Microsoft-Windows-NtfsLog

698 events across 1 channel

| Event | Title | Channel | Sample |
| --- | --- | --- | --- |
| 10 | NtfsLookupRealAllocation: Vcn {A10_Vcn}! | Operational | N |
| 11 | NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}! | Operational | N |
| 12 | FileObject: {A10_FileObject}! | Operational | N |
| 13 | NtfsAddAllocation IC:{A10_IrpContext}! | Operational | N |
| 14 | Purge failed: Scb: {A10_Scb}! | Operational | N |
| 15 | Purge failed: Scb: {A10_Scb}! | Operational | N |
| 16 | NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}! | Operational | N |
| 17 | Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference … | Operational | N |
| 18 | Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference … | Operational | N |
| 19 | NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List … | Operational | N |
| 20 | NtfsAddAttributeAllocation. | Operational | N |
| 21 | NtfsAddAttributeAllocation. | Operational | N |
| 22 | NtfsAddAttributeAllocation. | Operational | N |
| 23 | NtfsAddAttributeAllocation. | Operational | N |
| 24 | NtfsAddAttributeAllocation. | Operational | N |
| 25 | NtfsAddAttributeAllocation. | Operational | N |
| 26 | NtfsRestartRemoveAttribute FileRef:0x. | Operational | N |
| 27 | NtfsRestartChangeValue FileRef:0x. | Operational | N |
| 28 | AddToAttributeList. | Operational | N |
| 29 | DeleteFromAttributeList. | Operational | N |
| 30 | MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}! | Operational | N |
| 31 | MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}! | Operational | N |
| 32 | MoveAttributeToOwnRecord IC:{A10_IrpContext}! | Operational | N |
| 33 | NtfsRestartZeroEndOfFileRecord FileRef:0x. | Operational | N |
| 34 | MergeFRS2(%1;%2): Scb %3; FileRef %4! | Operational | N |
| 35 | MergeFRS2(%1;%2): Scb %3; FileRef %4! | Operational | N |
| 36 | MergeFRS2(%1;%2): Scb %3; FileRef %4! | Operational | N |
| 37 | MergeFRS2. | Operational | N |
| 38 | MergeFRS2. | Operational | N |
| 39 | MergeFRS2. | Operational | N |
| 40 | MergeFRS2. | Operational | N |
| 41 | MergeFRS2. | Operational | N |
| 42 | MergeFRS2. | Operational | N |
| 43 | MergeFRS2. | Operational | N |
| 44 | MergeFRS2. | Operational | N |
| 45 | MergeFRS2. | Operational | N |
| 46 | MergeFRS2. | Operational | N |
| 47 | MergeFRS2. | Operational | N |
| 48 | RedoAttribute(%1;%2): Scb %3; FileRef %4! | Operational | N |
| 49 | RedoAttribute(%1;%2): Scb %3; FileRef %4! | Operational | N |
| 50 | NtfsConsolidateAllFileRecords: Invalid Vcb. | Operational | N |
| 51 | NtfsConsolidateAllFileRecords: Volume is locked. | Operational | N |
| 52 | NtfsConsolidateAllFileRecords. | Operational | N |
| 53 | NtfsConsolidateAllFileRecords. | Operational | N |
| 54 | NtfsConsolidateAllFileRecords. | Operational | N |
| 55 | NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4! | Operational | N |
| 56 | NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4! | Operational | N |
| 57 | NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4! | Operational | N |
| 58 | NtfsConsolidateAllFileRecords. | Operational | N |
| 59 | NtfsConsolidateAllFileRecords. | Operational | N |
| 60 | NtfsConsolidateAllFileRecords. | Operational | N |
| 61 | NtfsConsolidateAllFileRecords. | Operational | N |
| 62 | NtfsConsolidateAllFileRecords. | Operational | N |
| 63 | NtfsConsolidateAllFileRecords. | Operational | N |
| 64 | NtfsConsolidateAllFileRecords. | Operational | N |
| 65 | NtfsConsolidateAllFileRecords. | Operational | N |
| 66 | UpdateLCS: Vcb {A10_Fcb->Vcb}! | Operational | N |
| 67 | NtfsAllocateClustersPriv IC: {A10_IrpContext}! | Operational | N |
| 68 | NtfsAllocateClustersPriv IC: {A10_IrpContext}! | Operational | N |
| 69 | NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x. | Operational | N |
| 70 | NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x. | Operational | N |
| 71 | NtfsAllocateClustersPriv IC: {A10_IrpContext}! | Operational | N |
| 72 | NtfsAllocateClustersPriv IC: {A10_IrpContext}! | Operational | N |
| 73 | NtfsDeallocateClusters IC: {A10_IrpContext}! | Operational | N |
| 74 | NtfsDeallocateClusters: Vcb {A10_Vcb}! | Operational | N |
| 75 | NtfsDeallocateClusters IC: {A10_IrpContext}! | Operational | N |
| 76 | NtfsDeallocateClusters: Vcb {A10_Vcb}! | Operational | N |
| 77 | NtfsDeallocateClusters: Vcb {A10_Vcb}! | Operational | N |
| 78 | NtfsDeallocateClusters: Vcb {A10_Vcb}! | Operational | N |
| 79 | NtfsDeallocateClusters: Decremented TotalAllocated by 0x. | Operational | N |
| 80 | NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x. | Operational | N |
| 81 | NtfsDeallocateClusters: Vcb {A10_Vcb}! | Operational | N |
| 82 | NtfsDeallocateClusters IC: {A10_IrpContext}! | Operational | N |
| 83 | NtfsDeallocateClusters IC: {A10_IrpContext}! | Operational | N |
| 84 | NtfsModifyBitsInBitmap IC: {A10_IrpContext}! | Operational | N |
| 85 | NtfsModifyBitsInBitmap IC: {A10_IrpContext}! | Operational | N |
| 86 | NtfsAllocateBitmapRun IC: {A10_IrpContext}! | Operational | N |
| 87 | NtfsAllocateBitmapRun IC: {A10_IrpContext}! | Operational | N |
| 88 | NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}! | Operational | N |
| 89 | NtfsFreeBitmapRun IC: {A10_IrpContext}! | Operational | N |
| 90 | NtfsFreeBitmapRun IC: {A10_IrpContext}! | Operational | N |
| 91 | NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}! | Operational | N |
| 92 | NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}! | Operational | N |
| 93 | NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}! | Operational | N |
| 94 | NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}! | Operational | N |
| 95 | System files not marked as in use in the MFT bitmap. | Operational | N |
| 97 | Length: {A10_Length}! | Operational | N |
| 98 | Length: {A10_Length}! | Operational | N |
| 99 | BinIndex: {A10_BinIndex}! | Operational | N |
| 100 | BinIndex: {A10_BinIndex}! | Operational | N |
| 101 | BinGroupShift: {A10_NtfsCachedRunBinGroupShift}! | Operational | N |
| 102 | BinIndex: {A10_BinIndex}! | Operational | N |
| 103 | Searched committed allocations but didnt find enough free space. | Operational | N |
| 104 | NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}! | Operational | N |
| 105 | NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}! | Operational | N |
| 106 | NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}! | Operational | N |
| 107 | NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}! | Operational | N |
| 108 | NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}! | Operational | N |
| 109 | NtfsValidateTotalClustersCommitted. | Operational | N |
| 110 | Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}! | Operational | N |
| 111 | Entering: Scb: {A10_Scb}! | Operational | N |
| 112 | RunEntry ==> {A10_RunIndex}! | Operational | N |
| 114 | Shrinking LengthInExtent. | Operational | N |
| 115 | Zeroing: StartingPhysicalAddr: 0x. | Operational | N |
| 116 | Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}! | Operational | N |
| 117 | Entering: Scb: {A10_Scb}! | Operational | N |
| 118 | Dsm Ranges[. | Operational | N |
| 119 | RemainingClusterCount: 0x. | Operational | N |
| 120 | Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}! | Operational | N |
| 121 | DsmOut Ranges[. | Operational | N |
| 122 | Zeroing: StartingPhysicalAddr: 0x. | Operational | N |
| 123 | Updating ExtentsDescriptor Index and StartOffset from Locals: … | Operational | N |
| 124 | Entering: Scb: {A10_Scb}! | Operational | N |
| 125 | Updating ExtentsDescriptor Index and StartOffset from Locals: … | Operational | N |
| 126 | IrpContext: {A10_IrpContext}! | Operational | N |
| 127 | Return. | Operational | N |
| 128 | Unexpected open type received: {A10_TypeOfOpen}! | Operational | N |
| 129 | Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}. | Operational | N |
| 130 | Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x. | Operational | N |
| 131 | Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x. | Operational | N |
| 132 | Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; FileIdBuffer: … | Operational | N |
| 133 | Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; Path: %6; … | Operational | N |
| 134 | NtfsCommonVolumeOpen: Invalid create disposition for volume open. | Operational | N |
| 135 | NtfsCommonVolumeOpen: Invalid create disposition for volume open. | Operational | N |
| 136 | NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. | Operational | N |
| 137 | NtfsCommonVolumeOpen: Thread: %1; Vcb: %2; VolumeName: %3; VolumeLabel: %4; … | Operational | N |
| 138 | NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. | Operational | N |
| 139 | NtfsCommonVolumeOpen: Conlicting file objects. | Operational | N |
| 140 | NtfsHandlePagingFile: Paging file already open; paging files can only be opened … | Operational | N |
| 141 | NtfsHandlePagingFile: Cannot open system file as paging file. | Operational | N |
| 142 | NtfsHandlePagingFile: Persisted paging file already exists. | Operational | N |
| 143 | NtfsOpenFcbById: Invalid system file access. | Operational | N |
| 144 | NtfsOpenExistingPrefixFcb: Can not directly open txf directory. | Operational | N |
| 145 | NtfsOpenExistingPrefixFcb: Invalid system file access. | Operational | N |
| 146 | NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system … | Operational | N |
| 147 | NtfsOpenFile: Invalid system file access. | Operational | N |
| 148 | NtfsOpenFile: Deny open when txf rm is active. | Operational | N |
| 149 | NtfsCreateNewFile: Deny creation in system directory (except root). | Operational | N |
| 150 | NtfsCreateNewFile: Unable to create Ea for the file. | Operational | N |
| 151 | NtfsCreateNewFile: Unable to create in the $txf directory. | Operational | N |
| 152 | NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. | Operational | N |
| 153 | NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. | Operational | N |
| 154 | NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. | Operational | N |
| 155 | NtfsOpenAttributeInExistingFile: Denying access for volume root directory. | Operational | N |
| 156 | NtfsCreateNewFile: Not allowed to create streams on system files. | Operational | N |
| 157 | NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging … | Operational | N |
| 158 | NtfsOverwriteAttr: Denying access due to user being Ea blind. | Operational | N |
| 159 | NtfsOverwriteAttr: Deny access due to encryption happening on the stream. | Operational | N |
| 160 | NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this … | Operational | N |
| 161 | NtfsCheckValidAttributeAccess: Deny access for protected system attributes. | Operational | N |
| 162 | NtfsCheckValidAttributeAccess: Deny access for protected system attributes. | Operational | N |
| 163 | NtfsOpenAttributeCheck: File already has user writable references. | Operational | N |
| 164 | NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. | Operational | N |
| 165 | NtfsOpenAttributeCheck: File was granted write access but has image section. | Operational | N |
| 166 | NtfsOpenAttribute: Denying write access on disallowed writes. | Operational | N |
| 167 | NtfsOpenAttribute: File already has user writable references. | Operational | N |
| 168 | NtfsOpenAttribute: Open for exclusive read access is not allowed. | Operational | N |
| 169 | NtfsOpenAttribute: File already has user writable references. | Operational | N |
| 170 | NtfsOpenAttribute: Open for exclusive read access is not allowed. | Operational | N |
| 171 | NtfsCheckExistingFile: Desired access conflicts with read-only state. | Operational | N |
| 172 | NtfsOpenExistingEncryptedStream: No encryption driver found. | Operational | N |
| 173 | NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on … | Operational | N |
| 174 | NtfsFindStartingNode: Opening not allowed for txf name when RM is active. | Operational | N |
| 175 | NtfsFindStartingNode: Opening not allowed for txf name when RM is active. | Operational | N |
| 176 | NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. | Operational | N |
| 177 | NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. | Operational | N |
| 178 | NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. | Operational | N |
| 179 | NtfsReCheckShareAccess: Does not meet allow open requirement. | Operational | N |
| 180 | %1:%2 Status: %3 ProcessName: %4. | Operational | N |
| 181 | %1:%2 Status: %3 ProcessName: %4. | Operational | N |
| 182 | %1:%2 Status: %3 ProcessName: %4. | Operational | N |
| 183 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 184 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 185 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 186 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 187 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 188 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 189 | NtfsSendUnusedClustersHint: Vcb {A10_Vcb}! | Operational | N |
| 190 | NtfsTransferMaxDataSetRanges: Src {A10_Src}! | Operational | N |
| 191 | NtfsTransferMaxDataSetRanges: Src {A10_Src}! | Operational | N |
| 192 | NtfsTransferMaxDataSetRanges: Src {A10_Src}! | Operational | N |
| 193 | NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 194 | NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 195 | NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 196 | NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 197 | NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 198 | NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}! | Operational | N |
| 199 | NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 200 | NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 201 | NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}! | Operational | N |
| 202 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}! | Operational | N |
| 203 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 204 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 205 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 206 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 207 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 208 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 209 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 210 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 211 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 212 | NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}! | Operational | N |
| 213 | NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}! | Operational | N |
| 214 | NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}! | Operational | N |
| 215 | NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}! | Operational | N |
| 216 | NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 217 | NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 218 | NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 219 | NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 220 | NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 221 | NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 222 | NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}! | Operational | N |
| 223 | NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}! | Operational | N |
| 224 | NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for … | Operational | N |
| 225 | NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for … | Operational | N |
| 226 | NtfsCheckForTrimThrottling: Vcb {A10_Vcb}! | Operational | N |
| 227 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 228 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 229 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 230 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 231 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 232 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 233 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 234 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 235 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 236 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 237 | NtfsUpdateSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 238 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 239 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 240 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 241 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 242 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 243 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 244 | NtfsEvalSmartTrimState: Vcb {A10_Vcb}! | Operational | N |
| 245 | NtfsFlushAllTrimHintsSynchronous. | Operational | N |
| 246 | NtfsFlushAllTrimHintsSynchronous. | Operational | N |
| 247 | NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. | Operational | N |
| 248 | NtfsVolumeDasdIo: Data section blocking flush. | Operational | N |
| 251 | Writing to $Bitmap. | Operational | N |
| 252 | Writing to $Bitmap. | Operational | N |
| 253 | NTFS: Posting hotfix on file object: {A10_FileObject}! | Operational | N |
| 254 | NTFS: Freeing Bad Vcn: {A10_((ULONG)BadVcn)}! | Operational | N |
| 255 | NTFS: Retiring Bad Lcn: {A10_((ULONG)BadLcn)}! | Operational | N |
| 257 | IrpContext: {A10_IrpContext}! | Operational | N |
| 258 | IrpContext: {A10_IrpContext}! | Operational | N |
| 259 | Compression buffers are already big enough. | Operational | N |
| 260 | Event ID 260 | Operational | N |
| 261 | IrpContext: {A10_IrpContext}! | Operational | N |
| 262 | Compression buffers are already big enough. | Operational | N |
| 263 | Event ID 263 | Operational | N |
| 264 | NtfsDefragFileInternal: Vcb {A10_Vcb}! | Operational | N |
| 265 | NtfsDefragFileInternal: Vcb {A10_Vcb}! | Operational | N |
| 266 | NtfsDefragFileInternal: Vcb {A10_Vcb}! | Operational | N |
| 267 | NtfsDefragFileInternal. | Operational | N |
| 268 | NtfsDefragFileInternal. | Operational | N |
| 269 | NtfsDefragFileInternal. | Operational | N |
| 270 | NtfsDefragFileInternal. | Operational | N |
| 271 | NtfsDefragFileInternal. | Operational | N |
| 272 | NtfsDefragFileInternal. | Operational | N |
| 273 | NtfsDefragFileInternal. | Operational | N |
| 274 | NtfsDefragFile: Defrag is denied without manage volume access. | Operational | N |
| 275 | NtfsEncryptDecryptOnline: Vcb {A10_Vcb}! | Operational | N |
| 276 | NtfsEncryptDecryptOnline: Vcb {A10_Vcb}! | Operational | N |
| 277 | NtfsEncryptDecryptOnline: Vcb {A10_Vcb}! | Operational | N |
| 278 | SCB: {A10_Scb}! | Operational | N |
| 279 | SCB: {A10_Scb}! | Operational | N |
| 280 | StartOff=0x. | Operational | N |
| 281 | RemainingClusterCount: 0x. | Operational | N |
| 282 | RemainingClusterCount: 0x. | Operational | N |
| 283 | STATUS_BUFFER_TOO_SMALL from FsLib. | Operational | N |
| 284 | Made an educated guess for remaining runs. | Operational | N |
| 285 | Made a wild guess for remaining runs. | Operational | N |
| 286 | NumberOfValidRuns: 0x. | Operational | N |
| 287 | BasePage: 0x. | Operational | N |
| 288 | About to zero range - ZeroStart: 0x. | Operational | N |
| 289 | Zeroed range - ZeroStart: 0x. | Operational | N |
| 290 | NtfsCommonQueryInformation: File information query not allowed as file was … | Operational | N |
| 291 | NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read … | Operational | N |
| 292 | NtfsQueryNameInfo: Name info query not allowed as file was opened without … | Operational | N |
| 293 | NtfsQueryLinksInfo: Link info query not allowed as file was opened without … | Operational | N |
| 294 | NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. | Operational | N |
| 295 | NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. | Operational | N |
| 296 | NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with … | Operational | N |
| 297 | NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with … | Operational | N |
| 298 | NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened … | Operational | N |
| 299 | NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with … | Operational | N |
| 300 | NtfsSetRenameInfo: Can not rename a file marked for deletion. | Operational | N |
| 301 | NtfsSetRenameInfo: Can not rename a txf directory. | Operational | N |
| 302 | NtfsSetRenameInfo: Can not rename a txf directory. | Operational | N |
| 303 | NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. | Operational | N |
| 304 | NtfsSetRenameInfo: Can not rename a directory into itself. | Operational | N |
| 305 | NtfsSetRenameInfo: The file should not have in-memory directory descendents. | Operational | N |
| 306 | NtfsSetRenameInfo: Child Scb mismatch. | Operational | N |
| 307 | NtfsSetLinkInfo: Set link info is not allowed on txf directory. | Operational | N |
| 308 | NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. | Operational | N |
| 309 | NtfsSetLinkInfo: Set link info failed due to caller not having … | Operational | N |
| 310 | NtfsSetLinkInfo: Creating a link in system directory is not allowed. | Operational | N |
| 311 | NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. | Operational | N |
| 312 | NtfsSetShortNameInfo: Can not set a short name on a deleted file. | Operational | N |
| 313 | NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF … | Operational | N |
| 314 | NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction … | Operational | N |
| 315 | NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. | Operational | N |
| 316 | NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}! | Operational | N |
| 317 | NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}! | Operational | N |
| 318 | NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}! | Operational | N |
| 319 | NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}! | Operational | N |
| 320 | NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: … | Operational | N |
| 321 | NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: … | Operational | N |
| 322 | NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}! | Operational | N |
| 323 | NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}! | Operational | N |
| 324 | NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}! | Operational | N |
| 325 | Irp: {A10_Irp}! | Operational | N |
| 326 | Irp: {A10_Irp}! | Operational | N |
| 327 | Irp: {A10_Irp}! | Operational | N |
| 328 | NtfsLockVolumeInternal: Cannot lock the volume. | Operational | N |
| 329 | NtfsLockVolumeInternal: Volume is already locked. | Operational | N |
| 330 | NtfsLockVolumeInternal: Failed to flush system files on the volume. | Operational | N |
| 331 | NtfsLockVolumeInternal: Failed to flush system files on the volume. | Operational | N |
| 332 | NtfsLockVolumeInternal: Outstanding user files open after flush and retry. | Operational | N |
| 333 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 334 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 335 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 336 | NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume … | Operational | N |
| 337 | NtfsDismountVolume: IC: %1; Vcb: %2; Label: %3; DeviceName: %4. | Operational | N |
| 338 | NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open … | Operational | N |
| 339 | NtfsDismountVolume: Cannot dismount volume due to volume being locked. | Operational | N |
| 340 | NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open … | Operational | N |
| 341 | NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage … | Operational | N |
| 342 | NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage … | Operational | N |
| 343 | NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage … | Operational | N |
| 344 | NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having … | Operational | N |
| 345 | NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to … | Operational | N |
| 346 | NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to … | Operational | N |
| 347 | NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage … | Operational | N |
| 348 | NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not … | Operational | N |
| 349 | NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage … | Operational | N |
| 350 | NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup … | Operational | N |
| 351 | NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup … | Operational | N |
| 352 | NtfsZeroRange: User mode caller not allowed. | Operational | N |
| 353 | IC: {A10_IrpContext}! | Operational | N |
| 354 | NtfsZeroRange: User mode caller not allowed. | Operational | N |
| 355 | IC: {A10_IrpContext}! | Operational | N |
| 356 | IC: {A10_IrpContext}! | Operational | N |
| 357 | NtfsReadRawEncrypted: Caller does not have backup access or read data access. | Operational | N |
| 358 | NtfsWriteRawEncrypted: Caller does not have write data access or restore access. | Operational | N |
| 359 | NtfsWriteRawEncrypted: Caller not having manage volume privilege. | Operational | N |
| 360 | NtfsChangeVolumeSize. | Operational | N |
| 361 | NtfsChangeVolumeSize. | Operational | N |
| 362 | NtfsChangeVolumeSize. | Operational | N |
| 363 | NtfsChangeVolumeSize. | Operational | N |
| 364 | NtfsMarkHandle: Caller does not have a valid volume handle or manage volume … | Operational | N |
| 365 | NtfsMarkHandle: Caller not having manage volume privilege. | Operational | N |
| 366 | NtfsMarkHandle: Cannot deny defrag. | Operational | N |
| 367 | NtfsMarkHandle: Cannot deny Frs consolidation. | Operational | N |
| 368 | NtfsMarkHandle: Cannot filter metadata. | Operational | N |
| 369 | NtfsMarkHandle: Mark handle is not allowed on system files. | Operational | N |
| 370 | NtfsMarkHandle: File already has user writable references. | Operational | N |
| 371 | NtfsMarkHandle: File was granted write access previously but no oplocks were … | Operational | N |
| 372 | NtfsPrefetchFile: Caller not having manage volume privilege. | Operational | N |
| 373 | Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x. | Operational | N |
| 374 | NtfsSetShortNameBehavior: Caller not having manage volume privilege. | Operational | N |
| 375 | Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x. | Operational | N |
| 376 | NtfsQueryPagefileEncryption: Caller not having manage volume privilege. | Operational | N |
| 377 | NtfsQueryPagefileEncryption: Caller not having manage volume privilege. | Operational | N |
| 378 | Resetting Volsnap behavior for VCB = 0x. | Operational | N |
| 379 | NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. | Operational | N |
| 380 | Resetting Volsnap behavior for VCB = 0x. | Operational | N |
| 381 | NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. | Operational | N |
| 382 | Scrub resume from SystemScbIndex: {A10_ScrubResumeContext. | Operational | N |
| 383 | Scb:{A10_Scb}! | Operational | N |
| 384 | Scrub resume from SystemScbIndex: {A10_ScrubResumeContext. | Operational | N |
| 385 | Scb:{A10_Scb}! | Operational | N |
| 386 | Scrub SystemScbIndex: {A10_ScrubResumeContext. | Operational | N |
| 387 | NtfsScrubData: Caller not having manage volume privilege. | Operational | N |
| 388 | Scrub not supported for Txf file; Scb: {A10_Scb}! | Operational | N |
| 389 | Scb:{A10_Scb}! | Operational | N |
| 390 | Scb:{A10_Scb}! | Operational | N |
| 391 | Scb:{A10_Scb}! | Operational | N |
| 392 | InternalFileReference: {A10_InternalFileReference}! | Operational | N |
| 393 | InternalFileReference:{A10_InternalFileReference}! | Operational | N |
| 394 | Scb:{A10_Scb}! | Operational | N |
| 395 | Scb:{A10_Scb}! | Operational | N |
| 396 | Scb:{A10_Scb}! | Operational | N |
| 397 | Scb:{A10_Scb}! | Operational | N |
| 398 | Scb:{A10_Scb}! | Operational | N |
| 399 | Scb:{A10_Scb}! | Operational | N |
| 400 | Scb:{A10_Scb}! | Operational | N |
| 401 | Scb:{A10_Scb}! | Operational | N |
| 402 | Scb:{A10_Scb}! | Operational | N |
| 403 | Scrub found problems Scb: {A10_Scb}! | Operational | N |
| 404 | Scb:{A10_Scb}! | Operational | N |
| 405 | Scb:{A10_Scb}! | Operational | N |
| 406 | FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}! | Operational | N |
| 407 | Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2). | Operational | N |
| 408 | Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (%2). | Operational | N |
| 409 | Scb:{A10_Scb}! | Operational | N |
| 410 | Scb:{A10_Scb}! | Operational | N |
| 411 | Scb:{A10_Scb}! | Operational | N |
| 412 | Scb:{A10_Scb}! | Operational | N |
| 413 | Scb:{A10_Scb}! | Operational | N |
| 414 | Scb:{A10_Scb}! | Operational | N |
| 415 | Scb:{A10_Scb}! | Operational | N |
| 416 | Scb:{A10_Scb}! | Operational | N |
| 417 | Scb:{A10_Scb}! | Operational | N |
| 418 | NtfsQueryCachedRuns: Caller not having manage volume privilege. | Operational | N |
| 419 | NtfsQueryStorageClasses: Caller not having manage volume privilege. | Operational | N |
| 420 | NtfsQueryRegionInfo: Caller not having manage volume privilege. | Operational | N |
| 421 | NtfsUnloadFile: Caller not having manage volume privilege. | Operational | N |
| 422 | NtfsCheckForSection: File already has image section. | Operational | N |
| 423 | NtfsShuffleFile: User mode caller is not allowed. | Operational | N |
| 424 | NtfsShuffleFile: Denying access due to volume is locked. | Operational | N |
| 425 | NtfsShuffleFile: Defrag is denied. | Operational | N |
| 426 | NtfsShuffleFile: Denying access due to conflicting with read-only state. | Operational | N |
| 427 | NtfsRearrangeFile: User mode caller is not allowed. | Operational | N |
| 428 | NtfsRearrangeFile: Denying access due to volume is locked. | Operational | N |
| 429 | NtfsRearrangeFile: Defrag is denied. | Operational | N |
| 430 | NtfsShuffleFile: Denying access due to conflicting with read-only state. | Operational | N |
| 431 | NtfsSparseOverAllocate: Caller does not have appropriate write access. | Operational | N |
| 432 | NtfsInitiateFileMetadataOptimization: Only allowed on regular user … | Operational | N |
| 433 | NtfsQueryFileMetadataOptimization: Only allowed on regular user … | Operational | N |
| 434 | NtfsEnumOnMountToDeleteWorker. | Operational | N |
| 435 | NtfsEnumOnMountToDeleteWorker(%1;%2): Open status=0x%3; path='%4'. | Operational | N |
| 436 | NtfsEnumOnMountToDeleteWorker. | Operational | N |
| 437 | NtfsEnumOnMountToDeleteWorker. | Operational | N |
| 438 | NtfsEnumMountWorker. | Operational | N |
| 439 | NtfsEnumOnMountToDeleteWorker. | Operational | N |
| 440 | FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: … | Operational | N |
| 441 | SCB: {A10_Scb}! | Operational | N |
| 442 | FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: … | Operational | N |
| 443 | FsInputRangeIndex: {A10_FsInputRangeIndex}! | Operational | N |
| 444 | Scb: {A10_Scb}! | Operational | N |
| 445 | Scb: {A10_Scb}! | Operational | N |
| 446 | NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. | Operational | N |
| 448 | NtfsFindPrefixHashEntry: {Hash table: %1} {ParentScb: %2; '%3'} {RemainingName: … | Operational | N |
| 450 | NtfsFindPrefixHashEntry: {Lcb: %1; '%2'}. | Operational | N |
| 452 | Vcb {A10_Vcb}! | Operational | N |
| 453 | Vcb {A10_Vcb}! | Operational | N |
| 454 | Vcb {A10_Vcb}! | Operational | N |
| 455 | Vcb {A10_Vcb}! | Operational | N |
| 456 | Vcb {A10_Vcb}! | Operational | N |
| 457 | Vcb {A10_Vcb}! | Operational | N |
| 458 | Vcb {A10_Vcb}! | Operational | N |
| 459 | Vcb {A10_Vcb}! | Operational | N |
| 460 | Vcb {A10_Vcb}! | Operational | N |
| 461 | Vcb {A10_Vcb}! | Operational | N |
| 462 | Vcb {A10_Vcb}! | Operational | N |
| 463 | Vcb {A10_Vcb}! | Operational | N |
| 464 | Vcb {A10_Vcb}! | Operational | N |
| 465 | NtfsCommitCurrentTransaction IC: {A10_IrpContext}! | Operational | N |
| 466 | Vcb {A10_Vcb}! | Operational | N |
| 467 | Vcb {A10_Vcb}! | Operational | N |
| 468 | NtfsCommitCurrentTransaction IC: {A10_IrpContext}! | Operational | N |
| 469 | NtfsCommitCurrentTransaction IC: {A10_IrpContext}! | Operational | N |
| 470 | NtfsCommitCurrentTransaction. | Operational | N |
| 471 | NtfsCommitCurrentTransaction. | Operational | N |
| 472 | NtfsCommitCurrentTransaction. | Operational | N |
| 473 | NtfsCommitCurrentTransaction. | Operational | N |
| 474 | NtfsCommitCurrentTransaction. | Operational | N |
| 475 | NtfsCommitCurrentTransaction IC: {A10_IrpContext}! | Operational | N |
| 476 | NtfsCommitCurrentTransaction IC: {A10_IrpContext}! | Operational | N |
| 477 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 478 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 479 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 480 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 481 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 482 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 483 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 484 | Vcb: {A10_Vcb}! | Operational | N |
| 485 | NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: … | Operational | N |
| 486 | FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}. | Operational | N |
| 487 | FsLibAddBaseMcbEntryEx failed: {A10_Status}. | Operational | N |
| 488 | NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: … | Operational | N |
| 489 | NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: … | Operational | N |
| 490 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 491 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 492 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 493 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 494 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 495 | NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}! | Operational | N |
| 496 | NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}! | Operational | N |
| 497 | NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}! | Operational | N |
| 498 | NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}! | Operational | N |
| 499 | NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}! | Operational | N |
| 500 | NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}! | Operational | N |
| 501 | NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}! | Operational | N |
| 502 | Valid NTFS boot sector. | Operational | N |
| 503 | Not an NTFS boot sector. | Operational | N |
| 504 | NtfsMountVolume: Vcb:{A10_Vcb}! | Operational | N |
| 505 | NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}! | Operational | N |
| 506 | Mounting DAX partition. | Operational | N |
| 507 | DAX volume mounted without DAX support because storage is not DAX capable. | Operational | N |
| 508 | NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}! | Operational | N |
| 509 | NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}! | Operational | N |
| 510 | NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}! | Operational | N |
| 511 | Unexpected exception code of 0x. | Operational | N |
| 512 | Exception code of 0x. | Operational | N |
| 513 | Unexpected exception code of 0x. | Operational | N |
| 514 | LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}! | Operational | N |
| 515 | Unexpected raise of 0x. | Operational | N |
| 516 | NtfsProcessException IC: {A10_IrpContext}! | Operational | N |
| 517 | NtfsProcessException IC: {A10_IrpContext}! | Operational | N |
| 518 | Failed to abort - IrpContext {A10_IrpContext}! | Operational | N |
| 519 | Failed to abort - IrpContext {A10_IrpContext}! | Operational | N |
| 520 | Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x. | Operational | N |
| 521 | Setting 0x. | Operational | N |
| 522 | [. | Operational | N |
| 523 | [. | Operational | N |
| 524 | Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}! | Operational | N |
| 525 | [. | Operational | N |
| 526 | Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}! | Operational | N |
| 527 | Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}! | Operational | N |
| 528 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 529 | Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}! | Operational | N |
| 530 | NtfsSetObjectId: Caller does not have restore access. | Operational | N |
| 531 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 532 | NtfsDeleteObjectId: Caller does not have write access. | Operational | N |
| 533 | {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb. | Operational | N |
| 534 | Unexpected Paging-Read on DAX mappable stream; Scb=. | Operational | N |
| 535 | NtfsAbortTransaction IC: {A10_IrpContext}! | Operational | N |
| 536 | NtfsAbortTransaction IC: {A10_IrpContext}! | Operational | N |
| 537 | DoAction::InitializeFRS IC:{A10_IrpContext}! | Operational | N |
| 538 | NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling … | Operational | N |
| 539 | NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}! | Operational | N |
| 540 | NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: … | Operational | N |
| 541 | NtfsAbortTransaction IC: {A10_IrpContext}! | Operational | N |
| 542 | NtfsAbortTransaction IC: {A10_IrpContext}! | Operational | N |
| 543 | DoAction::InitializeFRS IC:{A10_IrpContext}! | Operational | N |
| 544 | DoAction::DeallocateFRS IC:{A10_IrpContext}! | Operational | N |
| 545 | DoAction::WriteEndOfFRS IC:{A10_IrpContext}! | Operational | N |
| 546 | DoAction::CreateAttribute IC:{A10_IrpContext}! | Operational | N |
| 547 | NtfsRestartChangeValue IC:{A10_IrpContext}! | Operational | N |
| 548 | DoAction::SetNewAttributeSizes IC:{A10_IrpContext}! | Operational | N |
| 549 | DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}! | Operational | N |
| 550 | DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}! | Operational | N |
| 551 | NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. | Operational | N |
| 552 | NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. | Operational | N |
| 553 | NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to … | Operational | N |
| 554 | NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. | Operational | N |
| 555 | NtfsCheckFileForDelete: Denying access due to superseding view indexes are not … | Operational | N |
| 556 | NtfsCheckFileForDelete: Denying access due to non-posix delete of target … | Operational | N |
| 557 | NtfsCheckFileForDelete: Denying access due to file is not deleteable. | Operational | N |
| 558 | NtfsCheckFileForDelete: Denying access due to target file is read only. | Operational | N |
| 559 | NtfsCheckFileForDelete: Caller does not have write attributes access … | Operational | N |
| 560 | NtfsCheckFileForDelete: Denying access due to failing to remove image section. | Operational | N |
| 561 | NtfsGlobalSdUpdate: Caller does not have manage volume privilege. | Operational | N |
562NtfsRepairItem: Denying access due to volume is locked.OperationalN
563NtfsSetRepairState: Caller does not have manage volume privilege.OperationalN
564NtfsInitiateRepair: Caller does not have manage volume privilege.OperationalN
566NtfsDefineStorageReserve: Caller does not have manage volume privilege.OperationalN
567NtfsDeleteStorageReserve: Caller does not have manage volume privilege.OperationalN
568Failed to get a non-volatile token for Vcb: {A10_Vcb}!OperationalN
569Failed to free non-volatile token for Vcb: {A10_Vcb}!OperationalN
570NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!OperationalN
571NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …OperationalN
572ClustersLinkAsHead: {A10_ClustersLinkAsHead}!OperationalN
573Clusters: {A10_Clusters}!OperationalN
574Failed to get a non-volatile token for Vcb: {A10_Vcb}!OperationalN
575Failed to free non-volatile token for Vcb: {A10_Vcb}!OperationalN
576NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!OperationalN
577NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: …OperationalN
578ClustersLinkAsHead: {A10_ClustersLinkAsHead}!OperationalN
579Clusters: {A10_Clusters}!OperationalN
580Matching cluster: {A10_Clusters}!OperationalN
581Clusters: {A10_Clusters}!OperationalN
582Need to add Range.OperationalN
583Need to add Range.OperationalN
584Added range.OperationalN
585{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
586{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
587{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.OperationalN
588{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.OperationalN
589{A10___FUNCTION__}: from {A11_CallerFunction}!OperationalN
590{A10___FUNCTION__}: from {A11_CallerFunction}!OperationalN
591{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
592{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
593{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.OperationalN
594{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.OperationalN
595{A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be …OperationalN
596{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt.OperationalN
597{A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed.OperationalN
598{A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; …OperationalN
599{A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; …OperationalN
600{A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata …OperationalN
601{A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!OperationalN
602{A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is …OperationalN
603{A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!OperationalN
604{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
605{A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!OperationalN
606{A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!OperationalN
607{A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!OperationalN
608{A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!OperationalN
609{A10___FUNCTION__}: {A11_.OperationalN
610{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
611{A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
612{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
613{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
614{A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
615{A10___FUNCTION__}: Got {A11_Status}!OperationalN
616{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
617{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
618{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
619{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
620{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
621{A10___FUNCTION__}: Got {A11_Status}!OperationalN
622{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
623{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
624{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
625{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
626{A10___FUNCTION__}: Shutting down {A11_.OperationalN
627{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
628(.OperationalN
629(.OperationalN
630{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
631{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
632{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
633TxfFsctlWriteBackupInformation: Denying access due RM is active.OperationalN
634{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
635{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
636{A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!OperationalN
637{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
638{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
639{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …OperationalN
640{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
641{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
642{A10___FUNCTION__}: Commit.OperationalN
643{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
644{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
645{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at …OperationalN
646{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
647{A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!OperationalN
648{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
649{A10___FUNCTION__}: 0x{A11_Status}!OperationalN
650{A10___FUNCTION__}: 0x{A11_Status}!OperationalN
651{A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
652{A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at …OperationalN
653{A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
654{A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at …OperationalN
655{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
656{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
657{A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
658{A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
659{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
660{A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at …OperationalN
661{A10___FUNCTION__}: Log pinned by doomed transaction on RM at …OperationalN
662{A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!OperationalN
663{A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
664{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
665{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
666{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
667{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
668{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
669{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
670{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
671{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
672{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
673{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
674{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
675{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
676{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
677{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
678{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
679{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
680{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
681{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
682{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!OperationalN
683TrimUsnJournal.OperationalN
684TrimUsnJournal.OperationalN
685TrimUsnJournal.OperationalN
686TrimUsnJournal.OperationalN
687TrimUsnJournal.OperationalN
688TrimUsnJournal.OperationalN
689TrimUsnJournal.OperationalN
690OfsSetLength.OperationalN
691OfsSetLength.OperationalN
692NtOfsPostNewLength.OperationalN
693NtfsIsRegionDangling: RemainingClusterCount: 0x.OperationalN
694OfsSetLength.OperationalN
695OfsSetLength.OperationalN
696OfsSetLength.OperationalN
697OfsSetLength.OperationalN
698NtOfsPostNewLength.OperationalN
699NtfsIsRegionDangling: RemainingClusterCount: 0x.OperationalN
700Vcb {A10_Vcb}!OperationalN
701Vcb {A10_Vcb}!OperationalN
702Vcb {A10_Vcb}!OperationalN
703NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!OperationalN
704NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!OperationalN
705NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!OperationalN
706NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!OperationalN
707Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.OperationalN
708NtfsPostVcbIsCorrupt.OperationalN
709NtfsPostVcbIsCorrupt: Marking volume dirty.OperationalN
710Truncating write from 0x.OperationalN
711Succeeding log write @ 0x.OperationalN
712Succeeding log write @ 0x.OperationalN
713Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.OperationalN
714Ignoring write to 0x.OperationalN
715Ignoring write to 0x.OperationalN
716Truncating write from 0x.OperationalN

Event ID 10: NtfsLookupRealAllocation: Vcn {A10_Vcn}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsLookupRealAllocation: Vcn {A10_Vcn}!I64x!; LowestVcn {A11_Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A12_Attribute->Form.Nonresident.HighestVcn}!I64x!; AllocationClusters {A13_AllocationClusters}!I64x!

Fields

Name | Description
A10_Vcn
A13_AllocationClusters

Event ID 11: NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!p!; Scb:{A11_Scb}!p!

Message

NtfsAllocateAttribute MaxAlloc for Mft's AttrList IC:{A10_IrpContext}!p!; Scb:{A11_Scb}!p!

Fields

Name | Description
A10_IrpContext
A11_Scb

Event ID 12: FileObject: {A10_FileObject}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

FileObject: {A10_FileObject}!p!; Scb: {A11_Scb}!p!; StaringVcn: {A12_StartingVcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!; Flags: {A14_Flags}!08x!; CcbForWriteExtend: {A15_CcbForWriteExtend}!p!

Message

FileObject: {A10_FileObject}!p!; Scb: {A11_Scb}!p!; StaringVcn: {A12_StartingVcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!; Flags: {A14_Flags}!08x!; CcbForWriteExtend: {A15_CcbForWriteExtend}!p!

Fields

Name | Description
A10_FileObject
A11_Scb
A12_StartingVcn
A13_ClusterCount
A14_Flags
A15_CcbForWriteExtend

Event ID 13: NtfsAddAllocation IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAllocation IC:{A10_IrpContext}!p!; FileObject:{A11_FileObject}!p!; Scb:{A12_Scb}!p!; StaringVcn:{A13_StartingVcn}!I64x!; ClusterCount:{A14_ClusterCount}!I64x!; Flags:{A15_Flags}!08x!; CcbForWriteExtend:{A16_CcbForWriteExtend}!p!

Fields

Name | Description
A10_IrpContext
A11_FileObject
A12_Scb
A13_StartingVcn
A14_ClusterCount
A15_Flags
A16_CcbForWriteExtend

Event ID 14: Purge failed: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!

Message

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!

Fields

Name | Description
A10_Scb
A11_PurgeOffset

Event ID 15: Purge failed: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!; PurgeChunkLength: 0x{A12_PurgeChunkLength}!x!

Message

Purge failed: Scb: {A10_Scb}!p!; PurgeOffset: 0x{A11_PurgeOffset}!016I64x!; PurgeChunkLength: 0x{A12_PurgeChunkLength}!x!

Fields

Name | Description
A10_Scb
A11_PurgeOffset
A12_PurgeChunkLength

Event ID 16: NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!p!; Using LastVcn:{A11_*LastVcn}!4I64x!; InstanceId:{A12_Attribute->Instance}!x!

Message

NtfsGetLastVcnForNewMappingPairSize IC:{A10_IrpContext}!p!; Using LastVcn:{A11_*LastVcn}!4I64x!; InstanceId:{A12_Attribute->Instance}!x!

Fields

Name | Description
A10_IrpContext

Event ID 17: Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Message

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Event ID 18: Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Message

Can't find StdInfo in FileRef {A10_NtfsFullFileRefNumber( _Fcb->FileReference )}!I64x!

Event ID 19: NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:{A10_IrpContext}!p!ValueLength:{A11_ValueLength}!x!; AttrFlags={A12_AttributeFlags}!x!

Message

NtfsCreateNonresidentWithValue Create Mft's NonResident Attribute List IC:{A10_IrpContext}!p!ValueLength:{A11_ValueLength}!x!; AttrFlags={A12_AttributeFlags}!x!

Fields

Name | Description
A10_IrpContext
A11_ValueLength
A12_AttributeFlags

Event ID 20: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LastVcn {A14_LastVcn}!I64x!; NewHighestVcn {A15_NewHighestVcn}!I64x!; PassCount {A16_PassCount}!x! - step 6

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A14_LastVcn
A15_NewHighestVcn
A16_PassCount

Event ID 21: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - try to merge backward

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb

Event ID 22: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - after merge backward

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb

Event ID 23: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x!; PassCount {A17_PassCount}!x! - before last merge after step 6

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A17_PassCount

Event ID 24: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; LowestVcn {A14_Context->FoundAttribute.Attribute->Form.Nonresident.LowestVcn}!I64x!; HighestVcn {A15_Context->FoundAttribute.Attribute->Form.Nonresident.HighestVcn}!I64x!; ALE.LowestVcn {A16_Context->AttributeList.Entry->LowestVcn}!I64x! - after last merge after step 6

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb

Event ID 25: NtfsAddAttributeAllocation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsAddAttributeAllocation({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; MergeSkipCt {A14_NtfsFrsConsolidationStatistics.MergeSkipCount}!x! - done

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb

Event ID 26: NtfsRestartRemoveAttribute FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartRemoveAttribute FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A13_Attribute->TypeCode}!x!

Event ID 27: NtfsRestartChangeValue FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartChangeValue FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A13_Attribute->TypeCode}!x!

Event ID 28: AddToAttributeList.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

AddToAttributeList({A10_Fcb->Vcb}!p!;{A11_IrpContext}!p!): FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_CurrentAttributeListSize}!x!

Fields

Name | Description
A11_IrpContext
A15_CurrentAttributeListSize

Event ID 29: DeleteFromAttributeList.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

DeleteFromAttributeList({A10_Fcb->Vcb}!p!;{A11_IrpContext}!p!): FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_NewStdInfoAttrListEntry.LastCompactedSize}!x!

Fields

Name | Description
A11_IrpContext

Event ID 30: MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MakeRoomForAttribute Moving Mft's attribute IC:{A10_IrpContext}!p!; Moving Attrib {A11_i}!x!/{A12_MAX_MOVEABLE_ATTRIBUTES}!x!; Type={A13_Attribute->TypeCode}!x!; RecLengh={A14_Attribute->RecordLength}!x!; Instance:{A15_Attribute->Instance}!x!

Fields

Name | Description
A10_IrpContext
A11_i
A12_MAX_MOVEABLE_ATTRIBUTES

Event ID 31: MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MoveAttributeToOwnRecord Moving Mft's $BITMAP IC:{A10_IrpContext}!p!; SizeNeeded:{A11_SizeNeeded}!x!; TypeCode:{A12_Attribute->TypeCode}!x!; RecLen:{A13_Attribute->RecordLength}!x!; Form:{A14_Attribute->FormCode}!x!; Instance:{A15_Attribute->Instance}!x!

Fields

Name | Description
A10_IrpContext
A11_SizeNeeded

Event ID 32: MoveAttributeToOwnRecord IC:{A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

MoveAttributeToOwnRecord IC:{A10_IrpContext}!p!; SizeNeeded:{A11_SizeNeeded}!x!; Bytes2Free:{A12_BytesToFree}!x!; OldMappingSize:{A13_MappingPairSize}!x!; NewMappingSize:{A14_NewMappingPairSize}!x!

Message

MoveAttributeToOwnRecord IC:{A10_IrpContext}!p!; SizeNeeded:{A11_SizeNeeded}!x!; Bytes2Free:{A12_BytesToFree}!x!; OldMappingSize:{A13_MappingPairSize}!x!; NewMappingSize:{A14_NewMappingPairSize}!x!

Fields

Name | Description
A10_IrpContext
A11_SizeNeeded
A12_BytesToFree
A13_MappingPairSize
A14_NewMappingPairSize

Event ID 33: NtfsRestartZeroEndOfFileRecord FileRef:0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsRestartZeroEndOfFileRecord FileRef:0x{A10_FileRecord->SegmentNumberHighPart}!04x!_{A11_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A12_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Start:0x{A13_StartZero}!x!; Len:0x{A14_ZeroLength}!x!

Fields

Name | Description
A13_StartZero
A14_ZeroLength

Event ID 34: MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

MergeFRS2(!p!;!p!): Scb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; LowVcn !I64x!; HalfWayVcn !I64x!; FinalVcn !I64x!; PackedMode !x!; TryPrior !x! - about to merge.

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; LowVcn %7!I64x!; HalfWayVcn %8!I64x!; FinalVcn %9!I64x!; PackedMode %10!x!; TryPrior %11!x! - about to merge

Event ID 35: MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

MergeFRS2(!p!;!p!): Scb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; DeleteFileRef !x!0000!08x!; LowVcn !I64x!; LastVcn !I64x!; FinalVcn !I64x! - all fit in one so get rid of the second one.

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; DeleteFileRef %7!x!0000%8!08x!; LowVcn %9!I64x!; LastVcn %10!I64x!; FinalVcn %11!I64x! - all fit in one so get rid of the second one

Event ID 36: MergeFRS2(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; DeleteFileRef %7!x!0000%8!08x!; LowVcn %9!I64x!; LastVcn %10!I64x!; FinalVcn %11!I64x! - should all fit into one so get rid of the second one FIRST

Event ID 37: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewFinalVcn}!I64x! - initial RangePtr query.

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewFinalVcn}!I64x! - initial RangePtr query

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewFinalVcn

Event ID 38: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewHalfWayVcn}!I64x!; Rptr {A15_RangePtr}!p! - secondary RangePtr query

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewHalfWayVcn
A15_RangePtr

Event ID 39: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; Vcn {A14_NewHalfWayVcn}!I64x!; Rptr {A15_RangePtr}!p! - calling lookup runs range

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewHalfWayVcn
A15_RangePtr

Event ID 40: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - current McbArray

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NtfsMcbArray

Event ID 41: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - previous McbArray

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NtfsMcbArray

Event ID 42: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - prev prev McbArray

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NtfsMcbArray

Event ID 43: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; McbArray {A14_NtfsMcbArray}!p! ({A15_NtfsMcbArray->StartingVcn}!I64x!; {A16_NtfsMcbArray->EndingVcn}!I64x!) - next McbArray

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NtfsMcbArray

Event ID 44: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; NewFinalVcnInMcb {A14_NewFinalVcnInMcb}!I64x! > NewFinalVcn {A15_NewFinalVcn}!I64x! - NewFinalVcn is smaller

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewFinalVcnInMcb
A15_NewFinalVcn

Event ID 45: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; NewStartVcn {A14_NewStartVcn}!I64x!; LastVcn {A15_LastVcn}!I64x!; NewFinalVcn {A16_NewFinalVcn}!I64x!; NewFinalVcnInMcb {A17_NewFinalVcnInMcb}!I64x!; #Ranges {A18_NumberOfRanges}!x!; DeletedNextAttribute {A10_Scb->Vcb}0!x!; Mcb1({A10_Scb->Vcb}1!x!;{A10_Scb->Vcb}2!x!); Mcb2({A10_Scb->Vcb}3!x!;{A10_Scb->Vcb}4!x!); McbArraySizeInUseChange {A10_Scb->Vcb}5!d! - final vcn in mcb

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewStartVcn
A15_LastVcn
A16_NewFinalVcn
A17_NewFinalVcnInMcb
A18_NumberOfRanges

Event ID 46: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; StartingVcn {A14_NewStartVcn}!I64x!; EndingVcn {A15_DeletedNextAttribute ? NewFinalVcnInMcb : (LastVcn-1)}!I64x! - redefined mcb range1

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_NewStartVcn

Event ID 47: MergeFRS2.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

MergeFRS2({A10_Scb->Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FileRef {A13_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x!; StartingVcn {A14_LastVcn}!I64x!; EndingVcn {A15_NewFinalVcnInMcb}!I64x! - redefined mcb range2

Fields

Name | Description
A11_IrpContext
A12_Scb
A14_LastVcn
A15_NewFinalVcnInMcb

Event ID 48: RedoAttribute(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

RedoAttribute(!p!;!p!): Scb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; FileRef !I64x!; OldLowVcn !I64x!; NewLowVcn !I64x!; Instance !x! - updating LowestVcn in attribute list entry.

Message

RedoAttribute(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; FileRef %7!I64x!; OldLowVcn %8!I64x!; NewLowVcn %9!I64x!; Instance %10!x! - updating LowestVcn in attribute list entry

Event ID 49: RedoAttribute(%1;%2): Scb %3; FileRef %4!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

RedoAttribute(!p!;!p!): Scb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; OldLowVcn !I64x!; NewLowVcn !I64x!; OldHighVcn !I64x!; NewHighVcn !I64x!; ChildRef !x!0000!08x! - done.

Message

RedoAttribute(%1!p!;%2!p!): Scb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; OldLowVcn %7!I64x!; NewLowVcn %8!I64x!; OldHighVcn %9!I64x!; NewHighVcn %10!I64x!; ChildRef %11!x!0000%12!08x! - done

Event ID 50: NtfsConsolidateAllFileRecords: Invalid Vcb.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: {A10_PsGetCurrentThread()}!p!.

Message

NtfsConsolidateAllFileRecords: Invalid Vcb. Thread: {A10_PsGetCurrentThread()}!p!.

Event ID 51: NtfsConsolidateAllFileRecords: Volume is locked.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsConsolidateAllFileRecords: Volume is locked. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Volume Id: !S!; Vcb State: 0x!08x!.

Message

NtfsConsolidateAllFileRecords: Volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Volume Id: %5!S!; Vcb State: 0x%6!08x!.

Event ID 52: NtfsConsolidateAllFileRecords.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; FirstRequest {A14_AllFlags.FirstRequest}!x! - opened fcb.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; FirstRequest {A14_AllFlags.FirstRequest}!x! - opened fcb

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 53: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - already in progress so get out.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - already in progress so get out

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 54: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - set in progress flag.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - set in progress flag

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 55: NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; RstrTypeCode %5!x!; RstrAttrName %6!S!; RstrVcn %7!I64x!; RstrAttrListEntryOffset %8!x!; AttrListEntryOffset %9!x!; AttrListLength %10!I64x!; AttrListGrowBy %11!x!(%12!d!) - adjust FinalCompactedSizeDeduction

Event ID 56: NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!;!p!): Fcb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; Vcn !I64x!; Instance !x!; RstrAttrListEntryOffset !x!; AttrListLength !I64x! - breaking up 1.

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; Vcn %7!I64x!; Instance %8!x!; RstrAttrListEntryOffset %9!x!; AttrListLength %10!I64x! - breaking up 1

Event ID 57: NtfsConsolidateAllFileRecords(%1;%2): Fcb %3; FileRef %4!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords(!p!;!p!): Fcb !p!; FileRef !I64x!; TypeCode !x!; AttrName !S!; Vcn !I64x!; Instance !x!; RstrAttrListEntryOffset !x!; AttrListLength !I64x! - breaking up 2.

Message

NtfsConsolidateAllFileRecords(%1!p!;%2!p!): Fcb %3!p!; FileRef %4!I64x!; TypeCode %5!x!; AttrName %6!S!; Vcn %7!I64x!; Instance %8!x!; RstrAttrListEntryOffset %9!x!; AttrListLength %10!I64x! - breaking up 2

Event ID 58: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; Scb {A14_Scb}!p! - completed this Scb.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x!; Scb {A14_Scb}!p! - completed this Scb

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb
A14_Scb

Event ID 59: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - going into finally.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - going into finally

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 60: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): FileRef {A12_*(PULONGLONG)_FrsConsolidationContext->FileReference}!I64x!; Status {A13_IrpContext->ExceptionStatus}!x! - Abnormal Termination

Fields

Name
A10_Vcb
A11_IrpContext

Event ID 61: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - decremented close counts.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - decremented close counts

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 62: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - clearing in progress flag.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_*(PULONGLONG)_Fcb->FileReference}!I64x! - clearing in progress flag

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb

Event ID 63: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_FileRef}!I64x!; ExceptionStatus {A14_ExceptionStatus}!x!- released.

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_FileRef}!I64x!; ExceptionStatus {A14_ExceptionStatus}!x!- released

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb
A13_FileRef
A14_ExceptionStatus

Event ID 64: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): Fcb {A12_Fcb}!p!; FileRef {A13_FileRef}!I64x!; RemovedFcb {A14_RemovedFcb}!x!; AllFlags.FcbAcquired {A15_AllFlags.FcbAcquired}!x!; TransId {A16_IrpContext->TransactionId}!x! - no release

Fields

Name
A10_Vcb
A11_IrpContext
A12_Fcb
A13_FileRef
A14_RemovedFcb

Event ID 65: NtfsConsolidateAllFileRecords.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsConsolidateAllFileRecords({A10_Vcb}!p!;{A11_IrpContext}!p!): DeltaTime {A12_(EndTime.QuadPart*1000)/NtfsPerformanceFrequency.QuadPart}!I64d! (ms); TotalTime {A13_(FrsConsolidationContext->TotalTime*1000)/NtfsPerformanceFrequency.QuadPart}!I64d! (ms)

Fields

Name
A10_Vcb
A11_IrpContext

Event ID 66: UpdateLCS: Vcb {A10_Fcb->Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

UpdateLCS: Vcb {A10_Fcb->Vcb}!p!; IC {A11_IrpContext}!p!; FRef {A12_*(PULONGLONG)_Fcb->FileReference}!I64x!; OldSig {A13_StdInfoAttrListEntry->Signature}!x!; OldLCS {A14_StdInfoAttrListEntry->LastCompactedSize}!x!; NewLCS {A15_AttributeListSize}!x!

Fields

Name
A11_IrpContext
A15_AttributeListSize

Event ID 67: NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; Vcn: 0x{A14_OriginalStartingVcn}!I64x!; Length: 0x{A15_ClusterCount}!I64x!; AllocateAll: {A16_AllocateAll}!S!; TargetLcn: 0x{A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1}!I64x!; PreAllocated: {A18_PreAllocated}!S!; DelayedAllocation: {A10_IrpContext}0!S!

Fields

Name
A10_IrpContext
A11_Vcb
A12_Scb
A14_OriginalStartingVcn
A15_ClusterCount
A16_AllocateAll
A18_PreAllocated

Event ID 68: NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; Vcn: 0x{A14_OriginalStartingVcn}!I64x!; Length: 0x{A15_ClusterCount}!I64x!; AllocateAll: {A16_AllocateAll}!S!; TargetLcn: 0x{A17_(TargetLcn != NULL) ? *TargetLcn : (ULONGLONG)-1}!I64x!; PreAllocated: {A18_PreAllocated}!S!; DelayedAllocation: {A10_IrpContext}0!S!

Fields

Name
A10_IrpContext
A11_Vcb
A12_Scb
A14_OriginalStartingVcn
A15_ClusterCount
A16_AllocateAll
A18_PreAllocated

Event ID 69: NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x{A10_FoundClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_Scb->TotalAllocated}!I64x!

Message

NtfsAllocateClustersPriv: Incremented TotalAllocated by 0x{A10_FoundClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_Scb->TotalAllocated}!I64x!

Fields

Name
A10_FoundClusterCount
A11_Scb

Event ID 70: NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsAllocateClustersPriv: Skipped incrementing TotalAllocated by 0x{A10_FoundClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_Scb->TotalAllocated}!I64x!ScbState: {A13_Scb->State}!08x!; IrpContextState2: {A14_IrpContext->State2}!08x!; AllocateWithNoHole: {A15_AllocateWithNoHole}!d!

Fields

Name
A10_FoundClusterCount
A11_Scb
A15_AllocateWithNoHole

Event ID 71: NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Fields

Name
A10_IrpContext
A11_ClustersAllocated

Event ID 72: NtfsAllocateClustersPriv IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Message

NtfsAllocateClustersPriv IC: {A10_IrpContext}!p!; ClustersAllocated: {A11_ClustersAllocated}!S!

Fields

Name
A10_IrpContext
A11_ClustersAllocated

Event ID 73: NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Fields

Name
A10_IrpContext
A11_Vcb
A12_Scb
A14_StartingVcn
A15_EndingVcn

Event ID 74: NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! from clusters {A12_StartingVcn}!I64x! to {A13_EndingVcn}!I64x!

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! from clusters {A12_StartingVcn}!I64x! to {A13_EndingVcn}!I64x!

Fields

Name
A10_Vcb
A12_StartingVcn
A13_EndingVcn

Event ID 75: NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Scb: {A12_Scb}!p!; Mcb: {A13__Scb->Mcb}!p!; StartVcn: 0x{A14_StartingVcn}!I64x!; EndVcn: 0x{A15_EndingVcn}!I64x!

Fields

Name
A10_IrpContext
A11_Vcb
A12_Scb
A14_StartingVcn
A15_EndingVcn

Event ID 76: NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! starting at {A12_AdjLcn}!I64x! for {A13_AdjClusterCount}!I64x! clusters.

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - deleting FR {A11_*(PULONGLONG)_Scb->Fcb->FileReference}!I64x! starting at {A12_AdjLcn}!I64x! for {A13_AdjClusterCount}!I64x! clusters

Fields

Name
A10_Vcb
A12_AdjLcn
A13_AdjClusterCount

Event ID 77: NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - raising logfile full.

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - raising logfile full

Fields

Name
A10_Vcb

Event ID 78: NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - adding clusters to DeallocatedClusters: {A11_DeallocatedClusters}!p! ==> Lsn: {A12_DeallocatedClusters->Lsn.QuadPart}!I64x!; ClusterCount: {A13_DeallocatedClusters->ClusterCount}!I64x!; Flags: {A14_DeallocatedClusters->Flags}!08x!; Vcb's DeallocatedClustersCount old: {A15_Vcb->DeallocatedClusters}!I64x! new: {A16_Vcb->DeallocatedClusters + AdjClusterCount}!I64x!

Fields

Name
A10_Vcb
A11_DeallocatedClusters

Event ID 79: NtfsDeallocateClusters: Decremented TotalAllocated by 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters: Decremented TotalAllocated by 0x{A10_ClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_*TotalAllocated}!I64x!Addr(TotalAllocated): {A13_TotalAllocated}!p!

Message

NtfsDeallocateClusters: Decremented TotalAllocated by 0x{A10_ClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!; TotalAllocated: 0x{A12_*TotalAllocated}!I64x!Addr(TotalAllocated): {A13_TotalAllocated}!p!

Fields

Name
A10_ClusterCount
A11_Scb
A13_TotalAllocated

Event ID 80: NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDeallocateClusters: Skipped decrementing TotalAllocated by 0x{A10_ClusterCount}!I64x! clusters; Scb: {A11_Scb}!p!Addr(TotalAllocated): {A12_TotalAllocated}!p!; ScbState: {A13_Scb->State}!08x!; IrpContextState2: {A14_IrpContext->State2}!08x!

Fields

Name
A10_ClusterCount
A11_Scb
A12_TotalAllocated

Event ID 81: NtfsDeallocateClusters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - Undoing some changes to DeallocatedClustersCount from {A11_Vcb->DeallocatedClusters}!I64x! to {A12_Vcb->DeallocatedClusters-ClustersRemoved}!I64x!

Message

NtfsDeallocateClusters: Vcb {A10_Vcb}!p! - Undoing some changes to DeallocatedClustersCount from {A11_Vcb->DeallocatedClusters}!I64x! to {A12_Vcb->DeallocatedClusters-ClustersRemoved}!I64x!

Fields

Name
A10_Vcb

Event ID 82: NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Fields

Name
A10_IrpContext
A11_ClustersDeallocated

Event ID 83: NtfsDeallocateClusters IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Message

NtfsDeallocateClusters IC: {A10_IrpContext}!p!; ClustersDeallocated: {A11_ClustersDeallocated}!S!

Fields

Name
A10_IrpContext
A11_ClustersDeallocated

Event ID 84: NtfsModifyBitsInBitmap IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsModifyBitsInBitmap IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; FirstBit: 0x{A12_FirstBit}!I64x!; BeyondLastBit: 0x{A13_BeyondFinalBit}!I64x!; Redo: 0x{A14_RedoOperation}!x!; Undo: 0x{A15_UndoOperation}!x!

Fields

Name
A10_IrpContext
A11_Vcb
A12_FirstBit
A13_BeyondFinalBit
A14_RedoOperation
A15_UndoOperation

Event ID 85: NtfsModifyBitsInBitmap IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsModifyBitsInBitmap IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; CurrentLcn: 0x{A13_CurrentLcn}!I64x!

Message

NtfsModifyBitsInBitmap IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; CurrentLcn: 0x{A13_CurrentLcn}!I64x!

Fields

Name
A10_IrpContext
A11__Bitmap
A12_BaseLcn
A13_CurrentLcn

Event ID 86: NtfsAllocateBitmapRun IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_ClusterCount}!I64x!

Message

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_ClusterCount}!I64x!

Fields

Name
A10_IrpContext
A11_Vcb
A12_StartingLcn
A13_ClusterCount

Event ID 87: NtfsAllocateBitmapRun IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Message

NtfsAllocateBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Fields

Name
A10_IrpContext
A11__Bitmap
A12_BaseLcn
A13_StartingLcn

Event ID 88: NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Message

NtfsRestartSetBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Fields

Name
A10_IrpContext
A11_Bitmap
A12_BitMapOffset
A13_NumberOfBits

Event ID 89: NtfsFreeBitmapRun IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_*ClusterCount}!I64x!

Message

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; StartingLcn: 0x{A12_StartingLcn}!I64x!; ClusterCount: 0x{A13_*ClusterCount}!I64x!

Fields

Name
A10_IrpContext
A11_Vcb
A12_StartingLcn

Event ID 90: NtfsFreeBitmapRun IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Message

NtfsFreeBitmapRun IC: {A10_IrpContext}!p!; Bitmap: {A11__Bitmap}!p!; BaseLcn: 0x{A12_BaseLcn}!I64x!; StartingLcn: 0x{A13_StartingLcn}!I64x!

Fields

Name
A10_IrpContext
A11__Bitmap
A12_BaseLcn
A13_StartingLcn

Event ID 91: NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Message

NtfsRestartClearBitsInBitMap IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; BitMapOffset: 0x{A12_BitMapOffset}!08x!; NumBits: 0x{A13_NumberOfBits}!08x!

Fields

Name
A10_IrpContext
A11_Bitmap
A12_BitMapOffset
A13_NumberOfBits

Event ID 92: NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12_Bitmap}!p!; StartingBitmapLcn: 0x{A13_StartingBitmapLcn}!I64x!; SetBits: {A14_SetBits}!S!

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12_Bitmap}!p!; StartingBitmapLcn: 0x{A13_StartingBitmapLcn}!I64x!; SetBits: {A14_SetBits}!S!

Fields

Name
A10_IrpContext
A11_Vcb
A12_Bitmap
A13_StartingBitmapLcn
A14_SetBits

Event ID 93: NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; StartLcn: 0x{A12_StartingBit}!I64x!; EndLcn: 0x{A13_EndingBit}!I64x!

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Bitmap: {A11_Bitmap}!p!; StartLcn: 0x{A12_StartingBit}!I64x!; EndLcn: 0x{A13_EndingBit}!I64x!

Fields

Name
A10_IrpContext
A11_Bitmap
A12_StartingBit
A13_EndingBit

Event ID 94: NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Result: {A11_Results}!S!

Message

NtfsSetOrClearBitsUsingBaseMcb IC: {A10_IrpContext}!p!; Result: {A11_Results}!S!

Fields

Name
A10_IrpContext
A11_Results

Event ID 95: System files not marked as in use in the MFT bitmap.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

System files not marked as in use in the MFT bitmap. DWord offset {A10_i}!x!; value {A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]}!x!.

Message

System files not marked as in use in the MFT bitmap.  DWord offset {A10_i}!x!; value {A11_OriginalSystemBitmap[i / sizeof( OriginalSystemBitmap[0] )]}!x!.

Fields

Name
A10_i

Event ID 97: Length: {A10_Length}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u! - Key: {A12_Key}!u!; BitPosition: {A13_BitPosition}!ld!; GroupIndex: {A14_GroupIndex}!ld!; GroupShiftFactor: {A15_GroupShiftFactor}!ld!

Message

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u!    - Key: {A12_Key}!u!; BitPosition: {A13_BitPosition}!ld!; GroupIndex: {A14_GroupIndex}!ld!; GroupShiftFactor: {A15_GroupShiftFactor}!ld!

Fields

Name
A10_Length
A11_BinIndex
A12_Key
A13_BitPosition
A14_GroupIndex
A15_GroupShiftFactor

Event ID 98: Length: {A10_Length}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u! - BinIndex was beyond TotalBins: {A12_TotalBins}!u! hence brought down.

Message

Length: {A10_Length}!8I64d! --> BinIndex : {A11_BinIndex}!8u!    - BinIndex was beyond TotalBins: {A12_TotalBins}!u! hence brought down

Fields

Name
A10_Length
A11_BinIndex
A12_TotalBins

Event ID 99: BinIndex: {A10_BinIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MAXLONGLONG}!8I64d! - BinIndex is set to last bin or beyond; TotalBins: {A12_TotalBins}!u!

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MAXLONGLONG}!8I64d!  - BinIndex is set to last bin or beyond; TotalBins: {A12_TotalBins}!u!

Fields

Name
A10_BinIndex
A11_MAXLONGLONG
A12_TotalBins

Event ID 100: BinIndex: {A10_BinIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64d! - GroupIndex: {A12_GroupIndex}!ld!; RelativeBinIndex: {A13_RelativeBinIndex}!ld!; MaxKey: {A14_MaxKey}!u!

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64d!  - GroupIndex: {A12_GroupIndex}!ld!; RelativeBinIndex: {A13_RelativeBinIndex}!ld!; MaxKey: {A14_MaxKey}!u!

Fields

Name
A10_BinIndex
A11_MaxLength
A12_GroupIndex
A13_RelativeBinIndex
A14_MaxKey

Event ID 101: BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!8ld!; BinGroupSize: {A11_NtfsCachedRunBinGroupSize}!8u!; BinGroupMask: {A12_NtfsCachedRunBinGroupMask}!8x!

Message

BinGroupShift: {A10_NtfsCachedRunBinGroupShift}!8ld!; BinGroupSize: {A11_NtfsCachedRunBinGroupSize}!8u!; BinGroupMask: {A12_NtfsCachedRunBinGroupMask}!8x!

Fields

Name
A10_NtfsCachedRunBinGroupShift
A11_NtfsCachedRunBinGroupSize
A12_NtfsCachedRunBinGroupMask

Event ID 102: BinIndex: {A10_BinIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64u! (0x{A12_MaxLength}!8I64x!).

Message

BinIndex: {A10_BinIndex}!8u! --> MaxLength: {A11_MaxLength}!8I64u! (0x{A12_MaxLength}!8I64x!)

Fields

Name
A10_BinIndex
A11_MaxLength
A12_MaxLength

Event ID 103: Searched committed allocations but didnt find enough free space.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Searched committed allocations but didnt find enough free space.  StartingCluster {A10_StartingCluster}!I64x!; ClusterCount {A11_ClusterCount}!I64x!; Committed {A12_Vcb->TotalClustersCommitted}!I64x!; Total {A13_Vcb->TotalClusters}!I64x!; Free {A14_Vcb->FreeClusters}!I64x!

Fields

Name
A10_StartingCluster
A11_ClusterCount

Event ID 104: NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): first bit 0x{A11_FirstBitToClear}!X!; last bit 0x{A12_BeyondLastBitToClear - 1}!X!

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): first bit 0x{A11_FirstBitToClear}!X!; last bit 0x{A12_BeyondLastBitToClear - 1}!X!

Fields

Name
A10_Vcb
A11_FirstBitToClear

Event ID 105: NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no leading partial slab.

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no leading partial slab

Fields

Name
A10_Vcb

Event ID 106: NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): leading partial slab returned - LCN {A11_*FreeClusterBase1}!I64X!; len {A12_*FreeClusterCount1}!I64X!

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): leading partial slab returned - LCN {A11_*FreeClusterBase1}!I64X!; len {A12_*FreeClusterCount1}!I64X!

Fields

Name
A10_Vcb

Event ID 107: NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no trailing partial slab.

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): no trailing partial slab

Fields

Name
A10_Vcb

Event ID 108: NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): trailing partial slab returned - lcn {A11_*FreeClusterBase2}!I64X!; len {A12_*FreeClusterCount2}!I64X!

Message

NtfsRemoveClustersFromTPMap: Vcb {A10_Vcb}!p! - Clearing TP map bit(s): trailing partial slab returned - lcn {A11_*FreeClusterBase2}!I64X!; len {A12_*FreeClusterCount2}!I64X!

Fields

Name
A10_Vcb

Event ID 109: NtfsValidateTotalClustersCommitted.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsValidateTotalClustersCommitted({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): TCC {A12_Vcb->TotalClustersCommitted}!I64x!; TC {A13_Vcb->TotalClusters}!I64x!; BMSize {A14_Vcb->TPMap.SizeOfBitMap}!x!

Message

NtfsValidateTotalClustersCommitted({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): TCC {A12_Vcb->TotalClustersCommitted}!I64x!; TC {A13_Vcb->TotalClusters}!I64x!; BMSize {A14_Vcb->TPMap.SizeOfBitMap}!x!

Fields

Name
A10_Vcb

Event ID 110: Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!u!

Message

Illegal MDL Complete for major code {A10_IrpContext->MajorFunction}!u!

Event ID 111: Entering: Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingZero}!016I64x!; ByteCount: 0x{A12_ByteCount}!016I64x!; ExtentsDescriptor: {A13_ExtentsDescriptor}!p!; ExtentsDescriptorIndex: {A14_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A15_*ExtentsDescriptorStartOffset}!016I64x!; Offset: 0x{A16_Offset}!016I64x!; MaxRuns: {A17_MaxRuns}!d!;

Fields

Name
A10_Scb
A11_StartingZero
A12_ByteCount
A13_ExtentsDescriptor
A16_Offset
A17_MaxRuns

Event ID 112: RunEntry ==> {A10_RunIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

RunEntry ==> {A10_RunIndex}!4d!: [0x{A11_ExtentsDescriptor->Run[RunIndex].BasePage}!016I64x!; 0x{A12_ExtentsDescriptor->Run[RunIndex].PageCount}!016I64x!]; ExtentLength: 0x{A13_ExtentLength}!016I64x!; Offset: 0x{A14_Offset}!016I64x!; RunIndexStartOffset: 0x{A15_RunIndexStartOffset}!016I64x!

Fields

Name
A10_RunIndex
A13_ExtentLength
A14_Offset
A15_RunIndexStartOffset

Event ID 114: Shrinking LengthInExtent.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Shrinking LengthInExtent (0x{A10_LengthInExtent}!016I64x!) to ByteCount (0x{A11_ByteCount}!016I64x!) that we have to zero.

Message

Shrinking LengthInExtent (0x{A10_LengthInExtent}!016I64x!) to ByteCount (0x{A11_ByteCount}!016I64x!) that we have to zero

Fields

Name
A10_LengthInExtent
A11_ByteCount

Event ID 115: Zeroing: StartingPhysicalAddr: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Message

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Fields

Name
A11_LengthInExtent

Event ID 116: Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d! ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Message

Exiting: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d! ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 117: Entering: Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingOffset}!016I64x!; BeyondEndOffset: 0x{A12_BeyondEndOffset}!016I64x!

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingOffset}!016I64x!; BeyondEndOffset: 0x{A12_BeyondEndOffset}!016I64x!

Fields

Name
A10_Scb
A11_StartingOffset
A12_BeyondEndOffset

Event ID 118: Dsm Ranges[.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Dsm Ranges[{A10_DataSetRangeIndex}!d!]: StartingOffset: 0x{A11_DsmBuffer->DataSetRanges[DataSetRangeIndex].StartingOffset}!016I64x!; LengthInBytes: 0x{A12_DsmBuffer->DataSetRanges[DataSetRangeIndex].LengthInBytes}!016I64x!

Fields

Name
A10_DataSetRangeIndex

Event ID 119: RemainingClusterCount: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!

Fields

Name | Description
A10_RemainingClusterCount
A11_DataSetRangeIndex

Event ID 120: Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!d!; NumberOfRangesReturned: {A11_DsmByteAddressRanges->NumberOfRangesReturned}!d!

Message

Dsm: TotalNumberOfRanges: {A10_DsmByteAddressRanges->TotalNumberOfRanges}!d!; NumberOfRangesReturned: {A11_DsmByteAddressRanges->NumberOfRangesReturned}!d!

Event ID 121: DsmOut Ranges[.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

DsmOut Ranges[{A10_Index}!d!]: StartingAddress: 0x{A11_DsmByteAddressRanges->Ranges[Index].StartAddress}!016I64x!; LengthInBytes: 0x{A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes}!016I64x!

Message

DsmOut Ranges[{A10_Index}!d!]: StartingAddress: 0x{A11_DsmByteAddressRanges->Ranges[Index].StartAddress}!016I64x!; LengthInBytes: 0x{A12_DsmByteAddressRanges->Ranges[Index].LengthInBytes}!016I64x!

Fields

Name | Description
A10_Index

Event ID 122: Zeroing: StartingPhysicalAddr: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Message

Zeroing: StartingPhysicalAddr: 0x{A10_StartingPhysicalAddr.QuadPart}!016I64x!; LengthInExtent: 0x{A11_LengthInExtent}!016I64x!

Fields

Name | Description
A11_LengthInExtent

Event ID 123: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 124: Entering: Scb: {A10_Scb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Entering: Scb: {A10_Scb}!p!; StartingZero: 0x{A11_StartingZero}!016I64x!; BeyondEndOffset: 0x{A12_BeyondEndOffset}!016I64x!; ByteCount: 0x{A13_ByteCount}!016I64x!; ExtentsDescriptor: {A14_ExtentsDescriptor}!p!; ExtentsDescriptorIndex: {A15_ExtentsDescriptorIndex ? *ExtentsDescriptorIndex : 0}!d!; ExtentsDescriptorStartOffset: 0x{A16_ExtentsDescriptorStartOffset ? *ExtentsDescriptorStartOffset : 0}!016I64x!

Fields

Name | Description
A10_Scb
A11_StartingZero
A12_BeyondEndOffset
A13_ByteCount
A14_ExtentsDescriptor

Event ID 125: Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Message

Updating ExtentsDescriptor Index and StartOffset from Locals: ExtentsDescriptorIndex: {A10_*ExtentsDescriptorIndex}!d!; ExtentsDescriptorStartOffset: 0x{A11_*ExtentsDescriptorStartOffset}!016I64x!

Event ID 126: IrpContext: {A10_IrpContext}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

IrpContext: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; StartOffset: 0x{A12_StartOffset}!I64x!; ByteCount: 0x{A13_ByteCount}!x!

Message

IrpContext: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; StartOffset: 0x{A12_StartOffset}!I64x!; ByteCount: 0x{A13_ByteCount}!x!

Fields

Name | Description
A10_IrpContext
A11_Scb
A12_StartOffset
A13_ByteCount

Event ID 127: Return.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Return. IrpContext: {A10_IrpContext}!p!

Message

Return. IrpContext: {A10_IrpContext}!p!

Fields

Name | Description
A10_IrpContext

Event ID 128: Unexpected open type received: {A10_TypeOfOpen}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Unexpected open type received: {A10_TypeOfOpen}!u!

Message

Unexpected open type received: {A10_TypeOfOpen}!u!

Fields

Name | Description
A10_TypeOfOpen

Event ID 129: Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}.

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: {A10_Status}

Fields

Name | Description
A10_Status

Event ID 130: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Fields

Name | Description
A10_Status

Event ID 131: Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Message

Raising STATUS_SUCCESS from NtfsCommonCleanup: 0x{A10_Status}!X!

Fields

Name | Description
A10_Status

Event ID 132: Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; FileIdBuffer: %6; Options: 0x%7!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Irp: !p!; IC: !p!; Vcb: !p!; FileObject: !p!; RelatedFileObject: !p!; FileIdBuffer: !S!; Options: 0x!08x!; FileAttributes: 0x!04x!; ShareAccess: 0x!04x!; EaLength: 0x!08x!

Message

Irp: %1!p!; IC: %2!p!; Vcb: %3!p!; FileObject: %4!p!; RelatedFileObject: %5!p!; FileIdBuffer: %6!S!; Options: 0x%7!08x!; FileAttributes: 0x%8!04x!; ShareAccess: 0x%9!04x!; EaLength: 0x%10!08x!

Event ID 133: Irp: %1; IC: %2; Vcb: %3; FileObject: %4; RelatedFileObject: %5; Path: %6; Options: 0x%7!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Irp: !p!; IC: !p!; Vcb: !p!; FileObject: !p!; RelatedFileObject: !p!; Path: !S!; Options: 0x!08x!; FileAttributes: 0x!04x!; ShareAccess: 0x!04x!; EaLength: 0x!08x!

Message

Irp: %1!p!; IC: %2!p!; Vcb: %3!p!; FileObject: %4!p!; RelatedFileObject: %5!p!; Path: %6!S!; Options: 0x%7!08x!; FileAttributes: 0x%8!04x!; ShareAccess: 0x%9!04x!; EaLength: 0x%10!08x!

Event ID 134: NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Fields

Name | Description
A11_CreateDisposition

Event ID 135: NtfsCommonVolumeOpen: Invalid create disposition for volume open.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Message

NtfsCommonVolumeOpen: Invalid create disposition for volume open. Thread: {A10_PsGetCurrentThread()}!p!; CreateDisposition: 0x{A11_CreateDisposition}!x!.

Fields

Name | Description
A11_CreateDisposition

Event ID 136: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Vcb State: 0x!08x!.

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 137: NtfsCommonVolumeOpen: Thread: %1; Vcb: %2; VolumeName: %3; VolumeLabel: %4; Requested ShareAccess: 0x%5!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCommonVolumeOpen: Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Requested ShareAccess: 0x!08x!; Vcb->CleanupCount: !d!; BiasedCleanupCount: !d!.

Message

NtfsCommonVolumeOpen: Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Requested ShareAccess: 0x%5!08x!; Vcb->CleanupCount: %6!d!; BiasedCleanupCount: %7!d!.

Event ID 138: NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Vcb State: 0x!08x!.

Message

NtfsCommonVolumeOpen: Volume is locked or we have performed a dismount.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 139: NtfsCommonVolumeOpen: Conlicting file objects.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCommonVolumeOpen: Conlicting file objects. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Requested ShareAccess: 0x%5!08x!; Vcb->ReadOnlyCloseCount: %6!d!; Vcb->CloseCount: %7!d!; Vcb->SystemFileCloseCount: %8!d!.

Event ID 140: NtfsHandlePagingFile: Paging file already open; paging files can only be opened once.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsHandlePagingFile: Paging file already open; paging files can only be opened once. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb->CleanupCount: %7!d!; Fcb->FcbState: 0x%8!08x!; IrpSp->Flags: 0x%9!08x!.

Event ID 141: NtfsHandlePagingFile: Cannot open system file as paging file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Fcb->FcbState: 0x!08x!; IrpSp->Flags: 0x!08x!.

Message

NtfsHandlePagingFile: Cannot open system file as paging file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb->FcbState: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 142: NtfsHandlePagingFile: Persisted paging file already exists.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsHandlePagingFile: Persisted paging file already exists. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; IrpContext->State: 0x!08x!; IrpSp->Flags: 0x!08x!.

Message

NtfsHandlePagingFile: Persisted paging file already exists. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; IrpContext->State: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 143: NtfsOpenFcbById: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenFcbById: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 144: NtfsOpenExistingPrefixFcb: Can not directly open txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FileAttributes: 0x!08x!; Rmstate: 0x!08x!.

Message

NtfsOpenExistingPrefixFcb: Can not directly open txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Rmstate: 0x%8!08x!.

Event ID 145: NtfsOpenExistingPrefixFcb: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingPrefixFcb: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 146: NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FcbState: 0x!08x!.

Message

NtfsOpenFile: Unsafe to acquire parent directory after acquiring a txf-system file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!.

Event ID 147: NtfsOpenFile: Invalid system file access.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenFile: Invalid system file access. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FcbState: 0x!08x!; CreateDisposition: 0x!08x!; DesiredAccess: 0x!08x!.

Message

NtfsOpenFile: Invalid system file access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; CreateDisposition: 0x%8!08x!; DesiredAccess: 0x%9!08x!.

Event ID 148: NtfsOpenFile: Deny open when txf rm is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenFile: Deny open when txf rm is active. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; TxfRmcb Rmstate: 0x!08x!.

Message

NtfsOpenFile: Deny open when txf rm is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfRmcb Rmstate: 0x%7!08x!.

Event ID 149: NtfsCreateNewFile: Deny creation in system directory (except root).

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Deny creation in system directory (except root). Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; (Parent Fcb): Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; TxfRmcb state: 0x%8!08x!; AttrTypeCode: 0x%9!x!.

Event ID 150: NtfsCreateNewFile: Unable to create Ea for the file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCreateNewFile: Unable to create Ea for the file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Create options: 0x!08x!; Ccb flags: 0x!08x!.

Message

NtfsCreateNewFile: Unable to create Ea for the file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Create options: 0x%7!08x!; Ccb flags: 0x%8!08x!.

Event ID 151: NtfsCreateNewFile: Unable to create in the $txf directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCreateNewFile: Unable to create in the $txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; (Parent Fcb) Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; TxfRmcb state: 0x%8!08x!.

Event ID 152: NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; TxfRmcb state: 0x!08x!.

Message

NtfsOpenSubdirectory: Denying access to $Txf file when the RM is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfRmcb state: 0x%7!08x!.

Event ID 153: NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Denying access due to caller being Ea blind. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NeedEaCount: %7!d!; CreateOptions: 0x%8!08x!; CcbFlags: 0x%9!08x!.

Event ID 154: NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeInExistingFile: Fail to find $INDEX_ROOT attribute. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; AttrTypeCode to create: 0x%7!x!; CreateDisposition: 0x%8!08x!.

Event ID 155: NtfsOpenAttributeInExistingFile: Denying access for volume root directory.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; CreateDisposition: 0x!08x!.

Message

NtfsOpenAttributeInExistingFile: Denying access for volume root directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; CreateDisposition: 0x%7!08x!.

Event ID 156: NtfsCreateNewFile: Not allowed to create streams on system files.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FcbState: 0x!08x!; AttrTypeCode: 0x!x!.

Message

NtfsCreateNewFile: Not allowed to create streams on system files. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; AttrTypeCode: 0x%8!x!.

Event ID 157: NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOverwriteAttr: Cannot overwrite hidden or system attribute for a non-paging file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; DuplicateInfo attributes: 0x%7!08x!; FileAttributes: 0x%8!08x!.

Event ID 158: NtfsOverwriteAttr: Denying access due to user being Ea blind.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Create options: 0x!08x!.

Message

NtfsOverwriteAttr: Denying access due to user being Ea blind. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Create options: 0x%7!08x!.

Event ID 159: NtfsOverwriteAttr: Deny access due to encryption happening on the stream.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOverwriteAttr: Deny access due to encryption happening on the stream. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; AttributeTypeCode: 0x%7!x!; Scb state: 0x%8!08x!; Scb HighWaterMark: %9!I64d!.

Event ID 160: NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckValidAttributeAccess: Supersede or overwrite is not allowed on this type of named attribute. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; AttributeTypeCode: 0x%5!x!; CreateDisposition: 0x%6!08x!.

Event ID 161: NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Event ID 162: NtfsCheckValidAttributeAccess: Deny access for protected system attributes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Message

NtfsCheckValidAttributeAccess: Deny access for protected system attributes. Thread: {A10_PsGetCurrentThread()}!p!; AttributeTypeCode: {A11_*AttrCode}!x!.

Event ID 163: NtfsOpenAttributeCheck: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 164: NtfsOpenAttributeCheck: Deny access for online encryption backup data stream.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: Deny access for online encryption backup data stream. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; AttributeTypeCode: 0x%8!x!; Attribute Name: %9!S!.

Event ID 165: NtfsOpenAttributeCheck: File was granted write access but has image section.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttributeCheck: File was granted write access but has image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Previously granted access: 0x%10!08x!.

Event ID 166: NtfsOpenAttribute: Denying write access on disallowed writes.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Denying write access on disallowed writes. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Disallow write count: %8!d!; Desired Access: 0x%9!08x!.

Event ID 167: NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 168: NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Requested share access: 0x%7!08x!; FO flags: 0x%8!08x!.

Event ID 169: NtfsOpenAttribute: File already has user writable references.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Requested ShareAccess: 0x%10!08x!; Previously granted access: 0x%11!08x!.

Event ID 170: NtfsOpenAttribute: Open for exclusive read access is not allowed.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenAttribute: Open for exclusive read access is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Requested share access: 0x%7!08x!; FO flags: 0x%8!08x!.

Event ID 171: NtfsCheckExistingFile: Desired access conflicts with read-only state.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckExistingFile: Desired access conflicts with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Desired Access: 0x%7!08x!; FileAttributes: 0x%8!08x!; SL control flags: 0x%9!08x!.

Event ID 172: NtfsOpenExistingEncryptedStream: No encryption driver found.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FileAttributes: 0x!08x!; NtfsData flags: 0x!08x!.

Message

NtfsOpenExistingEncryptedStream: No encryption driver found. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; NtfsData flags: 0x%8!08x!.

Event ID 173: NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsOpenExistingEncryptedStream: Opening for read/write access not allowed on compressed file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Stream attribute flags: 0x%8!08x!.

Event ID 174: NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: {A10_PsGetCurrentThread()}!p!; Fcb: {A11_CurrentFcb}!p!; FileRef: 0x{A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )}!I64x!; TxfRmcb RM state: {A13_CurrentFcb->TxfRmcb->RmState}!x!.

Fields

Name | Description
A11_CurrentFcb

Event ID 175: NtfsFindStartingNode: Opening not allowed for txf name when RM is active.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsFindStartingNode: Opening not allowed for txf name when RM is active. Thread: {A10_PsGetCurrentThread()}!p!; Fcb: {A11_CurrentFcb}!p!; FileRef: 0x{A12_NtfsFullFileRefNumber( _CurrentFcb->FileReference )}!I64x!; TxfRmcb RM state: {A13_CurrentFcb->TxfRmcb->RmState}!x!.

Fields

Name | Description
A11_CurrentFcb

Event ID 176: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Link Name: %7!S!; DesiredAccess: 0x%8!08x!; DesiredShareAccess: 0x%9!08x!; IoShareAccessFlags: 0x%10!08x!; LinkShareAccess->OpenCount: %11!d!; LinkShareAccess->Deleters: %12!d!; LinkShareAccess->SharedDelete: %13!d!.

Event ID 177: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; DesiredAccess: 0x%9!08x!; DesiredShareAccess: 0x%10!08x!; IoShareAccessFlags: 0x%11!08x!; ShareAccess->OpenCount: %12!d!; ShareAccess->Readers: %13!d!; ShareAccess->Writers: %14!d!; ShareAccess->->Deleters: %15!d!; ShareAccess->SharedRead: %16!d!; ShareAccess->SharedWrite: %17!d!; ShareAccess->SharedDelete: %18!d!.

Event ID 178: NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsCheckShareAccess: IoCheckLinkShareAccess failed with sharing violation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; Link Name: %9!S!; DesiredAccess: 0x%10!08x!; DesiredShareAccess: 0x%11!08x!; IoShareAccessFlags: 0x%12!08x!; ShareAccess->OpenCount: %13!d!; ShareAccess->Readers: %14!d!; ShareAccess->Writers: %15!d!; ShareAccess->->Deleters: %16!d!; ShareAccess->SharedRead: %17!d!; ShareAccess->SharedWrite: %18!d!; ShareAccess->SharedDelete: %19!d!; LinkShareAccess->OpenCount: %20!d!; LinkShareAccess->Deleters: %21!d!; LinkShareAccess->SharedDelete: %22!d!.

Event ID 179: NtfsReCheckShareAccess: Does not meet allow open requirement.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsReCheckShareAccess: Does not meet allow open requirement. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb Type Code: 0x%7!x!; Scb Name: %8!S!; Link Name: %9!S!; Previously granted access: 0x%10!08x!; AccessState->Flags: 0x%11!08x!; DesiredShareAccess: 0x%12!08x!; CreateDisposition: 0x%13!08x!; OpenCount: %14!d!; Readers: %15!d!; Writers: %16!d!; Deleters: %17!d!; SharedRead: %18!d!; Lcb Deleters: %19!d!.

Event ID 180: %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

:!d! Status: !S! ProcessName: !S!

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 181: %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

:!d! Status: !S! ProcessName: !S!

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 182: %1:%2 Status: %3 ProcessName: %4.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

:!d! Status: !S! ProcessName: !S!

Message

%1:%2!d! Status: %3!S! ProcessName: %4!S!

Event ID 183: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Will tell storage we are freeing at {A11_StartingCluster}!I64x! for {A12_RunLength}!x! clusters.

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Will tell storage we are freeing at {A11_StartingCluster}!I64x! for {A12_RunLength}!x! clusters

Fields

Name | Description
A10_Vcb
A11_StartingCluster
A12_RunLength

Event ID 184: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Flush requested.

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Flush requested

Fields

Name | Description
A10_Vcb

Event ID 185: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! -  Created new MarkUnusedContext {A11_*MarkUnusedContext}!p!; DEALLOCATED_CLUSTERS {A12_(*MarkUnusedContext)->DeallocatedClusters}!p!; MCB {A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p!

Fields

Name | Description
A10_Vcb

Event ID 186: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Successfully added clusters starting at {A11_StartingCluster}!I64x! for {A12_RunLength}!x! into MCB {A13__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p!

Fields

Name | Description
A10_Vcb
A11_StartingCluster
A12_RunLength

Event ID 187: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - MCB {A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p! is full.

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - MCB {A11__(*MarkUnusedContext)->DeallocatedClusters->Mcb}!p! is full

Fields

Name | Description
A10_Vcb

Event ID 188: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Queuing request to IC pre-trim list; MUC {A11_*MarkUnusedContext}!p!; IC {A12_IrpContext}!p!

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Queuing request to IC pre-trim list; MUC {A11_*MarkUnusedContext}!p!; IC {A12_IrpContext}!p!

Fields

Name | Description
A10_Vcb
A12_IrpContext

Event ID 189: NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! - Failed to allocate/initial MarkUnusedContext.

Message

NtfsSendUnusedClustersHint: Vcb {A10_Vcb}!p! -  Failed to allocate/initial MarkUnusedContext

Fields

Name | Description
A10_Vcb

Event ID 190: NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; SrcOrigClusCt {A13_Src->DeallocatedClusters->ClusterCount}!I64x!; SrcDSRL {A14_SrcDsmAttr->DataSetRangesLength}!x! - Entering

Fields

Name | Description
A10_Src
A11_Dst

Event ID 191: NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; DstClusCt {A13_Dst->ClustersCount}!I64x!; DstDSRL {A14_DstDsmAttr->DataSetRangesLength}!x!; DstLIB {A15_DstFirstDataSetRangePtr->LengthInBytes}!I64x!; DstSOff {A16_DstFirstDataSetRangePtr->StartingOffset}!I64x! - Leaving

Fields

Name | Description
A10_Src
A11_Dst

Event ID 192: NtfsTransferMaxDataSetRanges: Src {A10_Src}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsTransferMaxDataSetRanges: Src {A10_Src}!p!; Dst {A11_Dst}!p!; SrcRemainClusCt {A12_Src->ClustersCount}!I64x!; DstClusCt {A13_Dst->ClustersCount}!I64x!; DstDSRL {A14_DstDsmAttr->DataSetRangesLength}!x!; DstLIB {A15_DstFirstDataSetRangePtr->LengthInBytes}!I64x!; DstSOff {A16_DstFirstDataSetRangePtr->StartingOffset}!I64x! - Leaving

Fields

Name | Description
A10_Src
A11_Dst

Event ID 193: NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - DC {A12_Vcb->DeallocatedClusters}!I64x!; DCIT {A13_Vcb->DeallocatedClustersListLengthInTrim}!x!; DCTD {A14_Vcb->DeallocatedClustersListLengthToDrain}!x!; CC {A15_Clusters->ClusterCount}!I64x!; IR {A16_InitialRanges}!x!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A16_InitialRanges

Event ID 194: NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - Removed interior slab(s) from TP map - [LCN {A12_StartingLcn}!I64X!; len {A13_ClusterCount}!I64X!] => [LCN {A14_FreeClusterBase1}!I64X!; len {A15_FreeClusterCount1}!I64X!]; [LCN {A16_FreeClusterBase2}!I64X!; len {A17_FreeClusterCount2}!I64X!]

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_StartingLcn
A13_ClusterCount
A14_FreeClusterBase1
A15_FreeClusterCount1
A16_FreeClusterBase2
A17_FreeClusterCount2

Event ID 195: NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - Releasing bitmap.

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - Releasing bitmap

Fields

Name | Description
A10_Vcb

Event ID 196: NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Fields

Name | Description
A10_Vcb

Event ID 197: NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Message

NtfsMarkUnusedContextPostTrimProcessing: Vcb {A10_Vcb}!p! - CloseCount {A11_Vcb->CloseCount}!x!

Fields

Name | Description
A10_Vcb

Event ID 198: NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!p!

Message

NtfsAsyncSendUnusedClustersHintCompletionRoutine: Irp {A10_Irp}!p!

Fields

Name | Description
A10_Irp

Event ID 199: NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p!; IC {A11_IrpContext}!p! - Entering.

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p!; IC {A11_IrpContext}!p! - Entering

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 200: NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Kicked off DelayedWorkQueue.

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Kicked off DelayedWorkQueue

Fields

Name | Description
A10_Vcb

Event ID 201: NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Leaving.

Message

NtfsMarkUnusedContextPreTrimProcessing: Vcb {A10_Vcb}!p! - Leaving

Fields

Name | Description
A10_Vcb

Event ID 202: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!p!

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Entering Vcb {A10_Vcb}!p!

Fields

Name | Description
A10_Vcb

Event ID 203: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Small MUC {A11_SmallMarkUnusedContext}!p! instead of MUC {A12_MarkUnusedContext}!p!

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Small MUC {A11_SmallMarkUnusedContext}!p! instead of MUC {A12_MarkUnusedContext}!p!

Fields

Name | Description
A10_Vcb
A11_SmallMarkUnusedContext
A12_MarkUnusedContext

Event ID 204: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Failed to allocate small MUC so use MUC {A11_MarkUnusedContext}!p!

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Failed to allocate small MUC so use MUC {A11_MarkUnusedContext}!p!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 205: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down. MUC {A11_MarkUnusedContext}!p!

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down.  MUC {A11_MarkUnusedContext}!p!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 206: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - [{A12_TrimEntryCount++}!x!] Offset {A13_DataSetRangePtr->StartingOffset}!I64x!; Length {A14_DataSetRangePtr->LengthInBytes}!I64x! - trim entry

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 207: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p!; Irp {A12_IrpUsed}!p! - Completed.

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p!; Irp {A12_IrpUsed}!p! - Completed

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_IrpUsed

Event ID 208: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - {A12_Status}!x! - failed to send.

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - {A12_Status}!x! - failed to send

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_Status

Event ID 209: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Add MUC {A11_MarkUnusedContext}!p! to post trim list.

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Add MUC {A11_MarkUnusedContext}!p! to post trim list

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 210: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Free small MUC {A11_MarkUnusedContext}!p!

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Free small MUC {A11_MarkUnusedContext}!p!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 211: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down failed with {A11_Status}!x!.  MUC {A12_MarkUnusedContext}!p!; Count {A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL}!I64x!

Fields

Name | Description
A10_Vcb
A11_Status
A12_MarkUnusedContext

Event ID 212: NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkUnusedContextPreTrimWorkItemProcessing: Vcb {A10_Vcb}!p! - Sending storage ioctl down failed with {A11_Status}!x!.  MUC {A12_MarkUnusedContext}!p!; Count {A13_((MarkUnusedContext != NULL) __ (MarkUnusedContext->DeallocatedClusters != NULL)) ? MarkUnusedContext->DeallocatedClusters->ClusterCount : -1LL}!I64x!

Fields

Name | Description
A10_Vcb
A11_Status
A12_MarkUnusedContext

Event ID 213: NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - There are waiters for DC {A11_DeallocatedClusters}!p!

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - There are waiters for DC {A11_DeallocatedClusters}!p!

Fields

Name | Description
A10_Vcb
A11_DeallocatedClusters

Event ID 214: NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Waking up waiter for DC {A11_DeallocatedClusters}!p!

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Waking up waiter for DC {A11_DeallocatedClusters}!p!

Fields

Name | Description
A10_Vcb
A11_DeallocatedClusters

Event ID 215: NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Done waking up DC {A11_DeallocatedClusters}!p!

Message

NtfsWakeupDeallocatedClustersWaiters: Vcb {A10_Vcb}!p! - Done waking up DC {A11_DeallocatedClusters}!p!

Fields

Name | Description
A10_Vcb
A11_DeallocatedClusters

Event ID 216: NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p!; All {A11_All}!x! - Entering.

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p!; All {A11_All}!x! - Entering

Fields

Name | Description
A10_Vcb
A11_All

Event ID 217: NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting to drain.

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting to drain

Fields

Name | Description
A10_Vcb

Event ID 218: NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting for partial drain.

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Waiting for partial drain

Fields

Name | Description
A10_Vcb

Event ID 219: NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving.

Message

NtfsWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving

Fields

Name | Description
A10_Vcb

Event ID 220: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Entering.

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Entering

Fields

Name | Description
A10_Vcb

Event ID 221: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Inserted {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Inserted {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Fields

Name | Description
A10_Vcb

Event ID 222: NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving.

Message

NtfsPrepareToWaitForDeallocatedClustersToDrain: Vcb {A10_Vcb}!p! - Leaving

Fields

Name | Description
A10_Vcb

Event ID 223: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!p! - Wait for DC {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Vcb {A10_IrpContext->Vcb}!p! - Wait for DC {A11_DeallocatedClustersToWaitFor->DeallocatedClusters}!p!

Fields

Name | Description
A10_Vcb

Event ID 224: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!d! (s); Exceeded by {A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                     (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)}!d! (s); IC {A12_IrpContext}!p!; Vcb {A13_IrpContext->Vcb}!p!; DC {A14_DeallocatedClusters}!p!

Fields

Name | Description
A10_WaitInSeconds
A12_IrpContext
A14_DeallocatedClusters

Event ID 225: NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsWaitForDeallocatedClustersToDrainAfterPrepare: Waited for {A10_WaitInSeconds}!d! (s); Exceeded by {A11_((CurrentTime.QuadPart > DeallocatedClustersToWaitFor->EndTime.QuadPart) ?                                  (ULONG)(((CurrentTime.QuadPart - DeallocatedClustersToWaitFor->EndTime.QuadPart) * NtfsData.SystemTimeIncrement)/INTERVAL_ONE_SECOND) : 0)}!d! (s); IC {A12_IrpContext}!p!; Vcb {A13_IrpContext->Vcb}!p!; DC {A14_DeallocatedClusters}!p!

Fields

Name | Description
A10_WaitInSeconds
A12_IrpContext
A14_DeallocatedClusters

Event ID 226: NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!p! - hitting trim threshold {A11_Vcb->DeallocatedClustersListLengthInTrim}!d!

Message

NtfsCheckForTrimThrottling: Vcb {A10_Vcb}!p! - hitting trim threshold {A11_Vcb->DeallocatedClustersListLengthInTrim}!d!

Fields

Name | Description
A10_Vcb

Event ID 227: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Entering.

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Entering

Fields

Name | Description
A10_Vcb

Event ID 228: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed.

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed

Fields

Name | Description
A10_Vcb

Event ID 229: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredSyncResource {A11_AcquiredVcb}!u!

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredSyncResource {A11_AcquiredVcb}!u!

Fields

Name | Description
A10_Vcb
A11_AcquiredVcb

Event ID 230: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - Skipping deallocated clusters gen'd by smart trim.

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - Skipping deallocated clusters gen'd by smart trim

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext

Event ID 231: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - MCB run {A12_RunIndex}!u!; offs 0x{A13_StartingOffset}!I64X!; len 0x{A14_LengthInBytes}!I64X!

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - MCB run {A12_RunIndex}!u!; offs 0x{A13_StartingOffset}!I64X!; len 0x{A14_LengthInBytes}!I64X!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_RunIndex
A13_StartingOffset
A14_LengthInBytes

Event ID 232: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MUC {A11_MarkUnusedContext}!p!; DSR count {A12_DataSetRangeCount}!u!; MCB count {A13_McbRunCount}!u!; ST free slots {A14_SmartTrimFreeRangeCount}!u!

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MUC {A11_MarkUnusedContext}!p!; DSR count {A12_DataSetRangeCount}!u!; MCB count {A13_McbRunCount}!u!; ST free slots {A14_SmartTrimFreeRangeCount}!u!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_DataSetRangeCount
A13_McbRunCount
A14_SmartTrimFreeRangeCount

Event ID 233: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - DSR range {A12_RunIndex}!u!; offs 0x{A13_DataSetRange->StartingOffset}!I64X!; len 0x{A14_DataSetRange->LengthInBytes}!I64X!

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p!; MUC {A11_MarkUnusedContext}!p! - DSR range {A12_RunIndex}!u!; offs 0x{A13_DataSetRange->StartingOffset}!I64X!; len 0x{A14_DataSetRange->LengthInBytes}!I64X!

Fields

Name | Description
A10_Vcb
A11_MarkUnusedContext
A12_RunIndex

Event ID 234: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MCB lcn {A11_StartingLcn}!I64X! len {A12_ClusterCount}!I64X! maps to TP map bits [0x{A13_FirstTpMapBit}!X!; 0x{A14_LastTpMapBit}!X!].

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - MCB lcn {A11_StartingLcn}!I64X! len {A12_ClusterCount}!I64X! maps to TP map bits [0x{A13_FirstTpMapBit}!X!; 0x{A14_LastTpMapBit}!X!]

Fields

Name | Description
A10_Vcb
A11_StartingLcn
A12_ClusterCount
A13_FirstTpMapBit
A14_LastTpMapBit

Event ID 235: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Smart trim state on exit; {A11_SmartTrimState->SlabRangesCount}!u! ranges.

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Smart trim state on exit; {A11_SmartTrimState->SlabRangesCount}!u! ranges:

Fields

Name | Description
A10_Vcb

Event ID 236: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Range {A11_SlabRangeIndex}!u!: FirstTPMapBit 0x{A12_SlabRange->FirstTPMapBit}!X!; LastTPMapBit 0x{A13_SlabRange->LastTPMapBit}!X!

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Range {A11_SlabRangeIndex}!u!: FirstTPMapBit 0x{A12_SlabRange->FirstTPMapBit}!X!; LastTPMapBit 0x{A13_SlabRange->LastTPMapBit}!X!

Fields

Name | Description
A10_Vcb
A11_SlabRangeIndex

Event ID 237: NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Leaving.

Message

NtfsUpdateSmartTrimState: Vcb {A10_Vcb}!p! - Leaving

Fields

Name | Description
A10_Vcb

Event ID 238: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Entering.

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Entering

Fields

Name | Description
A10_Vcb

Event ID 239: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed.

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed

Fields

Name | Description
A10_Vcb

Event ID 240: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredBitmap {A11_AcquiredBitmap}!u!

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Precondition checks failed; AcquiredBitmap {A11_AcquiredBitmap}!u!

Fields

Name | Description
A10_Vcb
A11_AcquiredBitmap

Event ID 241: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Checking slab 0x{A11_TpMapBit}!X! for allocations.

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Checking slab 0x{A11_TpMapBit}!X! for allocations

Fields

Name | Description
A10_Vcb
A11_TpMapBit

Event ID 242: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Slab 0x{A11_TpMapBit}!X! has allocations; will not trim.

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Slab 0x{A11_TpMapBit}!X! has allocations; will not trim

Fields

Name | Description
A10_Vcb
A11_TpMapBit

Event ID 243: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Free slab found - TP map bit 0x{A11_TpMapBit}!X!; lcn {A12_SlabBaseLcn}!I64X!; len {A13_SlabLengthInClusters}!I64X!

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Free slab found - TP map bit 0x{A11_TpMapBit}!X!; lcn {A12_SlabBaseLcn}!I64X!; len {A13_SlabLengthInClusters}!I64X!

Fields

Name | Description
A10_Vcb
A11_TpMapBit
A12_SlabBaseLcn
A13_SlabLengthInClusters

Event ID 244: NtfsEvalSmartTrimState: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Leaving.

Message

NtfsEvalSmartTrimState: Vcb {A10_Vcb}!p! - Leaving

Fields

Name | Description
A10_Vcb

Event ID 245: NtfsFlushAllTrimHintsSynchronous.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated.

Message

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 246: NtfsFlushAllTrimHintsSynchronous.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated.

Message

NtfsFlushAllTrimHintsSynchronous ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 247: NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; VcbState: 0x!08x!; SL control flags: 0x!08x!.

Message

NtfsCommonDeviceControl: IOCTL_DISK_COPY_DATA is not allowed on unlocked volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!; SL control flags: 0x%6!08x!.

Event ID 248: NtfsVolumeDasdIo: Data section blocking flush.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsVolumeDasdIo: Data section blocking flush. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Flush status: !S!.

Message

NtfsVolumeDasdIo: Data section blocking flush. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush status: %5!S!.

Event ID 251: Writing to $Bitmap.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Message

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Fields

Name | Description
A11_StartingVbo
A12_ByteCount

Event ID 252: Writing to $Bitmap.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Message

Writing to $Bitmap. Vcb: {A10_Scb->Vcb}!p!; Offset: 0x{A11_StartingVbo}!I64x!; Length: 0x{A12_ByteCount}!x!

Fields

Name | Description
A11_StartingVbo
A12_ByteCount

Event ID 253: NTFS: Posting hotfix on file object: {A10_FileObject}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NTFS: Posting hotfix on file object: {A10_FileObject}!p!

Message

NTFS: Posting hotfix on file object: {A10_FileObject}!p!

Fields

Name | Description
A10_FileObject

Event ID 254: NTFS: Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NTFS: Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!08x!; {A11_((PLARGE_INTEGER)_BadVcn)->HighPart}!08x!

Message

NTFS:     Freeing Bad Vcn: {A10_((ULONG)BadVcn)}!08x!; {A11_((PLARGE_INTEGER)_BadVcn)->HighPart}!08x!

Event ID 255: NTFS: Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NTFS: Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!08x!; {A11_((PLARGE_INTEGER)_BadLcn)->HighPart}!08x!

Message

NTFS:     Retiring Bad Lcn: {A10_((ULONG)BadLcn)}!08x!; {A11_((PLARGE_INTEGER)_BadLcn)->HighPart}!08x!

Event ID 257: IrpContext: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name | Description
A10_IrpContext
A11_Vcb
A12_NewBufferSize

Event ID 258: IrpContext: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name | Description
A10_IrpContext
A11_Vcb
A12_NewBufferSize

Event ID 259: Compression buffers are already big enough.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetCompressionBufferSize()}!08x!

Message

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetCompressionBufferSize()}!08x!

Fields

Name | Description
A10_NewBufferSize

Event ID 260

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10_Status}.

Message

{A10_Status}

Fields

Name | Description
A10_Status

Event ID 261: IrpContext: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Message

IrpContext: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; NewBufferSize: 0x{A12_NewBufferSize}!08x!

Fields

Name | Description
A10_IrpContext
A11_Vcb
A12_NewBufferSize

Event ID 262: Compression buffers are already big enough.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetUsaBufferSize( Vcb )}!08x!

Message

Compression buffers are already big enough. NewBufferSize: 0x{A10_NewBufferSize}!08x!; ExistingBufferSize: 0x{A11_NtfsGetUsaBufferSize( Vcb )}!08x!

Fields

Name | Description
A10_NewBufferSize

Event ID 263

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10_Status}.

Message

{A10_Status}

Fields

Name | Description
A10_Status

Event ID 264: NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD.

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name | Description
A10_Vcb

Event ID 265: NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD.

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name | Description
A10_Vcb

Event ID 266: NtfsDefragFileInternal: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Done calling FRD.

Message

NtfsDefragFileInternal: Vcb {A10_Vcb}!p! - Done calling FRD

Fields

Name | Description
A10_Vcb

Event ID 267: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x! - copy offload

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_TransferClusters
A16_Lcn
A18_CopyLength

Event ID 268: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x! - copy offload

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_TransferClusters
A16_Lcn
A18_CopyLength

Event ID 269: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; Len {A18_CopyLength}!x!; DA {A10_Vcb}0!d!; Status {A10_Vcb}1!x!

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_TransferClusters
A16_Lcn
A18_CopyLength

Event ID 270: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; CurrLcn {A14_Lcn}!I64x!; Len {A15_CopyLength}!x!; Status {A16_MyStatus}!x! - read completed

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A14_Lcn
A15_CopyLength
A16_MyStatus

Event ID 271: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; NewLcn {A14_MoveData->StartingLcn.QuadPart}!I64x!; Len {A15_CopyLength}!x!; Status {A16_MyStatus}!x! - write completed

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_CopyLength
A16_MyStatus

Event ID 272: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x!; CurrLcn {A16_Lcn}!I64x!; NewLcn {A17_MoveData->StartingLcn.QuadPart}!I64x!; DA {A18_Flags.UseDelayedAllocation}!d!; ValidClusters {A10_Vcb}0!I64x! - beyond VDL

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_TransferClusters
A16_Lcn

Event ID 273: NtfsDefragFileInternal.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefragFileInternal({A10_Vcb}!p!;{A11_IrpContext}!p!): Scb {A12_Scb}!p!; FRef {A13_NtfsFullFileRefNumber( _Scb->Fcb->FileReference )}!I64x!; Vcn {A14_MoveData->StartingVcn.QuadPart}!I64x!; CC {A15_TransferClusters}!I64x! - committed

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A15_TransferClusters

Event ID 274: NtfsDefragFile: Defrag is denied without manage volume access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDefragFile: Defrag is denied without manage volume access. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Ccb flags: 0x!08x!.

Message

NtfsDefragFile: Defrag is denied without manage volume access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb flags: 0x%7!08x!.

Event ID 275: NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD.

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name | Description
A10_Vcb

Event ID 276: NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD.

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Calling FRD

Fields

Name | Description
A10_Vcb

Event ID 277: NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Done calling FRD.

Message

NtfsEncryptDecryptOnline: Vcb {A10_Vcb}!p! - Done calling FRD

Fields

Name | Description
A10_Vcb

Event ID 278: SCB: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

SCB: {A10_Scb}!p!; VDL=0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x!; FS=0x{A12_Scb->Header.FileSize.QuadPart}!I64x!; StartOff=0x{A13_QueryDaxExtents->FileOffset}!I64x!; StartVcn=0x{A14_StartingVcn}!I64x!; Length=0x{A15_QueryDaxExtents->Length}!I64x!

Fields

Name | Description
A10_Scb
A14_StartingVcn

Event ID 279: SCB: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

SCB: {A10_Scb}!p!; VDL=0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x!; FS=0x{A12_Scb->Header.FileSize.QuadPart}!I64x!; StartOff=0x{A13_QueryDaxExtents->FileOffset}!I64x!; StartVcn=0x{A14_StartingVcn}!I64x!; Length=0x{A15_QueryDaxExtents->Length}!I64x!

Fields

Name | Description
A10_Scb
A14_StartingVcn

Event ID 280: StartOff=0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

StartOff=0x{A10_QueryDaxExtents->FileOffset}!I64x!; Length=0x{A11_QueryDaxExtents->Length}!I64x!; EffectiveLength=0x{A12_EffectiveInputFileRegionLength}!I64x! StartVcn=0x{A13_StartingVcn}!I64x!; BeyondEndVcn=0x{A14_BeyondEndVcn}!I64x!; Clusters=0x{A15_RemainingClusterCount}!I64x!; LastVcnInFile=0x{A16_LastVcnInFile}!I64x!

Fields

Name | Description
A12_EffectiveInputFileRegionLength
A13_StartingVcn
A14_BeyondEndVcn
A15_RemainingClusterCount
A16_LastVcnInFile

Event ID 281: RemainingClusterCount: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Fields

Name | Description
A10_RemainingClusterCount
A11_DataSetRangeIndex
A12_OutputBufferLength

Event ID 282: RemainingClusterCount: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Message

RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; DataSetRangeIndex: {A11_DataSetRangeIndex}!d!; OutputBufferLength: 0x{A12_OutputBufferLength}!d!

Fields

Name | Description
A10_RemainingClusterCount
A11_DataSetRangeIndex
A12_OutputBufferLength

Event ID 283: STATUS_BUFFER_TOO_SMALL from FsLib.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!x!; MaxRuns: 0x{A11_MaxRuns}!x!; BytesReturned: 0x{A12_*BytesReturned}!I64x!

Message

STATUS_BUFFER_TOO_SMALL from FsLib. NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!x!; MaxRuns: 0x{A11_MaxRuns}!x!; BytesReturned: 0x{A12_*BytesReturned}!I64x!

Fields

Name | Description
A11_MaxRuns

Event ID 284: Made an educated guess for remaining runs.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Made an educated guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Message

Made an educated guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Fields

Name | Description
A10_RemainingClusterCount

Event ID 285: Made a wild guess for remaining runs.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Made a wild guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Message

Made a wild guess for remaining runs. RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; NumberOfValidRuns: 0x{A11_ExtentsDescriptor->NumberOfValidRuns}!x!

Fields

Name | Description
A10_RemainingClusterCount

Event ID 286: NumberOfValidRuns: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!08x!; MaxRuns: 0x{A11_MaxRuns}!08x!; Status: 0x{A12_Status}!08x!; BytesReturned: 0x{A13_*BytesReturned}!I64x!

Message

NumberOfValidRuns: 0x{A10_ExtentsDescriptor->NumberOfValidRuns}!08x!; MaxRuns: 0x{A11_MaxRuns}!08x!; Status: 0x{A12_Status}!08x!; BytesReturned: 0x{A13_*BytesReturned}!I64x!

Fields

Name | Description
A11_MaxRuns
A12_Status

Event ID 287: BasePage: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

BasePage: 0x{A10_ExtentsDescriptor->Run[Index].BasePage}!-16I64x!; PageCount: 0x{A11_ExtentsDescriptor->Run[Index].PageCount}!-16I64x!

Message

BasePage: 0x{A10_ExtentsDescriptor->Run[Index].BasePage}!-16I64x!; PageCount: 0x{A11_ExtentsDescriptor->Run[Index].PageCount}!-16I64x!

Fields

Name | Description
A10_ZeroStart
A11_ZeroEnd

Event ID 288: About to zero range - ZeroStart: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

About to zero range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Message

About to zero range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Fields

Name | Description
A10_ZeroStart
A11_ZeroEnd

Event ID 289: Zeroed range - ZeroStart: 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Zeroed range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Message

Zeroed range - ZeroStart: 0x{A10_ZeroStart}!016I64x!; ZeroEnd: 0x{A11_ZeroEnd}!016I64x!

Fields

Name | Description
A10_ZeroStart
A11_ZeroEnd

Event ID 290: NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCommonQueryInformation: File information query not allowed as file was opened by ID without traversal privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb flags: 0x%10!08x!.

Event ID 291: NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsQueryCaseSensitiveInfo: Case sensitive info query not allowed without read attributes access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb access flags: 0x%10!08x!; Granted access: 0x%11!08x!.

Event ID 292: NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsQueryNameInfo: Name info query not allowed as file was opened without traverse privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Ccb flags: 0x%10!08x!.

Event ID 293: NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsQueryLinksInfo: Link info query not allowed as file was opened without traverse privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb flags: 0x%7!08x!.

Event ID 294: NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetCaseSensitiveInfo: Cannot mark root directory of a volume case-sensitive. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Device Object flags: 0x%10!08x!.

Event ID 295: NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Fcb state: !x!.

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a system file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb state: %7!x!.

Event ID 296: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; TxfNumWriters count: %7!d!.

Event ID 297: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link name: %8!S!; TxfNumWriters count: %9!d!.

Event ID 298: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Cleanup count: !d!.

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file opened by ID. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Cleanup count: %7!d!.

Event ID 299: NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsRemoveSupersededTarget: Can not do a superseding rename over a file with open handles via either part of the long/short pair. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link name: %8!S!; Link cleanup count: %9!d!; SplitPrimaryLcb: %10!p!; Split link name: %11!S!; Split link cleanup count: %12!d!.

Event ID 300: NtfsSetRenameInfo: Can not rename a file marked for deletion.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetRenameInfo: Can not rename a file marked for deletion. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Fcb state: 0x%7!08x!; Lcb: %8!p!; link name: %9!S!; link name flag: 0x%10!08x!; link state: 0x%11!08x!.

Event ID 301: NtfsSetRenameInfo: Can not rename a txf directory.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename a txf directory. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; File attributes: 0x!08x!.

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; File attributes: 0x%7!08x!.

Event ID 302: NtfsSetRenameInfo: Can not rename a txf directory.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename a txf directory. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FcbState: 0x!08x!.

Message

NtfsSetRenameInfo: Can not rename a txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!.

Event ID 303: NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetRenameInfo: Can not rename a file that is part of a TxF transaction. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; Rmstate: 0x%8!08x!.

Event ID 304: NtfsSetRenameInfo: Can not rename a directory into itself.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRenameInfo: Can not rename a directory into itself. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!.

Message

NtfsSetRenameInfo: Can not rename a directory into itself. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!.

Event ID 305: NtfsSetRenameInfo: The file should not have in-memory directory descendents.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!.

Message

NtfsSetRenameInfo: The file should not have in-memory directory descendents. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!.

Event ID 306: NtfsSetRenameInfo: Child Scb mismatch.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRenameInfo: Child Scb mismatch. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Potential child FileRef: !I64x!.

Message

NtfsSetRenameInfo: Child Scb mismatch. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Potential child FileRef: %7!I64x!.

Event ID 307: NtfsSetLinkInfo: Set link info is not allowed on txf directory.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FileName: !S!.

Message

NtfsSetLinkInfo: Set link info is not allowed on txf directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!.

Event ID 308: NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetLinkInfo: Set link info is not allowed on a file in a TxF transaction. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!; TxfVisibleLinks: %8!d!.

Event ID 309: NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetLinkInfo: Set link info failed due to caller not having FILE_WRITE_ATTRIBUTES access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileName: %7!S!; SeAccessCheck status: %8!S!.

Event ID 310: NtfsSetLinkInfo: Creating a link in system directory is not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; NewLinkName: !S!.

Message

NtfsSetLinkInfo: Creating a link in system directory is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NewLinkName: %7!S!.

Event ID 311: NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetLinkInfo: Creating a link in $txf is not allowed if the RM is running. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; NewLinkName: %7!S!; Target RM state: %8!x!.

Event ID 312: NtfsSetShortNameInfo: Can not set a short name on a deleted file.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Lcb: !p!; Link Name: !S!.

Message

NtfsSetShortNameInfo: Can not set a short name on a deleted file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link Name: %8!S!.

Event ID 313: NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetShortNameInfo: Can not set a short name on a file under the $TxF directory. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Lcb: %7!p!; Link Name: %8!S!; Parent FileRef: %9!I64x!.

Event ID 314: NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckScbForLinkRemoval: Existing handles are not allowed if Txf transaction is doing the rename. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Stream cleanup count: %7!d!.

Event ID 315: NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckScbForLinkRemoval: Not all open handles for the stream are by-id opens. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; ByID opens: %7!d!; Stream cleanup count: %8!d!.

Event ID 316: NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Fields

Name | Description
A11_Vcb
A12_Fcb

Event ID 317: NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; Fcb: {A12_Fcb}!p!; LocalFlags: {A13_LocalFlags->EntireFlags}!#08x!

Fields

Name | Description
A11_Vcb
A12_Fcb

Event ID 318: NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Scb: {A11_Scb}!p!

Message

NtfsFlushVolumeFlushSingleFcb: Thread: {A10_PsGetCurrentThread()}!p!; Scb: {A11_Scb}!p!

Fields

Name | Description
A11_Scb

Event ID 319: NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; LocalFlags: {A12_LocalFlags.EntireFlags}!#08x!

Message

NtfsFlushVolume: Thread: {A10_PsGetCurrentThread()}!p!; Vcb: {A11_Vcb}!p!; LocalFlags: {A12_LocalFlags.EntireFlags}!#08x!

Fields

Name | Description
A11_Vcb

Event ID 320: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: {A10_Vcb->BitmapScb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: {A10_Vcb->BitmapScb}!p! Vcb: {A11_Vcb}!p!

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on BitmapScb Scb: {A10_Vcb->BitmapScb}!p! Vcb: {A11_Vcb}!p!

Fields

Name | Description
A11_Vcb

Event ID 321: NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: {A10_Vcb->MftScb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: {A10_Vcb->MftScb}!p! Vcb: {A11_Vcb}!p!

Message

NtfsFlushVolume setting SCB_PERSIST_VOLUME_DISMOUNTED on MftScb Scb: {A10_Vcb->MftScb}!p! Vcb: {A11_Vcb}!p!

Fields

Name | Description
A11_Vcb

Event ID 322: NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into completion queue.

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into completion queue

Fields

Name | Description
A11_Context

Event ID 323: NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Fields

Name | Description
A11_Context

Event ID 324: NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Message

NtfsFlushCompletionRoutine: Vcb {A10_((PNTFS_DISK_FLUSH_CONTEXT)Context)->Vcb}!p! - Add context {A11_Context}!p! into WorkQueue - Flink {A12_NtfsData.DiskFlushContextCompletedWorkItem.List.Flink}!p!

Fields

Name | Description
A11_Context

Event ID 325: Irp: {A10_Irp}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name | Description
A10_Irp
A11_IrpContext
A14_FsControlCode

Event ID 326: Irp: {A10_Irp}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name | Description
A10_Irp
A11_IrpContext
A14_FsControlCode

Event ID 327: Irp: {A10_Irp}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Message

Irp: {A10_Irp}!p!; IC: {A11_IrpContext}!p!; Vcb: {A12_IrpContext->Vcb}!p!; MinorCode: {A13_IrpSp->MinorFunction}!02x!; FsControlCode: 0x{A14_FsControlCode}!08x!

Fields

Name | Description
A10_Irp
A11_IrpContext
A14_FsControlCode

Event ID 328: NtfsLockVolumeInternal: Cannot lock the volume.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsLockVolumeInternal: Cannot lock the volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!; DisallowDismountCount: %6!d!; ExplicitLock: %7!d!; Volume CleanupCount: %8!d!; Handle count: %9!d!.

Event ID 329: NtfsLockVolumeInternal: Volume is already locked.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsLockVolumeInternal: Volume is already locked.Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Vcb State: 0x!08x!.

Message

NtfsLockVolumeInternal: Volume is already locked.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Vcb State: 0x%5!08x!.

Event ID 330: NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Flush Status: !S!.

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush Status: %5!S!.

Event ID 331: NtfsLockVolumeInternal: Failed to flush system files on the volume.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Flush Status: !S!.

Message

NtfsLockVolumeInternal: Failed to flush system files on the volume.Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Flush Status: %5!S!.

Event ID 332: NtfsLockVolumeInternal: Outstanding user files open after flush and retry.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsLockVolumeInternal: Outstanding user files open after flush and retry. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Volume close count: %5!d!; System file close count: %6!d!; User handle count: %7!d!.

Event ID 333: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ? _Vcb->TxfVcb.DefaultRm->RmId : NULL}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 334: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ? _Vcb->TxfVcb.DefaultRm->RmId : NULL}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 335: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ? _Vcb->TxfVcb.DefaultRm->RmId : NULL}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12_(Vcb->TxfVcb.DefaultRm != NULL) ?                                  _Vcb->TxfVcb.DefaultRm->RmId :                                  NULL}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 336: NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsUnlockVolume: Cannot unlock volume due to caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 337: NtfsDismountVolume: IC: %1; Vcb: %2; Label: %3; DeviceName: %4.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDismountVolume: IC: !p!; Vcb: !p!; Label: !S!; DeviceName: !S!

Message

NtfsDismountVolume: IC: %1!p!; Vcb: %2!p!; Label: %3!S!; DeviceName: %4!S!

Event ID 338: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 339: NtfsDismountVolume: Cannot dismount volume due to volume being locked.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; VcbState: 0x!08x!.

Message

NtfsDismountVolume: Cannot dismount volume due to volume being locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!.

Event ID 340: NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDismountVolume: Cannot dismount volume due to system/pagefiles being open for write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!; ReadOnlyCloseCount: %6!d!; CloseCount: %7!d!; SystemFileCloseCount: %8!d!.

Event ID 341: NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsMarkVolumeDirty: Cannot mark volume dirty due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 342: NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsGetVolumeBitmap: Cannot get volume bitmap due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 343: NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsGetBootAreaInfo: Cannot get boot area info due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 344: NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsGetRetrievalPointers: Cannot get retrieval pointers due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 345: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 346: NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsGetRetrievalPointerBase: Cannot get revrieval pointer base info due to caller not having manage volume privilege or this is not a volume open. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; TypeOfOpen: %6!d!.

Event ID 347: NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCreateUsnJournal: Cannot create Usn journal due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Irp Request Mode: %6!d!.

Event ID 348: NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsUsnTrackModifiedRanges: Cannot enable range tracking due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 349: NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsEnumerateUsnData: Cannot enumerate Usn data due to caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 350: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup access or can bypass traverse checks.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege; backup access or can bypass traverse checks. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Ccb flags: 0x%6!08x!.

Event ID 351: NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsFindFilesOwnedBySid: Caller not having manage volume privilege or backup access and is not admin. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!; Ccb flags: 0x%6!08x!; CallerId: %7!d!; Context owner ID: %8!d!.

Event ID 352: NtfsZeroRange: User mode caller not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Message

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Fields

Name | Description
A11_ZeroFlags

Event ID 353: IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Message

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Fields

Name | Description
A10_IrpContext
A11_Scb

Event ID 354: NtfsZeroRange: User mode caller not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Message

NtfsZeroRange: User mode caller not allowed. Thread: {A10_PsGetCurrentThread()}!p!; Zero flags: 0x{A11_ZeroFlags}!08x!; Irp Requestor Mode: {A12_Irp->RequestorMode}!d!.

Fields

Name | Description
A11_ZeroFlags

Event ID 355: IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Message

IC: {A10_IrpContext}!p!; Scb: {A11_Scb}!p!; FileObject: {A12_IrpSp->FileObject}!p!

Fields

Name | Description
A10_IrpContext
A11_Scb

Event ID 356: IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

IC: {A10_IrpContext}!p!; EncryptionOperation: 0x{A11_EncryptionOperation}!08x!

Message

IC: {A10_IrpContext}!p!; EncryptionOperation: 0x{A11_EncryptionOperation}!08x!

Fields

Name | Description
A10_IrpContext
A11_EncryptionOperation

Event ID 357: NtfsReadRawEncrypted: Caller does not have backup access or read data access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsReadRawEncrypted: Caller does not have backup access or read data access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 358: NtfsWriteRawEncrypted: Caller does not have write data access or restore access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsWriteRawEncrypted: Caller does not have write data access or restore access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 359: NtfsWriteRawEncrypted: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsWriteRawEncrypted: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 360: NtfsChangeVolumeSize.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated.

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 361: NtfsChangeVolumeSize.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated.

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 362: NtfsChangeVolumeSize.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated.

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 363: NtfsChangeVolumeSize.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated.

Message

NtfsChangeVolumeSize ({A10_Vcb}!p!): Done calling NtfsFreeRecentlyDeallocated

Fields

Name | Description
A10_Vcb

Event ID 364: NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: Caller does not have a valid volume handle or manage volume access or is not kernel model caller. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; HandleInfo flags: 0x%9!08x!; Irp Requestor Mode: %10!d!.

Event ID 365: NtfsMarkHandle: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkHandle: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsMarkHandle: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 366: NtfsMarkHandle: Cannot deny defrag.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: Cannot deny defrag. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; HandleInfo flags: 0x%11!08x!.

Event ID 367: NtfsMarkHandle: Cannot deny Frs consolidation.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: Cannot deny Frs consolidation. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState2: 0x%7!08x!; Scb: %8!p!; Scb Type Code: 0x%9!x!; Scb Name: %10!S!; Persist flags: 0x%11!08x!; HandleInfo flags: 0x%12!08x!.

Event ID 368: NtfsMarkHandle: Cannot filter metadata.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: Cannot filter metadata. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; Scb: %8!p!; Scb Type Code: 0x%9!x!; Scb Name: %10!S!; Persist flags: 0x%11!08x!; HandleInfo flags: 0x%12!08x!; Irp RequestorMode: %13!d!.

Event ID 369: NtfsMarkHandle: Mark handle is not allowed on system files.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; FcbState: 0x!08x!; HandleInfo flags: !x!.

Message

NtfsMarkHandle: Mark handle is not allowed on system files. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FcbState: 0x%7!08x!; HandleInfo flags: %8!x!.

Event ID 370: NtfsMarkHandle: File already has user writable references.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: File already has user writable references. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; HandleInfo: 0x%10!08x!.

Event ID 371: NtfsMarkHandle: File was granted write access previously but no oplocks were broken.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsMarkHandle: File was granted write access previously but no oplocks were broken. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Writers: %10!d!.

Event ID 372: NtfsPrefetchFile: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsPrefetchFile: Caller not having manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 373: Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Fields

Name | Description
A11_InputParameter

Event ID 374: NtfsSetShortNameBehavior: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsSetShortNameBehavior: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 375: Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Message

Setting VCB_EXT_CHAR_STATE_ALLOW_EXT_CHAR for volume 0x{A10_(PVOID)Vcb}!p! to {A11_InputParameter}!u!.

Fields

Name | Description
A11_InputParameter

Event ID 376: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 377: NtfsQueryPagefileEncryption: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsQueryPagefileEncryption: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 378: Resetting Volsnap behavior for VCB = 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!. New state is 0x{A11_Vcb->VcbState}!x!.

Message

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!.  New state is 0x{A11_Vcb->VcbState}!x!.

Fields

Name | Description
A10_Vcb

Event ID 379: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 380: Resetting Volsnap behavior for VCB = 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!. New state is 0x{A11_Vcb->VcbState}!x!.

Message

Resetting Volsnap behavior for VCB = 0x{A10_Vcb}!p!.  New state is 0x{A11_Vcb->VcbState}!x!.

Fields

Name | Description
A10_Vcb

Event ID 381: NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Ccb access flags: 0x!08x!.

Message

NtfsResetVolsnapBehaviorForVolume: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Ccb access flags: 0x%5!08x!.

Event ID 382: Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Message

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Event ID 383: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Message

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Fields

Name | Description
A10_Scb

Event ID 384: Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Message

Scrub resume from SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u! Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Event ID 385: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Message

Scb:{A10_Scb}!p! Scrub resume from Vcn: {A11_ScrubResumeContext.ResumeVcn}!#I64x! + {A12_ScrubResumeContext.ResumeVcnOffset}!#x!

Fields

Name | Description
A10_Scb

Event ID 386: Scrub SystemScbIndex: {A10_ScrubResumeContext.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scrub SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u!

Message

Scrub SystemScbIndex: {A10_ScrubResumeContext.SystemScbIndex}!u!

Fields

Name | Description
A10_Scb

Event ID 387: NtfsScrubData: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsScrubData: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 388: Scrub not supported for Txf file; Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scrub not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Message

Scrub not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Fields

Name | Description
A10_Scb

Event ID 389: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Scb:{A10_Scb}!p! ScrubInternal Status: {A11_Status}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! ParityExtentCount: {A14_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name | Description
A10_Scb
A11_Status

Event ID 390: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Scb:{A10_Scb}!p! ScrubInternal OperationStatus: {A11_ScrubContext.OperationStatus}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! FileOffset: {A14_ScrubContext.ErrorFileOffset}!#I64x! Length: {A15_ScrubContext.ErrorLength}!#I64x! ParityExtentCount: {A16_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name | Description
A10_Scb

Event ID 391: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Scb:{A10_Scb}!p! ScrubInternal Status: {A11_Status}!S! Repaired: {A12_ScrubContext.NumberOfBytesRepaired}!#I64x! Failed: {A13_ScrubContext.NumberOfBytesFailed}!#I64x! ParityExtentCount: {A14_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name | Description
A10_Scb
A11_Status

Event ID 392: InternalFileReference: {A10_InternalFileReference}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

InternalFileReference: {A10_InternalFileReference}!u!

Message

InternalFileReference: {A10_InternalFileReference}!u!

Fields

Name | Description
A10_InternalFileReference

Event ID 393: InternalFileReference:{A10_InternalFileReference}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

InternalFileReference:{A10_InternalFileReference}!u!

Message

InternalFileReference:{A10_InternalFileReference}!u!

Fields

Name | Description
A10_InternalFileReference

Event ID 394: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Incomplete IoCount:{A11_ScrubIoCount}!u! Cancel:{A12_Irp->Cancel}!u! ParityExtentCount:{A13_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Message

Scb:{A10_Scb}!p! Incomplete IoCount:{A11_ScrubIoCount}!u! Cancel:{A12_Irp->Cancel}!u! ParityExtentCount:{A13_ScrubContext.ParityExtentData->NumberOfParityExtents}!u!

Fields

Name | Description
A10_Scb
A11_ScrubIoCount

Event ID 395: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative.

Message

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 396: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!).

Message

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!)

Fields

Name | Description
A10_Scb
A11_FileScrubOffset
A12_SectorAlignedVdl

Event ID 397: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative.

Message

Scb:{A10_Scb}!p! Scrub StartingVcn({A11_StartingVcn}!#I64d!) is negative

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 398: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!).

Message

Scb:{A10_Scb}!p! Scrub starting vcn is beyond VDL (FileOffset: {A11_FileScrubOffset}!#I64x!; SectorAlignedVdl: {A12_SectorAlignedVdl}!#I64x!)

Fields

Name | Description
A10_Scb
A11_FileScrubOffset
A12_SectorAlignedVdl

Event ID 399: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Message

Scb:{A10_Scb}!p! Scrub no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 400: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! Scrub skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Message

Scb:{A10_Scb}!p! Scrub skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Fields

Name | Description
A10_Scb
A11_StartingVcn
A12_ClusterCount

Event ID 401: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! StartingVcn:{A11_StartingVcn}!#I64x! is beyond Vdl.

Message

Scb:{A10_Scb}!p! StartingVcn:{A11_StartingVcn}!#I64x! is beyond Vdl

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 402: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Scb:{A10_Scb}!p! ScrubDsmRange [{A11_DsmRange.StartingOffset}!#I64x!;{A12_DsmRange.StartingOffset + DsmRange.LengthInBytes}!#I64x!) Length:{A13_DsmRange.LengthInBytes}!#I64x! (Bytes) StartingVcn:{A14_StartingVcn}!#I64x! + {A15_StartingVcnOffset}!#x! SectorAlignedVdl:{A16_SectorAlignedVdl}!#I64x!

Fields

Name | Description
A10_Scb
A14_StartingVcn
A15_StartingVcnOffset
A16_SectorAlignedVdl

Event ID 403: Scrub found problems Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

Scrub found problems Scb: {A10_Scb}!p! Vcn {A11_StartingVcn}!#I64x! FileOffset: {A12_ScrubContext->ErrorFileOffset}!#I64x! Length: {A13_ScrubbedLength}!#I64x! Status: {A14_ScrubContext->OperationStatus}!S! BytesFailed: {A15_ScrubContext->NumberOfBytesFailed}!#I64x! BytesRepaired: {A16_ScrubContext->NumberOfBytesRepaired}!#I64x! NewParityExtents: {A17_NewParityExtentCount}!u!

Fields

Name | Description
A10_Scb
A11_StartingVcn
A13_ScrubbedLength
A17_NewParityExtentCount

Event ID 404: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! DsmAction_Scrub call failed; Status: {A11_Status}!S!

Message

Scb:{A10_Scb}!p! DsmAction_Scrub call failed; Status: {A11_Status}!S!

Fields

Name | Description
A10_Scb
A11_Status

Event ID 405: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! DsmAction_Scrub operation failed; Status: {A11_Status}!S!

Message

Scb:{A10_Scb}!p! DsmAction_Scrub operation failed; Status: {A11_Status}!S!

Fields

Name | Description
A10_Scb
A11_Status

Event ID 406: FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Message

FSCTL_REPAIR_COPIES not supported for Txf file; Scb: {A10_Scb}!p!; TxfScb: {A11_Scb->TxfScb}!p!

Fields

Name | Description
A10_Scb

Event ID 407: Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2).

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (!S!).

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (d) (%2!S!)

Event ID 408: Scb:%1 FSCTL_REPAIR_COPIES skipping resident attribute (%2).

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:!p! FSCTL_REPAIR_COPIES skipping resident attribute (!S!).

Message

Scb:%1!p! FSCTL_REPAIR_COPIES skipping resident attribute (%2!S!)

Event ID 409: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 410: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 411: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Message

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES no more Mcb entries from StartingVcn:{A11_StartingVcn}!#I64x!

Fields

Name | Description
A10_Scb
A11_StartingVcn

Event ID 412: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Message #

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES No more Mcb entries (unallocated) from StartingVcn:{A11_StartingVcn}!#I64x!

Fields #

NameDescription
A10_Scb
A11_StartingVcn

Event ID 413: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Message #

Scb:{A10_Scb}!p! FSCTL_REPAIR_COPIES skipping UNUSED_LCN Vcn: {A11_StartingVcn}!#I64x!; ClusterCount: {A12_ClusterCount}!#I64x!

Fields #

NameDescription
A10_Scb
A11_StartingVcn
A12_ClusterCount

Event ID 414: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

Scb:{A10_Scb}!p! RepairDsmRange [{A11_RepairDataSetRange->StartingOffset}!#I64x!;{A12_RepairDataSetRange->StartingOffset +                         RepairDataSetRange->LengthInBytes}!#I64x!) Length:{A13_RepairDataSetRange->LengthInBytes}!#I64x! (Bytes) FileOffset: {A14_RepairFileOffset}!#I64x!

Fields #

NameDescription
A10_Scb
A14_RepairFileOffset

Event ID 415: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! DsmAction_Repair call failed; Status: {A11_Status}!S!

Message #

Scb:{A10_Scb}!p! DsmAction_Repair call failed; Status: {A11_Status}!S!

Fields #

NameDescription
A10_Scb
A11_Status

Event ID 416: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! DsmAction_Repair operation failed; Status: {A11_IrpStatus}!S!

Message #

Scb:{A10_Scb}!p! DsmAction_Repair operation failed; Status: {A11_IrpStatus}!S!

Fields #

NameDescription
A10_Scb
A11_IrpStatus

Event ID 417: Scb:{A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb:{A10_Scb}!p! DsmAction_Repair completed; IrpStatus: {A11_RepairCopiesOutput->Status}!S!

Message #

Scb:{A10_Scb}!p! DsmAction_Repair completed; IrpStatus: {A11_RepairCopiesOutput->Status}!S!

Fields #

NameDescription
A10_Scb

Event ID 418: NtfsQueryCachedRuns: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsQueryCachedRuns: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 419: NtfsQueryStorageClasses: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsQueryStorageClasses: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 420: NtfsQueryRegionInfo: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsQueryRegionInfo: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 421: NtfsUnloadFile: Caller not having manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsUnloadFile: Caller not having manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 422: NtfsCheckForSection: File already has image section.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckForSection: File already has image section. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Scb: !p!; Scb Type Code: 0x!x!; Scb Name: !S!.

Message #

NtfsCheckForSection: File already has image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!.

Event ID 423: NtfsShuffleFile: User mode caller is not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsShuffleFile: User mode caller is not allowed. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; TypeOfOpen: !d!; Fcb: !p!; FileRef: 0x!I64x!; Ccb FullFileName: !S!; Irp RequestorMode: !d!.

Message #

NtfsShuffleFile: User mode caller is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; TypeOfOpen: %5!d!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Ccb FullFileName: %8!S!; Irp RequestorMode: %9!d!.

Event ID 424: NtfsShuffleFile: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsShuffleFile: Denying access due to volume is locked. Thread: !p!; TypeOfOpen: !d!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Ccb FullFileName: !S!; VcbState: 0x!08x!.

Message #

NtfsShuffleFile: Denying access due to volume is locked. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; VcbState: 0x%9!08x!.

Event ID 425: NtfsShuffleFile: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsShuffleFile: Defrag is denied. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; Ccb flags: 0x%11!08x!.

Event ID 426: NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; SL control flags: 0x%8!08x!.

Event ID 427: NtfsRearrangeFile: User mode caller is not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRearrangeFile: User mode caller is not allowed. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Ccb FullFileName: !S!; Irp RequestorMode: !d!.

Message #

NtfsRearrangeFile: User mode caller is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Irp RequestorMode: %8!d!.

Event ID 428: NtfsRearrangeFile: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRearrangeFile: Denying access due to volume is locked. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: 0x!I64x!; Ccb FullFileName: !S!; VcbState: 0x!08x!.

Message #

NtfsRearrangeFile: Denying access due to volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; VcbState: 0x%8!08x!.

Event ID 429: NtfsRearrangeFile: Defrag is denied.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsRearrangeFile: Defrag is denied. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Scb: %7!p!; Scb Type Code: 0x%8!x!; Scb Name: %9!S!; Persist flags: 0x%10!08x!; Ccb flags: 0x%11!08x!.

Event ID 430: NtfsShuffleFile: Denying access due to conflicting with read-only state.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsShuffleFile: Denying access due to conflicting with read-only state. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; FileAttributes: 0x%7!08x!; SL control flags: 0x%8!08x!.

Event ID 431: NtfsSparseOverAllocate: Caller does not have appropriate write access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; FileRef: !I64x!; FullFileName: !S!; Ccb access flags: !x!.

Message #

NtfsSparseOverAllocate: Caller does not have appropriate write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; FileRef: %5!I64x!; FullFileName: %6!S!; Ccb access flags: %7!x!.

Event ID 432: NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsInitiateFileMetadataOptimization: Only allowed on regular user files/directories opened for write. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Scb AttributeTypeCode: %8!x!; FcbState2: %9!x!; Ccb FullFileName: %10!S!; Ccb Access flags: %11!x!; Ccb Flags2: %12!x!.

Event ID 433: NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsQueryFileMetadataOptimization: Only allowed on regular user files/directories opened for read. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: 0x%7!I64x!; Scb AttributeTypeCode: 0x%8!x!; Ccb FullFileName: %9!S!; Ccb Access flags: 0x%10!08x!.

Event ID 434: NtfsEnumOnMountToDeleteWorker.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Message #

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Fields #

NameDescription
A10_Vcb
A12_Status

Event ID 435: NtfsEnumOnMountToDeleteWorker(%1;%2): Open status=0x%3; path='%4'.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker(!p!;!p!): Open status=0x!x!; path='!S!'.

Message #

NtfsEnumOnMountToDeleteWorker(%1!p!;%2!p!): Open status=0x%3!x!; path='%4!S!'

Event ID 436: NtfsEnumOnMountToDeleteWorker.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Message #

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Enumerate status=0x{A12_Status}!x!

Fields #

NameDescription
A10_Vcb
A12_Status

Event ID 437: NtfsEnumOnMountToDeleteWorker.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Message #

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Fields #

NameDescription
A10_Vcb
A12_Status

Event ID 438: NtfsEnumMountWorker.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumMountWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close status=0x{A12_Status}!x!

Message #

NtfsEnumMountWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close status=0x{A12_Status}!x!

Fields #

NameDescription
A10_Vcb
A12_Status

Event ID 439: NtfsEnumOnMountToDeleteWorker.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Message #

NtfsEnumOnMountToDeleteWorker({A10_Vcb}!p!;{A11_PsGetCurrentThread()}!p!): Close dir status=0x{A12_Status}!x!

Fields #

NameDescription
A10_Vcb
A12_Status

Event ID 440: FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Message #

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Fields #

NameDescription
A10_Status

Event ID 441: SCB: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

SCB: {A10_Scb}!p!; StartOffset: 0x{A11_StartOffset}!I64x!; Length: 0x{A12_Length}!I64x!; StartVcn=0x{A13_StartVcn}!I64x!; BeyondEndVcn=0x{A14_BeyondEndVcn}!I64x!

Message #

SCB: {A10_Scb}!p!; StartOffset: 0x{A11_StartOffset}!I64x!; Length: 0x{A12_Length}!I64x!; StartVcn=0x{A13_StartVcn}!I64x!; BeyondEndVcn=0x{A14_BeyondEndVcn}!I64x!

Fields #

NameDescription
A10_Scb
A11_StartOffset
A12_Length
A13_StartVcn
A14_BeyondEndVcn

Event ID 442: FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Message #

FsLibGetBadAddressRanges returned Status: {A10_Status}; NumBadRanges: 0x{A11_Output->NumBadRanges}!x!

Fields #

NameDescription
A10_Status

Event ID 443: FsInputRangeIndex: {A10_FsInputRangeIndex}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

FsInputRangeIndex: {A10_FsInputRangeIndex}!u!; FileOffset: 0x{A11_FsInputRanges[FsInputRangeIndex].FileOffset}!I64x!; VolumeOffset: 0x{A12_FsInputRanges[FsInputRangeIndex].VolumeOffset}!I64x!; LengthInBytes: 0x{A13_FsInputRanges[FsInputRangeIndex].LengthInBytes}!I64x!

Fields #

NameDescription
A10_FsInputRangeIndex

Event ID 444: Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!; AbnormalTermination: {A12_(BOOLEAN)AbnormalTermination()}!S!

Message #

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!; AbnormalTermination: {A12_(BOOLEAN)AbnormalTermination()}!S!

Fields #

NameDescription
A10_Scb
A11_Status

Event ID 445: Scb: {A10_Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!

Message #

Scb: {A10_Scb}!p!; Status: {A11_Status}!S!

Fields #

NameDescription
A10_Scb
A11_Status

Event ID 446: NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!.

Message #

NtfsEncryptionKeyCtl: Caller does not have SE_TCB_PRIVILEGE. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!.

Event ID 448: NtfsFindPrefixHashEntry: {Hash table: %1} {ParentScb: %2; '%3'} {RemainingName: '%4'}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Hash table: !p!} {ParentScb: !p!; '!S!'} {RemainingName: '!S!'}.

Message #

NtfsFindPrefixHashEntry: {Hash table: %1!p!} {ParentScb: %2!p!; '%3!S!'} {RemainingName: '%4!S!'}

Event ID 450: NtfsFindPrefixHashEntry: {Lcb: %1; '%2'}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFindPrefixHashEntry: {Lcb: !p!; '!S!'}.

Message #

NtfsFindPrefixHashEntry: {Lcb: %1!p!; '%2!S!'}

Event ID 452: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Checkpoint injection. Count {A11_Vcb->CheckpointInjectionCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Checkpoint injection.  Count {A11_Vcb->CheckpointInjectionCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 453: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Log {A11_PercentFull}!d!%!PCT! full. Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Log {A11_PercentFull}!d!%!PCT! full.  Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Fields #

NameDescription
A10_Vcb
A11_PercentFull

Event ID 454: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Checkpoint injection. Count {A11_Vcb->CheckpointInjectionCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Checkpoint injection.  Count {A11_Vcb->CheckpointInjectionCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 455: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Log {A11_PercentFull}!d!%!PCT! full. Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Log {A11_PercentFull}!d!%!PCT! full.  Wait for CC to flush metadata first. Count {A12_Vcb->WaitForCcLoggedDataActivityCount}!d!

Fields #

NameDescription
A10_Vcb
A11_PercentFull

Event ID 456: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Done waiting for CC to flush metadata.

Message #

Vcb {A10_Vcb}!p!.  Done waiting for CC to flush metadata

Fields #

NameDescription
A10_Vcb

Event ID 457: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Injected checkpoint.

Message #

Vcb {A10_Vcb}!p!.  Injected checkpoint.

Fields #

NameDescription
A10_Vcb

Event ID 458: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Start of checkpoint.

Message #

Vcb {A10_Vcb}!p!.  Start of checkpoint

Fields #

NameDescription
A10_Vcb

Event ID 459: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Clean checkpoint. Count {A11_Vcb->CleanCheckpointCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Clean checkpoint. Count {A11_Vcb->CleanCheckpointCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 460: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Overflowed DPT. Count {A11_Vcb->OverflowedDPTCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Overflowed DPT. Count {A11_Vcb->OverflowedDPTCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 461: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Fuzzy checkpoint. Count {A11_Vcb->FuzzyCheckpointCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Fuzzy checkpoint. Count {A11_Vcb->FuzzyCheckpointCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 462: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Flush oldest FO. Count {A11_Vcb->FlushOldestFOCount}!d!

Message #

Vcb {A10_Vcb}!p!.  Flush oldest FO.  Count {A11_Vcb->FlushOldestFOCount}!d!

Fields #

NameDescription
A10_Vcb

Event ID 463: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Flush starts with FRef {A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference )}!I64x!

Message #

Vcb {A10_Vcb}!p!.  Flush starts with FRef {A11_NtfsFullSegmentNumber( _Scb->Fcb->FileReference )}!I64x!

Fields #

NameDescription
A10_Vcb

Event ID 464: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Flush ends. FO {A11_DirtyPageContext.OldestFileObject}!p!

Message #

Vcb {A10_Vcb}!p!.  Flush ends.  FO {A11_DirtyPageContext.OldestFileObject}!p!

Fields #

NameDescription
A10_Vcb

Event ID 465: NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message #

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields #

NameDescription
A10_IrpContext

Event ID 466: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Checkpoint completed.

Message #

Vcb {A10_Vcb}!p!.  Checkpoint completed.

Fields #

NameDescription
A10_Vcb

Event ID 467: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb {A10_Vcb}!p!. Leaving NtfsCheckpointVolume.

Message #

Vcb {A10_Vcb}!p!.  Leaving NtfsCheckpointVolume.

Fields #

NameDescription
A10_Vcb

Event ID 468: NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message #

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields #

NameDescription
A10_IrpContext

Event ID 469: NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message #

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields #

NameDescription
A10_IrpContext

Event ID 470: NtfsCommitCurrentTransaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Message #

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Fields #

NameDescription
A10_IrpContext

Event ID 471: NtfsCommitCurrentTransaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Message #

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsWriteLog failure {A13_IrpContext->ExceptionStatus}!x!

Fields #

NameDescription
A10_IrpContext

Event ID 472: NtfsCommitCurrentTransaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): LfsFlushToLsn failure {A13_IrpContext->ExceptionStatus}!x! Count {A14_FailedFlushCount}!d!

Fields #

NameDescription
A10_IrpContext
A14_FailedFlushCount

Event ID 473: NtfsCommitCurrentTransaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Message #

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Pre NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Fields #

NameDescription
A10_IrpContext

Event ID 474: NtfsCommitCurrentTransaction.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Message #

NtfsCommitCurrentTransaction ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Post NtfsProcessNewLengthQueue failure {A13_IrpContext->ExceptionStatus}!x!

Fields #

NameDescription
A10_IrpContext

Event ID 475: NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed

Fields #

NameDescription
A10_IrpContext

Event ID 476: NtfsCommitCurrentTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed.

Message #

NtfsCommitCurrentTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x! Completed

Fields #

NameDescription
A10_IrpContext

Event ID 477: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Entering - ActiveLsn: {A11_ActiveLsn->QuadPart}!I64x!; ClearAll: {A12_ClearAll}!S!

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Entering - ActiveLsn: {A11_ActiveLsn->QuadPart}!I64x!; ClearAll: {A12_ClearAll}!S!

Fields #

NameDescription
A10_Vcb
A12_ClearAll

Event ID 478: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list - Leaving

Fields #

NameDescription
A10_Vcb

Event ID 479: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! empty list  - Leaving

Fields #

NameDescription
A10_Vcb

Event ID 480: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters with {A11_Clusters->ClusterCount}!I64x! clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters with {A11_Clusters->ClusterCount}!I64x! clusters

Fields #

NameDescription
A10_Vcb

Event ID 481: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb

Event ID 482: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - No actionable deallocated clusters

Fields #

NameDescription
A10_Vcb

Event ID 483: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Found a deallocated clusters {A11_Clusters}!p! with {A12_Clusters->ClusterCount}!I64x! clusters; Lsn: {A13_Clusters->Lsn.QuadPart}!I64x!; Flags: {A14_Clusters->Flags}!08x!

Fields #

NameDescription
A10_Vcb
A11_Clusters

Event ID 484: Vcb: {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Vcb: {A10_Vcb}!p!; Processing range. DeallocatedClusters: {A11_Clusters}!p!; RunIndex: {A12_i}!d!; StartingLcn: {A13_StartingLcn}!I64x!; ClusterCount: {A14_ClusterCount}!I64x!

Message #

Vcb: {A10_Vcb}!p!; Processing range. DeallocatedClusters: {A11_Clusters}!p!; RunIndex: {A12_i}!d!; StartingLcn: {A13_StartingLcn}!I64x!; ClusterCount: {A14_ClusterCount}!I64x!

Fields #

NameDescription
A10_Vcb
A11_Clusters
A12_i
A13_StartingLcn
A14_ClusterCount

Event ID 485: NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}

Fields #

NameDescription
A10_Status

Event ID 486: FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}.

Message #

FsLibGroupSubExtentsByDanglingMdl failed: {A10_Status}

Fields #

NameDescription
A10_Status

Event ID 487: FsLibAddBaseMcbEntryEx failed: {A10_Status}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

FsLibAddBaseMcbEntryEx failed: {A10_Status}.

Message #

FsLibAddBaseMcbEntryEx failed: {A10_Status}

Fields #

NameDescription
A10_Status

Event ID 488: NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithoutDanglingMdl ) failed: {A10_Status}

Fields #

NameDescription
A10_Status

Event ID 489: NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: {A10_Status}.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: {A10_Status}.

Message #

NtfsAddToMatchingDeallocatedClusters( ExtentsWithDanglingMdl ) failed: {A10_Status}

Fields #

NameDescription
A10_Status

Event ID 490: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below

Fields #

NameDescription
A10_Vcb
A11_Status

Event ID 491: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Telling volsnap freeing at {A11_StartingLcn}!I64x! for {A12_(ULONG)ClusterCount}!x! clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Telling volsnap freeing at {A11_StartingLcn}!I64x! for {A12_(ULONG)ClusterCount}!x! clusters

Fields #

NameDescription
A10_Vcb
A11_StartingLcn

Event ID 492: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Volsnap responsed with freeing at {A11_StartingLcn + StartingIndex}!I64x! for {A12_runLength}!x! clusters.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Volsnap responsed with freeing at {A11_StartingLcn + StartingIndex}!I64x! for {A12_runLength}!x! clusters

Fields #

NameDescription
A10_Vcb
A12_runLength

Event ID 493: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Got error 0x{A11_Status}!x! from below

Fields #

NameDescription
A10_Vcb
A11_Status

Event ID 494: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Deleting MarkUnusedContext {A11_MarkUnusedContext}!p!

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Deleting MarkUnusedContext {A11_MarkUnusedContext}!p!

Fields #

NameDescription
A10_Vcb
A11_MarkUnusedContext

Event ID 495: NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Leaving.

Message #

NtfsFreeRecentlyDeallocated: Vcb {A10_Vcb}!p! - Leaving

Fields #

NameDescription
A10_Vcb

Event ID 496: NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_StartingVcn}!I64x!; Length: 0x{A13_Count}!I64x!

Message #

NtfsRemoveNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_StartingVcn}!I64x!; Length: 0x{A13_Count}!I64x!

Fields

Name | Description
A11_Mcb
A12_StartingVcn
A13_Count

Event ID 497: NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!p! Completed.

Message

NtfsRemoveNtfsMcbEntry Mcb: {A10_Mcb}!p! Completed.

Fields

Name | Description
A10_Mcb

Event ID 498: NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Length: 0x{A14_RunCount}!I64x!

Message

NtfsAddNtfsMcbEntry Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Length: 0x{A14_RunCount}!I64x!

Fields

Name | Description
A11_Mcb
A12_Vcn
A13_Lcn
A14_RunCount

Event ID 499: NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!p!; Result: {A11_Result}!S!

Message

NtfsAddNtfsMcbEntry Mcb: {A10_Mcb}!p!; Result: {A11_Result}!S!

Fields

Name | Description
A10_Mcb
A11_Result

Event ID 500: NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; StartVcn: 0x{A12_StartingVcn}!I64x!; EndVcn: 0x{A13_EndingVcn}!I64x!; TruncateOnly: {A14_TruncateOnly}!S!

Message

NtfsUnloadNtfsMcbRange Scb: {A10_Mcb->Scb}!p!; Mcb: {A11_Mcb}!p!; StartVcn: 0x{A12_StartingVcn}!I64x!; EndVcn: 0x{A13_EndingVcn}!I64x!; TruncateOnly: {A14_TruncateOnly}!S!

Fields

Name | Description
A11_Mcb
A12_StartingVcn
A13_EndingVcn
A14_TruncateOnly

Event ID 501: NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!p! Completed.

Message

NtfsUnloadNtfsMcbRange Mcb: {A10_Mcb}!p! Completed.

Fields

Name | Description
A10_Mcb

Event ID 502: Valid NTFS boot sector.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Valid NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!

Message

Valid NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!

Fields

Name | Description
A10_Vcb
A11_BootSector

Event ID 503: Not an NTFS boot sector.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Not an NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!; CheckNumber: {A12_CheckNumber}!d!

Message

Not an NTFS boot sector. Vcb: {A10_Vcb}!p!; BootSector: {A11_BootSector}!p!; CheckNumber: {A12_CheckNumber}!d!

Fields

Name | Description
A10_Vcb
A11_BootSector
A12_CheckNumber

Event ID 504: NtfsMountVolume: Vcb:{A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsMountVolume: Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; Growing allocation for Mft's Attribute List failed with exception:0x{A12_IrpContext->ExceptionStatus}!x!

Message

NtfsMountVolume: Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; Growing allocation for Mft's Attribute List failed with exception:0x{A12_IrpContext->ExceptionStatus}!x!

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 505: NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth.

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 506: Mounting DAX partition.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Mounting DAX partition. Vcb: {A10_Vcb}!p!

Message

Mounting DAX partition. Vcb: {A10_Vcb}!p!

Fields

Name | Description
A10_Vcb

Event ID 507: DAX volume mounted without DAX support because storage is not DAX capable.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: {A10_Vcb}!p!

Message

DAX volume mounted without DAX support because storage is not DAX capable. Vcb: {A10_Vcb}!p!

Fields

Name | Description
A10_Vcb

Event ID 508: NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth.

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Mft AttributeList not found; skipping growth

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 509: NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Converting Resident AttributeList(size:0x{A12_AttrListAllocationSize}!I64x!) to NonResident.

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p! Converting Resident AttributeList(size:0x{A12_AttrListAllocationSize}!I64x!) to NonResident

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_AttrListAllocationSize

Event ID 510: NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; AttrListScb:{A12_Scb}!p! Added Allocation for NonResident AttributeList (old size:0x{A13_AttrListAllocationSize}!I64x!).

Message

NtfsGrowMftsAttributeListAllocation Vcb:{A10_Vcb}!p!; IC:{A11_IrpContext}!p!; AttrListScb:{A12_Scb}!p! Added Allocation for NonResident AttributeList (old size:0x{A13_AttrListAllocationSize}!I64x!)

Fields

Name | Description
A10_Vcb
A11_IrpContext
A12_Scb
A13_AttrListAllocationSize

Event ID 511: Unexpected exception code of 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Unexpected exception code of 0x{A10_ExceptionCode}!x! received.

Message

Unexpected exception code of 0x{A10_ExceptionCode}!x! received

Fields

Name | Description
A10_ExceptionCode

Event ID 512: Exception code of 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Exception code of 0x{A10_ExceptionCode}!x! received during mount.

Message

Exception code of 0x{A10_ExceptionCode}!x! received during mount.

Fields

Name | Description
A10_ExceptionCode

Event ID 513: Unexpected exception code of 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Unexpected exception code of 0x{A10_ExceptionCode}!x! received.

Message

Unexpected exception code of 0x{A10_ExceptionCode}!x! received.

Fields

Name | Description
A10_ExceptionCode

Event ID 514: LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

LogFileFull {A10_IrpContext->LogFullReason} BackTrace: ln {A11_BackTrace[0]}!p!; ln {A12_BackTrace[1]}!p!; ln {A13_BackTrace[2]}!p!; ln {A14_BackTrace[3]}!p!; ln {A15_BackTrace[4]}!p!; ln {A16_BackTrace[5]}!p!; ln {A17_BackTrace[6]}!p!; ln {A18_BackTrace[7]}!p!; ln {A10_IrpContext->LogFullReason}0!p!; ln {A10_IrpContext->LogFullReason}1!p!; ln {A10_IrpContext->LogFullReason}2!p!; ln {A10_IrpContext->LogFullReason}3!p!; ln {A10_IrpContext->LogFullReason}4!p!; ln {A10_IrpContext->LogFullReason}5!p!; ln {A10_IrpContext->LogFullReason}6!p!; ln {A10_IrpContext->LogFullReason}7!p!; ln {A10_IrpContext->LogFullReason}8!p!; ln {A10_IrpContext->LogFullReason}9!p!; ln {A11_BackTrace[0]}0!p!; ln {A11_BackTrace[0]}1!p!;

Fields

Name | Description
A11_BackTrace[0]
A12_BackTrace[1]
A13_BackTrace[2]
A14_BackTrace[3]
A15_BackTrace[4]
A16_BackTrace[5]
A17_BackTrace[6]
A18_BackTrace[7]

Event ID 515: Unexpected raise of 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Unexpected raise of 0x{A10_ExceptionCode}!x! during critical non-raise code.

Message

Unexpected raise of 0x{A10_ExceptionCode}!x! during critical non-raise code

Fields

Name | Description
A10_ExceptionCode

Event ID 516: NtfsProcessException IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Message

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Fields

Name | Description
A10_IrpContext
A11_ExceptionCode

Event ID 517: NtfsProcessException IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Message

NtfsProcessException IC: {A10_IrpContext}!p!; ExceptionCode: 0x{A11_ExceptionCode}!08x!

Fields

Name | Description
A10_IrpContext
A11_ExceptionCode

Event ID 518: Failed to abort - IrpContext {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Count {A13_NtfsFailedAborts}!x!; Status {A14_GetExceptionCode()}!x!

Message

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Count {A13_NtfsFailedAborts}!x!; Status {A14_GetExceptionCode()}!x!

Fields

Name | Description
A10_IrpContext
A11_Irp
A13_NtfsFailedAborts

Event ID 519: Failed to abort - IrpContext {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Scb {A13_NextScb}!p!; FileRef {A14_*(PULONGLONG)_NextScb->Fcb->FileReference}!I64x!

Message

Failed to abort - IrpContext {A10_IrpContext}!p!; Irp {A11_Irp}!p!; Vcb {A12_IrpContext->Vcb}!p!; Scb {A13_NextScb}!p!; FileRef {A14_*(PULONGLONG)_NextScb->Fcb->FileReference}!I64x!

Fields

Name | Description
A10_IrpContext
A11_Irp
A13_NextScb

Event ID 520: Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Message

Setting STATUS_CANT_WAIT in top-level exception status for write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Fields

Name | Description
A10_IrpContext
A11_Irp
A13_NtfsFailedAborts

Event ID 521: Setting 0x.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Setting 0x{A10_ExceptionCode}!x! in top-level exception status for write @ 0x{A11_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A12_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Message

Setting 0x{A10_ExceptionCode}!x! in top-level exception status for write @ 0x{A11_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A12_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x!

Fields

Name | Description
A10_ExceptionCode

Event ID 522: [.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name | Description
A12_Irp
A13_IrpContext
A14_Status

Event ID 523: [.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name | Description
A12_Irp
A13_IrpContext
A14_Status

Event ID 524: Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name | Description
A10_MaxTrimTotalSize

Event ID 525: [.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Message

[{A10_IrpSp->MajorFunction}; {A11_IrpSp->MinorFunction}!02x!]: Irp: {A12_Irp}!p!; IC: {A13_IrpContext}!p!; Status: {A14_Status}!S!

Fields

Name | Description
A12_Irp
A13_IrpContext
A14_Status

Event ID 526: Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!x!.

Message

Updating NtfsMinTrimTotalSize to {A10_MinTrimTotalSize}!x!.

Fields

Name | Description
A10_MinTrimTotalSize

Event ID 527: Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name | Description
A10_MaxTrimTotalSize

Event ID 528: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 529: Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Message

Updating NtfsMaxTrimTotalSize to {A10_MaxTrimTotalSize}!x!.

Fields

Name | Description
A10_MaxTrimTotalSize

Event ID 530: NtfsSetObjectId: Caller does not have restore access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsSetObjectId: Caller does not have restore access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; Irp Minor Function: 0x%9!08x!.

Event ID 531: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 532: NtfsDeleteObjectId: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDeleteObjectId: Caller does not have write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: 0x%6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!; Irp Minor Function: 0x%9!08x!.

Event ID 533: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Message

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)Vcb->TxfVcb.DefaultRm}!p! ({{A12__Vcb->TxfVcb.DefaultRm->RmId}!S!}) up for auto-restart.

Fields

Name | Description
A10___FUNCTION__

Event ID 534: Unexpected Paging-Read on DAX mappable stream; Scb=.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Unexpected Paging-Read on DAX mappable stream; Scb={A10_Scb}!p!

Message

Unexpected Paging-Read on DAX mappable stream; Scb={A10_Scb}!p!

Fields

Name | Description
A10_Scb

Event ID 535: NtfsAbortTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name | Description
A10_IrpContext

Event ID 536: NtfsAbortTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name | Description
A10_IrpContext

Event ID 537: DoAction::InitializeFRS IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::InitializeFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name | Description
A10_IrpContext

Event ID 538: NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Message

NtfsReleaseVcbCheckDelete - NtfsDeleteVcb() returned FALSE; scheduling checkpoint. Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Fields

Name | Description
A10_Vcb
A12_IrpContext

Event ID 539: NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!p!; IC: {A11_IrpContext}!p!

Message

NtfsReleaseVcbCheckDelete - deleted Vcb: {A10_Vcb}!p!; IC: {A11_IrpContext}!p!

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 540: NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Message

NtfsReleaseVcbCheckDelete - Scheduling checkpoint due to dismounted Vcb: {A10_Vcb}!p!; Vcb->LogFileObject: {A11_Vcb->LogFileObject}!p!; IC: {A12_IrpContext}!p!

Fields

Name | Description
A10_Vcb
A12_IrpContext

Event ID 541: NtfsAbortTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name | Description
A10_IrpContext

Event ID 542: NtfsAbortTransaction IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Message

NtfsAbortTransaction IC: {A10_IrpContext}!p!; TransactionId: 0x{A11_IrpContext->TransactionId}!08x!

Fields

Name | Description
A10_IrpContext

Event ID 543: DoAction::InitializeFRS IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::InitializeFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name | Description
A10_IrpContext

Event ID 544: DoAction::DeallocateFRS IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::DeallocateFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!

Fields

Name | Description
A10_IrpContext

Event ID 545: DoAction::WriteEndOfFRS IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::WriteEndOfFRS IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A14_Attribute->TypeCode}!x! Off:0x{A15_LogRecord->RecordOffset}!x!; Len:0x{A16_Length}!x!

Fields

Name | Description
A10_IrpContext
A16_Length

Event ID 546: DoAction::CreateAttribute IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::CreateAttribute IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; Attrib:0x{A14_((PATTRIBUTE_RECORD_HEADER)Data)->TypeCode}!x!

Fields

Name | Description
A10_IrpContext

Event ID 547: NtfsRestartChangeValue IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsRestartChangeValue IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x!; FileRef:0x{A14_NtfsFullSegmentNumber( _FileReference )}!I64x!

Fields

Name | Description
A10_IrpContext

Event ID 548: DoAction::SetNewAttributeSizes IC:{A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

DoAction::SetNewAttributeSizes IC:{A10_IrpContext}!p!; FileRef:0x{A11_FileRecord->SegmentNumberHighPart}!04x!_{A12_FileRecord->SegmentNumberLowPart}!08x!; BaseFRS:0x{A13_NtfsFullSegmentNumber( _FileRecord->BaseFileRecordSegment )}!012I64x! OLD: Alloc:{A14_Attribute->Form.Nonresident.AllocatedLength}!I64x!; FileSize:{A15_Attribute->Form.Nonresident.FileSize}!I64x!; VDL:{A16_Attribute->Form.Nonresident.ValidDataLength}!I64x!; TotalAlloc:{A17_Attribute->Form.Nonresident.TotalAllocated}!I64x! NEW: Alloc:{A18_Sizes->AllocationSize}!I64x!; FileSize:{A10_IrpContext}0!I64x!; VDL:{A10_IrpContext}1!I64x!; TotalAlloc:{A10_IrpContext}2!I64x!

Fields

Name | Description
A10_IrpContext

Event ID 549: DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Message

DoAction(SetBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Fields

Name | Description
A10_IrpContext
A11_Vcb
A12__Bitmap

Event ID 550: DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Message

DoAction(ClearBitsInNonresidentBitMap) IC: {A10_IrpContext}!p!; Vcb: {A11_Vcb}!p!; Bitmap: {A12__Bitmap}!p!

Fields

Name | Description
A10_IrpContext
A11_Vcb
A12__Bitmap

Event ID 551: NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have write access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb Access flags: 0x%8!08x!.

Event ID 552: NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Ccb FullFileName: !S!.

Message

NtfsCaseSensitiveInfoAccessCheck: Caller does not have appropriate access. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!.

Event ID 553: NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Txf Writers Count: !d!.

Message

NtfsCheckFileForDelete: Denying access due to there are same-tx handles open to this file. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Txf Writers Count: %7!d!.

Event ID 554: NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Original status: !S!.

Message

NtfsCheckFileForDelete: Denying access due to TxfCheckForLockConflict failed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Original status: %7!S!.

Event ID 555: NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; File Attributes: 0x!08x!.

Message

NtfsCheckFileForDelete: Denying access due to superseding view indexes are not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!.

Event ID 556: NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckFileForDelete: Denying access due to non-posix delete of target directory open is not allowed. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!.

Event ID 557: NtfsCheckFileForDelete: Denying access due to file is not deleteable.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!.

Message

NtfsCheckFileForDelete: Denying access due to file is not deleteable. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!.

Event ID 558: NtfsCheckFileForDelete: Denying access due to target file is read only.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckFileForDelete: Denying access due to target file is read only. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; File Attributes: 0x%7!08x!; IrpSp->Flags: 0x%8!08x!.

Event ID 559: NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed).

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckFileForDelete: Caller does not have write attributes access (TxfAccessCheck failed). Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb AccessFlags: 0x%7!08x!; TxfAccessCheck access status: %8!S!.

Event ID 560: NtfsCheckFileForDelete: Denying access due to failing to remove image section.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsCheckFileForDelete: Denying access due to failing to remove image section. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Scb: %7!p!; AttributeTypeCode: 0x%8!x!; Attribute Name: %9!S!.

Event ID 561: NtfsGlobalSdUpdate: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Ccb FullFileName: !S!; Ccb access flags: 0x!08x!.

Message

NtfsGlobalSdUpdate: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 562: NtfsRepairItem: Denying access due to volume is locked.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRepairItem: Denying access due to volume is locked. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; VcbState: 0x!08x!.

Message

NtfsRepairItem: Denying access due to volume is locked. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; VcbState: 0x%5!08x!.

Event ID 563: NtfsSetRepairState: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Ccb FullFileName: !S!; Ccb access flags: 0x!08x!.

Message

NtfsSetRepairState: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 564: NtfsInitiateRepair: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: !p!; Vcb: !p!; VolumeName: !S!; VolumeLabel: !S!; Fcb: !p!; FileRef: !I64x!; Ccb FullFileName: !S!; Ccb access flags: 0x!08x!.

Message

NtfsInitiateRepair: Caller does not have manage volume privilege. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; Fcb: %5!p!; FileRef: %6!I64x!; Ccb FullFileName: %7!S!; Ccb access flags: 0x%8!08x!.

Event ID 566: NtfsDefineStorageReserve: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDefineStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 567: NtfsDeleteStorageReserve: Caller does not have manage volume privilege.

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message

NtfsDeleteStorageReserve: Caller does not have manage volume privilege. Thread: %1!p!; TypeOfOpen: %2!d!; Vcb: %3!p!; VolumeName: %4!S!; VolumeLabel: %5!S!; Fcb: %6!p!; FileRef: %7!I64x!; Ccb FullFileName: %8!S!; Ccb access flags: 0x%9!08x!.

Event ID 568: Failed to get a non-volatile token for Vcb: {A10_Vcb}!

Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Message

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields

Name | Description
A10_Vcb
A11_Status

Event ID 569: Failed to free non-volatile token for Vcb: {A10_Vcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Message #

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields #

NameDescription
A10_Vcb
A11_Status

Event ID 570: NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Message #

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Fields #

NameDescription
A10_Scb

Event ID 571: NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Message #

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Fields #

NameDescription
A10_CurrentClusters

Event ID 572: ClustersLinkAsHead: {A10_ClustersLinkAsHead}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Message #

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Fields #

NameDescription
A10_ClustersLinkAsHead
A11_FlagsToMatch
A12_InsertAfter

Event ID 573: Clusters: {A10_Clusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Message #

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Fields #

NameDescription
A10_Clusters

Event ID 574: Failed to get a non-volatile token for Vcb: {A10_Vcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Message #

Failed to get a non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields #

NameDescription
A10_Vcb
A11_Status

Event ID 575: Failed to free non-volatile token for Vcb: {A10_Vcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Message #

Failed to free non-volatile token for Vcb: {A10_Vcb}!p!; Status: {A11_Status}!S!

Fields #

NameDescription
A10_Vcb
A11_Status

Event ID 576: NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Message #

NtfsRestoreScbSnapshots: Restored TotalAllocated; Scb: {A10_Scb}!p!; TotalAllocated: 0x{A11_Scb->TotalAllocated}!I64x!

Fields #

NameDescription
A10_Scb

Event ID 577: NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Message #

NtfsGetDeallocatedClusters: Lsn updated for DeallocatedClusters: {A10_CurrentClusters}!p!; Lsn: {A11_CurrentClusters->Lsn.QuadPart}!I64x!

Fields #

NameDescription
A10_CurrentClusters

Event ID 578: ClustersLinkAsHead: {A10_ClustersLinkAsHead}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Message #

ClustersLinkAsHead: {A10_ClustersLinkAsHead}!p!; FlagsToMatch: 0x{A11_FlagsToMatch}!x!; InsertAfter: {A12_InsertAfter}!S!

Fields #

NameDescription
A10_ClustersLinkAsHead
A11_FlagsToMatch
A12_InsertAfter

Event ID 579: Clusters: {A10_Clusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Message #

Clusters: {A10_Clusters}!p!; Flags: 0x{A11_Clusters->Flags}!x!

Fields #

NameDescription
A10_Clusters

Event ID 580: Matching cluster: {A10_Clusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Matching cluster: {A10_Clusters}!p!; NumberOfRuns: 0x{A11_NumberOfRuns}!x!

Message #

Matching cluster: {A10_Clusters}!p!; NumberOfRuns: 0x{A11_NumberOfRuns}!x!

Fields #

NameDescription
A10_Clusters
A11_NumberOfRuns

Event ID 581: Clusters: {A10_Clusters}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

Clusters: {A10_Clusters}!p!

Message #

Clusters: {A10_Clusters}!p!

Fields #

NameDescription
A10_Clusters

Event ID 582: Need to add Range.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

Need to add Range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields #

NameDescription
A11_Clusters
A12_Lcn
A13_ClusterCount

Event ID 583: Need to add Range.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

Need to add Range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields #

NameDescription
A11_Clusters
A12_Lcn
A13_ClusterCount

Event ID 584: Added range.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

Added range. DanglingMdl: {A10_!FlagOn( Clusters->Flags; DEALLOCATED_CLUSTERS_FLAG_NO_DANGLING_MDL )}; DeallocatedClusters: {A11_Clusters}!p!; Lcn: {A12_Lcn}!I64x!; ClusterCount: {A13_ClusterCount}!I64x!

Fields #

NameDescription
A11_Clusters
A12_Lcn
A13_ClusterCount

Event ID 585: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}.

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields #

NameDescription
A10___FUNCTION__
A13_TxfTrans

Event ID 586: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}.

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields #

NameDescription
A10___FUNCTION__
A13_TxfTrans

Event ID 587: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb}!p! {{A12__CalloutParameters->TxfFlush.TxfRmcb->RmId}!S!}: Unexpected exception code of 0x{A13_GetExceptionCode()}!x! received.

Fields #

NameDescription
A10___FUNCTION__

Event ID 588: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields #

NameDescription
A10___FUNCTION__

Event ID 589: {A10___FUNCTION__}: from {A11_CallerFunction}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

{A10___FUNCTION__}: from {A11_CallerFunction}!S! ({A12_CallerFile}!S!:{A13_CallerLineNumber}!d!) RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}; Tx at 0x{A16_(PVOID)TxfTrans}!p! {{A17__TxfTrans->KtmUow}!S!}; Status was 0x{A18_AbortReasonStatus}!x!

Fields #

NameDescription
A10___FUNCTION__
A11_CallerFunction
A12_CallerFile
A13_CallerLineNumber
A18_AbortReasonStatus

Event ID 590: {A10___FUNCTION__}: from {A11_CallerFunction}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

{A10___FUNCTION__}: from {A11_CallerFunction}!S! ({A12_CallerFile}!S!:{A13_CallerLineNumber}!d!) RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}; Tx at 0x{A16_(PVOID)TxfTrans}!p! {{A17__TxfTrans->KtmUow}!S!}; Status was 0x{A18_Status}!x!

Fields #

NameDescription
A10___FUNCTION__
A11_CallerFunction
A12_CallerFile
A13_CallerLineNumber
A18_Status

Event ID 591: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}.

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields #

NameDescription
A10___FUNCTION__
A13_TxfTrans

Event ID 592: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}.

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}

Fields #

NameDescription
A10___FUNCTION__
A13_TxfTrans

Event ID 593: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)CalloutParameters->TxfFlush.TxfRmcb}!p! {{A12__CalloutParameters->TxfFlush.TxfRmcb->RmId}!S!}: Unexpected exception code of 0x{A13_GetExceptionCode()}!x! received.

Fields #

NameDescription
A10___FUNCTION__

Event ID 594: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM metadata corrupt

Fields #

NameDescription
A10___FUNCTION__

Event ID 595: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be initialized.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be initialized.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: TM could not be initialized

Fields #

NameDescription
A10___FUNCTION__

Event ID 596: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: RM log corrupt

Fields #

NameDescription
A10___FUNCTION__

Event ID 597: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: log version changed

Fields #

NameDescription
A10___FUNCTION__

Event ID 598: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; need multiplexed.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; need multiplexed.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: dedicated log found; need multiplexed

Fields #

NameDescription
A10___FUNCTION__

Event ID 599: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; need dedicated.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; need dedicated.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: multiplexed log found; need dedicated

Fields #

NameDescription
A10___FUNCTION__

Event ID 600: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata corrupt.

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: CLFS log metadata corrupt

Fields #

NameDescription
A10___FUNCTION__

Event ID 601: {A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!x!

Message #

{A10___FUNCTION__}: TxfStartRm reports RM will be reset: 0x{A11_FailureStatus}!x!

Fields #

NameDescription
A10___FUNCTION__
A11_FailureStatus

Event ID 602: {A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is 0x{A11_FailureStatus}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is 0x{A11_FailureStatus}!x!!

Message #

{A10___FUNCTION__}: RM did not start and WILL NOT be reset; status code is 0x{A11_FailureStatus}!x!!

Fields #

NameDescription
A10___FUNCTION__
A11_FailureStatus

Event ID 603: {A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!x!

Message #

{A10___FUNCTION__}: Could not initialize IrpContext: 0x{A11_Status}!x!

Fields #

NameDescription
A10___FUNCTION__
A11_Status

Event ID 604: {A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}).

Message #

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields #

NameDescription
A10___FUNCTION__

Event ID 605: {A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!x! for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!

Message #

{A10___FUNCTION__}: IOCTL_VOLUME_GET_GPT_ATTRIBUTES returned 0x{A11_TempStatus}!x! for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!

Fields #

NameDescription
A10___FUNCTION__
A11_TempStatus

Event ID 606: {A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!x!; Status 0x{A12_Status}!x! for default RM on VCB at 0x{A13_(PVOID)Vcb}!p!

Message #

{A10___FUNCTION__}: Exception code 0x{A11_GetExceptionCode()}!x!; Status 0x{A12_Status}!x! for default RM on VCB at 0x{A13_(PVOID)Vcb}!p!

Fields #

NameDescription
A10___FUNCTION__
A12_Status

Event ID 607: {A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!p! after {A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT}!d! tries: 0x{A13_OldStatus}!x!

Message #

{A10___FUNCTION__}: Couldn't reset default RM on VCB at 0x{A11_(PVOID)Vcb}!p! after {A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT}!d! tries: 0x{A13_OldStatus}!x!

Fields #

NameDescription
A10___FUNCTION__
A12_TXF_MAX_RESET_ATTEMPTS_ON_MOUNT
A13_OldStatus

Event ID 608: {A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!. RM will NOT be reset.

Message #

{A10___FUNCTION__}: Exception 0x{A11_GetExceptionCode()}!x! raised from TxfConvertRmStartFailureStatusCode for default RM on VCB at 0x{A12_(PVOID)Vcb}!p!.  RM will NOT be reset.

Fields #

NameDescription
A10___FUNCTION__

Event ID 609: {A10___FUNCTION__}: {A11_.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: {A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')}!S! auto-restart of RM at 0x{A12_(PVOID)TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): 0x{A14_Status}!x!

Message #

{A10___FUNCTION__}: {A11_(NT_SUCCESS( Status ) ? 'Succeeded' : 'FAILED')}!S! auto-restart of RM at 0x{A12_(PVOID)TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): 0x{A14_Status}!x!

Fields #

NameDescription
A10___FUNCTION__
A14_Status

Event ID 610: {A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}).

Message #

{A10___FUNCTION__}: Attempting auto-restart of RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields #

NameDescription
A10___FUNCTION__

Event ID 611: {A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}).

Message #

{A10___FUNCTION__}: Volume too small to start RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!})

Fields #

NameDescription
A10___FUNCTION__

Event ID 612: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: invalid flags in $Tops.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: invalid flags in $Tops

Fields #

NameDescription
A10___FUNCTION__

Event ID 613: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__

Event ID 614: {A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}): Explicit reset requested.

Message #

{A10___FUNCTION__}: Raising to reset RM at 0x{A11_(PVOID)TxfRmcb}!p! ({{A12__TxfRmcb->RmId}!S!}): Explicit reset requested

Fields #

NameDescription
A10___FUNCTION__

Event ID 615: {A10___FUNCTION__}: Got {A11_Status}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}.

Message #

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}

Fields #

NameDescription
A10___FUNCTION__
A11_Status

Event ID 616: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: no TXF_DATA in root.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: no TXF_DATA in root

Fields #

NameDescription
A10___FUNCTION__

Event ID 617: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Different nesting levels of 0x{A13_LogNestingLevel}!x! and 0x{A14_DiskNestingLevel}!x!

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Different nesting levels of 0x{A13_LogNestingLevel}!x! and 0x{A14_DiskNestingLevel}!x!

Fields #

NameDescription
A10___FUNCTION__
A13_LogNestingLevel
A14_DiskNestingLevel

Event ID 618: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__

Event ID 619: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: restart area already exists

Fields #

NameDescription
A10___FUNCTION__

Event ID 620: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: RmID in restart area does not match {{A13__ClfsRestartArea->RmId}!S!}.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: RmID in restart area does not match {{A13__ClfsRestartArea->RmId}!S!}

Fields #

NameDescription
A10___FUNCTION__

Event ID 621: {A10___FUNCTION__}: Got {A11_Status}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}.

Message #

{A10___FUNCTION__}: Got {A11_Status}!d! from ClfsGetLogFileInformation for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}

Fields #

NameDescription
A10___FUNCTION__
A11_Status

Event ID 622: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Restart LSN is before beginning of log.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Restart LSN is before beginning of log.

Fields #

NameDescription
A10___FUNCTION__

Event ID 623: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: MinRollforwardEndLsn is beyond end of log.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: MinRollforwardEndLsn is beyond end of log.

Fields #

NameDescription
A10___FUNCTION__

Event ID 624: {A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} started successfully.

Message #

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} started successfully.

Fields #

NameDescription
A10___FUNCTION__

Event ID 625: {A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} failed to start with Status 0x{A13_Status}!x! {A14_AbnormalTermination() ? '(abnormal termination)' : ''}!S!

Message #

{A10___FUNCTION__}: TxF RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} failed to start with Status 0x{A13_Status}!x! {A14_AbnormalTermination() ? '(abnormal termination)' : ''}!S!

Fields #

NameDescription
A10___FUNCTION__
A13_Status

Event ID 626: {A10___FUNCTION__}: Shutting down {A11_.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Message #

{A10___FUNCTION__}: Shutting down {A11_(TxfIsDefaultRm( TxfRmcb ) ? 'default' : 'secondary')}!S! RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}.  Shutdown is {A14_(ForceDirtyShutdown ? 'DIRTY!' : 'CLEAN.')}!S!

Fields #

NameDescription
A10___FUNCTION__

Event ID 627: {A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} up for auto-restart.

Message #

{A10___FUNCTION__}: Setting RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} up for auto-restart.

Fields #

NameDescription
A10___FUNCTION__

Event ID 628: (.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!).

Message #

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!)

Fields #

NameDescription
A12_TxfRmcb
A14_Status

Event ID 629: (.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!).

Message #

({A10_FILEID_FROM_SOURCE( FileNLine )}:{A11_LINENUM_FROM_SOURCE( FileNLine )}!d!) - TXF_HARD_ERROR on RM at 0x{A12_TxfRmcb}!p! ({{A13__TxfRmcb->RmId}!S!}): {A14_Status}!S!)

Fields #

NameDescription
A12_TxfRmcb
A14_Status

Event ID 630: {A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}.

Message #

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}

Fields #

NameDescription
A10___FUNCTION__
A12__OldGuid

Event ID 631: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}; rolling back Tx at 0x{A13_(PVOID)TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}; Status was 0x{A15_Status}!x!

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}; rolling back Tx at 0x{A13_(PVOID)TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!}; Status was 0x{A15_Status}!x!

Fields #

NameDescription
A10___FUNCTION__
A15_Status

Event ID 632: {A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}.

Message #

{A10___FUNCTION__}: Renamed RM at 0x{A11_(PVOID)TxfRmcb}!p! from {{A12__OldGuid}!S!} to {{A13__TxfRmcb->RmId}!S!}

Fields #

NameDescription
A10___FUNCTION__
A12__OldGuid

Event ID 633: TxfFsctlWriteBackupInformation: Denying access due RM is active.

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; BackupInfo flags: 0x%5!08x!.

Message #

TxfFsctlWriteBackupInformation: Denying access due RM is active. Thread: %1!p!; Vcb: %2!p!; VolumeName: %3!S!; VolumeLabel: %4!S!; BackupInfo flags: 0x%5!08x!.

Event ID 634: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log

Fields #

NameDescription
A10___FUNCTION__

Event ID 635: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found too high of a TxF ID in log

Fields #

NameDescription
A10___FUNCTION__

Event ID 636: {A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!x! FileObject: 0x{A12_(PVOID)FileObject}!p!

Message #

{A10___FUNCTION__}: Error Setting Delete Disposition: 0x{A11_Status}!x!  FileObject: 0x{A12_(PVOID)FileObject}!p!

Fields #

NameDescription
A10___FUNCTION__
A11_Status

Event ID 637: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Got a RECOVER notification for a transaction that isn't in-doubt.

Message #

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Got a RECOVER notification for a transaction that isn't in-doubt

Fields #

NameDescription
A10___FUNCTION__

Event ID 638: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback).

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback)

Fields #

NameDescription
A10___FUNCTION__
A13_TxfTrans

Event ID 639: {A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Message #

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Fields #

NameDescription
A10___FUNCTION__
A13_FlushStatus

Event ID 640: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

#
Provider
Microsoft-Windows-NtfsLog
Channel
Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}.

Message #

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields #

NameDescription
A10___FUNCTION__
A13_Trans

Event ID 641: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} raising 0x{A13_ExceptionCode}!x! to KTM!

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} raising 0x{A13_ExceptionCode}!x! to KTM!

Fields

Name | Description
A10___FUNCTION__
A13_ExceptionCode

Event ID 642: {A10___FUNCTION__}: Commit.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: Commit (0x{A11_TransactionNotification}!x!) of{A12_(TransactionAlreadyPrepared ? ' **PREPARED** ' : ' ')}!S!tx {{A13__TxfTrans->KtmUow}!S!} on RM at 0x{A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!} failed with 0x{A16_Status}!x!

Fields

Name | Description
A10___FUNCTION__
A11_TransactionNotification
A16_Status

Event ID 643: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify commit).

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify commit)

Fields

Name | Description
A10___FUNCTION__
A13_TxfTrans

Event ID 644: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback).

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_TxfTrans}!p! {{A14__TxfTrans->KtmUow}!S!} (notify rollback)

Fields

Name | Description
A10___FUNCTION__
A13_TxfTrans

Event ID 645: {A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Message

{A10___FUNCTION__}: Error doing IRP_MJ_FLUSH_BUFFERS on RM at 0x{A11_(PVOID)Trans->TxfRmcb}!p! {{A12__Trans->TxfRmcb->RmId}!S!}: 0x{A13_FlushStatus}!x!

Fields

Name | Description
A10___FUNCTION__
A13_FlushStatus

Event ID 646: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}.

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} trying to abort transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields

Name | Description
A10___FUNCTION__
A13_Trans

Event ID 647: {A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!p! 0x{A12_CallStack[1]}!p! 0x{A13_CallStack[2]}!p! 0x{A14_CallStack[3]}!p! 0x{A15_CallStack[4]}!p!

Message

{A10___FUNCTION__}: Aborting call stack: 0x{A11_CallStack[0]}!p! 0x{A12_CallStack[1]}!p! 0x{A13_CallStack[2]}!p! 0x{A14_CallStack[3]}!p! 0x{A15_CallStack[4]}!p!

Fields

Name | Description
A10___FUNCTION__
A11_CallStack[0]
A12_CallStack[1]
A13_CallStack[2]
A14_CallStack[3]
A15_CallStack[4]

Event ID 648: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}.

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} aborting transaction at 0x{A13_Trans}!p! {{A14__Trans->KtmUow}!S!}

Fields

Name | Description
A10___FUNCTION__
A13_Trans

Event ID 649: {A10___FUNCTION__}: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: 0x{A11_Status}!x! initializing IrpContext for tx at {A12_(PVOID)Trans}!p! {{A13__Trans->KtmUow}!S!}; RM at {A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: 0x{A11_Status}!x! initializing IrpContext for tx at {A12_(PVOID)Trans}!p! {{A13__Trans->KtmUow}!S!}; RM at {A14_(PVOID)TxfRmcb}!p! {{A15__TxfRmcb->RmId}!S!}

Fields

Name | Description
A10___FUNCTION__
A11_Status

Event ID 650: {A10___FUNCTION__}: 0x{A11_Status}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: 0x{A11_Status}!x! writing log record for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}; Tx at 0x{A14_(PVOID)Trans}!p! {{A15__Trans->KtmUow}!S!}.

Message

{A10___FUNCTION__}: 0x{A11_Status}!x! writing log record for RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}; Tx at 0x{A14_(PVOID)Trans}!p! {{A15__Trans->KtmUow}!S!}

Fields

Name | Description
A10___FUNCTION__
A11_Status

Event ID 651: {A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: About to force aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 652: {A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: BaseLsn is greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 653: {A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: No transactions remain on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 654: {A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Transaction's first undo LSN greater than TargetLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 655: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} surprise-aborting transaction at 0x{A13_OldestTrans}!p! {{A14__OldestTrans->KtmUow}!S!}.

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} surprise-aborting transaction at 0x{A13_OldestTrans}!p! {{A14__OldestTrans->KtmUow}!S!}

Fields

Name | Description
A10___FUNCTION__
A13_OldestTrans

Event ID 656: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} got 0x{A13_Status}!x! from TxfTryAbortTransaction on Tx 0x{A14_OldestTrans}!p! {{A15__OldestTrans->KtmUow}!S!}.

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!} got 0x{A13_Status}!x! from TxfTryAbortTransaction on Tx 0x{A14_OldestTrans}!p! {{A15__OldestTrans->KtmUow}!S!}

Fields

Name | Description
A10___FUNCTION__
A13_Status
A14_OldestTrans

Event ID 657: {A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Inactive RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 658: {A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Log is pinned on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 659: {A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

{A10___FUNCTION__}: RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}; rolling back KTM Tx at 0x{A13_(PVOID)TransToDereference}!p! {{A14__TransToDereference->KtmUow}!S!}; Status was 0x{A15_Status}!x!

Fields

Name | Description
A10___FUNCTION__
A15_Status

Event ID 660: {A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Log pinned trying to advance RestartLsn on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 661: {A10___FUNCTION__}: Log pinned by doomed transaction on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Log pinned by doomed transaction on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Log pinned by doomed transaction on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 662: {A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!X! to CLFS from RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}: 0x{A14_Status}!x!

Message

{A10___FUNCTION__}: Reporting 0x{A11_PinnedStatus}!X! to CLFS from RM at 0x{A12_(PVOID)TxfRmcb}!p! {{A13__TxfRmcb->RmId}!S!}: 0x{A14_Status}!x!

Fields

Name | Description
A10___FUNCTION__
A11_PinnedStatus
A14_Status

Event ID 663: {A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Message

{A10___FUNCTION__}: Done forcing aborts on RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}.

Fields

Name | Description
A10___FUNCTION__

Event ID 664: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Txf directory is missing in pre-existing RM.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Txf directory is missing in pre-existing RM

Fields

Name | Description
A10___FUNCTION__

Event ID 665: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found $Txf without DUP_INDEX_IS_DOLLAR_TXF_DIRECTORY

Fields

Name | Description
A10___FUNCTION__

Event ID 666: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found non-empty $Txf but there is no log.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found non-empty $Txf but there is no log

Fields

Name | Description
A10___FUNCTION__

Event ID 667: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $INDEX_ROOT on $Txf.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $INDEX_ROOT on $Txf

Fields

Name | Description
A10___FUNCTION__

Event ID 668: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find TXF_DATA_ATTR on $Txf.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find TXF_DATA_ATTR on $Txf

Fields

Name | Description
A10___FUNCTION__

Event ID 669: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found TXF_DATA_ATTR for normal file on $Txf.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Found TXF_DATA_ATTR for normal file on $Txf

Fields

Name | Description
A10___FUNCTION__

Event ID 670: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Expected a secondary RM here.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Expected a secondary RM here

Fields

Name | Description
A10___FUNCTION__

Event ID 671: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but $Txf is non-empty.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but $Txf is non-empty

Fields

Name | Description
A10___FUNCTION__

Event ID 672: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but there is already a log.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is missing but there is already a log

Fields

Name | Description
A10___FUNCTION__

Event ID 673: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is {A13_(IsEncrypted( _TopsFcb->Info ) ? 'encrypted' : 'compressed')}!S!

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is {A13_(IsEncrypted( _TopsFcb->Info ) ? 'encrypted' : 'compressed')}!S!

Fields

Name | Description
A10___FUNCTION__

Event ID 674: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Missing $STANDARD_INFORMATION.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Missing $STANDARD_INFORMATION

Fields

Name | Description
A10___FUNCTION__

Event ID 675: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find file attributes.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find file attributes

Fields

Name | Description
A10___FUNCTION__

Event ID 676: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is corrupt.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops is corrupt

Fields

Name | Description
A10___FUNCTION__

Event ID 677: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Could not find unnamed data stream.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Could not find unnamed data stream

Fields

Name | Description
A10___FUNCTION__

Event ID 678: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong version or records wrong size.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong version or records wrong size

Fields

Name | Description
A10___FUNCTION__

Event ID 679: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong size.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: $Tops metadata is the wrong size

Fields

Name | Description
A10___FUNCTION__

Event ID 680: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Non-NULL RM ID found in $Tops and there is no log.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Non-NULL RM ID found in $Tops and there is no log

Fields

Name | Description
A10___FUNCTION__

Event ID 681: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Epoch in $Tops metadata doesn't match RM.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Epoch in $Tops metadata doesn't match RM

Fields

Name | Description
A10___FUNCTION__

Event ID 682: {A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $T stream.

Message

{A10___FUNCTION__}: Corrupt RM at 0x{A11_(PVOID)TxfRmcb}!p! {{A12__TxfRmcb->RmId}!S!}: Couldn't find $T stream

Fields

Name | Description
A10___FUNCTION__

Event ID 683: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed.

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 684: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Decided to trim usn journal.  FirstValidUsn {A12_Vcb->FirstValidUsn}!I64x!; new FirstValidUsn {A13_FirstValidUsn}!I64x!; FS {A14_TrackUsnJournalFileSize}!I64x!; AS {A15_TrackUsnJournalAllocationSize}!I64x!; MaxSize {A16_TrackUsnJournalMaxSize}!I64x!; DeltaSize {A17_TrackUsnJournalDeltaAllocation}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext
A13_FirstValidUsn
A14_TrackUsnJournalFileSize
A15_TrackUsnJournalAllocationSize
A16_TrackUsnJournalMaxSize
A17_TrackUsnJournalDeltaAllocation

Event ID 685: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): About to delete allocation till {A12_FirstValidUsn - 1}!I64x!; SavedReserve {A13_SavedReserved}!I64x!; RequiredReserve {A14_RequiredReserved}!I64x!

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): About to delete allocation till {A12_FirstValidUsn - 1}!I64x!; SavedReserve {A13_SavedReserved}!I64x!; RequiredReserve {A14_RequiredReserved}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext
A13_SavedReserved
A14_RequiredReserved

Event ID 686: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Before trimming journal AS {A12_UsnJournal->Header.AllocationSize.QuadPart}!I64x!; FS {A13_UsnJournal->Header.FileSize.QuadPart}!I64x!; VDL {A14_UsnJournal->Header.ValidDataLength.QuadPart}!I64x!; TA {A15_UsnJournal->TotalAllocated}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 687: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): After trimming journal AS {A12_UsnJournal->Header.AllocationSize.QuadPart}!I64x!; FS {A13_UsnJournal->Header.FileSize.QuadPart}!I64x!; VDL {A14_UsnJournal->Header.ValidDataLength.QuadPart}!I64x!; TA {A15_UsnJournal->TotalAllocated}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 688: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Mapping pairs validated.

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Mapping pairs validated

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 689: TrimUsnJournal.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed.

Message

TrimUsnJournal ({A10_Vcb}!p!; {A11_IrpContext}!p!): Checkpointed

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 690: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes.

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 691: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware.

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 692: NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal.

Message

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal

Fields

Name | Description
A10_IrpContext

Event ID 693: NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Fields

Name | Description
A10_RemainingClusterCount
A11_Scb
A12_Vcn
A13_Lcn
A14_ClusterCount

Event ID 694: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): Extending journal from AS {A14_Scb->Header.AllocationSize.QuadPart}!I64x!; FS {A15_Scb->Header.FileSize.QuadPart}!I64x!; VDL {A16_Scb->Header.ValidDataLength.QuadPart}!I64x!; to AS {A17_NewAllocationSize}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext
A17_NewAllocationSize

Event ID 695: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): Done extending journal AS {A14_Scb->Header.AllocationSize.QuadPart}!I64x!; FS {A15_Scb->Header.FileSize.QuadPart}!I64x!; VDL {A16_Scb->Header.ValidDataLength.QuadPart}!I64x!; TA {A17_Scb->TotalAllocated}!I64x!

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 696: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes.

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsWriteFileSizes

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 697: OfsSetLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware.

Message

OfsSetLength ({A10_Vcb}!p!;{A11_IrpContext}!p!;{A12_IrpContext->OriginatingIrp}!p!;{A13_PsGetCurrentThread()}!p!): After NtfsSetCcFileSizesUsnBiasAware

Fields

Name | Description
A10_Vcb
A11_IrpContext

Event ID 698: NtOfsPostNewLength.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal.

Message

NtOfsPostNewLength ({A10_IrpContext}!p!;{A11_IrpContext->OriginatingIrp}!p!;{A12_PsGetCurrentThread()}!p!): Status {A13_IrpContext->ExceptionStatus}!x! before calling NtfsReadUsnJournal

Fields

Name | Description
A10_IrpContext

Event ID 699: NtfsIsRegionDangling: RemainingClusterCount: 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Message

NtfsIsRegionDangling: RemainingClusterCount: 0x{A10_RemainingClusterCount}!I64x!; Scb: {A11_Scb}!p!; Vcn: 0x{A12_Vcn}!I64x!; Lcn: 0x{A13_Lcn}!I64x!; Clusters: 0x{A14_ClusterCount}!I64x!

Fields

Name | Description
A10_RemainingClusterCount
A11_Scb
A12_Vcn
A13_Lcn
A14_ClusterCount

Event ID 700: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Vcb {A10_Vcb}!p! - has *no* active PFNs.

Message

Vcb {A10_Vcb}!p! - has *no* active PFNs

Fields

Name | Description
A10_Vcb

Event ID 701: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Vcb {A10_Vcb}!p! - failed to query active PFNs assuming there are some.

Message

Vcb {A10_Vcb}!p! - failed to query active PFNs assuming there are some

Fields

Name | Description
A10_Vcb

Event ID 702: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Vcb {A10_Vcb}!p! - has active PFNs.

Message

Vcb {A10_Vcb}!p! - has active PFNs

Fields

Name | Description
A10_Vcb

Event ID 703: NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p!

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p!

Fields

Name | Description
A10_Vcb

Event ID 704: NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters.

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Found frozen deallocated clusters

Fields

Name | Description
A10_Vcb

Event ID 705: NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Wait for any on going trim to finish.

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - Wait for any on going trim to finish

Fields

Name | Description
A10_Vcb

Event ID 706: NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - No more on going trim.

Message

NtfsPerformDismountOnVcb: Vcb {A10_Vcb}!p! - No more on going trim

Fields

Name | Description
A10_Vcb

Event ID 707: Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Fields

Name | Description
A10_Scb

Event ID 708: NtfsPostVcbIsCorrupt.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

NtfsPostVcbIsCorrupt({A10_IrpContext}!p!; {A11_Status}!x!; {A12_FileReference}!p!; {A13_Fcb}!p!; {A14_Source}!016I64x!): IrpContext->TopLevelIrpContext->ExceptionStatus == {A15_TopLevelExceptionStatus}!x! before NtfsSetVcbDirtyFlag.

Fields

Name | Description
A10_IrpContext
A11_Status
A12_FileReference
A13_Fcb
A14_Source
A15_TopLevelExceptionStatus

Event ID 709: NtfsPostVcbIsCorrupt: Marking volume dirty.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

NtfsPostVcbIsCorrupt: Marking volume dirty. Vcb {A10_Vcb}!p!; WasDirty: {A11_WasDirty}!x!; FileReference {A12_NtfsFullSegmentNumber( _BugCheckFileReference )}!I64x!; Source {A13_Source}!016I64x!

Message

NtfsPostVcbIsCorrupt: Marking volume dirty.  Vcb {A10_Vcb}!p!; WasDirty: {A11_WasDirty}!x!; FileReference {A12_NtfsFullSegmentNumber( _BugCheckFileReference )}!I64x!; Source {A13_Source}!016I64x!

Fields

Name | Description
A10_Vcb
A11_WasDirty
A13_Source

Event ID 710: Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Message

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name | Description
A10_ByteRange
A11_SectorAlignedVdl

Event ID 711: Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Succeeding log write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x! after getting 0x{A12_IrpContext->TopLevelIrpContext->ExceptionStatus}!x! in top-level irpcontext

Event ID 712: Succeeding log write @ 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Message

Succeeding log write @ 0x{A10_IrpSp->Parameters.Write.ByteOffset.HighPart}!08x!{A11_IrpSp->Parameters.Write.ByteOffset.LowPart}!08x! after getting 0x{A12_IrpContext->TopLevelIrpContext->ExceptionStatus}!x! in top-level irpcontext

Fields

Name | Description
A10_Scb

Event ID 713: Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb=.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Message

Unexpected Paging-Write on stream accessed in Direct-Access mode; Scb={A10_Scb}!p!

Fields

Name | Description
A10_Scb

Event ID 714: Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Message

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name | Description
A10_StartingVbo

Event ID 715: Ignoring write to 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Message

Ignoring write to 0x{A10_StartingVbo}!I64x!; SCB length is 0x{A11_Scb->Header.ValidDataLength.QuadPart}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name | Description
A10_StartingVbo

Event ID 716: Truncating write from 0x.

Provider: Microsoft-Windows-NtfsLog
Channel: Operational

Description

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Message

Truncating write from 0x{A10_ByteRange}!I64x! to 0x{A11_SectorAlignedVdl}!I64x! for SCB 0x{A12_(ptrdiff_t) Scb}!Ix!

Fields

Name | Description
A10_ByteRange
A11_SectorAlignedVdl