detection.wiki

Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f

708 events across 1 channel

EventTitleChannelSample
10NtfsLookupRealAllocation: Vcn A10_Vcn!OperationalN
11NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, …OperationalN
12FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!OperationalN
13NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, …OperationalN
14Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!OperationalN
15Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!OperationalN
16NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using …OperationalN
17Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!OperationalN
18Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!OperationalN
19NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List …OperationalN
20NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
21NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
22NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
23NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
24NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
25NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
26NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!OperationalN
27NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!OperationalN
28AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef …OperationalN
29DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef …OperationalN
30MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib …OperationalN
31MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, …OperationalN
32MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, …OperationalN
33NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!OperationalN
34MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
35MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
36MergeFRS2.OperationalN
37MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
38MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
39MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
40MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
41MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
42MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
43MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
44MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
45MergeFRS2.OperationalN
46MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
47MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
48RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
49RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef …OperationalN
50NtfsConsolidateAllFileRecords: Invalid Vcb.OperationalN
51NtfsConsolidateAllFileRecords: Volume is locked.OperationalN
52NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
53NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
54NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
55NtfsConsolidateAllFileRecords.OperationalN
56NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
57NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
58NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
59NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
60NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef …OperationalN
61NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
62NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
63NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
64NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef …OperationalN
65NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime …OperationalN
66UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef …OperationalN
67NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …OperationalN
68NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …OperationalN
69NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!OperationalN
70NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by …OperationalN
71NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: …OperationalN
72NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: …OperationalN
73NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …OperationalN
74NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR …OperationalN
75NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: …OperationalN
76NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR …OperationalN
77NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.OperationalN
78NtfsDeallocateClusters: Vcb A10_Vcb - adding clusters to DeallocatedClusters: …OperationalN
79NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!OperationalN
80NtfsDeallocateClusters: Skipped decrementing TotalAllocated by …OperationalN
81NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to …OperationalN
82NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: …OperationalN
83NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: …OperationalN
84NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: …OperationalN
85NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …OperationalN
86NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: …OperationalN
87NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …OperationalN
88NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: …OperationalN
89NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: …OperationalN
90NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: …OperationalN
91NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, …OperationalN
92NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …OperationalN
93NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: …OperationalN
94NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.OperationalN
95System files not marked as in use in the MFT bitmap.OperationalN
96Length: 0 --> BinIndex : 0 - Unexpected lengthOperationalN
97Length: A10_Length!OperationalN
98Length: A10_Length!OperationalN
99BinIndex: A10_BinIndex!OperationalN
100BinIndex: A10_BinIndex!OperationalN
101BinGroupShift: A10_NtfsCachedRunBinGroupShift!OperationalN
102BinIndex: A10_BinIndex!OperationalN
103Searched committed allocations but didnt find enough free space.OperationalN
104NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit …OperationalN
105NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading …OperationalN
106NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading …OperationalN
107NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing …OperationalN
108NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing …OperationalN
109NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC …OperationalN
110Illegal MDL Complete for major code A10_IrpContextMajorFunction.OperationalN
111Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!OperationalN
112RunEntry ==> A10_RunIndex!OperationalN
113Offset is beyond this extent skipping the extent.OperationalN
114Shrinking LengthInExtent.OperationalN
115Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!OperationalN
116Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex …OperationalN
117Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!OperationalN
118Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: …OperationalN
119RemainingClusterCount: 0xA10_RemainingClusterCount!OperationalN
120Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, …OperationalN
121DsmOut Ranges[A10_Index]: StartingAddress: …OperationalN
122Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!OperationalN
123Updating ExtentsDescriptor Index and StartOffset from Locals: …OperationalN
124Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!OperationalN
125Updating ExtentsDescriptor Index and StartOffset from Locals: …OperationalN
126IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!OperationalN
127Return.OperationalN
128Unexpected open type received: A10_TypeOfOpen.OperationalN
129Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.OperationalN
130Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.OperationalN
131Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.OperationalN
132Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: …OperationalN
133Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: …OperationalN
134NtfsCommonCreate: Volume is locked.OperationalN
135NtfsCommonVolumeOpen: Invalid create disposition for volume open.OperationalN
136NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.OperationalN
137NtfsCommonVolumeOpen: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: …OperationalN
138NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.OperationalN
139NtfsCommonVolumeOpen: Conlicting file objects.OperationalN
140NtfsHandlePagingFile: Paging file already open, paging files can only be opened …OperationalN
141NtfsHandlePagingFile: Cannot open system file as paging file.OperationalN
142NtfsHandlePagingFile: Persisted paging file already exists.OperationalN
143NtfsOpenFcbById: Invalid system file access.OperationalN
144NtfsOpenExistingPrefixFcb: Can not directly open txf directory.OperationalN
145NtfsOpenExistingPrefixFcb: Invalid system file access.OperationalN
146NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system …OperationalN
147NtfsOpenFile: Invalid system file access.OperationalN
148NtfsOpenFile: Deny open when txf rm is active.OperationalN
149NtfsCreateNewFile: Deny creation in system directory (except root).OperationalN
150NtfsCreateNewFile: Unable to create Ea for the file.OperationalN
151NtfsCreateNewFile: Unable to create in the $txf directory.OperationalN
152NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.OperationalN
153NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.OperationalN
154NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.OperationalN
155NtfsOpenAttributeInExistingFile: Denying access for volume root directory.OperationalN
156NtfsCreateNewFile: Not allowed to create streams on system files.OperationalN
157NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging …OperationalN
158NtfsOverwriteAttr: Denying access due to user being Ea blind.OperationalN
159NtfsOverwriteAttr: Deny access due to encryption happening on the stream.OperationalN
160NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this …OperationalN
161NtfsCheckValidAttributeAccess: Only read attributes access is supported on this …OperationalN
162NtfsCheckValidAttributeAccess: Deny access for protected system attributes.OperationalN
163NtfsOpenAttributeCheck: File already has user writable references.OperationalN
164NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.OperationalN
165NtfsOpenAttributeCheck: File was granted write access but has image section.OperationalN
166NtfsOpenAttribute: Denying write access on disallowed writes.OperationalN
167NtfsOpenAttribute: File already has user writable references.OperationalN
168NtfsOpenAttribute: Open for exclusive read access is not allowed.OperationalN
169NtfsOpenAttribute: File already has user writable references.OperationalN
170NtfsOpenAttribute: Open for exclusive read access is not allowed.OperationalN
171NtfsCheckExistingFile: Desired access conflicts with read-only state.OperationalN
172NtfsOpenExistingEncryptedStream: No encryption driver found.OperationalN
173NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on …OperationalN
174NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for …OperationalN
175NtfsFindStartingNode: Opening not allowed for txf name when RM is active.OperationalN
176NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.OperationalN
177NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.OperationalN
178NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.OperationalN
179NtfsReCheckShareAccess: Does not meet allow open requirement.OperationalN
180A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …OperationalN
181A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …OperationalN
182A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …OperationalN
183A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: …OperationalN
184NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at …OperationalN
185NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.OperationalN
186NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext …OperationalN
187NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting …OperationalN
188NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB …OperationalN
189NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, …OperationalN
190NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial …OperationalN
191NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt …OperationalN
192NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt …OperationalN
193NtfsMarkUnusedContextPostTrimProcessing: EnteringOperationalN
194NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext …OperationalN
195NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext …OperationalN
196NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.OperationalN
197NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount …OperationalN
198NtfsMarkUnusedContextPostTrimProcessing: LeavingOperationalN
199NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.OperationalN
200NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - …OperationalN
201NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off …OperationalN
202NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.OperationalN
203NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.OperationalN
204NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC …OperationalN
205NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate …OperationalN
206NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage …OperationalN
207NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …OperationalN
208NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …OperationalN
209NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC …OperationalN
210NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC …OperationalN
211NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC …OperationalN
212NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage …OperationalN
213NtfsMarkUnusedContextPreTrimWorkItemProcessing: LeavingOperationalN
214NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC …OperationalN
215NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC …OperationalN
216NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC …OperationalN
217NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.OperationalN
218NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.OperationalN
219NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.OperationalN
220NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.OperationalN
221NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.OperationalN
222NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted …OperationalN
223NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.OperationalN
224NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait …OperationalN
225NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds …OperationalN
226NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds …OperationalN
227NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold …OperationalN
228NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.OperationalN
229NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.OperationalN
230NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; …OperationalN
231NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping …OperationalN
232NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run …OperationalN
233NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count …OperationalN
234NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range …OperationalN
235NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!OperationalN
236NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; …OperationalN
237NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit …OperationalN
238NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.OperationalN
239NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.OperationalN
240NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.OperationalN
241NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap …OperationalN
242NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for …OperationalN
243NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will …OperationalN
244NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit …OperationalN
245NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.OperationalN
246NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.OperationalN
247NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling …OperationalN
248NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.OperationalN
249NtfsVolumeDasdIo: Data section blocking flush.OperationalN
250Could not find paging file run.OperationalN
251Could not find paging file MCB entry.OperationalN
252Could not find paging file run.OperationalN
253Writing to $Bitmap.OperationalN
254NTFS: Posting hotfix on file object: A10_FileObject.OperationalN
255NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!OperationalN
256NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!OperationalN
257NTFS: Reallocating Bad VcnOperationalN
258NTFS: Bad Cluster replacedOperationalN
259IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!OperationalN
260Compression buffers are already big enough.OperationalN
261Event ID 261OperationalN
262IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!OperationalN
263Compression buffers are already big enough.OperationalN
264Event ID 264OperationalN
265NtfsDefragFileInternal: Defrag is denied.OperationalN
266NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.OperationalN
267NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.OperationalN
268NtfsDefragFileInternal: Defrag is denied.OperationalN
269NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
270NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
271NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
272NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
273NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
274NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef …OperationalN
275NtfsDefragFile: Defrag is denied without manage volume access.OperationalN
276NtfsEncryptDecryptOnline: Defrag is denied.OperationalN
277NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.OperationalN
278NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.OperationalN
279NtfsEncryptDecryptOnline: Defrag is denied.OperationalN
280SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!OperationalN
281StartOff=0xA10_QueryDaxExtentsFileOffset!OperationalN
282NumberOfValidRuns: 0OperationalN
283RemainingClusterCount: 0xA10_RemainingClusterCount!OperationalN
284STATUS_BUFFER_TOO_SMALL from FsLib.OperationalN
285Made an educated guess for remaining runs.OperationalN
286Made a wild guess for remaining runs.OperationalN
287NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!OperationalN
288BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!OperationalN
289About to zero range - ZeroStart: 0xA10_ZeroStart!OperationalN
290Zeroed range - ZeroStart: 0xA10_ZeroStart!OperationalN
291NtfsCommonQueryInformation: File information query not allowed as file was …OperationalN
292NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read …OperationalN
293NtfsQueryNameInfo: Name info query not allowed as file was opened without …OperationalN
294NtfsQueryLinksInfo: Link info query not allowed as file was opened without …OperationalN
295NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.OperationalN
296NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.OperationalN
297NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …OperationalN
298NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …OperationalN
299NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened …OperationalN
300NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with …OperationalN
301NtfsSetRenameInfo: Can not rename a file marked for deletion.OperationalN
302NtfsSetRenameInfo: Can not rename a txf directory.OperationalN
303NtfsSetRenameInfo: Can not rename into a system directory.OperationalN
304NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.OperationalN
305NtfsSetRenameInfo: The file should not have in-memory directory descendents.OperationalN
306NtfsSetRenameInfo: Child Scb mismatch.OperationalN
307NtfsSetLinkInfo: Set link info is not allowed on txf directory.OperationalN
308NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.OperationalN
309NtfsSetLinkInfo: Set link info failed due to caller not having …OperationalN
310NtfsSetLinkInfo: Creating a link in system directory is not allowed.OperationalN
311NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.OperationalN
312NtfsSetShortNameInfo: Can not set a short name on a deleted file.OperationalN
313NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF …OperationalN
314NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction …OperationalN
315NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.OperationalN
316NtfsStreamRename: Deny access due to encryption happening on source stream.OperationalN
317NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.OperationalN
318NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, …OperationalN
319NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.OperationalN
320NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: …OperationalN
321NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: …OperationalN
322NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: …OperationalN
323NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add …OperationalN
324NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add …OperationalN
325NtfsDiskFlushContextWorkItemProcessing: Process work itemOperationalN
326NtfsDiskFlushContextWorkItemProcessing: Nothing to work onOperationalN
327Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: …OperationalN
328NtfsLockVolumeInternal: Cannot lock the volume.OperationalN
329NtfsLockVolumeInternal: Volume is already locked.OperationalN
330NtfsLockVolumeInternal: Failed to flush system files on the volume.OperationalN
331NtfsLockVolumeInternal: Failed to flush system files on the volume.OperationalN
332NtfsLockVolumeInternal: Outstanding user files open after flush and retry.OperationalN
333NtfsLockVolume: Cannot lock volume due to caller does not have manage volume …OperationalN
334NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.OperationalN
335A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm …OperationalN
336NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume …OperationalN
337NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, …OperationalN
338NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …OperationalN
339NtfsDismountVolume: Cannot dismount volume due to volume being locked.OperationalN
340NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open …OperationalN
341NtfsDismountVolume: Could not flush trim hints.OperationalN
342NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage …OperationalN
343NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage …OperationalN
344NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage …OperationalN
345NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having …OperationalN
346NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …OperationalN
347NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to …OperationalN
348NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage …OperationalN
349NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not …OperationalN
350NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage …OperationalN
351NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup …OperationalN
352NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup …OperationalN
353NtfsSetSparse: Caller does not have appropriate write access to the stream.OperationalN
354NtfsSetSparse: Cannot desparse encrypted file without write data access.OperationalN
355NtfsZeroRange: User mode caller not allowed.OperationalN
356IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.OperationalN
357IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!OperationalN
358NtfsReadRawEncrypted: Caller does not have backup access or read data access.OperationalN
359NtfsWriteRawEncrypted: Caller does not have write data access or restore access.OperationalN
360NtfsWriteRawEncrypted: Caller not having manage volume privilege.OperationalN
361NtfsLookupStreamFromCluster: Caller not having manage volume privilege.OperationalN
362NtfsChangeVolumeSize: Caller not having manage volume privilege.OperationalN
363NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.OperationalN
364NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.OperationalN
365NtfsMarkHandle: Caller does not have a valid volume handle or manage volume …OperationalN
366NtfsMarkHandle: Caller not having manage volume privilege.OperationalN
367NtfsMarkHandle: Cannot deny defrag.OperationalN
368NtfsMarkHandle: Cannot deny Frs consolidation.OperationalN
369NtfsMarkHandle: Cannot filter metadata.OperationalN
370NtfsMarkHandle: Mark handle is not allowed on system files.OperationalN
371NtfsMarkHandle: File already has user writable references.OperationalN
372NtfsMarkHandle: File was granted write access previously but no oplocks were …OperationalN
373NtfsPrefetchFile: Caller not having manage volume privilege.OperationalN
374NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.OperationalN
375NtfsSetShortNameBehavior: Caller not having manage volume privilege.OperationalN
376Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to …OperationalN
377NtfsQueryPagefileEncryption: Caller not having manage volume privilege.OperationalN
378NtfsQueryPagefileEncryption: Caller not having manage volume privilege.OperationalN
379NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.OperationalN
380NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.OperationalN
381Resetting Volsnap behavior for VCB = 0xA10_Vcb.OperationalN
382NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.OperationalN
383NtfsCorruptionHandling: Caller not having manage volume privilege.OperationalN
384NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.OperationalN
385Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: …OperationalN
386Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!OperationalN
387Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.OperationalN
388NtfsScrubData: Caller not having manage volume privilege.OperationalN
389Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.OperationalN
390Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.OperationalN
391Scb:A10_Scb ScrubInternal OperationStatus: A11_ScrubContextOperationStatus …OperationalN
392Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: …OperationalN
393InternalFileReference: A10_InternalFileReference.OperationalN
394InternalFileReference:A10_InternalFileReference.OperationalN
395Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel …OperationalN
396Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).OperationalN
397Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).OperationalN
398Scb:A10_Scb Scrub StartingVcn.OperationalN
399Scb:A10_Scb Scrub starting vcn is beyond VDL.OperationalN
400Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!OperationalN
401Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!OperationalN
402Scb:A10_Scb StartingVcn:A11_StartingVcn!OperationalN
403Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!OperationalN
404Scrub found problems Scb: A10_Scb Vcn A11_StartingVcn!OperationalN
405Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.OperationalN
406Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.OperationalN
407FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: …OperationalN
408Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) …OperationalN
409Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute …OperationalN
410FSCTL_REPAIR_COPIES interrupted by thread termination.OperationalN
411FSCTL_REPAIR_COPIES canceledOperationalN
412Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from …OperationalN
413Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from …OperationalN
414Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!OperationalN
415Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!OperationalN
416Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.OperationalN
417Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.OperationalN
418Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.OperationalN
419NtfsQueryCachedRuns: Caller not having manage volume privilege.OperationalN
420NtfsQueryStorageClasses: Caller not having manage volume privilege.OperationalN
421NtfsQueryRegionInfo: Caller not having manage volume privilege.OperationalN
422NtfsUnloadFile: Caller not having manage volume privilege.OperationalN
423NtfsCheckForSection: File already has image section.OperationalN
424NtfsShuffleFile: User mode caller is not allowed.OperationalN
425NtfsShuffleFile: Denying access due to volume is locked.OperationalN
426NtfsShuffleFile: Defrag is denied.OperationalN
427NtfsShuffleFile: Denying access due to conflicting with read-only state.OperationalN
428NtfsRearrangeFile: User mode caller is not allowed.OperationalN
429NtfsRearrangeFile: Denying access due to volume is locked.OperationalN
430NtfsRearrangeFile: Defrag is denied.OperationalN
431NtfsShuffleFile: Denying access due to conflicting with read-only state.OperationalN
432NtfsSparseOverAllocate: Caller does not have appropriate write access.OperationalN
433NtfsInitiateFileMetadataOptimization: Only allowed on regular user …OperationalN
434NtfsQueryFileMetadataOptimization: Only allowed on regular user …OperationalN
435NtfsCleanVolumeMetadata: Caller not having manage volume privilege.OperationalN
436NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open …OperationalN
437NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate …OperationalN
438NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, …OperationalN
439NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.OperationalN
440NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir …OperationalN
441NtfsCleanVolumeMetadata: Caller not having manage volume privilege.OperationalN
442SCB: A10_Scb, StartOffset: 0xA11_StartOffset!OperationalN
443FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: …OperationalN
444FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: …OperationalN
445Scb: A10_Scb, Status: A11_Status, AbnormalTermination: …OperationalN
446Scb: A10_Scb, Status: A11_Status.OperationalN
447NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.OperationalN
448Logic error of posting close to work queue.OperationalN
449NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, …OperationalN
450NtfsFindPrefixHashEntry: {Lcb: NULL}OperationalN
451NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, …OperationalN
452NtfsFindPrefixHashEntry: {Lcb not found}OperationalN
453NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: …OperationalN
454NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!OperationalN
455Vcb A10_Vcb.OperationalN
456Vcb A10_Vcb.OperationalN
457Vcb A10_Vcb.OperationalN
458Vcb A10_Vcb.OperationalN
459Vcb A10_Vcb.OperationalN
460Vcb A10_Vcb.OperationalN
461Vcb A10_Vcb.OperationalN
462Vcb A10_Vcb.OperationalN
463Vcb A10_Vcb.OperationalN
464Vcb A10_Vcb.OperationalN
465Vcb A10_Vcb.OperationalN
466NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.OperationalN
467Vcb A10_Vcb.OperationalN
468Vcb A10_Vcb.OperationalN
469NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …OperationalN
470NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …OperationalN
471NtfsCommitCurrentTransaction …OperationalN
472NtfsCommitCurrentTransaction …OperationalN
473NtfsCommitCurrentTransaction …OperationalN
474NtfsCommitCurrentTransaction …OperationalN
475NtfsCommitCurrentTransaction …OperationalN
476NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …OperationalN
477NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: …OperationalN
478NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: …OperationalN
479NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.OperationalN
480NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.OperationalN
481NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters …OperationalN
482NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.OperationalN
483NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.OperationalN
484NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters …OperationalN
485Vcb: A10_Vcb, Processing range.OperationalN
486Looking for dangling MDLsOperationalN
487FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.OperationalN
488FsLibAddBaseMcbEntryEx failed: A10_Status.OperationalN
489NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: …OperationalN
490NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: …OperationalN
491No sub extents has dangling MDLOperationalN
492NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at …OperationalN
493NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at …OperationalN
494NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.OperationalN
495NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext …OperationalN
496NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.OperationalN
497NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!OperationalN
498NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.OperationalN
499NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!OperationalN
500NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.OperationalN
501NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: …OperationalN
502NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.OperationalN
503Valid NTFS boot sector.OperationalN
504Not an NTFS boot sector.OperationalN
505NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's …OperationalN
506NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, …OperationalN
507Mounting DAX partition.OperationalN
508DAX volume mounted without DAX support because storage is not DAX capable.OperationalN
509NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft …OperationalN
510NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting …OperationalN
511NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, …OperationalN
512Unexpected exception code of 0xA10_ExceptionCode received.OperationalN
513Exception code of 0xA10_ExceptionCode received during mount.OperationalN
514Unexpected exception code of 0xA10_ExceptionCode received.OperationalN
515LogFileFull A10_IrpContextLogFullReason BackTrace: ln A11_BackTrace0; ln …OperationalN
516Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.OperationalN
517NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!OperationalN
518NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!OperationalN
519Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, …OperationalN
520Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, …OperationalN
521Setting STATUS_CANT_WAIT in top-level exception status for write @ …OperationalN
522Setting 0xA10_ExceptionCode in top-level exception status for write @ …OperationalN
523[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!OperationalN
524[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!OperationalN
525Can't handle invalid bitmap in a positive way.OperationalN
526NTFS ETW tracing is now active.OperationalN
527Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.OperationalN
528Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.OperationalN
529NtfsSetObjectId: Caller does not have restore access.OperationalN
530NtfsSetObjectIdExtendedInfo: Caller does not have write access.OperationalN
531NtfsDeleteObjectId: Caller does not have write access.OperationalN
532A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm …OperationalN
533NtfsFsQuotaSetInfo: Denying access due to administrator limit.OperationalN
534NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not …OperationalN
535Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.OperationalN
536NtfsSetReparsePoint: Caller does not have write access.OperationalN
537NtfsSetReparsePointEx: Caller does not have write access.OperationalN
538NtfsDeleteReparsePoint: Caller does not have write access.OperationalN
539NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling …OperationalN
540NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.OperationalN
541NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: …OperationalN
542NtfsAbortTransaction IC: A10_IrpContext, TransactionId: …OperationalN
543NtfsAbortTransaction IC: A10_IrpContext, TransactionId: …OperationalN
544DoAction::InitializeFRS IC:A10_IrpContext, …OperationalN
545DoAction::DeallocateFRS IC:A10_IrpContext, …OperationalN
546DoAction::WriteEndOfFRS IC:A10_IrpContext, …OperationalN
547DoAction::CreateAttribute IC:A10_IrpContext, …OperationalN
548NtfsRestartChangeValue IC:A10_IrpContext, …OperationalN
549DoAction::SetNewAttributeSizes IC.OperationalN
550DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …OperationalN
551DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: …OperationalN
552NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.OperationalN
553NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.OperationalN
554NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.OperationalN
555NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to …OperationalN
556NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.OperationalN
557NtfsCheckFileForDelete: Denying access due to superseding view indexes are not …OperationalN
558NtfsCheckFileForDelete: Denying access due to non-posix delete of target …OperationalN
559NtfsCheckFileForDelete: Denying access due to file is not deleteable.OperationalN
560NtfsCheckFileForDelete: Denying access due to target file is read only.OperationalN
561NtfsCheckFileForDelete: Caller does not have write attributes access …OperationalN
562NtfsCheckFileForDelete: Denying access due to failing to remove image section.OperationalN
563NtfsGlobalSdUpdate: Caller does not have manage volume privilege.OperationalN
564NtfsRepairItem: Denying access due to volume is locked.OperationalN
565NtfsSetRepairState: Caller does not have manage volume privilege.OperationalN
566NtfsInitiateRepair: Caller does not have manage volume privilege.OperationalN
567NTFS ETW tracing is shutting down.OperationalN
568NtfsDefineStorageReserve: Caller does not have manage volume privilege.OperationalN
569NtfsDeleteStorageReserve: Caller does not have manage volume privilege.OperationalN
570NtfsRepairStorageReserve: Caller does not have manage volume privilege.OperationalN
571NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a …OperationalN
572NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.OperationalN
573NtfsChangeStorageReserveId: Caller does not have manage volume privilege.OperationalN
574NtfsChangeStorageReserveId: Caller does not have manage volume privilege to …OperationalN
575Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.OperationalN
576Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.OperationalN
577NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: …OperationalN
578NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …OperationalN
579ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, …OperationalN
580Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.OperationalN
581Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.OperationalN
582Clusters: A10_Clusters.OperationalN
583Allocated new deallocated clustersOperationalN
584Need to add Range.OperationalN
585Added range.OperationalN
586TxfCheckForLockConflict: File locked for modify transaction.OperationalN
587TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans …OperationalN
588TxfCheckForLockConflict: Modification access desired.OperationalN
589TxfCheckForLockConflict: File has user handle opened on one of the versions or …OperationalN
590A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) …OperationalN
591A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) …OperationalN
592A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …OperationalN
593A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …OperationalN
594A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb …OperationalN
595A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.OperationalN
596A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be …OperationalN
597A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.OperationalN
598A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.OperationalN
599A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need …OperationalN
600A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, …OperationalN
601A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata …OperationalN
602A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.OperationalN
603A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is …OperationalN
604A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.OperationalN
605TxfInitializeVolume: Denying access due to Txf start is not allowed (possible …OperationalN
606A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for …OperationalN
607A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for …OperationalN
608A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after …OperationalN
609A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from …OperationalN
610A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at …OperationalN
611A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb …OperationalN
612A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb …OperationalN
613A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid …OperationalN
614TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …OperationalN
615A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb …OperationalN
616TxfStartRm: Denying access due to Txf start is not allowed (possible racing with …OperationalN
617A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no …OperationalN
618A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting …OperationalN
619A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart …OperationalN
620A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart …OperationalN
621A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in …OperationalN
622A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at …OperationalN
623A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart …OperationalN
624A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: …OperationalN
625A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started …OperationalN
626A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to …OperationalN
627A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at …OperationalN
628A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for …OperationalN
629TxfFlushAndInvalidateExistingStructures: File has open user handles.OperationalN
630(A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - …OperationalN
631A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to …OperationalN
632A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx …OperationalN
633A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to …OperationalN
634TxfFsctlStartRm: Denying access due starting default RM is not allowed.OperationalN
635TxfFsctlWriteBackupInformation: Denying access due RM is active.OperationalN
636A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too …OperationalN
637A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: …OperationalN
638A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a …OperationalN
639TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a …OperationalN
640TxfSetupTransactionContextFromCcb: Invalid TxF structure.OperationalN
641TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a …OperationalN
642A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising …OperationalN
643A10___FUNCTION__: Commit (0xA11_TransactionNotification) …OperationalN
644A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …OperationalN
645A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …OperationalN
646A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …OperationalN
647A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort …OperationalN
648A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 …OperationalN
649A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting …OperationalN
650A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans …OperationalN
651A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb …OperationalN
652A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb …OperationalN
653A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb …OperationalN
654A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb …OperationalN
655A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at …OperationalN
656A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting …OperationalN
657A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status …OperationalN
658A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.OperationalN
659A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.OperationalN
660A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM …OperationalN
661A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at …OperationalN
662A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb …OperationalN
663A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at …OperationalN
664A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb …OperationalN
665A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf …OperationalN
666A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …OperationalN
667A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …OperationalN
668A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …OperationalN
669A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …OperationalN
670A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found …OperationalN
671A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected …OperationalN
672A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …OperationalN
673A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …OperationalN
674A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …OperationalN
675A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing …OperationalN
676A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …OperationalN
677A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is …OperationalN
678A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not …OperationalN
679A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops …OperationalN
680A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops …OperationalN
681A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL …OperationalN
682A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in …OperationalN
683A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't …OperationalN
684NtfsReadUsnJournal: Caller does not have manage volume privilege.OperationalN
685TrimUsnJournal (A10_Vcb, A11_IrpContext): Decided to trim usn journal.OperationalN
686TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till …OperationalN
687TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS …OperationalN
688TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS …OperationalN
689TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.OperationalN
690TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.OperationalN
691NtfsQueryUsnJournal: Denying access due to NULL Ccb.OperationalN
692NtfsDeleteUsnJournal: Caller does not have manage volume access.OperationalN
693NtfsRestartUsnJournal: Caller does not have manage volume privilege.OperationalN
694NtOfsCreateAttributeEx: Stream already has a open user handle.OperationalN
695OfsSetLength …OperationalN
696OfsSetLength …OperationalN
697OfsSetLength …OperationalN
698OfsSetLength …OperationalN
699NtOfsPostNewLength …OperationalN
700NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!OperationalN
701Vcb A10_Vcb - has *no* active PFNs.OperationalN
702Vcb A10_Vcb - failed to query active PFNs assuming there are some.OperationalN
703Vcb A10_Vcb - has active PFNs.OperationalN
704NtfsPerformDismountOnVcb: Vcb A10_Vcb.OperationalN
705NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.OperationalN
706NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.OperationalN
707NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.OperationalN
708NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: …OperationalN
709NtfsPostVcbIsCorrupt.OperationalN
710NtfsPostVcbIsCorrupt: Marking volume dirty.OperationalN
711NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …OperationalN
712NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for …OperationalN
713Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!OperationalN
714Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.OperationalN
715NtfsCommonWrite: Writing beyond highest writable sector on active volume is not …OperationalN
716Ignoring write to 0xA10_StartingVbo!OperationalN
717Truncating write from 0xA10_ByteRange!OperationalN

Event ID 10: NtfsLookupRealAllocation: Vcn A10_Vcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLookupRealAllocation: Vcn A10_Vcn!I64x!, LowestVcn A11_AttributeFormNonresidentLowestVcn!I64x!, HighestVcn A12_AttributeFormNonresidentHighestVcn!I64x!, AllocationClusters A13_AllocationClusters!I64x!

Message #

NtfsLookupRealAllocation: Vcn %1!I64x!, LowestVcn %2!I64x!, HighestVcn %3!I64x!, AllocationClusters %4!I64x!

Fields #

NameDescription
A10_Vcn HexInt64
A11_AttributeFormNonresidentLowestVcn HexInt64
A12_AttributeFormNonresidentHighestVcn HexInt64
A13_AllocationClusters HexInt64

Event ID 11: NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, Scb:A11_Scb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:A10_IrpContext, Scb:A11_Scb.

Message #

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:%1!p!, Scb:%2!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer

Event ID 12: FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FileObject: A10_FileObject, Scb: A11_Scb, StaringVcn: A12_StartingVcn!I64x!, ClusterCount: A13_ClusterCount!I64x!, Flags: A14_Flags!08x!, CcbForWriteExtend: A15_CcbForWriteExtend.

Message #

FileObject: %1!p!, Scb: %2!p!, StaringVcn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!, CcbForWriteExtend: %6!p!

Fields #

NameDescription
A10_FileObject Pointer
A11_Scb Pointer
A12_StartingVcn HexInt64
A13_ClusterCount HexInt64
A14_Flags HexInt32
A15_CcbForWriteExtend Pointer

Event ID 13: NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, StaringVcn:A13_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAllocation IC:A10_IrpContext, FileObject:A11_FileObject, Scb:A12_Scb, StaringVcn:A13_StartingVcn!I64x!, ClusterCount:A14_ClusterCount!I64x!, Flags:A15_Flags!08x!, CcbForWriteExtend:A16_CcbForWriteExtend.

Message #

NtfsAddAllocation IC:%1!p!, FileObject:%2!p!, Scb:%3!p!, StaringVcn:%4!I64x!, ClusterCount:%5!I64x!, Flags:%6!08x!, CcbForWriteExtend:%7!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileObject Pointer
A12_Scb Pointer
A13_StartingVcn HexInt64
A14_ClusterCount HexInt64
A15_Flags HexInt32
A16_CcbForWriteExtend Pointer

Event ID 14: Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!016I64x!

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_PurgeOffset HexInt64

Event ID 15: Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Purge failed: Scb: A10_Scb, PurgeOffset: 0xA11_PurgeOffset!016I64x!, PurgeChunkLength: 0xA12_PurgeChunkLength.

Message #

Purge failed: Scb: %1!p!, PurgeOffset: 0x%2!016I64x!, PurgeChunkLength: 0x%3!x!

Fields #

NameDescription
A10_Scb Pointer
A11_PurgeOffset HexInt64
A12_PurgeChunkLength HexInt32

Event ID 16: NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using LastVcn:A11_LastVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetLastVcnForNewMappingPairSize IC:A10_IrpContext, Using LastVcn:A11_LastVcn!4I64x!, InstanceId:A12_AttributeInstance.

Message #

NtfsGetLastVcnForNewMappingPairSize IC:%1!p!, Using LastVcn:%2!4I64x!, InstanceId:%3!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_LastVcn HexInt64
A12_AttributeInstance HexInt32

Event ID 17: Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!I64x!

Message #

Can't find StdInfo in FileRef %1!I64x!

Fields #

NameDescription
A10_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 18: Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't find StdInfo in FileRef A10_NtfsFullFileRefNumber_FcbFileReference!I64x!

Message #

Can't find StdInfo in FileRef %1!I64x!

Fields #

NameDescription
A10_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 19: NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:A10_IrpContextValueLength:A11_ValueLength, AttrFlags=A12_AttributeFlags.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:A10_IrpContextValueLength:A11_ValueLength, AttrFlags=A12_AttributeFlags.

Message #

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:%1!p!ValueLength:%2!x!, AttrFlags=%3!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ValueLength HexInt32
A12_AttributeFlags HexInt32

Event ID 20: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, LastVcn A14_LastVcn!I64x!, NewHighestVcn A15_NewHighestVcn!I64x!, PassCount A16_PassCount - step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LastVcn %5!I64x!, NewHighestVcn %6!I64x!, PassCount %7!x! - step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_LastVcn HexInt64
A15_NewHighestVcn HexInt64
A16_PassCount HexInt32

Event ID 21: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - try to merge backward.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - try to merge backward

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 22: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - after merge backward.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after merge backward

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 23: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x!, PassCount !x! - before last merge after step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x!, PassCount %8!x! - before last merge after step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64
A17_PassCount HexInt32

Event ID 24: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(!p!,!p!): Scb !p!, FileRef !I64x!, LowestVcn !I64x!, HighestVcn !I64x!, ALE.LowestVcn !I64x! - after last merge after step 6.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, LowestVcn %5!I64x!, HighestVcn %6!I64x!, ALE.LowestVcn %7!I64x! - after last merge after step 6

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ContextFoundAttributeAttributeFormNonresidentLowestVcn HexInt64
A15_ContextFoundAttributeAttributeFormNonresidentHighestVcn HexInt64
A16_ContextAttributeListEntryLowestVcn HexInt64

Event ID 25: NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddAttributeAllocation(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, MergeSkipCt A14_NtfsFrsConsolidationStatisticsMergeSkipCount - done.

Message #

NtfsAddAttributeAllocation(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, MergeSkipCt %5!x! - done

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsFrsConsolidationStatisticsMergeSkipCount HexInt32

Event ID 26: NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartRemoveAttribute FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA13_AttributeTypeCode.

Message #

NtfsRestartRemoveAttribute FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_AttributeTypeCode HexInt32

Event ID 27: NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartChangeValue FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA13_AttributeTypeCode.

Message #

NtfsRestartChangeValue FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Attrib:0x%4!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_AttributeTypeCode HexInt32

Event ID 28: AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

AddToAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_CurrentAttributeListSize.

Message #

AddToAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_CurrentAttributeListSize HexInt32

Event ID 29: DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DeleteFromAttributeList(A10_FcbVcb,A11_IrpContext): FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_NewStdInfoAttrListEntryLastCompactedSize.

Message #

DeleteFromAttributeList(%1!p!,%2!p!): FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_NewStdInfoAttrListEntryLastCompactedSize HexInt32

Event ID 30: MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib A11_i/A12_MAX_MOVEABLE_ATTRIBUTES, Type=A13_AttributeTypeCode, RecLengh=A14_AttributeRecordLength, Instance:A15_Attribut...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MakeRoomForAttribute Moving Mft's attribute IC:A10_IrpContext, Moving Attrib A11_i/A12_MAX_MOVEABLE_ATTRIBUTES, Type=A13_AttributeTypeCode, RecLengh=A14_AttributeRecordLength, Instance:A15_AttributeInstance.

Message #

MakeRoomForAttribute Moving Mft's attribute IC:%1!p!, Moving Attrib %2!x!/%3!x!, Type=%4!x!, RecLengh=%5!x!, Instance:%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_i HexInt32
A12_MAX_MOVEABLE_ATTRIBUTES HexInt32
A13_AttributeTypeCode HexInt32
A14_AttributeRecordLength HexInt32
A15_AttributeInstance HexInt32

Event ID 31: MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, TypeCode:A12_AttributeTypeCode, RecLen:A13_AttributeRecordLength, Form:A14_AttributeFormCode, Instance:A1...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, TypeCode:A12_AttributeTypeCode, RecLen:A13_AttributeRecordLength, Form:A14_AttributeFormCode, Instance:A15_AttributeInstance.

Message #

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:%1!p!, SizeNeeded:%2!x!, TypeCode:%3!x!, RecLen:%4!x!, Form:%5!x!, Instance:%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_SizeNeeded HexInt32
A12_AttributeTypeCode HexInt32
A13_AttributeRecordLength HexInt32
A14_AttributeFormCode HexInt32
A15_AttributeInstance HexInt32

Event ID 32: MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, Bytes2Free:A12_BytesToFree, OldMappingSize:A13_MappingPairSize, NewMappingSize:A14_NewMappingPairSize.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MoveAttributeToOwnRecord IC:A10_IrpContext, SizeNeeded:A11_SizeNeeded, Bytes2Free:A12_BytesToFree, OldMappingSize:A13_MappingPairSize, NewMappingSize:A14_NewMappingPairSize.

Message #

MoveAttributeToOwnRecord IC:%1!p!, SizeNeeded:%2!x!, Bytes2Free:%3!x!, OldMappingSize:%4!x!, NewMappingSize:%5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_SizeNeeded HexInt32
A12_BytesToFree HexInt32
A13_MappingPairSize HexInt32
A14_NewMappingPairSize HexInt32

Event ID 33: NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartZeroEndOfFileRecord FileRef:0xA10_FileRecordSegmentNumberHighPart!04x!_A11_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Start:0xA13_StartZero, Len:0xA14_ZeroLength.

Message #

NtfsRestartZeroEndOfFileRecord FileRef:0x%1!04x!_%2!08x!, BaseFRS:0x%3!012I64x!, Start:0x%4!x!, Len:0x%5!x!

Fields #

NameDescription
A10_FileRecordSegmentNumberHighPart HexInt32
A11_FileRecordSegmentNumberLowPart HexInt32
A12_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A13_StartZero HexInt32
A14_ZeroLength HexInt32

Event ID 34: MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, LowVcn !I64x!, HalfWayVcn !I64x!, FinalVcn !I64x!, PackedMode !x!, TryPrior !x! - about to merge.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, LowVcn %7!I64x!, HalfWayVcn %8!I64x!, FinalVcn %9!I64x!, PackedMode %10!x!, TryPrior %11!x! - about to merge

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_NewStartVcn HexInt64
A17_NewHalfWayVcn HexInt64
A18_NewFinalVcn HexInt64
A19_PackedMode HexInt32
A20_TryPrior HexInt32

Event ID 35: MergeFRS2(A10_Vcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, DeleteFileRef !x!0000!08x!, LowVcn !I64x!, LastVcn !I64x!, FinalVcn !I64x! - all fit in one so get rid of the second one.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - all fit in one so get rid of the second one

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_FileRecordSequenceNumber HexInt32
A17_FileRecordSegmentNumberLowPart HexInt32
A18_NewStartVcn HexInt64
A19_LastVcn HexInt64
A20_NewFinalVcn HexInt64

Event ID 36: MergeFRS2.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, DeleteFileRef %7!x!0000%8!08x!, LowVcn %9!I64x!, LastVcn %10!I64x!, FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_FileRecordSequenceNumber HexInt32
A17_FileRecordSegmentNumberLowPart HexInt32
A18_NewStartVcn HexInt64
A19_LastVcn HexInt64
A20_NewFinalVcn HexInt64

Event ID 37: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewFinalVcn!I64x! - initial RangePtr query.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x! - initial RangePtr query

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewFinalVcn HexInt64

Event ID 38: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewHalfWayVcn!I64x!, Rptr A15_RangePtr - secondary RangePtr query.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - secondary RangePtr query

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewHalfWayVcn HexInt64
A15_RangePtr Pointer

Event ID 39: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, Vcn A14_NewHalfWayVcn!I64x!, Rptr A15_RangePtr - calling lookup runs range.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, Vcn %5!I64x!, Rptr %6!p! - calling lookup runs range

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewHalfWayVcn HexInt64
A15_RangePtr Pointer

Event ID 40: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - current McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - current McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 41: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - previous McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - previous McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 42: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - prev prev McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - prev prev McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 43: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, McbArray A14_NtfsMcbArray (A15_NtfsMcbArrayStartingVcn!I64x!, A16_NtfsMcbArrayEndingVcn!I64x!) - next McbArray.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, McbArray %5!p! (%6!I64x!, %7!I64x!) - next McbArray

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NtfsMcbArray Pointer
A15_NtfsMcbArrayStartingVcn HexInt64
A16_NtfsMcbArrayEndingVcn HexInt64

Event ID 44: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, NewFinalVcnInMcb A14_NewFinalVcnInMcb!I64x! > NewFinalVcn A15_NewFinalVcn!I64x! - NewFinalVcn is smaller.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewFinalVcnInMcb %5!I64x! > NewFinalVcn %6!I64x! - NewFinalVcn is smaller

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewFinalVcnInMcb HexInt64
A15_NewFinalVcn HexInt64

Event ID 45: MergeFRS2.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, NewStartVcn %5!I64x!, LastVcn %6!I64x!, NewFinalVcn %7!I64x!, NewFinalVcnInMcb %8!I64x!, #Ranges %9!x!, DeletedNextAttribute %10!x!, Mcb1(%11!x!,%12!x!), Mcb2(%13!x!,%14!x!), McbArraySizeInUseChange %15!d! - final vcn in mcb

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewStartVcn HexInt64
A15_LastVcn HexInt64
A16_NewFinalVcn HexInt64
A17_NewFinalVcnInMcb HexInt64
A18_NumberOfRanges HexInt32
A19_DeletedNextAttribute HexInt32
A20_Mcb1StartWithNewStartVcn HexInt32
A21_Mcb1HoldNewStartVcn HexInt32
A22_Mcb2StartWithNewStartVcn HexInt32
A23_Mcb2HoldNewStartVcn HexInt32
A24_McbArraySizeInUseChange Int32

Event ID 46: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, StartingVcn A14_NewStartVcn!I64x!, EndingVcn A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1!I64x! - redefined mcb range1.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range1

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_NewStartVcn HexInt64
A15_DeletedNextAttributeNewFinalVcnInMcbLastVcn1 HexInt64

Event ID 47: MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

MergeFRS2(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!I64x!, StartingVcn A14_LastVcn!I64x!, EndingVcn A15_NewFinalVcnInMcb!I64x! - redefined mcb range2.

Message #

MergeFRS2(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, StartingVcn %5!I64x!, EndingVcn %6!I64x! - redefined mcb range2

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_LastVcn HexInt64
A15_NewFinalVcnInMcb HexInt64

Event ID 48: RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RedoAttribute(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, FileRef !I64x!, OldLowVcn !I64x!, NewLowVcn !I64x!, Instance !x! - updating LowestVcn in attribute list entry.

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, FileRef %7!I64x!, OldLowVcn %8!I64x!, NewLowVcn %9!I64x!, Instance %10!x! - updating LowestVcn in attribute list entry

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_PULONGLONG_ContextAttributeListEntrySegmentReference HexInt64
A17_OldLowestVcn HexInt64
A18_StartVcn HexInt64
A19_NewAttributeInstance HexInt32

Event ID 49: RedoAttribute(A10_ScbVcb,A11_IrpContext): Scb A12_Scb, FileRef A13_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RedoAttribute(!p!,!p!): Scb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, OldLowVcn !I64x!, NewLowVcn !I64x!, OldHighVcn !I64x!, NewHighVcn !I64x!, ChildRef !x!0000!08x! - done.

Message #

RedoAttribute(%1!p!,%2!p!): Scb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, OldLowVcn %7!I64x!, NewLowVcn %8!I64x!, OldHighVcn %9!I64x!, NewHighVcn %10!I64x!, ChildRef %11!x!0000%12!08x! - done

Fields #

NameDescription
A10_ScbVcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_PULONGLONG_ScbFcbFileReference HexInt64
A14_ScbAttributeTypeCode HexInt32
A15__ScbAttributeName CountedUtf16String
A16_OldLowestVcn HexInt64
A17_StartVcn HexInt64
A18_OldHighestVcn HexInt64
A19_LastVcn HexInt64
A20_FileRecordSequenceNumber HexInt32
A21_FileRecordSegmentNumberLowPart HexInt32

Event ID 50: NtfsConsolidateAllFileRecords: Invalid Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: A10_PsGetCurrentThread.

Message #

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: %1!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer

Event ID 51: NtfsConsolidateAllFileRecords: Volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords: Volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Volume Id: A14__VolumeId, Vcb State: 0xA15_VcbVcbState!08x!.

Message #

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume Id: %5!S!, Vcb State: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14__VolumeId CountedUtf16String
A15_VcbVcbState HexInt32

Event ID 52: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x!, FirstRequest A14_AllFlagsFirstRequest - opened fcb.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, FirstRequest %5!x! - opened fcb

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_AllFlagsFirstRequest HexInt32

Event ID 53: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - already in progress so get out.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - already in progress so get out

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 54: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - set in progress flag.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - set in progress flag

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 55: NtfsConsolidateAllFileRecords.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RstrTypeCode %5!x!, RstrAttrName %6!S!, RstrVcn %7!I64x!, RstrAttrListEntryOffset %8!x!, AttrListEntryOffset %9!x!, AttrListLength %10!I64x!, AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A18_AttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64
A20_AttributeListGrowBy HexInt32
A21_AttributeListGrowBy Int32

Event ID 56: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!,!p!): Fcb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, Vcn !I64x!, Instance !x!, RstrAttrListEntryOffset !x!, AttrListLength !I64x! - breaking up 1.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 1

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextInstance HexInt32
A18_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64

Event ID 57: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!,!p!): Fcb !p!, FileRef !I64x!, TypeCode !x!, AttrName !S!, Vcn !I64x!, Instance !x!, RstrAttrListEntryOffset !x!, AttrListLength !I64x! - breaking up 2.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, TypeCode %5!x!, AttrName %6!S!, Vcn %7!I64x!, Instance %8!x!, RstrAttrListEntryOffset %9!x!, AttrListLength %10!I64x! - breaking up 2

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_FrsConsolidationContextRestartAttributeTypeCode HexInt32
A15__FrsConsolidationContextRestartAttributeName CountedUtf16String
A16_FrsConsolidationContextRestartVcn HexInt64
A17_FrsConsolidationContextInstance HexInt32
A18_FrsConsolidationContextRestartAttributeListEntryOffset HexInt32
A19_AttrContextAttributeListAttributeListFormNonresidentValidDataLength HexInt64

Event ID 58: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x!, Scb A14_Scb - completed this Scb.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, Scb %5!p! - completed this Scb

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64
A14_Scb Pointer

Event ID 59: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - going into finally.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - going into finally

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 60: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef A12_PULONGLONG_FrsConsolidationContextFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): FileRef A12_PULONGLONG_FrsConsolidationContextFileReference!I64x!, Status A13_IrpContextExceptionStatus - Abnormal Termination.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): FileRef %3!I64x!, Status %4!x! - Abnormal Termination

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FrsConsolidationContextFileReference HexInt64
A13_IrpContextExceptionStatus HexInt32

Event ID 61: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - decremented close counts.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - decremented close counts

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 62: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_PULONGLONG_FcbFileReference!I64x! - clearing in progress flag.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x! - clearing in progress flag

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_PULONGLONG_FcbFileReference HexInt64

Event ID 63: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!I64x!, ExceptionStatus A14_ExceptionStatus- released.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, ExceptionStatus %5!x!- released

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_FileRef HexInt64
A14_ExceptionStatus HexInt32

Event ID 64: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): Fcb A12_Fcb, FileRef A13_FileRef!I64x!, RemovedFcb A14_RemovedFcb, AllFlags.FcbAcquired A15_AllFlagsFcbAcquired, TransId A16_IrpContextTransactionId - no release.

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): Fcb %3!p!, FileRef %4!I64x!, RemovedFcb %5!x!, AllFlags.FcbAcquired %6!x!, TransId %7!x! - no release

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Fcb Pointer
A13_FileRef HexInt64
A14_RemovedFcb HexInt32
A15_AllFlagsFcbAcquired HexInt32
A16_IrpContextTransactionId HexInt32

Event ID 65: NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsConsolidateAllFileRecords(A10_Vcb,A11_IrpContext): DeltaTime A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart!I64d! (ms), TotalTime A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart!I64d! (ms).

Message #

NtfsConsolidateAllFileRecords(%1!p!,%2!p!): DeltaTime %3!I64d! (ms), TotalTime %4!I64d! (ms)

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_EndTimeQuadPart1000NtfsPerformanceFrequencyQuadPart Int64
A13_FrsConsolidationContextTotalTime1000NtfsPerformanceFrequencyQuadPart Int64

Event ID 66: UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef A12_PULONGLONG_FcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

UpdateLCS: Vcb A10_FcbVcb, IC A11_IrpContext, FRef A12_PULONGLONG_FcbFileReference!I64x!, OldSig A13_StdInfoAttrListEntrySignature, OldLCS A14_StdInfoAttrListEntryLastCompactedSize, NewLCS A15_AttributeListSize.

Message #

UpdateLCS: Vcb %1!p!, IC %2!p!, FRef %3!I64x!, OldSig %4!x!, OldLCS %5!x!, NewLCS %6!x!

Fields #

NameDescription
A10_FcbVcb Pointer
A11_IrpContext Pointer
A12_PULONGLONG_FcbFileReference HexInt64
A13_StdInfoAttrListEntrySignature HexInt32
A14_StdInfoAttrListEntryLastCompactedSize HexInt32
A15_AttributeListSize HexInt32

Event ID 67: NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, Vcn: 0xA14_OriginalStartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: !p!, Vcb: !p!, Scb: !p!, Mcb: !p!, Vcn: 0x!I64x!, Length: 0x!I64x!, AllocateAll: !S!, TargetLcn: 0x!I64x!, PreAllocated: !S!, DelayedAllocation: !S!

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_OriginalStartingVcn HexInt64
A15_ClusterCount HexInt64
A16_AllocateAll UInt32
A17_TargetLcnNULLTargetLcnULONGLONG1 HexInt64
A18_PreAllocated UInt32
A19_UseDelayedAllocation UInt32

Event ID 68: NtfsAllocateClustersPriv IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, Vcn: 0xA14_OriginalStartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: !p!, Vcb: !p!, Scb: !p!, Mcb: !p!, Vcn: 0x!I64x!, Length: 0x!I64x!, AllocateAll: !S!, TargetLcn: 0x!I64x!, PreAllocated: !S!, DelayedAllocation: !S!

Message #

NtfsAllocateClustersPriv IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, Vcn: 0x%5!I64x!, Length: 0x%6!I64x!, AllocateAll: %7!S!, TargetLcn: 0x%8!I64x!, PreAllocated: %9!S!, DelayedAllocation: %10!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_OriginalStartingVcn HexInt64
A15_ClusterCount HexInt64
A16_AllocateAll UInt32
A17_TargetLcnNULLTargetLcnULONGLONG1 HexInt64
A18_PreAllocated UInt32
A19_UseDelayedAllocation UInt32

Event ID 69: NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0xA10_FoundClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_ScbTotalAllocated!I64x!

Message #

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!

Fields #

NameDescription
A10_FoundClusterCount HexInt64
A11_Scb Pointer
A12_ScbTotalAllocated HexInt64

Event ID 70: NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0xA10_FoundClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0xA10_FoundClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_ScbTotalAllocated!I64x!ScbState: A13_ScbState!08x!, IrpContextState2: A14_IrpContextState2!08x!, AllocateWithNoHole: A15_AllocateWithNoHole.

Message #

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!ScbState: %4!08x!, IrpContextState2: %5!08x!, AllocateWithNoHole: %6!d!

Fields #

NameDescription
A10_FoundClusterCount HexInt64
A11_Scb Pointer
A12_ScbTotalAllocated HexInt64
A13_ScbState HexInt32
A14_IrpContextState2 HexInt32
A15_AllocateWithNoHole Int32

Event ID 71: NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersAllocated UInt32

Event ID 72: NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateClustersPriv IC: A10_IrpContext, ClustersAllocated: A11_ClustersAllocated.

Message #

NtfsAllocateClustersPriv IC: %1!p!, ClustersAllocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersAllocated UInt32

Event ID 73: NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!I64x!, EndVcn: 0xA15_EndingVcn!I64x!

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_StartingVcn HexInt64
A15_EndingVcn HexInt64

Event ID 74: NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!I64x! from clusters A12_StartingVcn!I64x! to A13_EndingVcn!I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! from clusters %3!I64x! to %4!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PULONGLONG_ScbFcbFileReference HexInt64
A12_StartingVcn HexInt64
A13_EndingVcn HexInt64

Event ID 75: NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, Vcb: A11_Vcb, Scb: A12_Scb, Mcb: A13__ScbMcb, StartVcn: 0xA14_StartingVcn!I64x!, EndVcn: 0xA15_EndingVcn!I64x!

Message #

NtfsDeallocateClusters IC: %1!p!, Vcb: %2!p!, Scb: %3!p!, Mcb: %4!p!, StartVcn: 0x%5!I64x!, EndVcn: 0x%6!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Scb Pointer
A13__ScbMcb Pointer
A14_StartingVcn HexInt64
A15_EndingVcn HexInt64

Event ID 76: NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - deleting FR A11_PULONGLONG_ScbFcbFileReference!I64x! starting at A12_AdjLcn!I64x! for A13_AdjClusterCount!I64x! clusters.

Message #

NtfsDeallocateClusters: Vcb %1!p! - deleting FR %2!I64x! starting at %3!I64x! for %4!I64x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_PULONGLONG_ScbFcbFileReference HexInt64
A12_AdjLcn HexInt64
A13_AdjClusterCount HexInt64

Event ID 77: NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - raising logfile full.

Message #

NtfsDeallocateClusters: Vcb %1!p! - raising logfile full

Fields #

NameDescription
A10_Vcb Pointer

Event ID 78: NtfsDeallocateClusters: Vcb A10_Vcb - adding clusters to DeallocatedClusters: A11_DeallocatedClusters ==> Lsn: A12_DeallocatedClustersLsnQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb !p! - adding clusters to DeallocatedClusters: !p! ==> Lsn: !I64x!, ClusterCount: !I64x!, Flags: !08x!; Vcb's DeallocatedClustersCount old: !I64x! new: !I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - adding clusters to DeallocatedClusters: %2!p! ==> Lsn: %3!I64x!, ClusterCount: %4!I64x!, Flags: %5!08x!; Vcb's DeallocatedClustersCount old: %6!I64x! new: %7!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer
A12_DeallocatedClustersLsnQuadPart HexInt64
A13_DeallocatedClustersClusterCount HexInt64
A14_DeallocatedClustersFlags HexInt32
A15_VcbDeallocatedClusters HexInt64
A16_VcbDeallocatedClustersAdjClusterCount HexInt64

Event ID 79: NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Decremented TotalAllocated by 0xA10_ClusterCount!I64x! clusters, Scb: A11_Scb, TotalAllocated: 0xA12_TotalAllocated!I64x!Addr(TotalAllocated): A13_TotalAllocated.

Message #

NtfsDeallocateClusters: Decremented TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!, TotalAllocated: 0x%3!I64x!Addr(TotalAllocated): %4!p!

Fields #

NameDescription
A10_ClusterCount HexInt64
A11_Scb Pointer
A12_TotalAllocated HexInt64
A13_TotalAllocated Pointer

Event ID 80: NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0xA10_ClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0xA10_ClusterCount!I64x! clusters, Scb: A11_ScbAddr(TotalAllocated): A12_TotalAllocated, ScbState: A13_ScbState!08x!, IrpContextState2: A14_IrpContextState2!08x!

Message #

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x%1!I64x! clusters, Scb: %2!p!Addr(TotalAllocated): %3!p!, ScbState: %4!08x!, IrpContextState2: %5!08x!

Fields #

NameDescription
A10_ClusterCount HexInt64
A11_Scb Pointer
A12_TotalAllocated Pointer
A13_ScbState HexInt32
A14_IrpContextState2 HexInt32

Event ID 81: NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to DeallocatedClustersCount from A11_VcbDeallocatedClusters!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters: Vcb A10_Vcb - Undoing some changes to DeallocatedClustersCount from A11_VcbDeallocatedClusters!I64x! to A12_VcbDeallocatedClustersClustersRemoved!I64x!

Message #

NtfsDeallocateClusters: Vcb %1!p! - Undoing some changes to DeallocatedClustersCount from %2!I64x! to %3!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbDeallocatedClusters HexInt64
A12_VcbDeallocatedClustersClustersRemoved HexInt64

Event ID 82: NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersDeallocated UInt32

Event ID 83: NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeallocateClusters IC: A10_IrpContext, ClustersDeallocated: A11_ClustersDeallocated.

Message #

NtfsDeallocateClusters IC: %1!p!, ClustersDeallocated: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ClustersDeallocated UInt32

Event ID 84: NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: 0xA12_FirstBit!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsModifyBitsInBitmap IC: A10_IrpContext, Vcb: A11_Vcb, FirstBit: 0xA12_FirstBit!I64x!, BeyondLastBit: 0xA13_BeyondFinalBit!I64x!, Redo: 0xA14_RedoOperation, Undo: 0xA15_UndoOperation.

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Vcb: %2!p!, FirstBit: 0x%3!I64x!, BeyondLastBit: 0x%4!I64x!, Redo: 0x%5!x!, Undo: 0x%6!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_FirstBit HexInt64
A13_BeyondFinalBit HexInt64
A14_RedoOperation HexInt32
A15_UndoOperation HexInt32

Event ID 85: NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsModifyBitsInBitmap IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, CurrentLcn: 0xA13_CurrentLcn!I64x!

Message #

NtfsModifyBitsInBitmap IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, CurrentLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_CurrentLcn HexInt64

Event ID 86: NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!I64x!, ClusterCount: 0xA13_ClusterCount!I64x!

Message #

NtfsAllocateBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64

Event ID 87: NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAllocateBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, StartingLcn: 0xA13_StartingLcn!I64x!

Message #

NtfsAllocateBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_StartingLcn HexInt64

Event ID 88: NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartSetBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!08x!, NumBits: 0xA13_NumberOfBits!08x!

Message #

NtfsRestartSetBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_BitMapOffset HexInt32
A13_NumberOfBits HexInt32

Event ID 89: NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeBitmapRun IC: A10_IrpContext, Vcb: A11_Vcb, StartingLcn: 0xA12_StartingLcn!I64x!, ClusterCount: 0xA13_ClusterCount!I64x!

Message #

NtfsFreeBitmapRun IC: %1!p!, Vcb: %2!p!, StartingLcn: 0x%3!I64x!, ClusterCount: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64

Event ID 90: NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeBitmapRun IC: A10_IrpContext, Bitmap: A11__Bitmap, BaseLcn: 0xA12_BaseLcn!I64x!, StartingLcn: 0xA13_StartingLcn!I64x!

Message #

NtfsFreeBitmapRun IC: %1!p!, Bitmap: %2!p!, BaseLcn: 0x%3!I64x!, StartingLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11__Bitmap Pointer
A12_BaseLcn HexInt64
A13_StartingLcn HexInt64

Event ID 91: NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartClearBitsInBitMap IC: A10_IrpContext, Bitmap: A11_Bitmap, BitMapOffset: 0xA12_BitMapOffset!08x!, NumBits: 0xA13_NumberOfBits!08x!

Message #

NtfsRestartClearBitsInBitMap IC: %1!p!, Bitmap: %2!p!, BitMapOffset: 0x%3!08x!, NumBits: 0x%4!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_BitMapOffset HexInt32
A13_NumberOfBits HexInt32

Event ID 92: NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12_Bitmap, StartingBitmapLcn: 0xA13_StartingBitmapLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12_Bitmap, StartingBitmapLcn: 0xA13_StartingBitmapLcn!I64x!, SetBits: A14_SetBits.

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!, StartingBitmapLcn: 0x%4!I64x!, SetBits: %5!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_Bitmap Pointer
A13_StartingBitmapLcn HexInt64
A14_SetBits UInt32

Event ID 93: NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: 0xA12_StartingBit!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Bitmap: A11_Bitmap, StartLcn: 0xA12_StartingBit!I64x!, EndLcn: 0xA13_EndingBit!I64x!

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Bitmap: %2!p!, StartLcn: 0x%3!I64x!, EndLcn: 0x%4!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Bitmap Pointer
A12_StartingBit HexInt64
A13_EndingBit HexInt64

Event ID 94: NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: A10_IrpContext, Result: A11_Results.

Message #

NtfsSetOrClearBitsUsingBaseMcb IC: %1!p!, Result: %2!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Results UInt32

Event ID 95: System files not marked as in use in the MFT bitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

System files not marked as in use in the MFT bitmap. DWord offset A10_i, value A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0.

Message #

System files not marked as in use in the MFT bitmap.  DWord offset %1!x!, value %2!x!.

Fields #

NameDescription
A10_i HexInt32
A11_OriginalSystemBitmapisizeofOriginalSystemBitmap0 HexInt32

Event ID 96: Length: 0 --> BinIndex : 0 - Unexpected length

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: 0 --> BinIndex : 0 - Unexpected length.

Message #

Length:        0 --> BinIndex :        0    - Unexpected length

Event ID 97: Length: A10_Length!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: A10_Length!8I64d! --> BinIndex : A11_BinIndex!8u! - Key: A12_Key, BitPosition: A13_BitPosition, GroupIndex: A14_GroupIndex, GroupShiftFactor: A15_GroupShiftFactor.

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - Key: %3!u!, BitPosition: %4!ld!, GroupIndex: %5!ld!, GroupShiftFactor: %6!ld!

Fields #

NameDescription
A10_Length Int64
A11_BinIndex UInt32
A12_Key UInt32
A13_BitPosition Int32
A14_GroupIndex Int32
A15_GroupShiftFactor Int32

Event ID 98: Length: A10_Length!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Length: A10_Length!8I64d! --> BinIndex : A11_BinIndex!8u! - BinIndex was beyond TotalBins: A12_TotalBins hence brought down.

Message #

Length: %1!8I64d! --> BinIndex : %2!8u!    - BinIndex was beyond TotalBins: %3!u! hence brought down

Fields #

NameDescription
A10_Length Int64
A11_BinIndex UInt32
A12_TotalBins UInt32

Event ID 99: BinIndex: A10_BinIndex!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MAXLONGLONG!8I64d! - BinIndex is set to last bin or beyond, TotalBins: A12_TotalBins.

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - BinIndex is set to last bin or beyond, TotalBins: %3!u!

Fields #

NameDescription
A10_BinIndex UInt32
A11_MAXLONGLONG Int64
A12_TotalBins UInt32

Event ID 100: BinIndex: A10_BinIndex!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MaxLength!8I64d! - GroupIndex: A12_GroupIndex, RelativeBinIndex: A13_RelativeBinIndex, MaxKey: A14_MaxKey.

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64d!  - GroupIndex: %3!ld!, RelativeBinIndex: %4!ld!, MaxKey: %5!u!

Fields #

NameDescription
A10_BinIndex UInt32
A11_MaxLength Int64
A12_GroupIndex Int32
A13_RelativeBinIndex Int32
A14_MaxKey UInt32

Event ID 101: BinGroupShift: A10_NtfsCachedRunBinGroupShift!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinGroupShift: A10_NtfsCachedRunBinGroupShift!8ld!, BinGroupSize: A11_NtfsCachedRunBinGroupSize!8u!, BinGroupMask: A12_NtfsCachedRunBinGroupMask!8x!

Message #

BinGroupShift: %1!8ld!, BinGroupSize: %2!8u!, BinGroupMask: %3!8x!

Fields #

NameDescription
A10_NtfsCachedRunBinGroupShift Int32
A11_NtfsCachedRunBinGroupSize UInt32
A12_NtfsCachedRunBinGroupMask HexInt32

Event ID 102: BinIndex: A10_BinIndex!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BinIndex: A10_BinIndex!8u! --> MaxLength: A11_MaxLength!8I64u! (0xA12_MaxLength!8I64x!).

Message #

BinIndex: %1!8u! --> MaxLength: %2!8I64u! (0x%3!8I64x!)

Fields #

NameDescription
A10_BinIndex UInt32
A11_MaxLength UInt64
A12_MaxLength HexInt64

Event ID 103: Searched committed allocations but didnt find enough free space.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Searched committed allocations but didnt find enough free space. StartingCluster A10_StartingCluster!I64x!, ClusterCount A11_ClusterCount!I64x!, Committed A12_VcbTotalClustersCommitted!I64x!, Total A13_VcbTotalClusters!I64x!, Free A14_VcbFreeClusters!I64x!

Message #

Searched committed allocations but didnt find enough free space.  StartingCluster %1!I64x!, ClusterCount %2!I64x!, Committed %3!I64x!, Total %4!I64x!, Free %5!I64x!

Fields #

NameDescription
A10_StartingCluster HexInt64
A11_ClusterCount HexInt64
A12_VcbTotalClustersCommitted HexInt64
A13_VcbTotalClusters HexInt64
A14_VcbFreeClusters HexInt64

Event ID 104: NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit 0xA11_FirstBitToClear, last bit 0xA12_BeyondLastBitToClear1.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): first bit 0xA11_FirstBitToClear, last bit 0xA12_BeyondLastBitToClear1.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): first bit 0x%2!X!, last bit 0x%3!X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FirstBitToClear HexInt32
A12_BeyondLastBitToClear1 HexInt32

Event ID 105: NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading partial slab.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no leading partial slab.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no leading partial slab

Fields #

NameDescription
A10_Vcb Pointer

Event ID 106: NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading partial slab returned - LCN A11_FreeClusterBase1!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): leading partial slab returned - LCN A11_FreeClusterBase1!I64X!, len A12_FreeClusterCount1!I64X!

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): leading partial slab returned - LCN %2!I64X!, len %3!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FreeClusterBase1 HexInt64
A12_FreeClusterCount1 HexInt64

Event ID 107: NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing partial slab.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): no trailing partial slab.

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): no trailing partial slab

Fields #

NameDescription
A10_Vcb Pointer

Event ID 108: NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing partial slab returned - lcn A11_FreeClusterBase2!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb A10_Vcb - Clearing TP map bit(s): trailing partial slab returned - lcn A11_FreeClusterBase2!I64X!, len A12_FreeClusterCount2!I64X!

Message #

NtfsRemoveClustersFromTPMap: Vcb %1!p! - Clearing TP map bit(s): trailing partial slab returned - lcn %2!I64X!, len %3!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_FreeClusterBase2 HexInt64
A12_FreeClusterCount2 HexInt64

Event ID 109: NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC A12_VcbTotalClustersCommitted!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsValidateTotalClustersCommitted(A10_Vcb,A11_PsGetCurrentThread): TCC A12_VcbTotalClustersCommitted!I64x!, TC A13_VcbTotalClusters!I64x!, BMSize A14_VcbTPMapSizeOfBitMap.

Message #

NtfsValidateTotalClustersCommitted(%1!p!,%2!p!): TCC %3!I64x!, TC %4!I64x!, BMSize %5!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_VcbTotalClustersCommitted HexInt64
A13_VcbTotalClusters HexInt64
A14_VcbTPMapSizeOfBitMap HexInt32

Event ID 110: Illegal MDL Complete for major code A10_IrpContextMajorFunction.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Illegal MDL Complete for major code A10_IrpContextMajorFunction.

Message #

Illegal MDL Complete for major code %1!u!

Fields #

NameDescription
A10_IrpContextMajorFunction UInt32

Event ID 111: Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: !p!, StartingZero: 0x!016I64x!, ByteCount: 0x!016I64x!, ExtentsDescriptor: !p!, ExtentsDescriptorIndex: !d!, ExtentsDescriptorStartOffset: 0x!016I64x!, Offset: 0x!016I64x!, MaxRuns: !d!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, ByteCount: 0x%3!016I64x!, ExtentsDescriptor: %4!p!, ExtentsDescriptorIndex: %5!d!, ExtentsDescriptorStartOffset: 0x%6!016I64x!, Offset: 0x%7!016I64x!, MaxRuns: %8!d!,

Fields #

NameDescription
A10_Scb Pointer
A11_StartingZero HexInt64
A12_ByteCount HexInt64
A13_ExtentsDescriptor Pointer
A14_ExtentsDescriptorIndex Int32
A15_ExtentsDescriptorStartOffset HexInt64
A16_Offset HexInt64
A17_MaxRuns Int32

Event ID 112: RunEntry ==> A10_RunIndex!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RunEntry ==> A10_RunIndex!4d!: [0xA11_ExtentsDescriptorRunRunIndexBasePage!016I64x!, 0xA12_ExtentsDescriptorRunRunIndexPageCount!016I64x!], ExtentLength: 0xA13_ExtentLength!016I64x!, Offset: 0xA14_Offset!016I64x!, RunIndexStartOffset: 0xA15_RunIndexStartOffset!016I64x!

Message #

RunEntry ==> %1!4d!: [0x%2!016I64x!, 0x%3!016I64x!], ExtentLength: 0x%4!016I64x!, Offset: 0x%5!016I64x!, RunIndexStartOffset: 0x%6!016I64x!

Fields #

NameDescription
A10_RunIndex Int32
A11_ExtentsDescriptorRunRunIndexBasePage HexInt64
A12_ExtentsDescriptorRunRunIndexPageCount HexInt64
A13_ExtentLength HexInt64
A14_Offset HexInt64
A15_RunIndexStartOffset HexInt64

Event ID 113: Offset is beyond this extent skipping the extent.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Offset is beyond this extent skipping the extent.

Message #

Offset is beyond this extent skipping the extent.

Event ID 114: Shrinking LengthInExtent.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Shrinking LengthInExtent (0xA10_LengthInExtent!016I64x!) to ByteCount (0xA11_ByteCount!016I64x!) that we have to zero.

Message #

Shrinking LengthInExtent (0x%1!016I64x!) to ByteCount (0x%2!016I64x!) that we have to zero

Fields #

NameDescription
A10_LengthInExtent HexInt64
A11_ByteCount HexInt64

Event ID 115: Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!016I64x!, LengthInExtent: 0xA11_LengthInExtent!016I64x!

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

NameDescription
A10_StartingPhysicalAddrQuadPart HexInt64
A11_LengthInExtent HexInt64

Event ID 116: Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Exiting: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Exiting: ExtentsDescriptorIndex: %1!d! ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 117: Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingOffset!016I64x!, BeyondEndOffset: 0xA12_BeyondEndOffset!016I64x!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingOffset HexInt64
A12_BeyondEndOffset HexInt64

Event ID 118: Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: 0xA11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Dsm Ranges[A10_DataSetRangeIndex]: StartingOffset: 0xA11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset!016I64x!, LengthInBytes: 0xA12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes!016I64x!

Message #

Dsm Ranges[%1!d!]: StartingOffset: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

NameDescription
A10_DataSetRangeIndex Int32
A11_DsmBufferDataSetRangesDataSetRangeIndexStartingOffset HexInt64
A12_DsmBufferDataSetRangesDataSetRangeIndexLengthInBytes HexInt64

Event ID 119: RemainingClusterCount: 0xA10_RemainingClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, DataSetRangeIndex: A11_DataSetRangeIndex.

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_DataSetRangeIndex Int32

Event ID 120: Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, NumberOfRangesReturned: A11_DsmByteAddressRangesNumberOfRangesReturned.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Dsm: TotalNumberOfRanges: A10_DsmByteAddressRangesTotalNumberOfRanges, NumberOfRangesReturned: A11_DsmByteAddressRangesNumberOfRangesReturned.

Message #

Dsm: TotalNumberOfRanges: %1!d!, NumberOfRangesReturned: %2!d!

Fields #

NameDescription
A10_DsmByteAddressRangesTotalNumberOfRanges Int32
A11_DsmByteAddressRangesNumberOfRangesReturned Int32

Event ID 121: DsmOut Ranges[A10_Index]: StartingAddress: 0xA11_DsmByteAddressRangesRangesIndexStartAddress!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DsmOut Ranges[A10_Index]: StartingAddress: 0xA11_DsmByteAddressRangesRangesIndexStartAddress!016I64x!, LengthInBytes: 0xA12_DsmByteAddressRangesRangesIndexLengthInBytes!016I64x!

Message #

DsmOut Ranges[%1!d!]: StartingAddress: 0x%2!016I64x!, LengthInBytes: 0x%3!016I64x!

Fields #

NameDescription
A10_Index Int32
A11_DsmByteAddressRangesRangesIndexStartAddress HexInt64
A12_DsmByteAddressRangesRangesIndexLengthInBytes HexInt64

Event ID 122: Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroing: StartingPhysicalAddr: 0xA10_StartingPhysicalAddrQuadPart!016I64x!, LengthInExtent: 0xA11_LengthInExtent!016I64x!

Message #

Zeroing: StartingPhysicalAddr: 0x%1!016I64x!, LengthInExtent: 0x%2!016I64x!

Fields #

NameDescription
A10_StartingPhysicalAddrQuadPart HexInt64
A11_LengthInExtent HexInt64

Event ID 123: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 124: Entering: Scb: A10_Scb, StartingZero: 0xA11_StartingZero!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Entering: Scb: !p!, StartingZero: 0x!016I64x!, BeyondEndOffset: 0x!016I64x!, ByteCount: 0x!016I64x!, ExtentsDescriptor: !p!, ExtentsDescriptorIndex: !d!, ExtentsDescriptorStartOffset: 0x!016I64x!

Message #

Entering: Scb: %1!p!, StartingZero: 0x%2!016I64x!, BeyondEndOffset: 0x%3!016I64x!, ByteCount: 0x%4!016I64x!, ExtentsDescriptor: %5!p!, ExtentsDescriptorIndex: %6!d!, ExtentsDescriptorStartOffset: 0x%7!016I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingZero HexInt64
A12_BeyondEndOffset HexInt64
A13_ByteCount HexInt64
A14_ExtentsDescriptor Pointer
A15_ExtentsDescriptorIndexExtentsDescriptorIndex0 Int32
A16_ExtentsDescriptorStartOffsetExtentsDescriptorStartOffset0 HexInt64

Event ID 125: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: A10_ExtentsDescriptorIndex, ExtentsDescriptorStartOffset: 0xA11_ExtentsDescriptorStartOffset!016I64x!

Message #

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: %1!d!, ExtentsDescriptorStartOffset: 0x%2!016I64x!

Fields #

NameDescription
A10_ExtentsDescriptorIndex Int32
A11_ExtentsDescriptorStartOffset HexInt64

Event ID 126: IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Scb: A11_Scb; StartOffset: 0xA12_StartOffset!I64x!; ByteCount: 0xA13_ByteCount.

Message #

IrpContext: %1!p!; Scb: %2!p!; StartOffset: 0x%3!I64x!; ByteCount: 0x%4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer
A12_StartOffset HexInt64
A13_ByteCount HexInt32

Event ID 127: Return.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Return. IrpContext: A10_IrpContext.

Message #

Return. IrpContext: %1!p!

Fields #

NameDescription
A10_IrpContext Pointer

Event ID 128: Unexpected open type received: A10_TypeOfOpen.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected open type received: A10_TypeOfOpen.

Message #

Unexpected open type received: %1!u!

Fields #

NameDescription
A10_TypeOfOpen UInt32

Event ID 129: Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: A10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 130: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

NameDescription
A10_Status HexInt32

Event ID 131: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0xA10_Status.

Message #

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x%1!X!

Fields #

NameDescription
A10_Status HexInt32

Event ID 132: Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: A13_CreateContextFileObject, RelatedFileObject: A14_CreateContextFileObjectRelatedFileObject, FileIdBuffer: A15__CreateContextFileObjectF...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: !p!, IC: !p!, Vcb: !p!, FileObject: !p!, RelatedFileObject: !p!, FileIdBuffer: !S!, Options: 0x!08x!, FileAttributes: 0x!04x!, DesiredAccess: 0x!08x!, ShareAccess: 0x!04x!, EaLength: 0x!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, FileIdBuffer: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_Vcb Pointer
A13_CreateContextFileObject Pointer
A14_CreateContextFileObjectRelatedFileObject Pointer
A15__CreateContextFileObjectFileName 25
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CreateContextIrpSpParametersCreateFileAttributes HexInt32
A18_CreateContextDesiredAccess HexInt32
A19_CreateContextIrpSpParametersCreateShareAccess HexInt32
A20_CreateContextIrpSpParametersCreateEaLength HexInt32

Event ID 133: Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_Vcb, FileObject: A13_CreateContextFileObject, RelatedFileObject: A14_CreateContextFileObjectRelatedFileObject, Path: A15__CreateContextFileObjectFileName,...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: !p!, IC: !p!, Vcb: !p!, FileObject: !p!, RelatedFileObject: !p!, Path: !S!, Options: 0x!08x!, FileAttributes: 0x!04x!, DesiredAccess: 0x!08x!, ShareAccess: 0x!04x!, EaLength: 0x!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, FileObject: %4!p!, RelatedFileObject: %5!p!, Path: %6!S!, Options: 0x%7!08x!, FileAttributes: 0x%8!04x!, DesiredAccess: 0x%9!08x!, ShareAccess: 0x%10!04x!, EaLength: 0x%11!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_Vcb Pointer
A13_CreateContextFileObject Pointer
A14_CreateContextFileObjectRelatedFileObject Pointer
A15__CreateContextFileObjectFileName CountedUtf16String
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CreateContextIrpSpParametersCreateFileAttributes HexInt32
A18_CreateContextDesiredAccess HexInt32
A19_CreateContextIrpSpParametersCreateShareAccess HexInt32
A20_CreateContextIrpSpParametersCreateEaLength HexInt32

Event ID 134: NtfsCommonCreate: Volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonCreate: Volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: A14_VcbVcbState.

Message #

NtfsCommonCreate: Volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: %5!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 135: NtfsCommonVolumeOpen: Invalid create disposition for volume open.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: A10_PsGetCurrentThread, CreateDisposition: 0xA11_CreateDisposition.

Message #

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: %1!p!, CreateDisposition: 0x%2!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateDisposition HexInt32

Event ID 136: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 137: NtfsCommonVolumeOpen: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Requested ...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Requested ShareAccess: 0x!08x!, Vcb->CleanupCount: !d!, BiasedCleanupCount: !d!.

Message #

NtfsCommonVolumeOpen: Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->CleanupCount: %6!d!, BiasedCleanupCount: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_IrpSpParametersCreateShareAccess HexInt32
A15_ReadULongNoFence_VcbCleanupCount Int32
A16_BiasedCleanupCount Int32

Event ID 138: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 139: NtfsCommonVolumeOpen: Conlicting file objects.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Requested ShareAccess: 0x%5!08x!, Vcb->ReadOnlyCloseCount: %6!d!, Vcb->CloseCount: %7!d!, Vcb->SystemFileCloseCount: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_IrpSpParametersCreateShareAccess HexInt32
A15_VcbReadOnlyCloseCount Int32
A16_VcbCloseCount Int32
A17_VcbSystemFileCloseCount Int32

Event ID 140: NtfsHandlePagingFile: Paging file already open, paging files can only be opened once.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsHandlePagingFile: Paging file already open, paging files can only be opened once. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->CleanupCount: %7!d!, Fcb->FcbState: 0x%8!08x!, IrpSp->Flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbCleanupCount Int32
A17_FcbFcbState HexInt32
A18_IrpSpFlags HexInt32

Event ID 141: NtfsHandlePagingFile: Cannot open system file as paging file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Fcb->FcbState: 0x!08x!, IrpSp->Flags: 0x!08x!.

Message #

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb->FcbState: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_IrpSpFlags HexInt32

Event ID 142: NtfsHandlePagingFile: Persisted paging file already exists.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsHandlePagingFile: Persisted paging file already exists. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, IrpContext->State: 0x!08x!, IrpSp->Flags: 0x!08x!.

Message #

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, IrpContext->State: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_IrpContextState HexInt32
A17_IrpSpFlags HexInt32

Event ID 143: NtfsOpenFcbById: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 144: NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileAttributes: 0x!08x!, Rmstate: 0x!08x!.

Message #

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateContextCurrentFcbVcb Pointer
A12__CreateContextCurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb CountedUtf16String
A14_CreateContextCurrentFcb Pointer
A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference HexInt64
A16_CreateContextCurrentFcbInfoFileAttributes HexInt32
A17_CreateContextCurrentFcbTxfRmcbRmState HexInt32

Event ID 145: NtfsOpenExistingPrefixFcb: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CreateContextCurrentFcbVcb Pointer
A12__CreateContextCurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCreateContextCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCreateContextCurrentFcbVcbVpb CountedUtf16String
A14_CreateContextCurrentFcb Pointer
A15_NtfsFullFileRefNumber_CreateContextCurrentFcbFileReference HexInt64
A16_CreateContextCurrentFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 146: NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!.

Message #

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32

Event ID 147: NtfsOpenFile: Invalid system file access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Invalid system file access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, CreateDisposition: 0x!08x!, DesiredAccess: 0x!08x!.

Message #

NtfsOpenFile: Invalid system file access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, CreateDisposition: 0x%8!08x!, DesiredAccess: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_CreateContextIrpSpParametersCreateOptions24_0x000000ff HexInt32
A18_CreateContextIrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 148: NtfsOpenFile: Deny open when txf rm is active.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenFile: Deny open when txf rm is active. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, TxfRmcb Rmstate: 0x!08x!.

Message #

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb Rmstate: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfRmcbRmState HexInt32

Event ID 149: NtfsCreateNewFile: Deny creation in system directory (except root).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb): Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!, AttrTypeCode: 0x%9!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ParentScbFcbVcb Pointer
A12__ParentScbFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWParentScbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbFcbVcbVpb CountedUtf16String
A14_ParentScbFcb Pointer
A15_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64
A16_ParentScbFcbFcbState HexInt32
A17_ParentScbFcbTxfRmcbRmState HexInt32
A18_AttrTypeCode HexInt32

Event ID 150: NtfsCreateNewFile: Unable to create Ea for the file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNewFile: Unable to create Ea for the file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Create options: 0x!08x!, Ccb flags: 0x!08x!.

Message #

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Create options: 0x%7!08x!, Ccb flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextIrpSpParametersCreateOptions HexInt32
A17_CcbFlags HexInt32

Event ID 151: NtfsCreateNewFile: Unable to create in the $txf directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, (Parent Fcb) Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, TxfRmcb state: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ParentScbVcb Pointer
A12__ParentScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWParentScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHParentScbVcbVpb CountedUtf16String
A14_ParentScbFcb Pointer
A15_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64
A16_ParentScbFcbFcbState HexInt32
A17_ParentScbFcbTxfRmcbRmState HexInt32

Event ID 152: NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, TxfRmcb state: 0x!08x!.

Message #

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfRmcb state: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfRmcbRmState HexInt32

Event ID 153: NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NeedEaCount: %7!d!, CreateOptions: 0x%8!08x!, CcbFlags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisEaInformationNeedEaCount Int32
A17_CreateContextIrpSpParametersCreateOptions HexInt32
A18_CcbFlags HexInt32

Event ID 154: NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttrTypeCode to create: 0x%7!x!, CreateDisposition: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_AttrTypeCode HexInt32
A17_CreateDisposition HexInt32

Event ID 155: NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, CreateDisposition: 0x!08x!.

Message #

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CreateDisposition: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateDisposition HexInt32

Event ID 156: NtfsCreateNewFile: Not allowed to create streams on system files.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, AttrTypeCode: 0x!x!.

Message #

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, AttrTypeCode: 0x%8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbFcbState HexInt32
A17_AttrTypeCode HexInt32

Event ID 157: NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, DuplicateInfo attributes: 0x%7!08x!, FileAttributes: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32
A17_FileAttributes HexInt32

Event ID 158: NtfsOverwriteAttr: Denying access due to user being Ea blind.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Create options: 0x!08x!.

Message #

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Create options: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextIrpSpParametersCreateOptions HexInt32

Event ID 159: NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, AttributeTypeCode: 0x%7!x!, Scb state: 0x%8!08x!, Scb HighWaterMark: %9!I64d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CreateContextThisScbAttributeTypeCode HexInt32
A17_CreateContextThisScbState HexInt32
A18_CreateContextThisScbScbTypeDataHighWaterMark Int64

Event ID 160: NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, CreateDisposition: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_AttrCode HexInt32
A15_CreateDisposition HexInt32

Event ID 161: NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, AttributeTypeCode: 0x!x!, DesiredAccess: 0x!08x!.

Message #

NtfsCheckValidAttributeAccess: Only read attributes access is supported on this attribute. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, AttributeTypeCode: 0x%5!x!, DesiredAccess: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_AttrCode HexInt32
A15_IrpSpParametersCreateSecurityContextAccessStateOriginalDesiredAccess HexInt32

Event ID 162: NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: A10_PsGetCurrentThread, AttributeTypeCode: A11_AttrCode.

Message #

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: %1!p!, AttributeTypeCode: %2!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_AttrCode HexInt32

Event ID 163: NtfsOpenAttributeCheck: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess HexInt32

Event ID 164: NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String

Event ID 165: NtfsOpenAttributeCheck: File was granted write access but has image section.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Previously granted access: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateSecurityContextAccessStatePreviouslyGrantedAccess HexInt32

Event ID 166: NtfsOpenAttribute: Denying write access on disallowed writes.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Disallow write count: %8!d!, Desired Access: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbMarkHandleDisallowWritesCount Int32
A18_IrpSpParametersCreateSecurityContextDesiredAccess HexInt32

Event ID 167: NtfsOpenAttribute: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_GrantedAccess HexInt32

Event ID 168: NtfsOpenAttribute: Open for exclusive read access is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_IrpSpParametersCreateShareAccess HexInt32
A17_IrpSpFileObjectFlags HexInt32

Event ID 169: NtfsOpenAttribute: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Requested ShareAccess: 0x%10!08x!, Previously granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_ThisScb Pointer
A17_ThisScbAttributeTypeCode HexInt32
A18__ThisScbAttributeName CountedUtf16String
A19_IrpSpParametersCreateShareAccess HexInt32
A20_GrantedAccess HexInt32

Event ID 170: NtfsOpenAttribute: Open for exclusive read access is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Requested share access: 0x%7!08x!, FO flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_IrpSpParametersCreateShareAccess HexInt32
A17_IrpSpFileObjectFlags HexInt32

Event ID 171: NtfsCheckExistingFile: Desired access conflicts with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Desired Access: 0x%7!08x!, FileAttributes: 0x%8!08x!, SL control flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_IrpSpParametersCreateSecurityContextDesiredAccess HexInt32
A17_ThisFcbInfoFileAttributes HexInt32
A18_IrpSpFlags HexInt32

Event ID 172: NtfsOpenExistingEncryptedStream: No encryption driver found.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileAttributes: 0x!08x!, NtfsData flags: 0x!08x!.

Message #

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, NtfsData flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcbVcb Pointer
A12__CurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb CountedUtf16String
A14_CurrentFcb Pointer
A15_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A16_CurrentFcbInfoFileAttributes HexInt32
A17_NtfsDataFlags HexInt32

Event ID 173: NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Stream attribute flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcbVcb Pointer
A12__CurrentFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWCurrentFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHCurrentFcbVcbVpb CountedUtf16String
A14_CurrentFcb Pointer
A15_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A16_CurrentFcbInfoFileAttributes HexInt32
A17_ThisScbAttributeFlags HexInt32

Event ID 174: NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptionCreateCallback: Encrytion engine fail to encrypt all streams for file with open handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb cleanup count: %7!d!, EncryptionCallBackTable flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisScbVcb Pointer
A12__ThisScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisScbVcbVpb CountedUtf16String
A14_ThisScbFcb Pointer
A15_NtfsFullFileRefNumber_ThisScbFcbFileReference HexInt64
A16_CreateContextCurrentFcbCleanupCount Int32
A17_NtfsDataEncryptionCallBackTableImplementationFlags HexInt32

Event ID 175: NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: A10_PsGetCurrentThread, Fcb: A11_CurrentFcb, FileRef: 0xA12_NtfsFullFileRefNumber_CurrentFcbFileReference!I64x!, TxfRmcb RM state: A13_CurrentFcbTxfRmcbRmState.

Message #

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: %1!p!, Fcb: %2!p!, FileRef: 0x%3!I64x!, TxfRmcb RM state: %4!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_CurrentFcb Pointer
A12_NtfsFullFileRefNumber_CurrentFcbFileReference HexInt64
A13_CurrentFcbTxfRmcbRmState HexInt32

Event ID 176: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Link Name: %7!S!, DesiredAccess: 0x%8!08x!, DesiredShareAccess: 0x%9!08x!, IoShareAccessFlags: 0x%10!08x!, LinkShareAccess->OpenCount: %11!d!, LinkShareAccess->Deleters: %12!d!, LinkShareAccess->SharedDelete: %13!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_LcbFcbVcb Pointer
A12__LcbFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWLcbFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHLcbFcbVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A17_DesiredAccess HexInt32
A18_DesiredShareAccess HexInt32
A19_IoShareAccessFlags HexInt32
A20_LinkShareAccessOpenCount Int32
A21_LinkShareAccessDeleters Int32
A22_LinkShareAccessSharedDelete Int32

Event ID 177: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, DesiredAccess: 0x%9!08x!, DesiredShareAccess: 0x%10!08x!, IoShareAccessFlags: 0x%11!08x!, ShareAccess->OpenCount: %12!d!, ShareAccess->Readers: %13!d!, ShareAccess->Writers: %14!d!, ShareAccess->->Deleters: %15!d!, ShareAccess->SharedRead: %16!d!, ShareAccess->SharedWrite: %17!d!, ShareAccess->SharedDelete: %18!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_DesiredAccess HexInt32
A19_DesiredShareAccess HexInt32
A20_IoShareAccessFlags HexInt32
A21_ShareAccessOpenCount Int32
A22_ShareAccessReaders Int32
A23_ShareAccessWriters Int32
A24_ShareAccessDeleters Int32
A25_ShareAccessSharedRead Int32
A26_ShareAccessSharedWrite Int32
A27_ShareAccessSharedDelete Int32

Event ID 178: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, DesiredAccess: 0x%10!08x!, DesiredShareAccess: 0x%11!08x!, IoShareAccessFlags: 0x%12!08x!, ShareAccess->OpenCount: %13!d!, ShareAccess->Readers: %14!d!, ShareAccess->Writers: %15!d!, ShareAccess->->Deleters: %16!d!, ShareAccess->SharedRead: %17!d!, ShareAccess->SharedWrite: %18!d!, ShareAccess->SharedDelete: %19!d!, LinkShareAccess->OpenCount: %20!d!, LinkShareAccess->Deleters: %21!d!, LinkShareAccess->SharedDelete: %22!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A19_DesiredAccess HexInt32
A20_DesiredShareAccess HexInt32
A21_IoShareAccessFlags HexInt32
A22_ShareAccessOpenCount Int32
A23_ShareAccessReaders Int32
A24_ShareAccessWriters Int32
A25_ShareAccessDeleters Int32
A26_ShareAccessSharedRead Int32
A27_ShareAccessSharedWrite Int32
A28_ShareAccessSharedDelete Int32
A29_LinkShareAccessOpenCount Int32
A30_LinkShareAccessDeleters Int32
A31_LinkShareAccessSharedDelete Int32

Event ID 179: NtfsReCheckShareAccess: Does not meet allow open requirement.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb Type Code: 0x%7!x!, Scb Name: %8!S!, Link Name: %9!S!, Previously granted access: 0x%10!08x!, AccessState->Flags: 0x%11!08x!, DesiredShareAccess: 0x%12!08x!, CreateDisposition: 0x%13!08x!, OpenCount: %14!d!, Readers: %15!d!, Writers: %16!d!, Deleters: %17!d!, SharedRead: %18!d!, Lcb Deleters: %19!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbAttributeTypeCode HexInt32
A17__ScbAttributeName CountedUtf16String
A18_ARGUMENT_PRESENTLcbWppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLengthWppCountedStringWNULL0 CountedUtf16String
A19_AccessStatePreviouslyGrantedAccess HexInt32
A20_AccessStateFlags HexInt32
A21_DesiredShareAccess HexInt32
A22_CreateDisposition HexInt32
A23_ScbShareAccessOpenCount Int32
A24_ScbShareAccessReaders Int32
A25_ScbShareAccessWriters Int32
A26_ScbShareAccessDeleters Int32
A27_ScbShareAccessSharedRead Int32
A28_ARGUMENT_PRESENTLcbLcbLinkShareAccessDeleters0 Int32

Event ID 180: A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 181: A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 182: A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 183: A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine Status: A12_Status ProcessName: A13__ProcessName.

Message #

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_Status HexInt32
A13__ProcessName CountedMbcsString

Event ID 184: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at A11_StartingCluster!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Will tell storage we are freeing at A11_StartingCluster!I64x! for A12_RunLength clusters.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Will tell storage we are freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingCluster HexInt64
A12_RunLength HexInt32

Event ID 185: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Flush requested.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Flush requested

Fields #

NameDescription
A10_Vcb Pointer

Event ID 186: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext A11_MarkUnusedContext, DEALLOCATED_CLUSTERS A12_MarkUnusedContextDeallocatedClusters, MCB A13__MarkUnusedContextDeallocatedCl...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Created new MarkUnusedContext A11_MarkUnusedContext, DEALLOCATED_CLUSTERS A12_MarkUnusedContextDeallocatedClusters, MCB A13__MarkUnusedContextDeallocatedClustersMcb.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Created new MarkUnusedContext %2!p!, DEALLOCATED_CLUSTERS %3!p!, MCB %4!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_MarkUnusedContextDeallocatedClusters Pointer
A13__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 187: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting at A11_StartingCluster!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Successfully added clusters starting at A11_StartingCluster!I64x! for A12_RunLength into MCB A13__MarkUnusedContextDeallocatedClustersMcb.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Successfully added clusters starting at %2!I64x! for %3!x! into MCB %4!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingCluster HexInt64
A12_RunLength HexInt32
A13__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 188: NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB A11__MarkUnusedContextDeallocatedClustersMcb is full.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - MCB A11__MarkUnusedContextDeallocatedClustersMcb is full.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - MCB %2!p! is full

Fields #

NameDescription
A10_Vcb Pointer
A11__MarkUnusedContextDeallocatedClustersMcb Pointer

Event ID 189: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, MUC A11_MarkUnusedContext, IC A12_IrpContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Queuing request to IC pre-trim list, MUC A11_MarkUnusedContext, IC A12_IrpContext.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! - Queuing request to IC pre-trim list, MUC %2!p!, IC %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_IrpContext Pointer

Event ID 190: NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial MarkUnusedContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSendUnusedClustersHint: Vcb A10_Vcb - Failed to allocate/initial MarkUnusedContext.

Message #

NtfsSendUnusedClustersHint: Vcb %1!p! -  Failed to allocate/initial MarkUnusedContext

Fields #

NameDescription
A10_Vcb Pointer

Event ID 191: NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!I64x!, SrcOrigClusCt A13_SrcDeallocatedClustersClusterCount!I64x!, SrcDSRL A14_SrcDsmAttrDataSetRangesLength - Entering.

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, SrcOrigClusCt %4!I64x!, SrcDSRL %5!x! - Entering

Fields #

NameDescription
A10_Src Pointer
A11_Dst Pointer
A12_SrcClustersCount HexInt64
A13_SrcDeallocatedClustersClusterCount HexInt64
A14_SrcDsmAttrDataSetRangesLength HexInt32

Event ID 192: NtfsTransferMaxDataSetRanges: Src A10_Src, Dst A11_Dst, SrcRemainClusCt A12_SrcClustersCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsTransferMaxDataSetRanges: Src !p!, Dst !p!, SrcRemainClusCt !I64x!, DstClusCt !I64x!, DstDSRL !x!, DstLIB !I64x!, DstSOff !I64x! - Leaving.

Message #

NtfsTransferMaxDataSetRanges: Src %1!p!, Dst %2!p!, SrcRemainClusCt %3!I64x!, DstClusCt %4!I64x!, DstDSRL %5!x!, DstLIB %6!I64x!, DstSOff %7!I64x! - Leaving

Fields #

NameDescription
A10_Src Pointer
A11_Dst Pointer
A12_SrcClustersCount HexInt64
A13_DstClustersCount HexInt64
A14_DstDsmAttrDataSetRangesLength HexInt32
A15_DstFirstDataSetRangePtrLengthInBytes HexInt64
A16_DstFirstDataSetRangePtrStartingOffset HexInt64

Event ID 193: NtfsMarkUnusedContextPostTrimProcessing: Entering

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Entering.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Entering

Event ID 194: NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DC A12_VcbDeallocatedClusters!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DC A12_VcbDeallocatedClusters!I64x!, DCIT A13_VcbDeallocatedClustersListLengthInTrim, DCTD A14_VcbDeallocatedClustersListLengthToDrain, CC A15_ClustersClusterCount!I64x!, IR A16_InitialRanges.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - DC %3!I64x!, DCIT %4!x!, DCTD %5!x!, CC %6!I64x!, IR %7!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_VcbDeallocatedClusters HexInt64
A13_VcbDeallocatedClustersListLengthInTrim HexInt32
A14_VcbDeallocatedClustersListLengthToDrain HexInt32
A15_ClustersClusterCount HexInt64
A16_InitialRanges HexInt32

Event ID 195: NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Removed interior slab(s) from TP map - [LCN A12_StartingLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb !p!, MUC !p! - Removed interior slab(s) from TP map - [LCN !I64X!, len !I64X!] => [LCN !I64X!, len !I64X!], [LCN !I64X!, len !I64X!].

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p!, MUC %2!p! - Removed interior slab(s) from TP map - [LCN %3!I64X!, len %4!I64X!] => [LCN %5!I64X!, len %6!I64X!], [LCN %7!I64X!, len %8!I64X!]

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_StartingLcn HexInt64
A13_ClusterCount HexInt64
A14_FreeClusterBase1 HexInt64
A15_FreeClusterCount1 HexInt64
A16_FreeClusterBase2 HexInt64
A17_FreeClusterCount2 HexInt64

Event ID 196: NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - Releasing bitmap.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - Releasing bitmap

Fields #

NameDescription
A10_Vcb Pointer

Event ID 197: NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount A11_VcbCloseCount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb A10_Vcb - CloseCount A11_VcbCloseCount.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Vcb %1!p! - CloseCount %2!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCloseCount HexInt32

Event ID 198: NtfsMarkUnusedContextPostTrimProcessing: Leaving

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Leaving.

Message #

NtfsMarkUnusedContextPostTrimProcessing: Leaving

Event ID 199: NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp A10_Irp.

Message #

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp %1!p!

Fields #

NameDescription
A10_Irp Pointer

Event ID 200: NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - Entering.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb, IC A11_IrpContext - Entering.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p!, IC %2!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 201: NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off DelayedWorkQueue.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Kicked off DelayedWorkQueue.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Kicked off DelayedWorkQueue

Fields #

NameDescription
A10_Vcb Pointer

Event ID 202: NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb A10_Vcb - Leaving.

Message #

NtfsMarkUnusedContextPreTrimProcessing: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 203: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb A10_Vcb.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 204: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC A11_SmallMarkUnusedContext instead of MUC A12_MarkUnusedContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Small MUC A11_SmallMarkUnusedContext instead of MUC A12_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Small MUC %2!p! instead of MUC %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_SmallMarkUnusedContext Pointer
A12_MarkUnusedContext Pointer

Event ID 205: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate small MUC so use MUC A11_MarkUnusedContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Failed to allocate small MUC so use MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Failed to allocate small MUC so use MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 206: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down. MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down.  MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 207: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - [A12_TrimEntryCount] Offset A13_DataSetRangePtrStartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - [A12_TrimEntryCount] Offset A13_DataSetRangePtrStartingOffset!I64x!, Length A14_DataSetRangePtrLengthInBytes!I64x! - trim entry.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - [%3!x!] Offset %4!I64x!, Length %5!I64x! - trim entry

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_TrimEntryCount HexInt32
A13_DataSetRangePtrStartingOffset HexInt64
A14_DataSetRangePtrLengthInBytes HexInt64

Event ID 208: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext, Irp A12_IrpUsed - Completed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext, Irp A12_IrpUsed - Completed.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p!, Irp %3!p! - Completed

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_IrpUsed Pointer

Event ID 209: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - A12_Status - failed to send.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb, MUC A11_MarkUnusedContext - A12_Status - failed to send.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p!, MUC %2!p! - %3!x! - failed to send

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_Status HexInt32

Event ID 210: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC A11_MarkUnusedContext to post trim list.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Add MUC A11_MarkUnusedContext to post trim list.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Add MUC %2!p! to post trim list

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 211: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC A11_MarkUnusedContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Free small MUC A11_MarkUnusedContext.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Free small MUC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 212: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down failed with A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb A10_Vcb - Sending storage ioctl down failed with A11_Status. MUC A12_MarkUnusedContext, Count A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL!I64x!

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb %1!p! - Sending storage ioctl down failed with %2!x!.  MUC %3!p!, Count %4!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32
A12_MarkUnusedContext Pointer
A13_MarkUnusedContextNULL__MarkUnusedContextDeallocatedClustersNULLMarkUnusedContextDeallocatedClustersClusterCount1LL HexInt64

Event ID 213: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving.

Message #

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Leaving

Event ID 214: NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC A11_DeallocatedClusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - There are waiters for DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - There are waiters for DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 215: NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC A11_DeallocatedClusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Waking up waiter for DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Waking up waiter for DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 216: NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC A11_DeallocatedClusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb A10_Vcb - Done waking up DC A11_DeallocatedClusters.

Message #

NtfsWakeupDeallocatedClustersWaiters: Vcb %1!p! - Done waking up DC %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClusters Pointer

Event ID 217: NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb, All A11_All - Entering.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p!, All %2!x! - Entering

Fields #

NameDescription
A10_Vcb Pointer
A11_All HexInt32

Event ID 218: NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting to drain.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting to drain

Fields #

NameDescription
A10_Vcb Pointer

Event ID 219: NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Waiting for partial drain.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Waiting for partial drain

Fields #

NameDescription
A10_Vcb Pointer

Event ID 220: NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Message #

NtfsWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 221: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Entering.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 222: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted A11_DeallocatedClustersToWaitForDeallocatedClusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Inserted A11_DeallocatedClustersToWaitForDeallocatedClusters.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Inserted %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DeallocatedClustersToWaitForDeallocatedClusters Pointer

Event ID 223: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb A10_Vcb - Leaving.

Message #

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 224: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait for DC A11_DeallocatedClustersToWaitForDeallocatedClusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb A10_IrpContextVcb - Wait for DC A11_DeallocatedClustersToWaitForDeallocatedClusters.

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb %1!p! - Wait for DC %2!p!

Fields #

NameDescription
A10_IrpContextVcb Pointer
A11_DeallocatedClustersToWaitForDeallocatedClusters Pointer

Event ID 225: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds (s), Exceeded by A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocate...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for !d! (s), Exceeded by !d! (s), IC !p!, Vcb !p!, DC !p!

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

NameDescription
A10_WaitInSeconds Int32
A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0 Int32
A12_IrpContext Pointer
A13_IrpContextVcb Pointer
A14_DeallocatedClusters Pointer

Event ID 226: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for A10_WaitInSeconds (s), Exceeded by A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocate...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for !d! (s), Exceeded by !d! (s), IC !p!, Vcb !p!, DC !p!

Message #

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for %1!d! (s), Exceeded by %2!d! (s), IC %3!p!, Vcb %4!p!, DC %5!p!

Fields #

NameDescription
A10_WaitInSeconds Int32
A11_CurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartULONGCurrentTimeQuadPartDeallocatedClustersToWaitForEndTimeQuadPartNtfsDataSystemTimeIncrementINTERVAL_ONE_SECOND0 Int32
A12_IrpContext Pointer
A13_IrpContextVcb Pointer
A14_DeallocatedClusters Pointer

Event ID 227: NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold A11_VcbDeallocatedClustersListLengthInTrim.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckForTrimThrottling: Vcb A10_Vcb - hitting trim threshold A11_VcbDeallocatedClustersListLengthInTrim.

Message #

NtfsCheckForTrimThrottling: Vcb %1!p! - hitting trim threshold %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbDeallocatedClustersListLengthInTrim Int32

Event ID 228: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Entering.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 229: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

NameDescription
A10_Vcb Pointer

Event ID 230: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredSyncResource A11_AcquiredVcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredSyncResource A11_AcquiredVcb.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredSyncResource %2!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_AcquiredVcb UInt32

Event ID 231: NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping deallocated clusters gen'd by smart trim.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - Skipping deallocated clusters gen'd by smart trim.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - Skipping deallocated clusters gen'd by smart trim

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 232: NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run A12_RunIndex; offs 0xA13_StartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - MCB run A12_RunIndex; offs 0xA13_StartingOffset!I64X!, len 0xA14_LengthInBytes!I64X!

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - MCB run %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_RunIndex UInt32
A13_StartingOffset HexInt64
A14_LengthInBytes HexInt64

Event ID 233: NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count A12_DataSetRangeCount, MCB count A13_McbRunCount, ST free slots A14_SmartTrimFreeRangeCount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - MUC A11_MarkUnusedContext, DSR count A12_DataSetRangeCount, MCB count A13_McbRunCount, ST free slots A14_SmartTrimFreeRangeCount.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MUC %2!p!, DSR count %3!u!, MCB count %4!u!, ST free slots %5!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_DataSetRangeCount UInt32
A13_McbRunCount UInt32
A14_SmartTrimFreeRangeCount UInt32

Event ID 234: NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range A12_RunIndex; offs 0xA13_DataSetRangeStartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb, MUC A11_MarkUnusedContext - DSR range A12_RunIndex; offs 0xA13_DataSetRangeStartingOffset!I64X!, len 0xA14_DataSetRangeLengthInBytes!I64X!

Message #

NtfsUpdateSmartTrimState: Vcb %1!p!, MUC %2!p! - DSR range %3!u!; offs 0x%4!I64X!, len 0x%5!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer
A12_RunIndex UInt32
A13_DataSetRangeStartingOffset HexInt64
A14_DataSetRangeLengthInBytes HexInt64

Event ID 235: NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - MCB lcn A11_StartingLcn!I64X! len A12_ClusterCount!I64X! maps to TP map bits [0xA13_FirstTpMapBit, 0xA14_LastTpMapBit].

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - MCB lcn %2!I64X! len %3!I64X! maps to TP map bits [0x%4!X!, 0x%5!X!]

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcn HexInt64
A12_ClusterCount HexInt64
A13_FirstTpMapBit HexInt32
A14_LastTpMapBit HexInt32

Event ID 236: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; A11_SmartTrimStateSlabRangesCount ranges.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Smart trim state on exit; A11_SmartTrimStateSlabRangesCount ranges.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Smart trim state on exit; %2!u! ranges:

Fields #

NameDescription
A10_Vcb Pointer
A11_SmartTrimStateSlabRangesCount UInt32

Event ID 237: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit 0xA12_SlabRangeFirstTPMapBit, LastTPMapBit 0xA13_SlabRangeLastTPMapBit.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Range A11_SlabRangeIndex: FirstTPMapBit 0xA12_SlabRangeFirstTPMapBit, LastTPMapBit 0xA13_SlabRangeLastTPMapBit.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Range %2!u!: FirstTPMapBit 0x%3!X!, LastTPMapBit 0x%4!X!

Fields #

NameDescription
A10_Vcb Pointer
A11_SlabRangeIndex UInt32
A12_SlabRangeFirstTPMapBit HexInt32
A13_SlabRangeLastTPMapBit HexInt32

Event ID 238: NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb A10_Vcb - Leaving.

Message #

NtfsUpdateSmartTrimState: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 239: NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Entering.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Entering

Fields #

NameDescription
A10_Vcb Pointer

Event ID 240: NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed

Fields #

NameDescription
A10_Vcb Pointer

Event ID 241: NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap A11_AcquiredBitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Precondition checks failed; AcquiredBitmap A11_AcquiredBitmap.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Precondition checks failed; AcquiredBitmap %2!u!

Fields #

NameDescription
A10_Vcb Pointer
A11_AcquiredBitmap UInt32

Event ID 242: NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for allocations.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Checking slab 0xA11_TpMapBit for allocations.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Checking slab 0x%2!X! for allocations

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32

Event ID 243: NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will not trim.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Slab 0xA11_TpMapBit has allocations, will not trim.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Slab 0x%2!X! has allocations, will not trim

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32

Event ID 244: NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit 0xA11_TpMapBit, lcn A12_SlabBaseLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Free slab found - TP map bit 0xA11_TpMapBit, lcn A12_SlabBaseLcn!I64X!, len A13_SlabLengthInClusters!I64X!

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Free slab found - TP map bit 0x%2!X!, lcn %3!I64X!, len %4!I64X!

Fields #

NameDescription
A10_Vcb Pointer
A11_TpMapBit HexInt32
A12_SlabBaseLcn HexInt64
A13_SlabLengthInClusters HexInt64

Event ID 245: NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb A10_Vcb - Leaving.

Message #

NtfsEvalSmartTrimState: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 246: NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 247: NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Message #

NtfsFlushAllTrimHintsSynchronous (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 248: NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, VcbState: 0x!08x!, SL control flags: 0x!08x!.

Message #

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, SL control flags: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_IrpSpFlags HexInt32

Event ID 249: NtfsVolumeDasdIo: Data section blocking flush.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsVolumeDasdIo: Data section blocking flush. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush status: A14_Status.

Message #

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 250: Could not find paging file run.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file run.

Message #

Could not find paging file run.

Event ID 251: Could not find paging file MCB entry.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file MCB entry.

Message #

Could not find paging file MCB entry.

Event ID 252: Could not find paging file run.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Could not find paging file run.

Message #

Could not find paging file run.

Event ID 253: Writing to $Bitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Writing to $Bitmap. Vcb: A10_ScbVcb, Offset: 0xA11_StartingVbo!I64x!, Length: 0xA12_ByteCount.

Message #

Writing to $Bitmap. Vcb: %1!p!, Offset: 0x%2!I64x!, Length: 0x%3!x!

Fields #

NameDescription
A10_ScbVcb Pointer
A11_StartingVbo HexInt64
A12_ByteCount HexInt32

Event ID 254: NTFS: Posting hotfix on file object: A10_FileObject.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Posting hotfix on file object: A10_FileObject.

Message #

NTFS: Posting hotfix on file object: %1!p!

Fields #

NameDescription
A10_FileObject Pointer

Event ID 255: NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Freeing Bad Vcn: A10_ULONGBadVcn!08x!, A11_PLARGE_INTEGER_BadVcnHighPart!08x!

Message #

NTFS:     Freeing Bad Vcn: %1!08x!, %2!08x!

Fields #

NameDescription
A10_ULONGBadVcn HexInt32
A11_PLARGE_INTEGER_BadVcnHighPart HexInt32

Event ID 256: NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Retiring Bad Lcn: A10_ULONGBadLcn!08x!, A11_PLARGE_INTEGER_BadLcnHighPart!08x!

Message #

NTFS:     Retiring Bad Lcn: %1!08x!, %2!08x!

Fields #

NameDescription
A10_ULONGBadLcn HexInt32
A11_PLARGE_INTEGER_BadLcnHighPart HexInt32

Event ID 257: NTFS: Reallocating Bad Vcn

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Reallocating Bad Vcn.

Message #

NTFS:     Reallocating Bad Vcn

Event ID 258: NTFS: Bad Cluster replaced

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS: Bad Cluster replaced.

Message #

NTFS:     Bad Cluster replaced

Event ID 259: IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!08x!

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_NewBufferSize HexInt32

Event ID 260: Compression buffers are already big enough.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0xA10_NewBufferSize!08x!, ExistingBufferSize: 0xA11_NtfsGetCompressionBufferSize!08x!

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

NameDescription
A10_NewBufferSize HexInt32
A11_NtfsGetCompressionBufferSize HexInt32

Event ID 261

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

%1

Fields #

NameDescription
A10_Status HexInt32

Event ID 262: IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IrpContext: A10_IrpContext; Vcb: A11_Vcb; NewBufferSize: 0xA12_NewBufferSize!08x!

Message #

IrpContext: %1!p!; Vcb: %2!p!; NewBufferSize: 0x%3!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12_NewBufferSize HexInt32

Event ID 263: Compression buffers are already big enough.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0xA10_NewBufferSize!08x!, ExistingBufferSize: 0xA11_NtfsGetUsaBufferSizeVcb!08x!

Message #

Compression buffers are already big enough. NewBufferSize: 0x%1!08x!, ExistingBufferSize: 0x%2!08x!

Fields #

NameDescription
A10_NewBufferSize HexInt32
A11_NtfsGetUsaBufferSizeVcb HexInt32

Event ID 264

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

%1

Fields #

NameDescription
A10_Status HexInt32

Event ID 265: NtfsDefragFileInternal: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 266: NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal: Vcb A10_Vcb - Calling FRD.

Message #

NtfsDefragFileInternal: Vcb %1!p! - Calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 267: NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal: Vcb A10_Vcb - Done calling FRD.

Message #

NtfsDefragFileInternal: Vcb %1!p! - Done calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 268: NtfsDefragFileInternal: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefragFileInternal: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 269: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, Len !x!, DA !d!, Status !x! - copy offload.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x! - copy offload

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_CopyLength HexInt32
A19_FlagsUseDelayedAllocation Int32
A20_Status HexInt32

Event ID 270: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, Len !x!, DA !d!, Status !x!

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, Len %9!x!, DA %10!d!, Status %11!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_CopyLength HexInt32
A19_FlagsUseDelayedAllocation Int32
A20_MyStatus HexInt32

Event ID 271: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, CurrLcn A14_Lcn!I64x!, Len A15_CopyLength, Status A16_MyStatus - read completed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, CurrLcn %5!I64x!, Len %6!x!, Status %7!x! - read completed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_Lcn HexInt64
A15_CopyLength HexInt32
A16_MyStatus HexInt32

Event ID 272: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, NewLcn A14_MoveDataStartingLcnQuadPart!I64x!, Len A15_CopyLength, Status A16_MyStatus - write completed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, NewLcn %5!I64x!, Len %6!x!, Status %7!x! - write completed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingLcnQuadPart HexInt64
A15_CopyLength HexInt32
A16_MyStatus HexInt32

Event ID 273: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(!p!,!p!): Scb !p!, FRef !I64x!, Vcn !I64x!, CC !I64x!, CurrLcn !I64x!, NewLcn !I64x!, DA !d!, ValidClusters !I64x! - beyond VDL.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x!, CurrLcn %7!I64x!, NewLcn %8!I64x!, DA %9!d!, ValidClusters %10!I64x! - beyond VDL

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64
A16_Lcn HexInt64
A17_MoveDataStartingLcnQuadPart HexInt64
A18_FlagsUseDelayedAllocation Int32
A19_ValidClusters HexInt64

Event ID 274: NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFileInternal(A10_Vcb,A11_IrpContext): Scb A12_Scb, FRef A13_NtfsFullFileRefNumber_ScbFcbFileReference!I64x!, Vcn A14_MoveDataStartingVcnQuadPart!I64x!, CC A15_TransferClusters!I64x! - committed.

Message #

NtfsDefragFileInternal(%1!p!,%2!p!): Scb %3!p!, FRef %4!I64x!, Vcn %5!I64x!, CC %6!I64x! - committed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A14_MoveDataStartingVcnQuadPart HexInt64
A15_TransferClusters HexInt64

Event ID 275: NtfsDefragFile: Defrag is denied without manage volume access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDefragFile: Defrag is denied without manage volume access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb flags: 0x!08x!.

Message #

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_FcbNULLNtfsFullFileRefNumber_FcbFileReference0 HexInt64
A16_CcbNULLCcbFlags0 HexInt32

Event ID 276: NtfsEncryptDecryptOnline: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18_ScbAttributeNameBuffer UnicodeString
A19_ScbPersist HexInt32
A20_CcbFlags HexInt32

Event ID 277: NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb A10_Vcb - Calling FRD.

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 278: NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb A10_Vcb - Done calling FRD.

Message #

NtfsEncryptDecryptOnline: Vcb %1!p! - Done calling FRD

Fields #

NameDescription
A10_Vcb Pointer

Event ID 279: NtfsEncryptDecryptOnline: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsEncryptDecryptOnline: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 280: SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

SCB: A10_Scb, VDL=0xA11_ScbHeaderValidDataLengthQuadPart!I64x!, FS=0xA12_ScbHeaderFileSizeQuadPart!I64x!, StartOff=0xA13_QueryDaxExtentsFileOffset!I64x!, StartVcn=0xA14_StartingVcn!I64x!, Length=0xA15_QueryDaxExtentsLength!I64x!

Message #

SCB: %1!p!, VDL=0x%2!I64x!, FS=0x%3!I64x!, StartOff=0x%4!I64x!, StartVcn=0x%5!I64x!, Length=0x%6!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbHeaderValidDataLengthQuadPart HexInt64
A12_ScbHeaderFileSizeQuadPart HexInt64
A13_QueryDaxExtentsFileOffset HexInt64
A14_StartingVcn HexInt64
A15_QueryDaxExtentsLength HexInt64

Event ID 281: StartOff=0xA10_QueryDaxExtentsFileOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

StartOff=0x!I64x!, Length=0x!I64x!, EffectiveLength=0x!I64x! StartVcn=0x!I64x!, BeyondEndVcn=0x!I64x!, Clusters=0x!I64x!, LastVcnInFile=0x!I64x!

Message #

StartOff=0x%1!I64x!, Length=0x%2!I64x!, EffectiveLength=0x%3!I64x! StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!, Clusters=0x%6!I64x!, LastVcnInFile=0x%7!I64x!

Fields #

NameDescription
A10_QueryDaxExtentsFileOffset HexInt64
A11_QueryDaxExtentsLength HexInt64
A12_EffectiveInputFileRegionLength HexInt64
A13_StartingVcn HexInt64
A14_BeyondEndVcn HexInt64
A15_RemainingClusterCount HexInt64
A16_LastVcnInFile HexInt64

Event ID 282: NumberOfValidRuns: 0

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NumberOfValidRuns: 0.

Message #

NumberOfValidRuns: 0

Event ID 283: RemainingClusterCount: 0xA10_RemainingClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, DataSetRangeIndex: A11_DataSetRangeIndex, OutputBufferLength: 0xA12_OutputBufferLength.

Message #

RemainingClusterCount: 0x%1!I64x!, DataSetRangeIndex: %2!d!, OutputBufferLength: 0x%3!d!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_DataSetRangeIndex Int32
A12_OutputBufferLength Int32

Event ID 284: STATUS_BUFFER_TOO_SMALL from FsLib.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns, MaxRuns: 0xA11_MaxRuns, BytesReturned: 0xA12_BytesReturned!I64x!

Message #

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x%1!x!, MaxRuns: 0x%2!x!, BytesReturned: 0x%3!I64x!

Fields #

NameDescription
A10_ExtentsDescriptorNumberOfValidRuns HexInt32
A11_MaxRuns HexInt32
A12_BytesReturned HexInt64

Event ID 285: Made an educated guess for remaining runs.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Made an educated guess for remaining runs. RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, NumberOfValidRuns: 0xA11_ExtentsDescriptorNumberOfValidRuns.

Message #

Made an educated guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_ExtentsDescriptorNumberOfValidRuns HexInt32

Event ID 286: Made a wild guess for remaining runs.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Made a wild guess for remaining runs. RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, NumberOfValidRuns: 0xA11_ExtentsDescriptorNumberOfValidRuns.

Message #

Made a wild guess for remaining runs. RemainingClusterCount: 0x%1!I64x!, NumberOfValidRuns: 0x%2!x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_ExtentsDescriptorNumberOfValidRuns HexInt32

Event ID 287: NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NumberOfValidRuns: 0xA10_ExtentsDescriptorNumberOfValidRuns!08x!, MaxRuns: 0xA11_MaxRuns!08x!, Status: 0xA12_Status!08x!, BytesReturned: 0xA13_BytesReturned!I64x!

Message #

NumberOfValidRuns: 0x%1!08x!, MaxRuns: 0x%2!08x!, Status: 0x%3!08x!, BytesReturned: 0x%4!I64x!

Fields #

NameDescription
A10_ExtentsDescriptorNumberOfValidRuns HexInt32
A11_MaxRuns HexInt32
A12_Status HexInt32
A13_BytesReturned HexInt64

Event ID 288: BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

BasePage: 0xA10_ExtentsDescriptorRunIndexBasePage!-16I64x!, PageCount: 0xA11_ExtentsDescriptorRunIndexPageCount!-16I64x!

Message #

BasePage: 0x%1!-16I64x!, PageCount: 0x%2!-16I64x!

Fields #

NameDescription
A10_ExtentsDescriptorRunIndexBasePage HexInt64
A11_ExtentsDescriptorRunIndexPageCount HexInt64

Event ID 289: About to zero range - ZeroStart: 0xA10_ZeroStart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

About to zero range - ZeroStart: 0xA10_ZeroStart!016I64x!, ZeroEnd: 0xA11_ZeroEnd!016I64x!

Message #

About to zero range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

NameDescription
A10_ZeroStart HexInt64
A11_ZeroEnd HexInt64

Event ID 290: Zeroed range - ZeroStart: 0xA10_ZeroStart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Zeroed range - ZeroStart: 0xA10_ZeroStart!016I64x!, ZeroEnd: 0xA11_ZeroEnd!016I64x!

Message #

Zeroed range - ZeroStart: 0x%1!016I64x!, ZeroEnd: 0x%2!016I64x!

Fields #

NameDescription
A10_ZeroStart HexInt64
A11_ZeroEnd HexInt64

Event ID 291: NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 292: NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb access flags: 0x%10!08x!, Granted access: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ARGUMENT_PRESENTCcbCcbAccessFlags0 HexInt32
A20_ARGUMENT_PRESENTCreateContextCreateContextPreviouslyGrantedAccess0 HexInt32

Event ID 293: NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 294: NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb flags: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULLCcbFlags0 HexInt32

Event ID 295: NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Device Object flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbVcbVpbRealDeviceFlags HexInt32

Event ID 296: NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Fcb state: !x!.

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: %7!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbFcbState HexInt32

Event ID 297: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfNumWriters count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbTxfFcbTxfNumWriters Int32

Event ID 298: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, TxfNumWriters count: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbToDeleteFcb Pointer
A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference HexInt64
A16_LcbToDelete Pointer
A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength CountedUtf16String
A18_LcbToDeleteTxfNumWriters Int32

Event ID 299: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Cleanup count: !d!.

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Cleanup count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_RenameCleanupTargetLinkFcb Pointer
A15_NtfsFullFileRefNumber_RenameCleanupTargetLinkFcbFileReference HexInt64
A16_RenameCleanupTargetLinkFcbCleanupCount Int32

Event ID 300: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link name: %8!S!, Link cleanup count: %9!d!, SplitPrimaryLcb: %10!p!, Split link name: %11!S!, Split link cleanup count: %12!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbToDeleteFcb Pointer
A15_NtfsFullFileRefNumber_LcbToDeleteFcbFileReference HexInt64
A16_LcbToDelete Pointer
A17_WppCountedStringWLcbToDeleteFileNameAttrFileNameUSHORTLcbToDeleteFileNameAttrFileNameLength CountedUtf16String
A18_LcbToDeleteCleanupCount Int32
A19_SplitPrimaryLcb Pointer
A20_SplitPrimaryLcbNULLWppCountedStringWSplitPrimaryLcbFileNameAttrFileNameUSHORTSplitPrimaryLcbFileNameAttrFileNameLengthWppCountedStringWNULL0 CountedUtf16String
A21_SplitPrimaryLcbNULLSplitPrimaryLcbCleanupCount0 Int32

Event ID 301: NtfsSetRenameInfo: Can not rename a file marked for deletion.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Fcb state: 0x%7!08x!, Lcb: %8!p!, link name: %9!S!, link name flag: 0x%10!08x!, link state: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_LcbFcbFcbState HexInt32
A17_Lcb Pointer
A18_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A19_LcbFileNameAttrFlags HexInt32
A20_LcbLcbState HexInt32

Event ID 302: NtfsSetRenameInfo: Can not rename a txf directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename a txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, File attributes: 0x!08x!.

Message #

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, File attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbFcbInfoFileAttributes HexInt32

Event ID 303: NtfsSetRenameInfo: Can not rename into a system directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename into a system directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!.

Message #

NtfsSetRenameInfo: Can not rename into a system directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16_TargetParentScbFcbFcbState HexInt32

Event ID 304: NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, Rmstate: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16_TargetParentScbFcbInfoFileAttributes HexInt32
A17_TargetParentScbFcbFcbState HexInt32

Event ID 305: NtfsSetRenameInfo: The file should not have in-memory directory descendents.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!.

Message #

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64

Event ID 306: NtfsSetRenameInfo: Child Scb mismatch.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRenameInfo: Child Scb mismatch. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Potential child FileRef: !I64x!.

Message #

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Potential child FileRef: %7!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64

Event ID 307: NtfsSetLinkInfo: Set link info is not allowed on txf directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FileName: !S!.

Message #

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 308: NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, TxfVisibleLinks: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 309: NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileName: %7!S!, SeAccessCheck status: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_AccessStatus HexInt32

Event ID 310: NtfsSetLinkInfo: Creating a link in system directory is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, NewLinkName: !S!.

Message #

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16__NewLinkName CountedUtf16String

Event ID 311: NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, NewLinkName: %7!S!, Target RM state: %8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TargetParentScbFcb Pointer
A15_NtfsFullFileRefNumber_TargetParentScbFcbFileReference HexInt64
A16__NewLinkName CountedUtf16String
A17_TargetParentScbFcbTxfRmcbRmState HexInt32

Event ID 312: NtfsSetShortNameInfo: Can not set a short name on a deleted file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Lcb: !p!, Link Name: !S!.

Message #

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_Lcb Pointer
A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String

Event ID 313: NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Lcb: %7!p!, Link Name: %8!S!, Parent FileRef: %9!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_LcbFcb Pointer
A15_NtfsFullFileRefNumber_LcbFcbFileReference HexInt64
A16_Lcb Pointer
A17_WppCountedStringWLcbFileNameAttrFileNameUSHORTLcbFileNameAttrFileNameLength CountedUtf16String
A18_NtfsFullFileRefNumber_ParentScbFcbFileReference HexInt64

Event ID 314: NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Stream cleanup count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_NextScbVcb Pointer
A12__NextScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb CountedUtf16String
A14_NextScbFcb Pointer
A15_NtfsFullFileRefNumber_NextScbFcbFileReference HexInt64
A16_NextScbCleanupCount Int32

Event ID 315: NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, ByID opens: %7!d!, Stream cleanup count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_NextScbVcb Pointer
A12__NextScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWNextScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHNextScbVcbVpb CountedUtf16String
A14_NextScbFcb Pointer
A15_NtfsFullFileRefNumber_NextScbFcbFileReference HexInt64
A16_ByIdCcbs Int32
A17_NextScbCleanupCount Int32

Event ID 316: NtfsStreamRename: Deny access due to encryption happening on source stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsStreamRename: Deny access due to encryption happening on source stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb state: 0x%10!08x! Scb HighWaterMark: %11!I64d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbState HexInt32
A20_ScbScbTypeDataHighWaterMark Int64

Event ID 317: NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsProcessTreeForRename: Deny access due to number of batch oplocks has grown. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Previous batch oplock count: %7!d!, current batch oplock count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_DirectoryScbVcb Pointer
A12__DirectoryScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWDirectoryScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHDirectoryScbVcbVpb CountedUtf16String
A14_DirectoryScbFcb Pointer
A15_NtfsFullFileRefNumber_DirectoryScbFcbFileReference HexInt64
A16_ULONGIrpIoStatusInformation Int32
A17_BatchOplockCount Int32

Event ID 318: NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, Fcb: A12_Fcb, LocalFlags: A13_LocalFlagsEntireFlags!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, Fcb: A12_Fcb, LocalFlags: A13_LocalFlagsEntireFlags!#08x!

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Vcb: %2!p!, Fcb: %3!p!, LocalFlags: %4!#08x!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12_Fcb Pointer
A13_LocalFlagsEntireFlags HexInt32

Event ID 319: NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: A10_PsGetCurrentThread, Scb: A11_Scb.

Message #

NtfsFlushVolumeFlushSingleFcb: Thread: %1!p!, Scb: %2!p!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Scb Pointer

Event ID 320: NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: A12_LocalFlagsEntireFlags!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume: Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, LocalFlags: A12_LocalFlagsEntireFlags!#08x!

Message #

NtfsFlushVolume: Thread: %1!p!, Vcb: %2!p!, LocalFlags: %3!#08x!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12_LocalFlagsEntireFlags HexInt32

Event ID 321: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: A10_VcbBitmapScb Vcb: A11_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: A10_VcbBitmapScb Vcb: A11_Vcb.

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: %1!p! Vcb: %2!p!

Fields #

NameDescription
A10_VcbBitmapScb Pointer
A11_Vcb Pointer

Event ID 322: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: A10_VcbMftScb Vcb: A11_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: A10_VcbMftScb Vcb: A11_Vcb.

Message #

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: %1!p! Vcb: %2!p!

Fields #

NameDescription
A10_VcbMftScb Pointer
A11_Vcb Pointer

Event ID 323: NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into completion queue.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into completion queue.

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into completion queue

Fields #

NameDescription
A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb Pointer
A11_Context Pointer

Event ID 324: NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into WorkQueue - Flink A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb - Add context A11_Context into WorkQueue - Flink A12_NtfsDataDiskFlushContextCompletedWorkItemListFlink.

Message #

NtfsFlushCompletionRoutine: Vcb %1!p! - Add context %2!p! into WorkQueue - Flink %3!p!

Fields #

NameDescription
A10_PNTFS_DISK_FLUSH_CONTEXTContextVcb Pointer
A11_Context Pointer

Event ID 325: NtfsDiskFlushContextWorkItemProcessing: Process work item

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDiskFlushContextWorkItemProcessing: Process work item.

Message #

NtfsDiskFlushContextWorkItemProcessing: Process work item

Event ID 326: NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on.

Message #

NtfsDiskFlushContextWorkItemProcessing: Nothing to work on

Event ID 327: Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: A13_IrpSpMinorFunction!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Irp: A10_Irp, IC: A11_IrpContext, Vcb: A12_IrpContextVcb, MinorCode: A13_IrpSpMinorFunction!02x!, FsControlCode: 0xA14_FsControlCode!08x!

Message #

Irp: %1!p!, IC: %2!p!, Vcb: %3!p!, MinorCode: %4!02x!, FsControlCode: 0x%5!08x!

Fields #

NameDescription
A10_Irp Pointer
A11_IrpContext Pointer
A12_IrpContextVcb Pointer
A13_IrpSpMinorFunction HexInt32
A14_FsControlCode HexInt32

Event ID 328: NtfsLockVolumeInternal: Cannot lock the volume.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!, DisallowDismountCount: %6!d!, ExplicitLock: %7!d!, Volume CleanupCount: %8!d!, Handle count: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_VcbDisallowDismountCount Int32
A16_ExplicitLock10 Int32
A17_ReadULongNoFence_VcbCleanupCount Int32
A18_UserHandleCountSystemHandleCountVcbExternalMetadataCleanupCount Int32

Event ID 329: NtfsLockVolumeInternal: Volume is already locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Volume is already locked.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Vcb State: 0xA14_VcbVcbState!08x!.

Message #

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Vcb State: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 330: NtfsLockVolumeInternal: Failed to flush system files on the volume.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush Status: A14_Status.

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 331: NtfsLockVolumeInternal: Failed to flush system files on the volume.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Flush Status: A14_Status.

Message #

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Flush Status: %5!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Status HexInt32

Event ID 332: NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Volume close count: %5!d!, System file close count: %6!d!, User handle count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbCloseCount Int32
A15_VcbSystemFileCloseCount Int32
A16_UserHandleCount Int32

Event ID 333: NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsLockVolume: Cannot lock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 334: NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Active RM count: !d!, Default RM Active: !d!.

Message #

NtfsLockVolume: Cannot lock volume due to active secondary RMs on the volume. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Active RM count: %5!d!, Default RM Active: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ActiveRmCount Int32
A15_DefaultRmActive10 Int32

Event ID 335: A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL}) up for auto-restart.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL}) up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcbTxfVcbDefaultRm Pointer
A12_VcbTxfVcbDefaultRmNULL_VcbTxfVcbDefaultRmRmIdNULL GUID

Event ID 336: NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 337: NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsDismountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 338: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 339: NtfsDismountVolume: Cannot dismount volume due to volume being locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 340: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!, ReadOnlyCloseCount: %6!d!, CloseCount: %7!d!, SystemFileCloseCount: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32
A15_VcbReadOnlyCloseCount Int32
A16_VcbCloseCount Int32
A17_VcbSystemFileCloseCount Int32

Event ID 341: NtfsDismountVolume: Could not flush trim hints.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDismountVolume: Could not flush trim hints. Couldn't make progress flushing log.Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsDismountVolume: Could not flush trim hints.  Couldn't make progress flushing log.Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 342: NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 343: NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 344: NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 345: NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 346: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32

Event ID 347: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, TypeOfOpen: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32
A15_TypeOfOpen Int32

Event ID 348: NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Irp Request Mode: %6!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32
A15_IrpRequestorMode Int32

Event ID 349: NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 350: NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 351: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege, backup access or can bypass traverse checks. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32
A15_CcbFlags HexInt32

Event ID 352: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!, Ccb flags: 0x%6!08x!, CallerId: %7!d!, Context owner ID: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbAccessFlags HexInt32
A15_CcbFlags HexInt32
A16_CallerId Int32
A17_ContextOwnerId Int32

Event ID 353: NtfsSetSparse: Caller does not have appropriate write access to the stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetSparse: Caller does not have appropriate write access to the stream. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, FileObject write access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_FileObjectWriteAccess10 Int32

Event ID 354: NtfsSetSparse: Cannot desparse encrypted file without write data access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetSparse: Cannot desparse encrypted file without write data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Scb attributes: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_ScbAttributeFlags HexInt32

Event ID 355: NtfsZeroRange: User mode caller not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsZeroRange: User mode caller not allowed. Thread: A10_PsGetCurrentThread, Zero flags: 0xA11_ZeroFlags!08x!, Irp Requestor Mode: A12_IrpRequestorMode.

Message #

NtfsZeroRange: User mode caller not allowed. Thread: %1!p!, Zero flags: 0x%2!08x!, Irp Requestor Mode: %3!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ZeroFlags HexInt32
A12_IrpRequestorMode Int32

Event ID 356: IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IC: A10_IrpContext, Scb: A11_Scb, FileObject: A12_IrpSpFileObject.

Message #

IC: %1!p!, Scb: %2!p!, FileObject: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Scb Pointer
A12_IrpSpFileObject Pointer

Event ID 357: IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

IC: A10_IrpContext, EncryptionOperation: 0xA11_EncryptionOperation!08x!

Message #

IC: %1!p!, EncryptionOperation: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_EncryptionOperation HexInt32

Event ID 358: NtfsReadRawEncrypted: Caller does not have backup access or read data access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 359: NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 360: NtfsWriteRawEncrypted: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 361: NtfsLookupStreamFromCluster: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsLookupStreamFromCluster: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 362: NtfsChangeVolumeSize: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsChangeVolumeSize: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 363: NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize (A10_Vcb): Calling NtfsFreeRecentlyDeallocated.

Message #

NtfsChangeVolumeSize (%1!p!): Calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 364: NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsChangeVolumeSize (A10_Vcb): Done calling NtfsFreeRecentlyDeallocated.

Message #

NtfsChangeVolumeSize (%1!p!): Done calling NtfsFreeRecentlyDeallocated

Fields #

NameDescription
A10_Vcb Pointer

Event ID 365: NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, HandleInfo flags: 0x%9!08x!, Irp Requestor Mode: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_HandleInfoHandleInfo HexInt32
A19_IrpRequestorMode Int32

Event ID 366: NtfsMarkHandle: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkHandle: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_DasdCcbNULLDasdCcbAccessFlags0!08x!.

Message #

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_DasdCcbNULLDasdCcbAccessFlags0 HexInt32

Event ID 367: NtfsMarkHandle: Cannot deny defrag.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, HandleInfo flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_HandleInfoHandleInfo HexInt32

Event ID 368: NtfsMarkHandle: Cannot deny Frs consolidation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState2: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState2 HexInt32
A17_Scb Pointer
A18_ScbAttributeTypeCode HexInt32
A19__ScbAttributeName CountedUtf16String
A20_ScbPersist HexInt32
A21_HandleInfoHandleInfo HexInt32

Event ID 369: NtfsMarkHandle: Cannot filter metadata.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, Scb: %8!p!, Scb Type Code: 0x%9!x!, Scb Name: %10!S!, Persist flags: 0x%11!08x!, HandleInfo flags: 0x%12!08x!, Irp RequestorMode: %13!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_Scb Pointer
A18_ScbAttributeTypeCode HexInt32
A19__ScbAttributeName CountedUtf16String
A20_ScbPersist HexInt32
A21_HandleInfoHandleInfo HexInt32
A22_IrpRequestorMode Int32

Event ID 370: NtfsMarkHandle: Mark handle is not allowed on system files.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, FcbState: 0x!08x!, HandleInfo flags: !x!.

Message #

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FcbState: 0x%7!08x!, HandleInfo flags: %8!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_ScbFcbFcbState HexInt32
A17_HandleInfoHandleInfo HexInt32

Event ID 371: NtfsMarkHandle: File already has user writable references.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: File already has user writable references. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, HandleInfo: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_HandleInfoHandleInfo HexInt32

Event ID 372: NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Writers: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbShareAccessWriters Int32

Event ID 373: NtfsPrefetchFile: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 374: NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetZeroOnDeallocate: Only allowed on regular user files opened for write. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, WriteAccess: %6!d!, Fcb: %7!p!, FileRef: 0x%8!I64x!, FcbState: %9!x!, Scb AttributeTypeCode: 0x%10!x!, Ccb FullFileName: %11!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_IrpSpFileObjectWriteAccess10 Int32
A16_ScbFcb Pointer
A17_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A18_ScbAttributeTypeCode HexInt32
A19_ScbFcbFcbState HexInt32
A20_CcbNULL_CcbFullFileNameNULL CountedUtf16String

Event ID 375: NtfsSetShortNameBehavior: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 376: Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to A11_InputParameter.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0xA10_PVOIDVcb to A11_InputParameter.

Message #

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x%1!p! to %2!u!.

Fields #

NameDescription
A10_PVOIDVcb Pointer
A11_InputParameter UInt32

Event ID 377: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 378: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 379: NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, NtfsData Flags: !x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Volsnap hints are disabled by registry. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, NtfsData Flags: %5!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String
A14_NtfsDataFlags HexInt32

Event ID 380: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 381: Resetting Volsnap behavior for VCB = 0xA10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Resetting Volsnap behavior for VCB = 0xA10_Vcb. New state is 0xA11_VcbVcbState.

Message #

Resetting Volsnap behavior for VCB = 0x%1!p!.  New state is 0x%2!x!.

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbVcbState HexInt32

Event ID 382: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 383: NtfsCorruptionHandling: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, Ccb access flags: 0xA14_CcbNULLCcbAccessFlags0!08x!.

Message #

NtfsCorruptionHandling: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Ccb access flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_CcbNULLCcbAccessFlags0 HexInt32

Event ID 384: NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsGlobalCorruptionHandling: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 385: Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: A11_ScrubResumeContextResumeVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub resume from SystemScbIndex: A10_ScrubResumeContextSystemScbIndex Vcn: A11_ScrubResumeContextResumeVcn!#I64x! + A12_ScrubResumeContextResumeVcnOffset!#x!

Message #

Scrub resume from SystemScbIndex: %1!u! Vcn: %2!#I64x! + %3!#x!

Fields #

NameDescription
A10_ScrubResumeContextSystemScbIndex UInt32
A11_ScrubResumeContextResumeVcn HexInt64
A12_ScrubResumeContextResumeVcnOffset HexInt32

Event ID 386: Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub resume from Vcn: A11_ScrubResumeContextResumeVcn!#I64x! + A12_ScrubResumeContextResumeVcnOffset!#x!

Message #

Scb:%1!p! Scrub resume from Vcn: %2!#I64x! + %3!#x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubResumeContextResumeVcn HexInt64
A12_ScrubResumeContextResumeVcnOffset HexInt32

Event ID 387: Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub SystemScbIndex: A10_ScrubResumeContextSystemScbIndex.

Message #

Scrub SystemScbIndex: %1!u!

Fields #

NameDescription
A10_ScrubResumeContextSystemScbIndex UInt32

Event ID 388: NtfsScrubData: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32

Event ID 389: Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Message #

Scrub not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTxfScb Pointer

Event ID 390: Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop.

Message #

Scrub SCRUB_DATA_INPUT_FLAG_SKIP_NON_INTEGRITY_DATA is request. noop

Event ID 391: Scb:A10_Scb ScrubInternal OperationStatus: A11_ScrubContextOperationStatus Repaired: A12_ScrubContextNumberOfBytesRepaired!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:!p! ScrubInternal OperationStatus: !S! Repaired: !#I64x! Failed: !#I64x! FileOffset: !#I64x! Length: !#I64x! ParityExtentCount: !u!

Message #

Scb:%1!p! ScrubInternal OperationStatus: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! FileOffset: %5!#I64x! Length: %6!#I64x! ParityExtentCount: %7!u!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubContextOperationStatus HexInt32
A12_ScrubContextNumberOfBytesRepaired HexInt64
A13_ScrubContextNumberOfBytesFailed HexInt64
A14_ScrubContextErrorFileOffset HexInt64
A15_ScrubContextErrorLength HexInt64
A16_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 392: Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: A12_ScrubContextNumberOfBytesRepaired!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb ScrubInternal Status: A11_Status Repaired: A12_ScrubContextNumberOfBytesRepaired!#I64x! Failed: A13_ScrubContextNumberOfBytesFailed!#I64x! ParityExtentCount: A14_ScrubContextParityExtentDataNumberOfParityExtents.

Message #

Scb:%1!p! ScrubInternal Status: %2!S! Repaired: %3!#I64x! Failed: %4!#I64x! ParityExtentCount: %5!u!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32
A12_ScrubContextNumberOfBytesRepaired HexInt64
A13_ScrubContextNumberOfBytesFailed HexInt64
A14_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 393: InternalFileReference: A10_InternalFileReference.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

InternalFileReference: A10_InternalFileReference.

Message #

InternalFileReference: %1!u!

Fields #

NameDescription
A10_InternalFileReference UInt32

Event ID 394: InternalFileReference:A10_InternalFileReference.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

InternalFileReference:A10_InternalFileReference.

Message #

InternalFileReference:%1!u!

Fields #

NameDescription
A10_InternalFileReference UInt32

Event ID 395: Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel ParityExtentCount:A13_ScrubContextParityExtentDataNumberOfParityExtents.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Incomplete IoCount:A11_ScrubIoCount Cancel:A12_IrpCancel ParityExtentCount:A13_ScrubContextParityExtentDataNumberOfParityExtents.

Message #

Scb:%1!p! Incomplete IoCount:%2!u! Cancel:%3!u! ParityExtentCount:%4!u!

Fields #

NameDescription
A10_Scb Pointer
A11_ScrubIoCount UInt32
A12_IrpCancel UInt32
A13_ScrubContextParityExtentDataNumberOfParityExtents UInt32

Event ID 396: Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping resident attribute (d) (A11__ScbAttributeName).

Message #

Scb:%1!p! Scrub skipping resident attribute (d) (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 397: Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping resident attribute (A11__ScbAttributeName).

Message #

Scb:%1!p! Scrub skipping resident attribute (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 398: Scb:A10_Scb Scrub StartingVcn.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub StartingVcn(A11_StartingVcn!#I64d!) is negative.

Message #

Scb:%1!p! Scrub StartingVcn(%2!#I64d!) is negative

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn Int64

Event ID 399: Scb:A10_Scb Scrub starting vcn is beyond VDL.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub starting vcn is beyond VDL (FileOffset: A11_FileScrubOffset!#I64x!, SectorAlignedVdl: A12_SectorAlignedVdl!#I64x!).

Message #

Scb:%1!p! Scrub starting vcn is beyond VDL (FileOffset: %2!#I64x!, SectorAlignedVdl: %3!#I64x!)

Fields #

NameDescription
A10_Scb Pointer
A11_FileScrubOffset HexInt64
A12_SectorAlignedVdl HexInt64

Event ID 400: Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub no more Mcb entries from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! Scrub no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 401: Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb Scrub skipping UNUSED_LCN Vcn: A11_StartingVcn!#I64x!, ClusterCount: A12_ClusterCount!#I64x!

Message #

Scb:%1!p! Scrub skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ClusterCount HexInt64

Event ID 402: Scb:A10_Scb StartingVcn:A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb StartingVcn:A11_StartingVcn!#I64x! is beyond Vdl.

Message #

Scb:%1!p! StartingVcn:%2!#I64x! is beyond Vdl

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 403: Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb ScrubDsmRange [A11_DsmRangeStartingOffset!#I64x!,A12_DsmRangeStartingOffsetDsmRangeLengthInBytes!#I64x!) Length:A13_DsmRangeLengthInBytes!#I64x! (Bytes) StartingVcn:A14_StartingVcn!#I64x! + A15_StartingVcnOffset!#x! SectorAlignedVdl:A16_SectorAlignedVdl!#I64x!

Message #

Scb:%1!p! ScrubDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) StartingVcn:%5!#I64x! + %6!#x! SectorAlignedVdl:%7!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_DsmRangeStartingOffset HexInt64
A12_DsmRangeStartingOffsetDsmRangeLengthInBytes HexInt64
A13_DsmRangeLengthInBytes HexInt64
A14_StartingVcn HexInt64
A15_StartingVcnOffset HexInt32
A16_SectorAlignedVdl HexInt64

Event ID 404: Scrub found problems Scb: A10_Scb Vcn A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scrub found problems Scb: !p! Vcn !#I64x! FileOffset: !#I64x! Length: !#I64x! Status: !S! BytesFailed: !#I64x! BytesRepaired: !#I64x! NewParityExtents: !u!

Message #

Scrub found problems Scb: %1!p! Vcn %2!#I64x! FileOffset: %3!#I64x! Length: %4!#I64x! Status: %5!S! BytesFailed: %6!#I64x! BytesRepaired: %7!#I64x! NewParityExtents: %8!u!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ScrubContextErrorFileOffset HexInt64
A13_ScrubbedLength HexInt64
A14_ScrubContextOperationStatus HexInt32
A15_ScrubContextNumberOfBytesFailed HexInt64
A16_ScrubContextNumberOfBytesRepaired HexInt64
A17_NewParityExtentCount UInt32

Event ID 405: Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Scrub call failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Scrub call failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 406: Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Scrub operation failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Scrub operation failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 407: FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: A10_Scb, TxfScb: A11_ScbTxfScb.

Message #

FSCTL_REPAIR_COPIES not supported for Txf file, Scb: %1!p!, TxfScb: %2!p!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTxfScb Pointer

Event ID 408: Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) (A11__ScbAttributeName).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (d) (A11__ScbAttributeName).

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 409: Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (A11__ScbAttributeName).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping resident attribute (A11__ScbAttributeName).

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Fields #

NameDescription
A10_Scb Pointer
A11__ScbAttributeName CountedUtf16String

Event ID 410: FSCTL_REPAIR_COPIES interrupted by thread termination.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES interrupted by thread termination.

Message #

FSCTL_REPAIR_COPIES interrupted by thread termination.

Event ID 411: FSCTL_REPAIR_COPIES canceled

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FSCTL_REPAIR_COPIES canceled.

Message #

FSCTL_REPAIR_COPIES canceled

Event ID 412: Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 413: Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:A11_StartingVcn!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:%2!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64

Event ID 414: Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: A11_StartingVcn!#I64x!, ClusterCount: A12_ClusterCount!#I64x!

Message #

Scb:%1!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: %2!#I64x!, ClusterCount: %3!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartingVcn HexInt64
A12_ClusterCount HexInt64

Event ID 415: Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb RepairDsmRange [A11_RepairDataSetRangeStartingOffset!#I64x!,A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes!#I64x!) Length:A13_RepairDataSetRangeLengthInBytes!#I64x! (Bytes) FileOffset: A14_RepairFileOffset!#I64x!

Message #

Scb:%1!p! RepairDsmRange [%2!#I64x!,%3!#I64x!) Length:%4!#I64x! (Bytes) FileOffset: %5!#I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_RepairDataSetRangeStartingOffset HexInt64
A12_RepairDataSetRangeStartingOffsetRepairDataSetRangeLengthInBytes HexInt64
A13_RepairDataSetRangeLengthInBytes HexInt64
A14_RepairFileOffset HexInt64

Event ID 416: Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair call failed, Status: A11_Status.

Message #

Scb:%1!p! DsmAction_Repair call failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 417: Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair operation failed, Status: A11_IrpStatus.

Message #

Scb:%1!p! DsmAction_Repair operation failed, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_IrpStatus HexInt32

Event ID 418: Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb:A10_Scb DsmAction_Repair completed, IrpStatus: A11_RepairCopiesOutputStatus.

Message #

Scb:%1!p! DsmAction_Repair completed, IrpStatus: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_RepairCopiesOutputStatus HexInt32

Event ID 419: NtfsQueryCachedRuns: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32

Event ID 420: NtfsQueryStorageClasses: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 421: NtfsQueryRegionInfo: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 422: NtfsUnloadFile: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 423: NtfsCheckForSection: File already has image section.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckForSection: File already has image section. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Scb: !p!, Scb Type Code: 0x!x!, Scb Name: !S!.

Message #

NtfsCheckForSection: File already has image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String

Event ID 424: NtfsShuffleFile: User mode caller is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsShuffleFile: User mode caller is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, TypeOfOpen: !d!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, Irp RequestorMode: !d!.

Message #

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, TypeOfOpen: %5!d!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Irp RequestorMode: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_TypeOfOpen Int32
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_IrpRequestorMode Int32

Event ID 425: NtfsShuffleFile: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsShuffleFile: Denying access due to volume is locked. Thread: !p!, TypeOfOpen: !d!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, VcbState: 0x!08x!.

Message #

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, VcbState: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_VcbVcbState HexInt32

Event ID 426: NtfsShuffleFile: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 427: NtfsShuffleFile: Denying access due to conflicting with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 428: NtfsRearrangeFile: User mode caller is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRearrangeFile: User mode caller is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, Irp RequestorMode: !d!.

Message #

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Irp RequestorMode: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_IrpRequestorMode Int32

Event ID 429: NtfsRearrangeFile: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRearrangeFile: Denying access due to volume is locked. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Ccb FullFileName: !S!, VcbState: 0x!08x!.

Message #

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, VcbState: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_VcbVcbState HexInt32

Event ID 430: NtfsRearrangeFile: Defrag is denied.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Persist flags: 0x%10!08x!, Ccb flags: 0x%11!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbPersist HexInt32
A20_CcbNULLCcbFlags0 HexInt32

Event ID 431: NtfsShuffleFile: Denying access due to conflicting with read-only state.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, FileAttributes: 0x%7!08x!, SL control flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 432: NtfsSparseOverAllocate: Caller does not have appropriate write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FileRef: !I64x!, FullFileName: !S!, Ccb access flags: !x!.

Message #

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FileRef: %5!I64x!, FullFileName: %6!S!, Ccb access flags: %7!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_NtfsFullFileRefNumber_FcbFileReference HexInt64
A15_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A16_CcbNULLCcbAccessFlags0 HexInt32

Event ID 433: NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Scb AttributeTypeCode: %8!x!, FcbState2: %9!x!, Ccb FullFileName: %10!S!, Ccb Access flags: %11!x!, Ccb Flags2: %12!x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_ScbAttributeTypeCode HexInt32
A18_ScbFcbFcbState2 HexInt32
A19_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A20_CcbNULLCcbAccessFlags0 HexInt32
A21_CcbNULLCcbFlags20 HexInt32

Event ID 434: NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Scb AttributeTypeCode: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb Access flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_ScbAttributeTypeCode HexInt32
A18_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A19_CcbNULLCcbAccessFlags0 HexInt32

Event ID 435: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 436: NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, path="A13__DeletedFiles".

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, path="A13__DeletedFiles".

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Open status=0x%3!x!, path="%4!S!"

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32
A13__DeletedFiles CountedUtf16String

Event ID 437: NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate status=0xA12_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Enumerate status=0xA12_Status.

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Enumerate status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 438: NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, file="A13__FileNameToDelete".

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Open status=0xA12_Status, file="A13__FileNameToDelete".

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Open status=0x%3!x!, file="%4!S!"

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32
A13__FileNameToDelete CountedUtf16String

Event ID 439: NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumMountWorker(A10_Vcb,A11_PsGetCurrentThread): Close status=0xA12_Status.

Message #

NtfsEnumMountWorker(%1!p!,%2!p!): Close status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 440: NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir status=0xA12_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(A10_Vcb,A11_PsGetCurrentThread): Close dir status=0xA12_Status.

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!,%2!p!): Close dir status=0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_PsGetCurrentThread Pointer
A12_Status HexInt32

Event ID 441: NtfsCleanVolumeMetadata: Caller not having manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCleanVolumeMetadata: Caller not having manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, EffectiveMode: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32
A19_EffectiveMode Int32

Event ID 442: SCB: A10_Scb, StartOffset: 0xA11_StartOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

SCB: A10_Scb, StartOffset: 0xA11_StartOffset!I64x!, Length: 0xA12_Length!I64x!, StartVcn=0xA13_StartVcn!I64x!, BeyondEndVcn=0xA14_BeyondEndVcn!I64x!

Message #

SCB: %1!p!, StartOffset: 0x%2!I64x!, Length: 0x%3!I64x!, StartVcn=0x%4!I64x!, BeyondEndVcn=0x%5!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_StartOffset HexInt64
A12_Length HexInt64
A13_StartVcn HexInt64
A14_BeyondEndVcn HexInt64

Event ID 443: FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: 0xA11_OutputNumBadRanges.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibGetBadAddressRanges returned Status: A10_Status, NumBadRanges: 0xA11_OutputNumBadRanges.

Message #

FsLibGetBadAddressRanges returned Status: %1, NumBadRanges: 0x%2!x!

Fields #

NameDescription
A10_Status HexInt32
A11_OutputNumBadRanges HexInt32

Event ID 444: FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: 0xA11_FsInputRangesFsInputRangeIndexFileOffset!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsInputRangeIndex: A10_FsInputRangeIndex, FileOffset: 0xA11_FsInputRangesFsInputRangeIndexFileOffset!I64x!, VolumeOffset: 0xA12_FsInputRangesFsInputRangeIndexVolumeOffset!I64x!, LengthInBytes: 0xA13_FsInputRangesFsInputRangeIndexLengthInBytes!I64x!

Message #

FsInputRangeIndex: %1!u!, FileOffset: 0x%2!I64x!, VolumeOffset: 0x%3!I64x!, LengthInBytes: 0x%4!I64x!

Fields #

NameDescription
A10_FsInputRangeIndex UInt32
A11_FsInputRangesFsInputRangeIndexFileOffset HexInt64
A12_FsInputRangesFsInputRangeIndexVolumeOffset HexInt64
A13_FsInputRangesFsInputRangeIndexLengthInBytes HexInt64

Event ID 445: Scb: A10_Scb, Status: A11_Status, AbnormalTermination: A12_BOOLEANAbnormalTermination.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb: A10_Scb, Status: A11_Status, AbnormalTermination: A12_BOOLEANAbnormalTermination.

Message #

Scb: %1!p!, Status: %2!S!, AbnormalTermination: %3!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32
A12_BOOLEANAbnormalTermination UInt8

Event ID 446: Scb: A10_Scb, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Scb: A10_Scb, Status: A11_Status.

Message #

Scb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Scb Pointer
A11_Status HexInt32

Event ID 447: NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 448: Logic error of posting close to work queue.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Logic error of posting close to work queue.

Message #

Logic error of posting close to work queue.

Event ID 449: NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, 'A12__ParentScbScbTypeIndexNormalizedName'} {RemainingName: 'A13_RemainingName'}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Hash table: A10_Table} {ParentScb: A11_ParentScb, 'A12__ParentScbScbTypeIndexNormalizedName'} {RemainingName: 'A13_RemainingName'}.

Message #

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!, '%3!S!'} {RemainingName: '%4!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_ParentScb Pointer
A12__ParentScbScbTypeIndexNormalizedName CountedUtf16String
A13_RemainingName CountedUtf16String

Event ID 450: NtfsFindPrefixHashEntry: {Lcb: NULL}

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb: NULL}.

Message #

NtfsFindPrefixHashEntry: {Lcb: NULL}

Event ID 451: NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, 'A11__FoundLcbExactCaseLinkLinkName'}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb: A10_FoundLcb, 'A11__FoundLcbExactCaseLinkLinkName'}.

Message #

NtfsFindPrefixHashEntry: {Lcb: %1!p!, '%2!S!'}

Fields #

NameDescription
A10_FoundLcb Pointer
A11__FoundLcbExactCaseLinkLinkName CountedUtf16String

Event ID 452: NtfsFindPrefixHashEntry: {Lcb not found}

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb not found}.

Message #

NtfsFindPrefixHashEntry: {Lcb not found}

Event ID 453: NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: A11_NewHashEntryHashValue!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsInsertHashEntry: {Hash table: A10_Table} {HashValue: A11_NewHashEntryHashValue!08x!} {FullNameLength: A12_NewHashEntryFullNameLength} {Lcb: A13_NewHashEntryHashLcb, 'A14__NewHashEntryHashLcbExactCaseLinkLinkName'}.

Message #

NtfsInsertHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {FullNameLength: %3!d!} {Lcb: %4!p!, '%5!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_NewHashEntryHashValue HexInt32
A12_NewHashEntryFullNameLength Int32
A13_NewHashEntryHashLcb Pointer
A14__NewHashEntryHashLcbExactCaseLinkLinkName CountedUtf16String

Event ID 454: NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveHashEntry: {Hash table: A10_Table} {HashValue: A11_HashValue!08x!} {HashLcb: A12_HashLcb, 'A13__HashLcbExactCaseLinkLinkName'}.

Message #

NtfsRemoveHashEntry: {Hash table: %1!p!} {HashValue: %2!08x!} {HashLcb: %3!p!, '%4!S!'}

Fields #

NameDescription
A10_Table Pointer
A11_HashValue HexInt32
A12_HashLcb Pointer
A13__HashLcbExactCaseLinkLinkName CountedUtf16String

Event ID 455: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Checkpoint injection. Count A11_VcbCheckpointInjectionCount.

Message #

Vcb %1!p!.  Checkpoint injection.  Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCheckpointInjectionCount Int32

Event ID 456: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb !p!. Log !d!%!PCT! full. Wait for CC to flush metadata first. Count !d!

Message #

Vcb %1!p!.  Log %2!d!%!PCT! full.  Wait for CC to flush metadata first. Count %3!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_PercentFull Int32
A12_VcbWaitForCcLoggedDataActivityCount Int32

Event ID 457: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Done waiting for CC to flush metadata.

Message #

Vcb %1!p!.  Done waiting for CC to flush metadata

Fields #

NameDescription
A10_Vcb Pointer

Event ID 458: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Injected checkpoint.

Message #

Vcb %1!p!.  Injected checkpoint.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 459: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Start of checkpoint.

Message #

Vcb %1!p!.  Start of checkpoint

Fields #

NameDescription
A10_Vcb Pointer

Event ID 460: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Clean checkpoint. Count A11_VcbCleanCheckpointCount.

Message #

Vcb %1!p!.  Clean checkpoint. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbCleanCheckpointCount Int32

Event ID 461: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Overflowed DPT. Count A11_VcbOverflowedDPTCount.

Message #

Vcb %1!p!.  Overflowed DPT. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbOverflowedDPTCount Int32

Event ID 462: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Fuzzy checkpoint. Count A11_VcbFuzzyCheckpointCount.

Message #

Vcb %1!p!.  Fuzzy checkpoint. Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbFuzzyCheckpointCount Int32

Event ID 463: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush oldest FO. Count A11_VcbFlushOldestFOCount.

Message #

Vcb %1!p!.  Flush oldest FO.  Count %2!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbFlushOldestFOCount Int32

Event ID 464: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush starts with FRef A11_NtfsFullSegmentNumber_ScbFcbFileReference!I64x!

Message #

Vcb %1!p!.  Flush starts with FRef %2!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_NtfsFullSegmentNumber_ScbFcbFileReference HexInt64

Event ID 465: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Flush ends. FO A11_DirtyPageContextOldestFileObject.

Message #

Vcb %1!p!.  Flush ends.  FO %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_DirtyPageContextOldestFileObject Pointer

Event ID 466: NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsCheckpointForVolumeSnapshot: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 467: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Checkpoint completed.

Message #

Vcb %1!p!.  Checkpoint completed.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 468: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb. Leaving NtfsCheckpointVolume.

Message #

Vcb %1!p!.  Leaving NtfsCheckpointVolume.

Fields #

NameDescription
A10_Vcb Pointer

Event ID 469: NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 470: NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 471: NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsWriteLog failure A13_IrpContextExceptionStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsWriteLog failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsWriteLog failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 472: NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsWriteLog failure A13_IrpContextExceptionStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsWriteLog failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsWriteLog failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 473: NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): LfsFlushToLsn failure A13_IrpContextExceptionStatus Count A14_FailedFlushCount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): LfsFlushToLsn failure A13_IrpContextExceptionStatus Count A14_FailedFlushCount.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): LfsFlushToLsn failure %4!x! Count %5!d!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32
A14_FailedFlushCount Int32

Event ID 474: NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Pre NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Pre NtfsProcessNewLengthQueue failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 475: NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Post NtfsProcessNewLengthQueue failure A13_IrpContextExceptionStatus.

Message #

NtfsCommitCurrentTransaction (%1!p!,%2!p!,%3!p!): Post NtfsProcessNewLengthQueue failure %4!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 476: NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 477: NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: %1!p!, TransactionId: 0x%2!08x! Completed

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 478: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: A11_ActiveLsnQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Entering - ActiveLsn: A11_ActiveLsnQuadPart!I64x!, ClearAll: A12_ClearAll.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Entering - ActiveLsn: %2!I64x!, ClearAll: %3!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_ActiveLsnQuadPart HexInt64
A12_ClearAll UInt32

Event ID 479: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 480: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! empty list  - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 481: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters with A11_ClustersClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found frozen deallocated clusters with A11_ClustersClusterCount!I64x! clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found frozen deallocated clusters with %2!I64x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_ClustersClusterCount HexInt64

Event ID 482: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 483: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 484: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters A11_Clusters with A12_ClustersClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Found a deallocated clusters A11_Clusters with A12_ClustersClusterCount!I64x! clusters, Lsn: A13_ClustersLsnQuadPart!I64x!, Flags: A14_ClustersFlags!08x!

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Found a deallocated clusters %2!p! with %3!I64x! clusters, Lsn: %4!I64x!, Flags: %5!08x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Clusters Pointer
A12_ClustersClusterCount HexInt64
A13_ClustersLsnQuadPart HexInt64
A14_ClustersFlags HexInt32

Event ID 485: Vcb: A10_Vcb, Processing range.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb: A10_Vcb, Processing range. DeallocatedClusters: A11_Clusters, RunIndex: A12_i, StartingLcn: A13_StartingLcn!I64x!, ClusterCount: A14_ClusterCount!I64x!

Message #

Vcb: %1!p!, Processing range. DeallocatedClusters: %2!p!, RunIndex: %3!d!, StartingLcn: %4!I64x!, ClusterCount: %5!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_Clusters Pointer
A12_i Int32
A13_StartingLcn HexInt64
A14_ClusterCount HexInt64

Event ID 486: Looking for dangling MDLs

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Looking for dangling MDLs.

Message #

Looking for dangling MDLs

Event ID 487: FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibGroupSubExtentsByDanglingMdl failed: A10_Status.

Message #

FsLibGroupSubExtentsByDanglingMdl failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 488: FsLibAddBaseMcbEntryEx failed: A10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

FsLibAddBaseMcbEntryEx failed: A10_Status.

Message #

FsLibAddBaseMcbEntryEx failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 489: NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: A10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: A10_Status.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 490: NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: A10_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: A10_Status.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: %1

Fields #

NameDescription
A10_Status HexInt32

Event ID 491: No sub extents has dangling MDL

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

No sub extents has dangling MDL.

Message #

No sub extents has dangling MDL

Event ID 492: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at A11_StartingLcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Telling volsnap freeing at A11_StartingLcn!I64x! for A12_ULONGClusterCount clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Telling volsnap freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcn HexInt64
A12_ULONGClusterCount HexInt32

Event ID 493: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at A11_StartingLcnStartingIndex!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Volsnap responsed with freeing at A11_StartingLcnStartingIndex!I64x! for A12_runLength clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Volsnap responsed with freeing at %2!I64x! for %3!x! clusters

Fields #

NameDescription
A10_Vcb Pointer
A11_StartingLcnStartingIndex HexInt64
A12_runLength HexInt32

Event ID 494: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Got error 0xA11_Status from below.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Got error 0x%2!x! from below

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 495: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext A11_MarkUnusedContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Deleting MarkUnusedContext A11_MarkUnusedContext.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Deleting MarkUnusedContext %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_MarkUnusedContext Pointer

Event ID 496: NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb A10_Vcb - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb %1!p! - Leaving

Fields #

NameDescription
A10_Vcb Pointer

Event ID 497: NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_StartingVcn!I64x!, Length: 0xA13_Count!I64x!

Message #

NtfsRemoveNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Length: 0x%4!I64x!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_StartingVcn HexInt64
A13_Count HexInt64

Event ID 498: NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Mcb: A10_Mcb Completed.

Message #

NtfsRemoveNtfsMcbEntry Mcb: %1!p! Completed.

Fields #

NameDescription
A10_Mcb Pointer

Event ID 499: NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddNtfsMcbEntry Scb: A10_McbScb, Mcb: A11_Mcb, Vcn: 0xA12_Vcn!I64x!, Lcn: 0xA13_Lcn!I64x!, Length: 0xA14_RunCount!I64x!

Message #

NtfsAddNtfsMcbEntry Scb: %1!p!, Mcb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Length: 0x%5!I64x!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_Vcn HexInt64
A13_Lcn HexInt64
A14_RunCount HexInt64

Event ID 500: NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAddNtfsMcbEntry Mcb: A10_Mcb, Result: A11_Result.

Message #

NtfsAddNtfsMcbEntry Mcb: %1!p!, Result: %2!S!

Fields #

NameDescription
A10_Mcb Pointer
A11_Result UInt32

Event ID 501: NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: 0xA12_StartingVcn!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Scb: A10_McbScb, Mcb: A11_Mcb, StartVcn: 0xA12_StartingVcn!I64x!, EndVcn: 0xA13_EndingVcn!I64x!, TruncateOnly: A14_TruncateOnly.

Message #

NtfsUnloadNtfsMcbRange Scb: %1!p!, Mcb: %2!p!, StartVcn: 0x%3!I64x!, EndVcn: 0x%4!I64x!, TruncateOnly: %5!S!

Fields #

NameDescription
A10_McbScb Pointer
A11_Mcb Pointer
A12_StartingVcn HexInt64
A13_EndingVcn HexInt64
A14_TruncateOnly UInt32

Event ID 502: NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Mcb: A10_Mcb Completed.

Message #

NtfsUnloadNtfsMcbRange Mcb: %1!p! Completed.

Fields #

NameDescription
A10_Mcb Pointer

Event ID 503: Valid NTFS boot sector.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Valid NTFS boot sector. Vcb: A10_Vcb; BootSector: A11_BootSector.

Message #

Valid NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_BootSector Pointer

Event ID 504: Not an NTFS boot sector.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Not an NTFS boot sector. Vcb: A10_Vcb; BootSector: A11_BootSector; CheckNumber: A12_CheckNumber.

Message #

Not an NTFS boot sector. Vcb: %1!p!; BootSector: %2!p!; CheckNumber: %3!d!

Fields #

NameDescription
A10_Vcb Pointer
A11_BootSector Pointer
A12_CheckNumber Int32

Event ID 505: NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's Attribute List failed with exception:0xA12_IrpContextExceptionStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMountVolume: Vcb:A10_Vcb, IC:A11_IrpContext, Growing allocation for Mft's Attribute List failed with exception:0xA12_IrpContextExceptionStatus.

Message #

NtfsMountVolume: Vcb:%1!p!, IC:%2!p!, Growing allocation for Mft's Attribute List failed with exception:0x%3!x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextExceptionStatus HexInt32

Event ID 506: NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsMountVolume: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsMountVolume: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 507: Mounting DAX partition.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Mounting DAX partition. Vcb: A10_Vcb.

Message #

Mounting DAX partition. Vcb: %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 508: DAX volume mounted without DAX support because storage is not DAX capable.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: A10_Vcb.

Message #

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 509: NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft AttributeList not found, skipping growth.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Mft AttributeList not found, skipping growth.

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Mft AttributeList not found, skipping growth

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 510: NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting Resident AttributeList.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext Converting Resident AttributeList(size:0xA12_AttrListAllocationSize!I64x!) to NonResident.

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p! Converting Resident AttributeList(size:0x%3!I64x!) to NonResident

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_AttrListAllocationSize HexInt64

Event ID 511: NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, AttrListScb:A12_Scb Added Allocation for NonResident AttributeList.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:A10_Vcb, IC:A11_IrpContext, AttrListScb:A12_Scb Added Allocation for NonResident AttributeList (old size:0xA13_AttrListAllocationSize!I64x!).

Message #

NtfsGrowMftsAttributeListAllocation Vcb:%1!p!, IC:%2!p!, AttrListScb:%3!p! Added Allocation for NonResident AttributeList (old size:0x%4!I64x!)

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_Scb Pointer
A13_AttrListAllocationSize HexInt64

Event ID 512: Unexpected exception code of 0xA10_ExceptionCode received.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected exception code of 0xA10_ExceptionCode received.

Message #

Unexpected exception code of 0x%1!x! received

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 513: Exception code of 0xA10_ExceptionCode received during mount.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Exception code of 0xA10_ExceptionCode received during mount.

Message #

Exception code of 0x%1!x! received during mount.

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 514: Unexpected exception code of 0xA10_ExceptionCode received.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected exception code of 0xA10_ExceptionCode received.

Message #

Unexpected exception code of 0x%1!x! received.

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 515: LogFileFull A10_IrpContextLogFullReason BackTrace: ln A11_BackTrace0; ln A12_BackTrace1; ln A13_BackTrace2; ln A14_BackTrace3; ln A15_BackTrace4; ln A16_BackTrace5; ln A17_BackTrace6; ln A18_BackTr...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

LogFileFull BackTrace: ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!; ln !p!

Message #

LogFileFull %1 BackTrace: ln %2!p!; ln %3!p!; ln %4!p!; ln %5!p!; ln %6!p!; ln %7!p!; ln %8!p!; ln %9!p!; ln %10!p!; ln %11!p!; ln %12!p!; ln %13!p!; ln %14!p!; ln %15!p!; ln %16!p!; ln %17!p!; ln %18!p!; ln %19!p!; ln %20!p!; ln %21!p!;

Fields #

NameDescription
A10_IrpContextLogFullReason UInt32
A11_BackTrace0 Pointer
A12_BackTrace1 Pointer
A13_BackTrace2 Pointer
A14_BackTrace3 Pointer
A15_BackTrace4 Pointer
A16_BackTrace5 Pointer
A17_BackTrace6 Pointer
A18_BackTrace7 Pointer
A19_BackTrace8 Pointer
A20_BackTrace9 Pointer
A21_BackTrace10 Pointer
A22_BackTrace11 Pointer
A23_BackTrace12 Pointer
A24_BackTrace13 Pointer
A25_BackTrace14 Pointer
A26_BackTrace15 Pointer
A27_BackTrace16 Pointer
A28_BackTrace17 Pointer
A29_BackTrace18 Pointer
A30_BackTrace19 Pointer

Event ID 516: Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected raise of 0xA10_ExceptionCode during critical non-raise code.

Message #

Unexpected raise of 0x%1!x! during critical non-raise code

Fields #

NameDescription
A10_ExceptionCode HexInt32

Event ID 517: NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!08x!

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ExceptionCode HexInt32

Event ID 518: NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsProcessException IC: A10_IrpContext, ExceptionCode: 0xA11_ExceptionCode!08x!

Message #

NtfsProcessException IC: %1!p!, ExceptionCode: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_ExceptionCode HexInt32

Event ID 519: Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Count A13_NtfsFailedAborts, Status A14_GetExceptionCode.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Count A13_NtfsFailedAborts, Status A14_GetExceptionCode.

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Count %4!x!, Status %5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Irp Pointer
A12_IrpContextVcb Pointer
A13_NtfsFailedAborts HexInt32
A14_GetExceptionCode HexInt32

Event ID 520: Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Scb A13_NextScb, FileRef A14_PULONGLONG_NextScbFcbFileReference!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to abort - IrpContext A10_IrpContext, Irp A11_Irp, Vcb A12_IrpContextVcb, Scb A13_NextScb, FileRef A14_PULONGLONG_NextScbFcbFileReference!I64x!

Message #

Failed to abort - IrpContext %1!p!, Irp %2!p!, Vcb %3!p!, Scb %4!p!, FileRef %5!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Irp Pointer
A12_IrpContextVcb Pointer
A13_NextScb Pointer
A14_PULONGLONG_NextScbFcbFileReference HexInt64

Event ID 521: Setting STATUS_CANT_WAIT in top-level exception status for write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!08x!A11_IrpSpParametersWriteByteOffsetLowPart!08x!

Message #

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x%1!08x!%2!08x!

Fields #

NameDescription
A10_IrpSpParametersWriteByteOffsetHighPart HexInt32
A11_IrpSpParametersWriteByteOffsetLowPart HexInt32

Event ID 522: Setting 0xA10_ExceptionCode in top-level exception status for write @ 0xA11_IrpSpParametersWriteByteOffsetHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Setting 0xA10_ExceptionCode in top-level exception status for write @ 0xA11_IrpSpParametersWriteByteOffsetHighPart!08x!A12_IrpSpParametersWriteByteOffsetLowPart!08x!

Message #

Setting 0x%1!x! in top-level exception status for write @ 0x%2!08x!%3!08x!

Fields #

NameDescription
A10_ExceptionCode HexInt32
A11_IrpSpParametersWriteByteOffsetHighPart HexInt32
A12_IrpSpParametersWriteByteOffsetLowPart HexInt32

Event ID 523: [A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!02x!]: Irp: A12_Irp, IC: A13_IrpContext, Status: A14_Status.

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

NameDescription
A10_IrpSpMajorFunction UInt32
A11_IrpSpMinorFunction HexInt32
A12_Irp Pointer
A13_IrpContext Pointer
A14_Status HexInt32

Event ID 524: [A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

[A10_IrpSpMajorFunction, A11_IrpSpMinorFunction!02x!]: Irp: A12_Irp, IC: A13_IrpContext, Status: A14_Status.

Message #

[%1, %2!02x!]: Irp: %3!p!, IC: %4!p!, Status: %5!S!

Fields #

NameDescription
A10_IrpSpMajorFunction UInt32
A11_IrpSpMinorFunction HexInt32
A12_Irp Pointer
A13_IrpContext Pointer
A14_Status HexInt32

Event ID 525: Can't handle invalid bitmap in a positive way.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Can't handle invalid bitmap in a positive way.

Message #

Can't handle invalid bitmap in a positive way.

Event ID 526: NTFS ETW tracing is now active.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS ETW tracing is now active.

Message #

NTFS ETW tracing is now active.

Event ID 527: Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating NtfsMinTrimTotalSize to A10_MinTrimTotalSize.

Message #

Updating NtfsMinTrimTotalSize to %1!x!.

Fields #

NameDescription
A10_MinTrimTotalSize HexInt32

Event ID 528: Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Updating NtfsMaxTrimTotalSize to A10_MaxTrimTotalSize.

Message #

Updating NtfsMaxTrimTotalSize to %1!x!.

Fields #

NameDescription
A10_MaxTrimTotalSize HexInt32

Event ID 529: NtfsSetObjectId: Caller does not have restore access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 530: NtfsSetObjectIdExtendedInfo: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetObjectIdExtendedInfo: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 531: NtfsDeleteObjectId: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Irp Minor Function: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpMinorFunction HexInt32

Event ID 532: A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12__VcbTxfVcbDefaultRmRmId}) up for auto-restart.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDVcbTxfVcbDefaultRm ({A12__VcbTxfVcbDefaultRmRmId}) up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! ({%3!S!}) up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcbTxfVcbDefaultRm Pointer
A12__VcbTxfVcbDefaultRmRmId GUID

Event ID 533: NtfsFsQuotaSetInfo: Denying access due to administrator limit.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: A10_PsGetCurrentThread, Vcb: A11_IrpContextVcb, VolumeName: A12__IrpContextVcbVolumeName, VolumeLabel: A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb.

Message #

NtfsFsQuotaSetInfo: Denying access due to administrator limit. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_IrpContextVcb Pointer
A12__IrpContextVcbVolumeName CountedUtf16String
A13_WppCountedStringWIrpContextVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHIrpContextVcbVpb CountedUtf16String

Event ID 534: NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetQuota: Caller does not have manage volume privilege and it's not quota file. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: 0x%7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, Ccb Flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_ScbFcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32
A19_CcbFlags HexInt32

Event ID 535: Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected Paging-Read on DAX mappable stream, Scb=A10_Scb.

Message #

Unexpected Paging-Read on DAX mappable stream, Scb=%1!p!

Fields #

NameDescription
A10_Scb Pointer

Event ID 536: NtfsSetReparsePoint: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 537: NtfsSetReparsePointEx: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetReparsePointEx: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 538: NtfsDeleteReparsePoint: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteReparsePoint: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!, File Object Write Access: %9!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32
A18_IrpSpFileObjectWriteAccess Int32

Event ID 539: NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbLogFileObject Pointer
A12_IrpContext Pointer

Event ID 540: NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - deleted Vcb: A10_Vcb, IC: A11_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - deleted Vcb: %1!p!, IC: %2!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 541: NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: A10_Vcb, Vcb->LogFileObject: A11_VcbLogFileObject, IC: A12_IrpContext.

Message #

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: %1!p!, Vcb->LogFileObject: %2!p!, IC: %3!p!

Fields #

NameDescription
A10_Vcb Pointer
A11_VcbLogFileObject Pointer
A12_IrpContext Pointer

Event ID 542: NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 543: NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsAbortTransaction IC: A10_IrpContext, TransactionId: 0xA11_IrpContextTransactionId!08x!

Message #

NtfsAbortTransaction IC: %1!p!, TransactionId: 0x%2!08x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextTransactionId HexInt32

Event ID 544: DoAction::InitializeFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::InitializeFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!

Message #

DoAction::InitializeFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64

Event ID 545: DoAction::DeallocateFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::DeallocateFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!

Message #

DoAction::DeallocateFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64

Event ID 546: DoAction::WriteEndOfFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::WriteEndOfFRS IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA14_AttributeTypeCode Off:0xA15_LogRecordRecordOffset, Len:0xA16_Length.

Message #

DoAction::WriteEndOfFRS IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x! Off:0x%6!x!, Len:0x%7!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_AttributeTypeCode HexInt32
A15_LogRecordRecordOffset HexInt32
A16_Length HexInt32

Event ID 547: DoAction::CreateAttribute IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction::CreateAttribute IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, Attrib:0xA14_PATTRIBUTE_RECORD_HEADERDataTypeCode.

Message #

DoAction::CreateAttribute IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, Attrib:0x%5!x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_PATTRIBUTE_RECORD_HEADERDataTypeCode HexInt32

Event ID 548: NtfsRestartChangeValue IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestartChangeValue IC:A10_IrpContext, FileRef:0xA11_FileRecordSegmentNumberHighPart!04x!_A12_FileRecordSegmentNumberLowPart!08x!, BaseFRS:0xA13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment!012I64x!, FileRef:0xA14_NtfsFullSegmentNumber_FileReference!I64x!

Message #

NtfsRestartChangeValue IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x!, FileRef:0x%5!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_NtfsFullSegmentNumber_FileReference HexInt64

Event ID 549: DoAction::SetNewAttributeSizes IC.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

DoAction::SetNewAttributeSizes IC:%1!p!, FileRef:0x%2!04x!_%3!08x!, BaseFRS:0x%4!012I64x! OLD: Alloc:%5!I64x!, FileSize:%6!I64x!, VDL:%7!I64x!, TotalAlloc:%8!I64x! NEW: Alloc:%9!I64x!, FileSize:%10!I64x!, VDL:%11!I64x!, TotalAlloc:%12!I64x!

Fields #

NameDescription
A10_IrpContext Pointer
A11_FileRecordSegmentNumberHighPart HexInt32
A12_FileRecordSegmentNumberLowPart HexInt32
A13_NtfsFullSegmentNumber_FileRecordBaseFileRecordSegment HexInt64
A14_AttributeFormNonresidentAllocatedLength HexInt64
A15_AttributeFormNonresidentFileSize HexInt64
A16_AttributeFormNonresidentValidDataLength HexInt64
A17_AttributeFormNonresidentTotalAllocated HexInt64
A18_SizesAllocationSize HexInt64
A19_SizesFileSize HexInt64
A20_SizesValidDataLength HexInt64
A21_SizesTotalAllocated HexInt64

Event ID 550: DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction(SetBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Message #

DoAction(SetBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__Bitmap Pointer

Event ID 551: DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

DoAction(ClearBitsInNonresidentBitMap) IC: A10_IrpContext, Vcb: A11_Vcb, Bitmap: A12__Bitmap.

Message #

DoAction(ClearBitsInNonresidentBitMap) IC: %1!p!, Vcb: %2!p!, Bitmap: %3!p!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__Bitmap Pointer

Event ID 552: NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsUpgradeFileSecurity: Denying access due to volume does not support Txf. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64

Event ID 553: NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb Access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String
A17_CcbAccessFlags HexInt32

Event ID 554: NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!.

Message #

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16__CcbFullFileName CountedUtf16String

Event ID 555: NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Txf Writers Count: !d!.

Message #

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Txf Writers Count: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbTxfFcbTxfNumWriters Int32

Event ID 556: NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Original status: !S!.

Message #

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Original status: %7!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_Status HexInt32

Event ID 557: NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, File Attributes: 0x!08x!.

Message #

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32

Event ID 558: NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32

Event ID 559: NtfsCheckFileForDelete: Denying access due to file is not deleteable.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64

Event ID 560: NtfsCheckFileForDelete: Denying access due to target file is read only.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, File Attributes: 0x%7!08x!, IrpSp->Flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_ThisFcbInfoFileAttributes HexInt32
A17_IrpSpFlags HexInt32

Event ID 561: NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb AccessFlags: 0x%7!08x!, TxfAccessCheck access status: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_CcbAccessFlags HexInt32
A17_AccessStatus HexInt32

Event ID 562: NtfsCheckFileForDelete: Denying access due to failing to remove image section.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, AttributeTypeCode: 0x%8!x!, Attribute Name: %9!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ThisFcbVcb Pointer
A12__ThisFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWThisFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHThisFcbVcbVpb CountedUtf16String
A14_ThisFcb Pointer
A15_NtfsFullFileRefNumber_ThisFcbFileReference HexInt64
A16_NextScb Pointer
A17_NextScbAttributeTypeCode HexInt32
A18__NextScbAttributeName CountedUtf16String

Event ID 563: NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 564: NtfsRepairItem: Denying access due to volume is locked.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRepairItem: Denying access due to volume is locked. Thread: A10_PsGetCurrentThread, Vcb: A11_Vcb, VolumeName: A12__VcbVolumeName, VolumeLabel: A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb, VcbState: 0xA14_VcbVcbState!08x!.

Message #

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, VcbState: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbVcbState HexInt32

Event ID 565: NtfsSetRepairState: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 566: NtfsInitiateRepair: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 567: NTFS ETW tracing is shutting down.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NTFS ETW tracing is shutting down.

Message #

NTFS ETW tracing is shutting down.

Event ID 568: NtfsDefineStorageReserve: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 569: NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 570: NtfsRepairStorageReserve: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRepairStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 571: NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetStorageReserveIdInfo: System files are not allowed to be part of a storage reserve. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Fcb State: 0x%7!08x!, Ccb FullFileName: %8!S!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbFcbState HexInt32
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String

Event ID 572: NtfsSetStorageReserveIdInfo: Caller does not have appropriate access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsSetStorageReserveIdInfo: Caller does not have appropriate access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 573: NtfsChangeStorageReserveId: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!, Operation flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32
A18_Flags HexInt32

Event ID 574: NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area".

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsChangeStorageReserveId: Caller does not have manage volume privilege to explicitly setting reserve ID to/from a "restricted area". Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 575: Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to get a non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Message #

Failed to get a non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 576: Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Failed to free non-volatile token for Vcb: A10_Vcb, Status: A11_Status.

Message #

Failed to free non-volatile token for Vcb: %1!p!, Status: %2!S!

Fields #

NameDescription
A10_Vcb Pointer
A11_Status HexInt32

Event ID 577: NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: 0xA11_ScbTotalAllocated!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: A10_Scb, TotalAllocated: 0xA11_ScbTotalAllocated!I64x!

Message #

NtfsRestoreScbSnapshots: Restored TotalAllocated, Scb: %1!p!, TotalAllocated: 0x%2!I64x!

Fields #

NameDescription
A10_Scb Pointer
A11_ScbTotalAllocated HexInt64

Event ID 578: NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: A10_CurrentClusters, Lsn: A11_CurrentClustersLsnQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: A10_CurrentClusters, Lsn: A11_CurrentClustersLsnQuadPart!I64x!

Message #

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: %1!p!, Lsn: %2!I64x!

Fields #

NameDescription
A10_CurrentClusters Pointer
A11_CurrentClustersLsnQuadPart HexInt64

Event ID 579: ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, InsertAfter: A12_InsertAfter.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

ClustersLinkAsHead: A10_ClustersLinkAsHead, FlagsToMatch: 0xA11_FlagsToMatch, InsertAfter: A12_InsertAfter.

Message #

ClustersLinkAsHead: %1!p!, FlagsToMatch: 0x%2!x!, InsertAfter: %3!S!

Fields #

NameDescription
A10_ClustersLinkAsHead Pointer
A11_FlagsToMatch HexInt32
A12_InsertAfter UInt32

Event ID 580: Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Clusters: A10_Clusters, Flags: 0xA11_ClustersFlags.

Message #

Clusters: %1!p!, Flags: 0x%2!x!

Fields #

NameDescription
A10_Clusters Pointer
A11_ClustersFlags HexInt32

Event ID 581: Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Matching cluster: A10_Clusters, NumberOfRuns: 0xA11_NumberOfRuns.

Message #

Matching cluster: %1!p!, NumberOfRuns: 0x%2!x!

Fields #

NameDescription
A10_Clusters Pointer
A11_NumberOfRuns HexInt32

Event ID 582: Clusters: A10_Clusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Clusters: A10_Clusters.

Message #

Clusters: %1!p!

Fields #

NameDescription
A10_Clusters Pointer

Event ID 583: Allocated new deallocated clusters

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Allocated new deallocated clusters.

Message #

Allocated new deallocated clusters

Event ID 584: Need to add Range.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Need to add Range. DanglingMdl: DanglingMdl, DeallocatedClusters: A11_Clusters, Lcn: A12_Lcn!I64x!, ClusterCount: A13_ClusterCount!I64x!

Message #

Need to add Range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

NameDescription
A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL UInt32
A11_Clusters Pointer
A12_Lcn HexInt64
A13_ClusterCount HexInt64

Event ID 585: Added range.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Added range. DanglingMdl: DanglingMdl, DeallocatedClusters: A11_Clusters, Lcn: A12_Lcn!I64x!, ClusterCount: A13_ClusterCount!I64x!

Message #

Added range. DanglingMdl: %1, DeallocatedClusters: %2!p!, Lcn: %3!I64x!, ClusterCount: %4!I64x!

Fields #

NameDescription
A10_FlagOnClustersFlagsDEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL UInt32
A11_Clusters Pointer
A12_Lcn HexInt64
A13_ClusterCount HexInt64

Event ID 586: TxfCheckForLockConflict: File locked for modify transaction.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfCheckForLockConflict: File locked for modify transaction. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!,Fcb: !p!, FileRef: 0x!I64x!, TxfFcb Flags: 0x!08x!, ShareMode: 0x!08x!.

Message #

TxfCheckForLockConflict: File locked for modify transaction. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!,Fcb: %5!p!, FileRef: 0x%6!I64x!, TxfFcb Flags: 0x%7!08x!, ShareMode: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_TxfFcbFlags HexInt32
A17_ShareMode HexInt32

Event ID 587: TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfCheckForLockConflict: Locking transaction is doomed and caller is non-trans or different trans who wants to modify. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32

Event ID 588: TxfCheckForLockConflict: Modification access desired.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfCheckForLockConflict: Modification access desired. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, Granted Access: 0x!08x!.

Message #

TxfCheckForLockConflict: Modification access desired. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32

Event ID 589: TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfCheckForLockConflict: File has user handle opened on one of the versions or user-mapping on a section. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Granted Access: 0x%7!08x!, Reader cleanup count: %8!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_GrantedAccess HexInt32
A17_NextTxfVscbReaderCleanupCount Int32

Event ID 590: A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_AbortR...

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_AbortReasonStatus.

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallerFunction AnsiString
A12_CallerFile AnsiString
A13_CallerLineNumber Int32
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_PVOIDTxfTrans Pointer
A17__TxfTransKtmUow GUID
A18_AbortReasonStatus HexInt32

Event ID 591: A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: from A11_CallerFunction (A12_CallerFile:A13_CallerLineNumber) RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId}, Tx at 0xA16_PVOIDTxfTrans {A17__TxfTransKtmUow}, Status was 0xA18_Status.

Message #

%1: from %2!S! (%3!S!:%4!d!) RM at 0x%5!p! {%6!S!}, Tx at 0x%7!p! {%8!S!}, Status was 0x%9!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallerFunction AnsiString
A12_CallerFile AnsiString
A13_CallerLineNumber Int32
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_PVOIDTxfTrans Pointer
A17__TxfTransKtmUow GUID
A18_Status HexInt32

Event ID 592: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 593: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 594: A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb {A12__CalloutParametersTxfFlushTxfRmcbRmId}: Unexpected exception code of 0xA13_GetExceptionCode received.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDCalloutParametersTxfFlushTxfRmcb {A12__CalloutParametersTxfFlushTxfRmcbRmId}: Unexpected exception code of 0xA13_GetExceptionCode received.

Message #

%1: RM at 0x%2!p! {%3!S!}: Unexpected exception code of 0x%4!x! received.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDCalloutParametersTxfFlushTxfRmcb Pointer
A12__CalloutParametersTxfFlushTxfRmcbRmId GUID
A13_GetExceptionCode HexInt32

Event ID 595: A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: RM metadata corrupt.

Message #

%1: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 596: A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be initialized.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: TM could not be initialized.

Message #

%1: TxfStartRm reports RM will be reset: TM could not be initialized

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 597: A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: RM log corrupt.

Message #

%1: TxfStartRm reports RM will be reset: RM log corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 598: A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: log version changed.

Message #

%1: TxfStartRm reports RM will be reset: log version changed

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 599: A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed.

Message #

%1: TxfStartRm reports RM will be reset: dedicated log found, need multiplexed

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 600: A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated.

Message #

%1: TxfStartRm reports RM will be reset: multiplexed log found, need dedicated

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 601: A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Message #

%1: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString

Event ID 602: A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxfStartRm reports RM will be reset: 0xA11_FailureStatus.

Message #

%1: TxfStartRm reports RM will be reset: 0x%2!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_FailureStatus HexInt32

Event ID 603: A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is 0xA11_FailureStatus!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM did not start and WILL NOT be reset, status code is 0xA11_FailureStatus!

Message #

%1: RM did not start and WILL NOT be reset, status code is 0x%2!x!!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_FailureStatus HexInt32

Event ID 604: A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Could not initialize IrpContext: 0xA11_Status.

Message #

%1: Could not initialize IrpContext: 0x%2!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32

Event ID 605: TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfInitializeVolume: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 606: A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for default RM on VCB at 0xA12_PVOIDVcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0xA11_TempStatus for default RM on VCB at 0xA12_PVOIDVcb.

Message #

%1: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x%2!x! for default RM on VCB at 0x%3!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TempStatus HexInt32
A12_PVOIDVcb Pointer

Event ID 607: A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for default RM on VCB at 0xA13_PVOIDVcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Exception code 0xA11_GetExceptionCode, Status 0xA12_Status for default RM on VCB at 0xA13_PVOIDVcb.

Message #

%1: Exception code 0x%2!x!, Status 0x%3!x! for default RM on VCB at 0x%4!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_GetExceptionCode HexInt32
A12_Status HexInt32
A13_PVOIDVcb Pointer

Event ID 608: A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT tries: 0xA13_OldStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Couldn't reset default RM on VCB at 0xA11_PVOIDVcb after A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT tries: 0xA13_OldStatus.

Message #

%1: Couldn't reset default RM on VCB at 0x%2!p! after %3!d! tries: 0x%4!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDVcb Pointer
A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT Int32
A13_OldStatus HexInt32

Event ID 609: A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0xA12_PVOIDVcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Exception 0xA11_GetExceptionCode raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0xA12_PVOIDVcb. RM will NOT be reset.

Message #

%1: Exception 0x%2!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x%3!p!.  RM will NOT be reset.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_GetExceptionCode HexInt32
A12_PVOIDVcb Pointer

Event ID 610: A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at 0xA12_PVOIDTxfRmcb ({A13__TxfRmcbRmId}): 0xA14_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: A11_NT_SUCCESSStatusSucceededFAILED auto-restart of RM at 0xA12_PVOIDTxfRmcb ({A13__TxfRmcbRmId}): 0xA14_Status.

Message #

%1: %2!S! auto-restart of RM at 0x%3!p! ({%4!S!}): 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_NT_SUCCESSStatusSucceededFAILED AnsiString
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 611: A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Attempting auto-restart of RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Message #

%1: Attempting auto-restart of RM at 0x%2!p! ({%3!S!})

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 612: A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Volume too small to start RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}).

Message #

%1: Volume too small to start RM at 0x%2!p! ({%3!S!})

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 613: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid flags in $Tops.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: invalid flags in $Tops.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: invalid flags in $Tops

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 614: TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 615: A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}): Explicit reset requested.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Raising to reset RM at 0xA11_PVOIDTxfRmcb ({A12__TxfRmcbRmId}): Explicit reset requested.

Message #

%1: Raising to reset RM at 0x%2!p! ({%3!S!}): Explicit reset requested

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 616: TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, FxfVcb flags: 0x!08x!.

Message #

TxfStartRm: Denying access due to Txf start is not allowed (possible racing with dismount or volume shutdown). Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, FxfVcb flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_VcbTxfVcbFlags HexInt32

Event ID 617: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no TXF_DATA in root.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: no TXF_DATA in root.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: no TXF_DATA in root

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 618: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting levels of 0xA13_LogNestingLevel and 0xA14_DiskNestingLevel.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Different nesting levels of 0xA13_LogNestingLevel and 0xA14_DiskNestingLevel.

Message #

%1: RM at 0x%2!p! {%3!S!}: Different nesting levels of 0x%4!x! and 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_LogNestingLevel HexInt32
A14_DiskNestingLevel HexInt32

Event ID 619: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 620: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: restart area already exists.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 621: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in restart area does not match {A13__ClfsRestartAreaRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: RmID in restart area does not match {A13__ClfsRestartAreaRmId}.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: RmID in restart area does not match {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13__ClfsRestartAreaRmId GUID

Event ID 622: A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Got A11_Status from ClfsGetLogFileInformation for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

Message #

%1: Got %2!d! from ClfsGetLogFileInformation for RM at 0x%3!p! {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status Int32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID

Event ID 623: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart LSN is before beginning of log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Restart LSN is before beginning of log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Restart LSN is before beginning of log.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 624: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: MinRollforwardEndLsn is beyond end of log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: MinRollforwardEndLsn is beyond end of log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: MinRollforwardEndLsn is beyond end of log.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 625: A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started successfully.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} started successfully.

Message #

%1: TxF RM at 0x%2!p! {%3!S!} started successfully.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 626: A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to start with Status 0xA13_Status A14_AbnormalTerminationabnormaltermination.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: TxF RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} failed to start with Status 0xA13_Status A14_AbnormalTerminationabnormaltermination.

Message #

%1: TxF RM at 0x%2!p! {%3!S!} failed to start with Status 0x%4!x! %5!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Status HexInt32
A14_AbnormalTerminationabnormaltermination AnsiString

Event ID 627: A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Shutting down A11_TxfIsDefaultRmTxfRmcbdefaultsecondary RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}. Shutdown is A14_ForceDirtyShutdownDIRTYCLEAN.

Message #

%1: Shutting down %2!S! RM at 0x%3!p! {%4!S!}.  Shutdown is %5!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TxfIsDefaultRmTxfRmcbdefaultsecondary AnsiString
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_ForceDirtyShutdownDIRTYCLEAN AnsiString

Event ID 628: A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for auto-restart.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Setting RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} up for auto-restart.

Message #

%1: Setting RM at 0x%2!p! {%3!S!} up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 629: TxfFlushAndInvalidateExistingStructures: File has open user handles.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: 0x!I64x!, CleanupCount: !d!.

Message #

TxfFlushAndInvalidateExistingStructures: File has open user handles. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, CleanupCount: %7!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_FcbFileReference HexInt64
A16_FcbCleanupCount Int32

Event ID 630: (A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - TXF_HARD_ERROR on RM at 0xA12_TxfRmcb ({A13__TxfRmcbRmId}): A14_Status).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

(A10_FILEID_FROM_SOURCEFileNLine:A11_LINENUM_FROM_SOURCEFileNLine) - TXF_HARD_ERROR on RM at 0xA12_TxfRmcb ({A13__TxfRmcbRmId}): A14_Status).

Message #

(%1:%2!d!) - TXF_HARD_ERROR on RM at 0x%3!p! ({%4!S!}): %5!S!)

Fields #

NameDescription
A10_FILEID_FROM_SOURCEFileNLine UInt32
A11_LINENUM_FROM_SOURCEFileNLine Int32
A12_TxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 631: A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__OldGuid GUID
A13__TxfRmcbRmId GUID

Event ID 632: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx at 0xA13_PVOIDTxfTrans {A14__TxfTransKtmUow}, Status was 0xA15_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back Tx at 0xA13_PVOIDTxfTrans {A14__TxfTransKtmUow}, Status was 0xA15_Status.

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_PVOIDTxfTrans Pointer
A14__TxfTransKtmUow GUID
A15_Status HexInt32

Event ID 633: A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Renamed RM at 0xA11_PVOIDTxfRmcb from {A12__OldGuid} to {A13__TxfRmcbRmId}.

Message #

%1: Renamed RM at 0x%2!p! from {%3!S!} to {%4!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__OldGuid GUID
A13__TxfRmcbRmId GUID

Event ID 634: TxfFsctlStartRm: Denying access due starting default RM is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: A10_PsGetCurrentThread, Vcb: A11_RmRootFcbVcb, VolumeName: A12__RmRootFcbVcbVolumeName, VolumeLabel: A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb, RmRootFcb: A14_RmRootFcb.

Message #

TxfFsctlStartRm: Denying access due starting default RM is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RmRootFcb: %5!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_RmRootFcbVcb Pointer
A12__RmRootFcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWRmRootFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHRmRootFcbVcbVpb CountedUtf16String
A14_RmRootFcb Pointer

Event ID 635: TxfFsctlWriteBackupInformation: Denying access due RM is active.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: A10_PsGetCurrentThread, Vcb: A11_FcbVcb, VolumeName: A12__FcbVcbVolumeName, VolumeLabel: A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb, BackupInfo flags: 0xA14_BackupInfoFlags!08x!.

Message #

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, BackupInfo flags: 0x%5!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_FcbVcb Pointer
A12__FcbVcbVolumeName CountedUtf16String
A13_WppCountedStringWFcbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHFcbVcbVpb CountedUtf16String
A14_BackupInfoFlags HexInt32

Event ID 636: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too high of a TxF ID in log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found too high of a TxF ID in log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found too high of a TxF ID in log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 637: A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: 0xA12_PVOIDFileObject.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Error Setting Delete Disposition: 0xA11_Status FileObject: 0xA12_PVOIDFileObject.

Message #

%1: Error Setting Delete Disposition: 0x%2!x!  FileObject: 0x%3!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDFileObject Pointer

Event ID 638: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a RECOVER notification for a transaction that isn't in-doubt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Got a RECOVER notification for a transaction that isn't in-doubt.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 639: TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Modifying operation is now allowed with a non-TxF modify handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Attribute Type Code: 0x%8!x!, Ccb FullFileName: %9!S!, Ccb flags: 0x%10!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__CcbFullFileName CountedUtf16String
A19_CcbFlags HexInt32

Event ID 640: TxfSetupTransactionContextFromCcb: Invalid TxF structure.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Invalid TxF structure. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, TxfFo: %8!p!, KtmTrans: %9!p!, TxfRmcb: %10!p!, Ccb FullFileName: %11!S!

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_CcbTxfFo Pointer
A18_CcbTxfFoKtmTrans Pointer
A19_ScbFcbTxfRmcb Pointer
A20_CcbFullFileNameBuffer UnicodeString

Event ID 641: TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

TxfSetupTransactionContextFromCcb: Denying access of modifying operation on a read-only handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Scb: %7!p!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!, FO write access: %10!d!, FO delete access: %11!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17__CcbFullFileName CountedUtf16String
A18_CcbAccessFlags HexInt32
A19_FileObjectWriteAccess Int32
A20_FileObjectDeleteAccess Int32

Event ID 642: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising 0xA13_ExceptionCode to KTM!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} raising 0xA13_ExceptionCode to KTM!

Message #

%1: RM at 0x%2!p! {%3!S!} raising 0x%4!x! to KTM!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_ExceptionCode HexInt32

Event ID 643: A10___FUNCTION__: Commit (0xA11_TransactionNotification) ofA12_TransactionAlreadyPreparedPREPAREDtx {A13__TxfTransKtmUow} on RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId} failed with 0xA16_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Commit (0xA11_TransactionNotification) ofA12_TransactionAlreadyPreparedPREPAREDtx {A13__TxfTransKtmUow} on RM at 0xA14_PVOIDTxfRmcb {A15__TxfRmcbRmId} failed with 0xA16_Status.

Message #

%1: Commit (0x%2!x!) of%3!S!tx {%4!S!} on RM at 0x%5!p! {%6!S!} failed with 0x%7!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_TransactionNotification HexInt32
A12_TransactionAlreadyPreparedPREPARED AnsiString
A13__TxfTransKtmUow GUID
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID
A16_Status HexInt32

Event ID 644: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify commit).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify commit).

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify commit)

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 645: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify rollback).

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_TxfTrans {A14__TxfTransKtmUow} (notify rollback).

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!} (notify rollback)

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_TxfTrans Pointer
A14__TxfTransKtmUow GUID

Event ID 646: A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0xA11_PVOIDTransTxfRmcb {A12__TransTxfRmcbRmId}: 0xA13_FlushStatus.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0xA11_PVOIDTransTxfRmcb {A12__TransTxfRmcbRmId}: 0xA13_FlushStatus.

Message #

%1: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x%2!p! {%3!S!}: 0x%4!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTransTxfRmcb Pointer
A12__TransTxfRmcbRmId GUID
A13_FlushStatus HexInt32

Event ID 647: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort transaction at 0xA13_Trans {A14__TransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} trying to abort transaction at 0xA13_Trans {A14__TransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} trying to abort transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Trans Pointer
A14__TransKtmUow GUID

Event ID 648: A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 0xA13_CallStack2 0xA14_CallStack3 0xA15_CallStack4.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Aborting call stack: 0xA11_CallStack0 0xA12_CallStack1 0xA13_CallStack2 0xA14_CallStack3 0xA15_CallStack4.

Message #

%1: Aborting call stack: 0x%2!p! 0x%3!p! 0x%4!p! 0x%5!p! 0x%6!p!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_CallStack0 Pointer
A12_CallStack1 Pointer
A13_CallStack2 Pointer
A14_CallStack3 Pointer
A15_CallStack4 Pointer

Event ID 649: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_Trans {A14__TransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} aborting transaction at 0xA13_Trans {A14__TransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Trans Pointer
A14__TransKtmUow GUID

Event ID 650: A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans {A13__TransKtmUow}, RM at A14_PVOIDTxfRmcb {A15__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: 0xA11_Status initializing IrpContext for tx at A12_PVOIDTrans {A13__TransKtmUow}, RM at A14_PVOIDTxfRmcb {A15__TxfRmcbRmId}.

Message #

%1: 0x%2!x! initializing IrpContext for tx at %3!p! {%4!S!}, RM at %5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDTrans Pointer
A13__TransKtmUow GUID
A14_PVOIDTxfRmcb Pointer
A15__TxfRmcbRmId GUID

Event ID 651: A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}, Tx at 0xA14_PVOIDTrans {A15__TransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: 0xA11_Status writing log record for RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}, Tx at 0xA14_PVOIDTrans {A15__TransKtmUow}.

Message #

%1: 0x%2!x! writing log record for RM at 0x%3!p! {%4!S!}, Tx at 0x%5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_Status HexInt32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_PVOIDTrans Pointer
A15__TransKtmUow GUID

Event ID 652: A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: About to force aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: About to force aborts on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 653: A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: BaseLsn is greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: BaseLsn is greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 654: A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: No transactions remain on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: No transactions remain on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 655: A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Transaction's first undo LSN greater than TargetLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Transaction's first undo LSN greater than TargetLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 656: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting transaction at 0xA13_OldestTrans {A14__OldestTransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} surprise-aborting transaction at 0xA13_OldestTrans {A14__OldestTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} surprise-aborting transaction at 0x%4!p! {%5!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_OldestTrans Pointer
A14__OldestTransKtmUow GUID

Event ID 657: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status from TxfTryAbortTransaction on Tx 0xA14_OldestTrans {A15__OldestTransKtmUow}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId} got 0xA13_Status from TxfTryAbortTransaction on Tx 0xA14_OldestTrans {A15__OldestTransKtmUow}.

Message #

%1: RM at 0x%2!p! {%3!S!} got 0x%4!x! from TxfTryAbortTransaction on Tx 0x%5!p! {%6!S!}

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_Status HexInt32
A14_OldestTrans Pointer
A15__OldestTransKtmUow GUID

Event ID 658: A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Inactive RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Inactive RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 659: A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log is pinned on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log is pinned on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 660: A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM Tx at 0xA13_PVOIDTransToDereference {A14__TransToDereferenceKtmUow}, Status was 0xA15_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}, rolling back KTM Tx at 0xA13_PVOIDTransToDereference {A14__TransToDereferenceKtmUow}, Status was 0xA15_Status.

Message #

%1: RM at 0x%2!p! {%3!S!}, rolling back KTM Tx at 0x%4!p! {%5!S!}, Status was 0x%6!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_PVOIDTransToDereference Pointer
A14__TransToDereferenceKtmUow GUID
A15_Status HexInt32

Event ID 661: A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log pinned trying to advance RestartLsn on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log pinned trying to advance RestartLsn on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 662: A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Log pinned by doomed transaction on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Log pinned by doomed transaction on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 663: A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}: 0xA14_Status.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Reporting 0xA11_PinnedStatus to CLFS from RM at 0xA12_PVOIDTxfRmcb {A13__TxfRmcbRmId}: 0xA14_Status.

Message #

%1: Reporting 0x%2!X! to CLFS from RM at 0x%3!p! {%4!S!}: 0x%5!x!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PinnedStatus HexInt32
A12_PVOIDTxfRmcb Pointer
A13__TxfRmcbRmId GUID
A14_Status HexInt32

Event ID 664: A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Done forcing aborts on RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}.

Message #

%1: Done forcing aborts on RM at 0x%2!p! {%3!S!}.

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 665: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf directory is missing in pre-existing RM.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Txf directory is missing in pre-existing RM.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Txf directory is missing in pre-existing RM

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 666: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 667: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found non-empty $Txf but there is no log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found non-empty $Txf but there is no log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found non-empty $Txf but there is no log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 668: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $INDEX_ROOT on $Txf.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $INDEX_ROOT on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 669: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find TXF_DATA_ATTR on $Txf.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find TXF_DATA_ATTR on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 670: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found TXF_DATA_ATTR for normal file on $Txf.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Found TXF_DATA_ATTR for normal file on $Txf.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 671: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected a secondary RM here.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Expected a secondary RM here.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Expected a secondary RM here

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 672: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but $Txf is non-empty.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but $Txf is non-empty.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but $Txf is non-empty

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 673: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but there is already a log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is missing but there is already a log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is missing but there is already a log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 674: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is A13_IsEncrypted_TopsFcbInfoencryptedcompressed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is A13_IsEncrypted_TopsFcbInfoencryptedcompressed.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is %4!S!

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID
A13_IsEncrypted_TopsFcbInfoencryptedcompressed AnsiString

Event ID 675: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing $STANDARD_INFORMATION.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Missing $STANDARD_INFORMATION.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Missing $STANDARD_INFORMATION

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 676: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find file attributes.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find file attributes.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find file attributes

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 677: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is corrupt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops is corrupt.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops is corrupt

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 678: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not find unnamed data stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Could not find unnamed data stream.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Could not find unnamed data stream

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 679: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong version or records wrong size.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong version or records wrong size.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong version or records wrong size

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 680: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong size.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: $Tops metadata is the wrong size.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: $Tops metadata is the wrong size

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 681: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL RM ID found in $Tops and there is no log.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Non-NULL RM ID found in $Tops and there is no log.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 682: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in $Tops metadata doesn't match RM.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Epoch in $Tops metadata doesn't match RM.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Epoch in $Tops metadata doesn't match RM

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 683: A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $T stream.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

A10___FUNCTION__: Corrupt RM at 0xA11_PVOIDTxfRmcb {A12__TxfRmcbRmId}: Couldn't find $T stream.

Message #

%1: Corrupt RM at 0x%2!p! {%3!S!}: Couldn't find $T stream

Fields #

NameDescription
A10___FUNCTION__ AnsiString
A11_PVOIDTxfRmcb Pointer
A12__TxfRmcbRmId GUID

Event ID 684: NtfsReadUsnJournal: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsReadUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 685: TrimUsnJournal (A10_Vcb, A11_IrpContext): Decided to trim usn journal.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (!p!, !p!): Decided to trim usn journal. FirstValidUsn !I64x!, new FirstValidUsn !I64x!, FS !I64x!, AS !I64x!, MaxSize !I64x!, DeltaSize !I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): Decided to trim usn journal.  FirstValidUsn %3!I64x!, new FirstValidUsn %4!I64x!, FS %5!I64x!, AS %6!I64x!, MaxSize %7!I64x!, DeltaSize %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_VcbFirstValidUsn HexInt64
A13_FirstValidUsn HexInt64
A14_TrackUsnJournalFileSize HexInt64
A15_TrackUsnJournalAllocationSize HexInt64
A16_TrackUsnJournalMaxSize HexInt64
A17_TrackUsnJournalDeltaAllocation HexInt64

Event ID 686: TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till A12_FirstValidUsn1!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): About to delete allocation till A12_FirstValidUsn1!I64x!, SavedReserve A13_SavedReserved!I64x!, RequiredReserve A14_RequiredReserved!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): About to delete allocation till %3!I64x!, SavedReserve %4!I64x!, RequiredReserve %5!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_FirstValidUsn1 HexInt64
A13_SavedReserved HexInt64
A14_RequiredReserved HexInt64

Event ID 687: TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Before trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!I64x!, FS A13_UsnJournalHeaderFileSizeQuadPart!I64x!, VDL A14_UsnJournalHeaderValidDataLengthQuadPart!I64x!, TA A15_UsnJournalTotalAllocated!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): Before trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_UsnJournalHeaderAllocationSizeQuadPart HexInt64
A13_UsnJournalHeaderFileSizeQuadPart HexInt64
A14_UsnJournalHeaderValidDataLengthQuadPart HexInt64
A15_UsnJournalTotalAllocated HexInt64

Event ID 688: TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): After trimming journal AS A12_UsnJournalHeaderAllocationSizeQuadPart!I64x!, FS A13_UsnJournalHeaderFileSizeQuadPart!I64x!, VDL A14_UsnJournalHeaderValidDataLengthQuadPart!I64x!, TA A15_UsnJournalTotalAllocated!I64x!

Message #

TrimUsnJournal (%1!p!, %2!p!): After trimming journal AS %3!I64x!, FS %4!I64x!, VDL %5!I64x!, TA %6!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_UsnJournalHeaderAllocationSizeQuadPart HexInt64
A13_UsnJournalHeaderFileSizeQuadPart HexInt64
A14_UsnJournalHeaderValidDataLengthQuadPart HexInt64
A15_UsnJournalTotalAllocated HexInt64

Event ID 689: TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Mapping pairs validated.

Message #

TrimUsnJournal (%1!p!, %2!p!): Mapping pairs validated

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 690: TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

TrimUsnJournal (A10_Vcb, A11_IrpContext): Checkpointed.

Message #

TrimUsnJournal (%1!p!, %2!p!): Checkpointed

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer

Event ID 691: NtfsQueryUsnJournal: Denying access due to NULL Ccb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: !p!, TypeOfOpen: !d!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!.

Message #

NtfsQueryUsnJournal: Denying access due to NULL Ccb. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64

Event ID 692: NtfsDeleteUsnJournal: Caller does not have manage volume access.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, Fcb: !p!, FileRef: !I64x!, Ccb FullFileName: !S!, Ccb access flags: 0x!08x!.

Message #

NtfsDeleteUsnJournal: Caller does not have manage volume access. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: %6!I64x!, Ccb FullFileName: %7!S!, Ccb access flags: 0x%8!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_Fcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A17_CcbNULLCcbAccessFlags0 HexInt32

Event ID 693: NtfsRestartUsnJournal: Caller does not have manage volume privilege.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsRestartUsnJournal: Caller does not have manage volume privilege. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, Ccb FullFileName: %8!S!, Ccb access flags: 0x%9!08x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_CcbNULL_CcbFullFileNameNULL CountedUtf16String
A18_CcbNULLCcbAccessFlags0 HexInt32

Event ID 694: NtOfsCreateAttributeEx: Stream already has a open user handle.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtOfsCreateAttributeEx: Stream already has a open user handle. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, Fcb: %5!p!, FileRef: 0x%6!I64x!, Scb: %7!p!, Scb Type Code: 0x%8!x!, Scb Name: %9!S!, Scb CleanupCount: %10!d!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_ScbVcb Pointer
A12__ScbVcbVolumeName CountedUtf16String
A13_WppCountedStringWScbVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHScbVcbVpb CountedUtf16String
A14_ScbFcb Pointer
A15_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A16_Scb Pointer
A17_ScbAttributeTypeCode HexInt32
A18__ScbAttributeName CountedUtf16String
A19_ScbCleanupCount Int32

Event ID 695: OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Extending journal from AS A14_ScbHeaderAllocationSizeQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Extending journal from AS A14_ScbHeaderAllocationSizeQuadPart!I64x!, FS A15_ScbHeaderFileSizeQuadPart!I64x!, VDL A16_ScbHeaderValidDataLengthQuadPart!I64x!, to AS A17_NewAllocationSize!I64x!

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Extending journal from AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, to AS %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer
A14_ScbHeaderAllocationSizeQuadPart HexInt64
A15_ScbHeaderFileSizeQuadPart HexInt64
A16_ScbHeaderValidDataLengthQuadPart HexInt64
A17_NewAllocationSize HexInt64

Event ID 696: OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Done extending journal AS A14_ScbHeaderAllocationSizeQuadPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): Done extending journal AS A14_ScbHeaderAllocationSizeQuadPart!I64x!, FS A15_ScbHeaderFileSizeQuadPart!I64x!, VDL A16_ScbHeaderValidDataLengthQuadPart!I64x!, TA A17_ScbTotalAllocated!I64x!

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): Done extending journal AS %5!I64x!, FS %6!I64x!, VDL %7!I64x!, TA %8!I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer
A14_ScbHeaderAllocationSizeQuadPart HexInt64
A15_ScbHeaderFileSizeQuadPart HexInt64
A16_ScbHeaderValidDataLengthQuadPart HexInt64
A17_ScbTotalAllocated HexInt64

Event ID 697: OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsWriteFileSizes.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsWriteFileSizes.

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsWriteFileSizes

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer

Event ID 698: OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsSetCcFileSizesUsnBiasAware.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

OfsSetLength (A10_Vcb,A11_IrpContext,A12_IrpContextOriginatingIrp,A13_PsGetCurrentThread): After NtfsSetCcFileSizesUsnBiasAware.

Message #

OfsSetLength (%1!p!,%2!p!,%3!p!,%4!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields #

NameDescription
A10_Vcb Pointer
A11_IrpContext Pointer
A12_IrpContextOriginatingIrp Pointer
A13_PsGetCurrentThread Pointer

Event ID 699: NtOfsPostNewLength (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Status A13_IrpContextExceptionStatus before calling NtfsReadUsnJournal.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtOfsPostNewLength (A10_IrpContext,A11_IrpContextOriginatingIrp,A12_PsGetCurrentThread): Status A13_IrpContextExceptionStatus before calling NtfsReadUsnJournal.

Message #

NtOfsPostNewLength (%1!p!,%2!p!,%3!p!): Status %4!x! before calling NtfsReadUsnJournal

Fields #

NameDescription
A10_IrpContext Pointer
A11_IrpContextOriginatingIrp Pointer
A12_PsGetCurrentThread Pointer
A13_IrpContextExceptionStatus HexInt32

Event ID 700: NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsIsRegionDangling: RemainingClusterCount: 0xA10_RemainingClusterCount!I64x!, Scb: A11_Scb, Vcn: 0xA12_Vcn!I64x!, Lcn: 0xA13_Lcn!I64x!, Clusters: 0xA14_ClusterCount!I64x!

Message #

NtfsIsRegionDangling: RemainingClusterCount: 0x%1!I64x!, Scb: %2!p!, Vcn: 0x%3!I64x!, Lcn: 0x%4!I64x!, Clusters: 0x%5!I64x!

Fields #

NameDescription
A10_RemainingClusterCount HexInt64
A11_Scb Pointer
A12_Vcn HexInt64
A13_Lcn HexInt64
A14_ClusterCount HexInt64

Event ID 701: Vcb A10_Vcb - has *no* active PFNs.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - has *no* active PFNs.

Message #

Vcb %1!p! - has *no* active PFNs

Fields #

NameDescription
A10_Vcb Pointer

Event ID 702: Vcb A10_Vcb - failed to query active PFNs assuming there are some.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - failed to query active PFNs assuming there are some.

Message #

Vcb %1!p! - failed to query active PFNs assuming there are some

Fields #

NameDescription
A10_Vcb Pointer

Event ID 703: Vcb A10_Vcb - has active PFNs.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Vcb A10_Vcb - has active PFNs.

Message #

Vcb %1!p! - has active PFNs

Fields #

NameDescription
A10_Vcb Pointer

Event ID 704: NtfsPerformDismountOnVcb: Vcb A10_Vcb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p!

Fields #

NameDescription
A10_Vcb Pointer

Event ID 705: NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - Found frozen deallocated clusters.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Found frozen deallocated clusters

Fields #

NameDescription
A10_Vcb Pointer

Event ID 706: NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - Wait for any on going trim to finish.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - Wait for any on going trim to finish

Fields #

NameDescription
A10_Vcb Pointer

Event ID 707: NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: Vcb A10_Vcb - No more on going trim.

Message #

NtfsPerformDismountOnVcb: Vcb %1!p! - No more on going trim

Fields #

NameDescription
A10_Vcb Pointer

Event ID 708: NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPerformDismountOnVcb: IC: A10_IrpContext, Vcb: A11_Vcb, Label: A12__VolumeLabel, DeviceName: A13__VcbDeviceName.

Message #

NtfsPerformDismountOnVcb: IC: %1!p!, Vcb: %2!p!, Label: %3!S!, DeviceName: %4!S!

Fields #

NameDescription
A10_IrpContext Pointer
A11_Vcb Pointer
A12__VolumeLabel CountedUtf16String
A13__VcbDeviceName CountedUtf16String

Event ID 709: NtfsPostVcbIsCorrupt.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPostVcbIsCorrupt(A10_IrpContext, A11_Status, A12_FileReference, A13_Fcb, A14_Source!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == A15_TopLevelExceptionStatus before NtfsSetVcbDirtyFlag.

Message #

NtfsPostVcbIsCorrupt(%1!p!, %2!x!, %3!p!, %4!p!, %5!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == %6!x! before NtfsSetVcbDirtyFlag.

Fields #

NameDescription
A10_IrpContext Pointer
A11_Status HexInt32
A12_FileReference Pointer
A13_Fcb Pointer
A14_Source HexInt64
A15_TopLevelExceptionStatus HexInt32

Event ID 710: NtfsPostVcbIsCorrupt: Marking volume dirty.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsPostVcbIsCorrupt: Marking volume dirty. Vcb A10_Vcb, WasDirty: A11_WasDirty, FileReference A12_NtfsFullSegmentNumber_BugCheckFileReference!I64x!, Source A13_Source!016I64x!

Message #

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb %1!p!, WasDirty: %2!x!, FileReference %3!I64x!, Source %4!016I64x!

Fields #

NameDescription
A10_Vcb Pointer
A11_WasDirty HexInt32
A12_NtfsFullSegmentNumber_BugCheckFileReference HexInt64
A13_Source HexInt64

Event ID 711: NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_FsInformationClass HexInt32
A18_Scb Pointer

Event ID 712: NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Message #

NtfsCommonSetVolumeInfo: Operation is only allowed on a VolumeOpen except for IndexOpen of \$Extend\$Quota with FileFsControlInformation. Thread: %1!p!, TypeOfOpen: %2!d!, Vcb: %3!p!, VolumeName: %4!S!, VolumeLabel: %5!S!, Fcb: %6!p!, FileRef: %7!I64x!, FsInformationClass: 0x%8!x!, Scb: %9!p!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_TypeOfOpen Int32
A12_Vcb Pointer
A13__VcbVolumeName CountedUtf16String
A14_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A15_Fcb Pointer
A16_NtfsFullFileRefNumber_ScbFcbFileReference HexInt64
A17_FsInformationClass HexInt32
A18_Scb Pointer

Event ID 713: Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Succeeding log write @ 0xA10_IrpSpParametersWriteByteOffsetHighPart!08x!A11_IrpSpParametersWriteByteOffsetLowPart!08x! after getting 0xA12_IrpContextTopLevelIrpContextExceptionStatus in top-level irpcontext.

Message #

Succeeding log write @ 0x%1!08x!%2!08x! after getting 0x%3!x! in top-level irpcontext

Fields #

NameDescription
A10_IrpSpParametersWriteByteOffsetHighPart HexInt32
A11_IrpSpParametersWriteByteOffsetLowPart HexInt32
A12_IrpContextTopLevelIrpContextExceptionStatus HexInt32

Event ID 714: Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=A10_Scb.

Message #

Unexpected Paging-Write on stream accessed in Direct-Access mode, Scb=%1!p!

Fields #

NameDescription
A10_Scb Pointer

Event ID 715: NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed.

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: !p!, Vcb: !p!, VolumeName: !S!, VolumeLabel: !S!, RequestedRange: 0x!I64x!, AllowedRange: 0x!I64x!.

Message #

NtfsCommonWrite: Writing beyond highest writable sector on active volume is not allowed. Thread: %1!p!, Vcb: %2!p!, VolumeName: %3!S!, VolumeLabel: %4!S!, RequestedRange: 0x%5!I64x!, AllowedRange: 0x%6!I64x!.

Fields #

NameDescription
A10_PsGetCurrentThread Pointer
A11_Vcb Pointer
A12__VcbVolumeName CountedUtf16String
A13_WppCountedStringWVcbVpbVolumeLabelSAFE_VPB_VOLUME_LABEL_LENGTHVcbVpb CountedUtf16String
A14_ByteRange HexInt64
A15_HIGHEST_WRITABLE_SECTOR_ON_ACTIVE_VOLUMEVcbSectorSizeInfoLogicalBytesPerSector HexInt64

Event ID 716: Ignoring write to 0xA10_StartingVbo!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Ignoring write to 0xA10_StartingVbo!I64x!, SCB length is 0xA11_ScbHeaderValidDataLengthQuadPart!I64x! for SCB 0xA12_ptrdiff_tScb.

Message #

Ignoring write to 0x%1!I64x!, SCB length is 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

NameDescription
A10_StartingVbo HexInt64
A11_ScbHeaderValidDataLengthQuadPart HexInt64
A12_ptrdiff_tScb Pointer

Event ID 717: Truncating write from 0xA10_ByteRange!

#
Provider
Microsoft-Windows-NtfsLog_c2df6c7f2eb93a240df3cc4d073d362f
Channel
Operational

Description

Truncating write from 0xA10_ByteRange!I64x! to 0xA11_SectorAlignedVdl!I64x! for SCB 0xA12_ptrdiff_tScb.

Message #

Truncating write from 0x%1!I64x! to 0x%2!I64x! for SCB 0x%3!Ix!

Fields #

NameDescription
A10_ByteRange HexInt64
A11_SectorAlignedVdl HexInt64
A12_ptrdiff_tScb Pointer