ID 506: task_0506

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsMountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 507: task_0507

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Mounting DAX partition. Vcb: %1!p!

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 508: task_0508

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: %1!p!

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 509: task_0509

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Mft AttributeList not found, skipping growth

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer

Event ID 510: task_0510

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Converting Resident AttributeList(size:0x%3!I64x!) to NonResident

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_AttrListAllocationSize` HexInt64

Event ID 511: task_0511

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p!, AttrListScb:%3!p! Added Allocation for NonResident AttributeList (old size:0x%4!I64x!)

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Scb` Pointer
`A13_AttrListAllocationSize` HexInt64

Event ID 512: task_0512

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected exception code of 0x%1!x! received

Fields #

Name	Description
`A10_ExceptionCode` HexInt32

Event ID 513: task_0513

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Exception code of 0x%1!x! received during mount.

Fields #

Name	Description
`A10_ExceptionCode` HexInt32

Event ID 514: task_0514

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected exception code of 0x%1!x! received.

Fields #

Name	Description
`A10_ExceptionCode` HexInt32

Event ID 515: task_0515

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

LogFileFull %1 BackTrace: ln %2!p!; ln %3!p!; ln %4!p!; ln %5!p!; ln %6!p!; ln %7!p!; ln %8!p!; ln %9!p!; ln %10!p!; ln %11!p!; ln %12!p!; ln %13!p!; ln %14!p!; ln %15!p!; ln %16!p!; ln %17!p!; ln %18!p!; ln %19!p!; ln %20!p!; ln %21!p!;

Fields #

Name	Description
`A10_IrpContext->LogFullReason` UInt32
`A11_BackTrace[0]` Pointer
`A12_BackTrace[1]` Pointer
`A13_BackTrace[2]` Pointer
`A14_BackTrace[3]` Pointer
`A15_BackTrace[4]` Pointer
`A16_BackTrace[5]` Pointer
`A17_BackTrace[6]` Pointer
`A18_BackTrace[7]` Pointer
`A19_BackTrace[8]` Pointer
`A20_BackTrace[9]` Pointer
`A21_BackTrace[10]` Pointer
`A22_BackTrace[11]` Pointer
`A23_BackTrace[12]` Pointer
`A24_BackTrace[13]` Pointer
`A25_BackTrace[14]` Pointer
`A26_BackTrace[15]` Pointer
`A27_BackTrace[16]` Pointer
`A28_BackTrace[17]` Pointer
`A29_BackTrace[18]` Pointer
`A30_BackTrace[19]` Pointer

Event ID 516: task_0516

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected raise of 0x%1!x! during critical non-raise code

Fields #

Name	Description
`A10_ExceptionCode` HexInt32

Event ID 517: task_0517

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ExceptionCode` HexInt32

Event ID 518: task_0518

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_ExceptionCode` HexInt32

Event ID 519: task_0519

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Count %4!x!, Status %5!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Irp` Pointer
`A12_IrpContext->Vcb` Pointer
`A13_NtfsFailedAborts` HexInt32
`A14_GetExceptionCode()` HexInt32

Event ID 520: task_0520

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Scb %4!p!, FileRef %5!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Irp` Pointer
`A12_IrpContext->Vcb` Pointer
`A13_NextScb` Pointer
`A14_*(PULONGLONG)_NextScb->Fcb->FileReference` HexInt64

Event ID 521: task_0521

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x%1!08x!%2!08x!

Fields #

Name	Description
`A10_IrpSp->Parameters.Write.ByteOffset.HighPart` HexInt32
`A11_IrpSp->Parameters.Write.ByteOffset.LowPart` HexInt32

Event ID 522: task_0522

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Setting 0x%1!x! in top-level exception status for write @ 0x%2!08x!%3!08x!

Fields #

Name	Description
`A10_ExceptionCode` HexInt32
`A11_IrpSp->Parameters.Write.ByteOffset.HighPart` HexInt32
`A12_IrpSp->Parameters.Write.ByteOffset.LowPart` HexInt32

Event ID 523: task_0523

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

Name	Description
`A10_IrpSp->MajorFunction` UInt32
`A11_IrpSp->MinorFunction` HexInt32
`A12_Irp` Pointer
`A13_IrpContext` Pointer
`A14_Status` HexInt32

Event ID 524: task_0524

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

Name	Description
`A10_IrpSp->MajorFunction` UInt32
`A11_IrpSp->MinorFunction` HexInt32
`A12_Irp` Pointer
`A13_IrpContext` Pointer
`A14_Status` HexInt32

Event ID 525: task_0525

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Can&apos;t handle invalid bitmap in a positive way.

Event ID 526: task_0526

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS ETW tracing is now active.

Event ID 527: task_0527

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Updating NtfsMinTrimTotalSize to %1!x!.

Fields #

Name	Description
`A10_MinTrimTotalSize` HexInt32

Event ID 528: task_0528

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Updating NtfsMaxTrimTotalSize to %1!x!.

Fields #

Name	Description
`A10_MaxTrimTotalSize` HexInt32

Event ID 529: task_0529

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 530: task_0530

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetObjectIdExtendedInfo: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 531: task_0531

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Event ID 532: task_0532

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)Vcb->TxfVcb.DefaultRm` Pointer
`A12__Vcb->TxfVcb.DefaultRm->RmId` GUID

Event ID 533: task_0533

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Event ID 534: task_0534

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonSetQuota: Caller does not have manage volume privilege and it&apos;s not quota file. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, Ccb Flags: 0x%10!08x!.

Event ID 535: task_0535

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected Paging-Read on DAX mappable stream, Scb=%1!p!

Fields #

Name	Description
`A10_Scb` Pointer

Event ID 536: task_0536

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 537: task_0537

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetReparsePointEx: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 538: task_0538

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeleteReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Event ID 539: task_0539

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->LogFileObject` Pointer
`A12_IrpContext` Pointer

Event ID 540: task_0540

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReleaseVcbCheckDelete - deleted Vcb: %1!p!, IC: %2!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer

Event ID 541: task_0541

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Vcb->LogFileObject` Pointer
`A12_IrpContext` Pointer

Event ID 542: task_0542

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 543: task_0543

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->TransactionId` HexInt32

Event ID 544: task_0544

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction::InitializeFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64

Event ID 545: task_0545

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction::DeallocateFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64

Event ID 546: task_0546

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction::WriteEndOfFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x! Off:0x%6!x!, Len:0x%7!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A14_Attribute->TypeCode` HexInt32
`A15_LogRecord->RecordOffset` HexInt32
`A16_Length` HexInt32

Event ID 547: task_0547

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction::CreateAttribute IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A14_((PATTRIBUTE_RECORD_HEADER)Data)->TypeCode` HexInt32

Event ID 548: task_0548

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartChangeValue IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, FileRef:0x%5!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A14_NtfsFullSegmentNumber( _FileReference )` HexInt64

Event ID 549: task_0549

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction::SetNewAttributeSizes IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x! OLD: Alloc:%5!I64x!, FileSize:%6!I64x!, VDL:%7!I64x!, TotalAlloc:%8!I64x! NEW: Alloc:%9!I64x!, FileSize:%10!I64x!, VDL:%11!I64x!, TotalAlloc:%12!I64x!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_FileRecord->SegmentNumberHighPart` HexInt32
`A12_FileRecord->SegmentNumberLowPart` HexInt32
`A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )` HexInt64
`A14_Attribute->Form.Nonresident.AllocatedLength` HexInt64
`A15_Attribute->Form.Nonresident.FileSize` HexInt64
`A16_Attribute->Form.Nonresident.ValidDataLength` HexInt64
`A17_Attribute->Form.Nonresident.TotalAllocated` HexInt64
`A18_Sizes->AllocationSize` HexInt64
`A19_Sizes->FileSize` HexInt64
`A20_Sizes->ValidDataLength` HexInt64
`A21_Sizes->TotalAllocated` HexInt64

Event ID 550: task_0550

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction(SetBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12__Bitmap` Pointer

Event ID 551: task_0551

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

DoAction(ClearBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Vcb` Pointer
`A12__Bitmap` Pointer

Event ID 552: task_0552

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Event ID 553: task_0553

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!.

Event ID 554: task_0554

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!.

Event ID 555: task_0555

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Txf Writers Count: %7!d!.

Event ID 556: task_0556

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Original status: %7!S!.

Event ID 557: task_0557

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Event ID 558: task_0558

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Event ID 559: task_0559

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Event ID 560: task_0560

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Event ID 561: task_0561

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb AccessFlags: 0x%7!08x!, TxfAccessCheck access status: %8!S!.

Event ID 562: task_0562

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Event ID 563: task_0563

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 564: task_0564

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Event ID 565: task_0565

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 566: task_0566

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 567: task_0567

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NTFS ETW tracing is shutting down.

Event ID 568: task_0568

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 569: task_0569

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 570: task_0570

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRepairStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 571: task_0571

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Fcb State: 0x%7!08x!, Ccb FullFileName: %8!S!.

Event ID 572: task_0572

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsSetStorageReserveIdInfo: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 573: task_0573

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Operation flags: 0x%9!08x!.

Event ID 574: task_0574

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a &quot;restricted area&quot;. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 575: task_0575

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Failed to get a non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Status` HexInt32

Event ID 576: task_0576

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Failed to free non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_Status` HexInt32

Event ID 577: task_0577

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: %1!p!, TotalAllocated: 0x%2!I64x!

Fields #

Name	Description
`A10_Scb` Pointer
`A11_Scb->TotalAllocated` HexInt64

Event ID 578: task_0578

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: %1!p!, Lsn: %2!I64x!

Fields #

Name	Description
`A10_CurrentClusters` Pointer
`A11_CurrentClusters->Lsn.QuadPart` HexInt64

Event ID 579: task_0579

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

ClustersLinkAsHead: %1!p!, FlagsToMatch: 0x%2!x!, InsertAfter: %3!S!

Fields #

Name	Description
`A10_ClustersLinkAsHead` Pointer
`A11_FlagsToMatch` HexInt32
`A12_InsertAfter` UInt32

Event ID 580: task_0580

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Clusters: %1!p!, Flags: 0x%2!x!

Fields #

Name	Description
`A10_Clusters` Pointer
`A11_Clusters->Flags` HexInt32

Event ID 581: task_0581

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Matching cluster: %1!p!, NumberOfRuns: 0x%2!x!

Fields #

Name	Description
`A10_Clusters` Pointer
`A11_NumberOfRuns` HexInt32

Event ID 582: task_0582

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Clusters: %1!p!

Fields #

Name	Description
`A10_Clusters` Pointer

Event ID 583: task_0583

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Allocated new deallocated clusters

Event ID 584: task_0584

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Need to add Range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

Name	Description
`A10_!FlagOn( Clusters->Flags` UInt32
`)` DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL
`A11_Clusters` Pointer
`A12_Lcn` HexInt64
`A13_ClusterCount` HexInt64

Event ID 585: task_0585

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Added range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

Name	Description
`A10_!FlagOn( Clusters->Flags` UInt32
`)` DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL
`A11_Clusters` Pointer
`A12_Lcn` HexInt64
`A13_ClusterCount` HexInt64

Event ID 586: task_0586

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfCheckForLockConflict: File locked for modify transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!,Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfFcb Flags: 0x%7!08x!, ShareMode: 0x%8!08x!.

Event ID 587: task_0587

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Event ID 588: task_0588

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfCheckForLockConflict: Modification access desired. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Event ID 589: task_0589

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!, Reader cleanup count: %8!d!.

Event ID 590: task_0590

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_CallerFunction` AnsiString
`A12_CallerFile` AnsiString
`A13_CallerLineNumber` Int32
`A14_(PVOID)TxfRmcb` Pointer
`A15__TxfRmcb->RmId` GUID
`A16_(PVOID)TxfTrans` Pointer
`A17__TxfTrans->KtmUow` GUID
`A18_AbortReasonStatus` HexInt32

Event ID 591: task_0591

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_CallerFunction` AnsiString
`A12_CallerFile` AnsiString
`A13_CallerLineNumber` Int32
`A14_(PVOID)TxfRmcb` Pointer
`A15__TxfRmcb->RmId` GUID
`A16_(PVOID)TxfTrans` Pointer
`A17__TxfTrans->KtmUow` GUID
`A18_Status` HexInt32

Event ID 592: task_0592

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_TxfTrans` Pointer
`A14__TxfTrans->KtmUow` GUID

Event ID 593: task_0593

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_TxfTrans` Pointer
`A14__TxfTrans->KtmUow` GUID

Event ID 594: task_0594

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!}: Unexpected exception code of 0x%4!x! received.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb` Pointer
`A12__CalloutParameters->TxfFlush.TxfRmcb->RmId` GUID
`A13_GetExceptionCode()` HexInt32

Event ID 595: task_0595

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 596: task_0596

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: TM could not be initialized

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 597: task_0597

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: RM log corrupt

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 598: task_0598

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: log version changed

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 599: task_0599

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 600: task_0600

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 601: task_0601

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields #

Name	Description
`A10___FUNCTION__` AnsiString

Event ID 602: task_0602

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxfStartRm reports RM will be reset: 0x%2!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_FailureStatus` HexInt32

Event ID 603: task_0603

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM did not start and WILL NOT be reset, status code is 0x%2!x!!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_FailureStatus` HexInt32

Event ID 604: task_0604

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Could not initialize IrpContext: 0x%2!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_Status` HexInt32

Event ID 605: task_0605

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 606: task_0606

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2!x! for default RM on VCB at 0x%3!p!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_TempStatus` HexInt32
`A12_(PVOID)Vcb` Pointer

Event ID 607: task_0607

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Exception code 0x%2!x!, Status 0x%3!x! for default RM on VCB at 0x%4!p!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_GetExceptionCode()` HexInt32
`A12_Status` HexInt32
`A13_(PVOID)Vcb` Pointer

Event ID 608: task_0608

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Couldn&apos;t reset default RM on VCB at 0x%2!p! after %3!d! tries: 0x%4!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)Vcb` Pointer
`A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT` Int32
`A13_OldStatus` HexInt32

Event ID 609: task_0609

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Exception 0x%2!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3!p!.  RM will NOT be reset.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_GetExceptionCode()` HexInt32
`A12_(PVOID)Vcb` Pointer

Event ID 610: task_0610

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: %2!S! auto-restart of RM at 0x%3!p! ({%4!S!}): 0x%5!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')` AnsiString
`A12_(PVOID)TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID
`A14_Status` HexInt32

Event ID 611: task_0611

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Attempting auto-restart of RM at 0x%2!p! ({%3!S!})

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 612: task_0612

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Volume too small to start RM at 0x%2!p! ({%3!S!})

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 613: task_0613

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: invalid flags in $Tops

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 614: task_0614

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 615: task_0615

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Raising to reset RM at 0x%2!p! ({%3!S!}): Explicit reset requested

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 616: task_0616

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Event ID 617: task_0617

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: no TXF_DATA in root

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 618: task_0618

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!}: Different nesting levels of 0x%4!x! and 0x%5!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_LogNestingLevel` HexInt32
`A14_DiskNestingLevel` HexInt32

Event ID 619: task_0619

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 620: task_0620

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 621: task_0621

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: RmID in restart area does not match {%4!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13__ClfsRestartArea->RmId` GUID

Event ID 622: task_0622

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Got %2!d! from ClfsGetLogFileInformation for RM at 0x%3!p! {%4!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_Status` Int32
`A12_(PVOID)TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID

Event ID 623: task_0623

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Restart LSN is before beginning of log.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 624: task_0624

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: MinRollforwardEndLsn is beyond end of log.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 625: task_0625

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxF RM at 0x%2!p! {%3!S!} started successfully.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 626: task_0626

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: TxF RM at 0x%2!p! {%3!S!} failed to start with Status 0x%4!x! %5!S!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_Status` HexInt32
`A14_AbnormalTermination() ? '(abnormal termination)' : ''` AnsiString

Event ID 627: task_0627

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Shutting down %2!S! RM at 0x%3!p! {%4!S!}.  Shutdown is %5!S!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(TxfIsDefaultRm( TxfRmcb ) ? 'default' : 'secondary')` AnsiString
`A12_(PVOID)TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID
`A14_(ForceDirtyShutdown ? 'DIRTY!' : 'CLEAN.')` AnsiString

Event ID 628: task_0628

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Setting RM at 0x%2!p! {%3!S!} up for auto-restart.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 629: task_0629

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CleanupCount: %7!d!.

Event ID 630: task_0630

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

(%1:%2!d!) - TXF_HARD_ERROR on RM at 0x%3!p! ({%4!S!}): %5!S!)

Fields #

Name	Description
`A10_FILEID_FROM_SOURCE( FileNLine )` UInt32
`A11_LINENUM_FROM_SOURCE( FileNLine )` Int32
`A12_TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID
`A14_Status` HexInt32

Event ID 631: task_0631

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__OldGuid` GUID
`A13__TxfRmcb->RmId` GUID

Event ID 632: task_0632

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_(PVOID)TxfTrans` Pointer
`A14__TxfTrans->KtmUow` GUID
`A15_Status` HexInt32

Event ID 633: task_0633

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__OldGuid` GUID
`A13__TxfRmcb->RmId` GUID

Event ID 634: task_0634

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RmRootFcb: %5!p!.

Event ID 635: task_0635

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, BackupInfo flags: 0x%5!08x!.

Event ID 636: task_0636

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found too high of a TxF ID in log

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 637: task_0637

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Error Setting Delete Disposition: 0x%2!x!  FileObject: 0x%3!p!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_Status` HexInt32
`A12_(PVOID)FileObject` Pointer

Event ID 638: task_0638

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Got a RECOVER notification for a transaction that isn&apos;t in-doubt

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 639: task_0639

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Attribute Type Code: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb flags: 0x%10!08x!.

Event ID 640: task_0640

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfSetupTransactionContextFromCcb: Invalid TxF structure. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, TxfFo: %8!p!, KtmTrans: %9!p!, TxfRmcb: %10!p!, Ccb FullFileName: %11!S!

Event ID 641: task_0641

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, FO write access: %10!d!, FO delete access: %11!d!.

Event ID 642: task_0642

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} raising 0x%4!x! to KTM!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_ExceptionCode` HexInt32

Event ID 643: task_0643

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Commit (0x%2!x!) of%3!S!tx {%4!S!} on RM at 0x%5!p! {%6!S!} failed with 0x%7!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_TransactionNotification` HexInt32
`A12_(TransactionAlreadyPrepared ? ' PREPARED ' : ' ')` AnsiString
`A13__TxfTrans->KtmUow` GUID
`A14_(PVOID)TxfRmcb` Pointer
`A15__TxfRmcb->RmId` GUID
`A16_Status` HexInt32

Event ID 644: task_0644

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify commit)

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_TxfTrans` Pointer
`A14__TxfTrans->KtmUow` GUID

Event ID 645: task_0645

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify rollback)

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_TxfTrans` Pointer
`A14__TxfTrans->KtmUow` GUID

Event ID 646: task_0646

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2!p! {%3!S!}: 0x%4!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)Trans->TxfRmcb` Pointer
`A12__Trans->TxfRmcb->RmId` GUID
`A13_FlushStatus` HexInt32

Event ID 647: task_0647

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} trying to abort transaction at 0x%4!p! {%5!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_Trans` Pointer
`A14__Trans->KtmUow` GUID

Event ID 648: task_0648

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Aborting call stack: 0x%2!p! 0x%3!p! 0x%4!p! 0x%5!p! 0x%6!p!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_CallStack[0]` Pointer
`A12_CallStack[1]` Pointer
`A13_CallStack[2]` Pointer
`A14_CallStack[3]` Pointer
`A15_CallStack[4]` Pointer

Event ID 649: task_0649

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_Trans` Pointer
`A14__Trans->KtmUow` GUID

Event ID 650: task_0650

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: 0x%2!x! initializing IrpContext for tx at %3!p! {%4!S!}, RM at %5!p! {%6!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_Status` HexInt32
`A12_(PVOID)Trans` Pointer
`A13__Trans->KtmUow` GUID
`A14_(PVOID)TxfRmcb` Pointer
`A15__TxfRmcb->RmId` GUID

Event ID 651: task_0651

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: 0x%2!x! writing log record for RM at 0x%3!p! {%4!S!}, Tx at 0x%5!p! {%6!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_Status` HexInt32
`A12_(PVOID)TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID
`A14_(PVOID)Trans` Pointer
`A15__Trans->KtmUow` GUID

Event ID 652: task_0652

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: About to force aborts on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 653: task_0653

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: BaseLsn is greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 654: task_0654

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: No transactions remain on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 655: task_0655

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Transaction&apos;s first undo LSN greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 656: task_0656

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} surprise-aborting transaction at 0x%4!p! {%5!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_OldestTrans` Pointer
`A14__OldestTrans->KtmUow` GUID

Event ID 657: task_0657

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!} got 0x%4!x! from TxfTryAbortTransaction on Tx 0x%5!p! {%6!S!}

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_Status` HexInt32
`A14_OldestTrans` Pointer
`A15__OldestTrans->KtmUow` GUID

Event ID 658: task_0658

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Inactive RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 659: task_0659

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Log is pinned on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 660: task_0660

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back KTM Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_(PVOID)TransToDereference` Pointer
`A14__TransToDereference->KtmUow` GUID
`A15_Status` HexInt32

Event ID 661: task_0661

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Log pinned trying to advance RestartLsn on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 662: task_0662

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Log pinned by doomed transaction on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 663: task_0663

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Reporting 0x%2!X! to CLFS from RM at 0x%3!p! {%4!S!}: 0x%5!x!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_PinnedStatus` HexInt32
`A12_(PVOID)TxfRmcb` Pointer
`A13__TxfRmcb->RmId` GUID
`A14_Status` HexInt32

Event ID 664: task_0664

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Done forcing aborts on RM at 0x%2!p! {%3!S!}.

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 665: task_0665

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Txf directory is missing in pre-existing RM

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 666: task_0666

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 667: task_0667

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found non-empty $Txf but there is no log

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 668: task_0668

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn&apos;t find $INDEX_ROOT on $Txf

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 669: task_0669

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn&apos;t find TXF_DATA_ATTR on $Txf

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 670: task_0670

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 671: task_0671

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Expected a secondary RM here

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 672: task_0672

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but $Txf is non-empty

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 673: task_0673

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but there is already a log

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 674: task_0674

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is %4!S!

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID
`A13_(IsEncrypted( _TopsFcb->Info ) ? 'encrypted' : 'compressed')` AnsiString

Event ID 675: task_0675

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Missing $STANDARD_INFORMATION

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 676: task_0676

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn&apos;t find file attributes

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 677: task_0677

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is corrupt

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 678: task_0678

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Could not find unnamed data stream

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 679: task_0679

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong version or records wrong size

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 680: task_0680

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong size

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 681: task_0681

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 682: task_0682

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Epoch in $Tops metadata doesn&apos;t match RM

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 683: task_0683

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn&apos;t find $T stream

Fields #

Name	Description
`A10___FUNCTION__` AnsiString
`A11_(PVOID)TxfRmcb` Pointer
`A12__TxfRmcb->RmId` GUID

Event ID 684: task_0684

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsReadUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 685: task_0685

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): Decided to trim usn journal.  FirstValidUsn %3!I64x!, new FirstValidUsn %4!I64x!, FS %5!I64x!, AS %6!I64x!, MaxSize %7!I64x!, DeltaSize %8!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_Vcb->FirstValidUsn` HexInt64
`A13_FirstValidUsn` HexInt64
`A14_TrackUsnJournalFileSize` HexInt64
`A15_TrackUsnJournalAllocationSize` HexInt64
`A16_TrackUsnJournalMaxSize` HexInt64
`A17_TrackUsnJournalDeltaAllocation` HexInt64

Event ID 686: task_0686

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): About to delete allocation till %3!I64x!, SavedReserve %4!I64x!, RequiredReserve %5!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_FirstValidUsn - 1` HexInt64
`A13_SavedReserved` HexInt64
`A14_RequiredReserved` HexInt64

Event ID 687: task_0687

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): Before trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_UsnJournal->Header.AllocationSize.QuadPart` HexInt64
`A13_UsnJournal->Header.FileSize.QuadPart` HexInt64
`A14_UsnJournal->Header.ValidDataLength.QuadPart` HexInt64
`A15_UsnJournal->TotalAllocated` HexInt64

Event ID 688: task_0688

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): After trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_UsnJournal->Header.AllocationSize.QuadPart` HexInt64
`A13_UsnJournal->Header.FileSize.QuadPart` HexInt64
`A14_UsnJournal->Header.ValidDataLength.QuadPart` HexInt64
`A15_UsnJournal->TotalAllocated` HexInt64

Event ID 689: task_0689

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): Mapping pairs validated

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer

Event ID 690: task_0690

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

TrimUsnJournal (%1!p!, %2!p!): Checkpointed

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer

Event ID 691: task_0691

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!.

Event ID 692: task_0692

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Event ID 693: task_0693

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsRestartUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Event ID 694: task_0694

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtOfsCreateAttributeEx: Stream already has a open user handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb CleanupCount: %10!d!.

Event ID 695: task_0695

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Extending journal from AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, to AS %8!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->OriginatingIrp` Pointer
`A13_PsGetCurrentThread()` Pointer
`A14_Scb->Header.AllocationSize.QuadPart` HexInt64
`A15_Scb->Header.FileSize.QuadPart` HexInt64
`A16_Scb->Header.ValidDataLength.QuadPart` HexInt64
`A17_NewAllocationSize` HexInt64

Event ID 696: task_0696

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Done extending journal AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, TA %8!I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->OriginatingIrp` Pointer
`A13_PsGetCurrentThread()` Pointer
`A14_Scb->Header.AllocationSize.QuadPart` HexInt64
`A15_Scb->Header.FileSize.QuadPart` HexInt64
`A16_Scb->Header.ValidDataLength.QuadPart` HexInt64
`A17_Scb->TotalAllocated` HexInt64

Event ID 697: task_0697

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsWriteFileSizes

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->OriginatingIrp` Pointer
`A13_PsGetCurrentThread()` Pointer

Event ID 698: task_0698

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_IrpContext` Pointer
`A12_IrpContext->OriginatingIrp` Pointer
`A13_PsGetCurrentThread()` Pointer

Event ID 699: task_0699

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtOfsPostNewLength (%1!p!,%2!p!,%3!p!): Status %4!x! before calling NtfsReadUsnJournal

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_IrpContext->OriginatingIrp` Pointer
`A12_PsGetCurrentThread()` Pointer
`A13_IrpContext->ExceptionStatus` HexInt32

Event ID 700: task_0700

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsIsRegionDangling: RemainingClusterCount: 0x%1!I64x!, Scb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Clusters: 0x%5!I64x!

Fields #

Name	Description
`A10_RemainingClusterCount` HexInt64
`A11_Scb` Pointer
`A12_Vcn` HexInt64
`A13_Lcn` HexInt64
`A14_ClusterCount` HexInt64

Event ID 701: task_0701

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p! - has *no* active PFNs

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 702: task_0702

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p! - failed to query active PFNs assuming there are some

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 703: task_0703

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Vcb %1!p! - has active PFNs

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 704: task_0704

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPerformDismountOnVcb: Vcb %1!p!

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 705: task_0705

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Found frozen deallocated clusters

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 706: task_0706

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Wait for any on going trim to finish

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 707: task_0707

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - No more on going trim

Fields #

Name	Description
`A10_Vcb` Pointer

Event ID 708: task_0708

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPerformDismountOnVcb: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Event ID 709: task_0709

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPostVcbIsCorrupt(%1!p!, %2!x!, %3!p!, %4!p!, %5!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == %6!x! before NtfsSetVcbDirtyFlag.

Fields #

Name	Description
`A10_IrpContext` Pointer
`A11_Status` HexInt32
`A12_FileReference` Pointer
`A13_Fcb` Pointer
`A14_Source` HexInt64
`A15_TopLevelExceptionStatus` HexInt32

Event ID 710: task_0710

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb %1!p!, WasDirty: %2!x!, FileReference %3!I64x!, Source %4!016I64x!

Fields #

Name	Description
`A10_Vcb` Pointer
`A11_WasDirty` HexInt32
`A12_NtfsFullSegmentNumber( _BugCheckFileReference )` HexInt64
`A13_Source` HexInt64

Event ID 711: task_0711

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Event ID 712: task_0712

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Event ID 713: task_0713

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Succeeding log write @ 0x%1!08x!%2!08x! after getting 0x%3!x! in top-level irpcontext

Fields #

Name	Description
`A10_IrpSp->Parameters.Write.ByteOffset.HighPart` HexInt32
`A11_IrpSp->Parameters.Write.ByteOffset.LowPart` HexInt32
`A12_IrpContext->TopLevelIrpContext->ExceptionStatus` HexInt32

Event ID 714: task_0714

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=%1!p!

Fields #

Name	Description
`A10_Scb` Pointer

Event ID 715: task_0715

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RequestedRange: 0x%5!I64x!, AllowedRange: 0x%6!I64x!.

Event ID 716: task_0716

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Ignoring write to 0x%1!I64x!, SCB length is 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

Name	Description
`A10_StartingVbo` HexInt64
`A11_Scb->Header.ValidDataLength.QuadPart` HexInt64
`A12_(ptrdiff_t) Scb` Pointer

Event ID 717: task_0717

Provider: Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3
Channel: ETW Trace

Message #

Truncating write from 0x%1!I64x! to 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

Name	Description
`A10_ByteRange` HexInt64
`A11_SectorAlignedVdl` HexInt64
`A12_(ptrdiff_t) Scb` Pointer

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 5f779e44-e6cb-3102-aab6-31f517ea40f3

Defined in ntfsres.dll, which carries the event manifest.

Observed on:

Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.6584, captured 2026-06-02

Downloads

Microsoft-Windows-NtfsLog_5f779e44e6cb3102aab631f517ea40f3 registered manifest XML (in the Win11-26200.6584 manifest pack, 2.0 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)