Microsoft-Windows-Partition
16 events across 3 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1001 | Operation started. | Diagnostic | N |
| 1002 | Operation completed. | Diagnostic | N |
| 1003 | task_01003 | Analytic | Y |
| 1004 | task_01004 | Analytic | Y |
| 1005 | task_01005 | Analytic | Y |
| 1006 | For internal use only. | Diagnostic | Y |
| 1007 | Disk DiskNumber has HiddenPartitionsCount hidden partitions. | Diagnostic | N |
| 1008 | Critical partition error: failed to change the layout for disk DiskNumber due to … | Diagnostic | N |
| 1009 | Service partition error: failed to set partition information for disk DiskNumber … | Diagnostic | N |
| 5000 | WakeNotificationWorkItem | Debug | N |
| 5001 | NotificationWorkItemLoop | Debug | N |
| 5002 | NotificationWorkItemExit | Debug | N |
| 5003 | QueryRemovalRelationsEnter | Debug | N |
| 5004 | QueryRemovalRelationsWait | Debug | N |
| 5005 | QueryRemovalRelationsExit | Debug | N |
| 5006 | QueryDepends | Debug | N |
Event ID 1001: Operation started.
Event ID 1002: Operation completed.
Description
Operation completed.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber UInt32 | |
| ControlCode UInt32 | |
| Status UInt32 | NTSTATUS reference |
Event ID 1003: task_01003
Fields
| Name | Description |
|---|---|
| Process Pointer | |
| IncrementEnergy UInt64 | |
| SrvTime UInt64 | |
| EndByteOffset UInt64 | |
| IoSize UInt32 | |
| LastIdleState UInt8 | |
| IsRandom UInt8 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Partition",
    "guid": "{412BDFF2-A8C4-470D-8F33-63FE0D8C20E2}",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000001",
    "time_created": "2026-06-02T06:00:15.145+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "EndByteOffset": 609107968,
    "IncrementEnergy": 543750000,
    "IoSize": 4096,
    "IsRandom": 1,
    "LastIdleState": 2,
    "Process": "0xFFFFBD09DF6A2040",
    "SrvTime": 0
  },
  "message": ""
}
```
Event ID 1004: task_01004
Fields
| Name | Description |
|---|---|
| Process Pointer | |
| IncrementEnergy UInt64 | |
| IdleTime UInt64 | |
| LastIdleState UInt8 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Partition",
    "guid": "{412BDFF2-A8C4-470D-8F33-63FE0D8C20E2}",
    "event_source_name": "",
    "event_id": 1004,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000001",
    "time_created": "2026-06-02T06:00:15.145+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 11208
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IdleTime": 12095170,
    "IncrementEnergy": 10247522400,
    "LastIdleState": 2,
    "Process": "0xFFFFBD09DF6A2040"
  },
  "message": ""
}
```
Event ID 1005: task_01005
Fields
| Name | Description |
|---|---|
| LocalLastCompTime UInt64 | |
| SharedLastCompTime UInt64 | |
| CompTime UInt64 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Partition",
    "guid": "{412BDFF2-A8C4-470D-8F33-63FE0D8C20E2}",
    "event_source_name": "",
    "event_id": 1005,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": "0x4000000000000001",
    "time_created": "2026-06-02T06:00:16.729+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 8936
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "CompTime": 1232263626741,
    "LocalLastCompTime": 1232263628098,
    "SharedLastCompTime": 1232263628098
  },
  "message": ""
}
```
Event ID 1006: For internal use only.
Description
For internal use only.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber UInt32 | |
| Flags UInt32 | |
| Characteristics UInt32 | |
| IsSystemCritical Boolean | |
| PagingCount UInt32 | |
| HibernationCount UInt32 | |
| DumpCount UInt32 | |
| BytesPerSector UInt32 | |
| Capacity UInt64 | |
| BusType UInt32 | |
| Manufacturer UnicodeString | |
| Model UnicodeString | |
| Revision UnicodeString | |
| SerialNumber UnicodeString | |
| Location UnicodeString | |
| ParentId UnicodeString | |
| Socket Int32 | |
| Slot Int32 | |
| Bus Int32 | |
| Device Int32 | |
| Function Int32 | |
| Adapter Int32 | |
| Port Int32 | |
| Target Int32 | |
| Lun Int32 | |
| IoctlSupport UInt64 | |
| IdFlags UInt32 | |
| DiskId GUID | |
| AdapterId GUID | |
| RegistryId GUID | |
| PoolId GUID | |
| FirmwareSupportsUpgrade Boolean | |
| FirmwareSlotCount UInt8 | |
| StorageIdCount UInt32 | |
| StorageIdCodeSet UInt32 | |
| StorageIdType UInt32 | |
| StorageIdAssociation UInt32 | |
| StorageIdBytes UInt32 | |
| StorageId Binary | |
| WriteCacheType UInt32 | |
| WriteCacheEnabled UInt32 | |
| WriteCacheChangeable UInt32 | |
| WriteThroughSupported UInt32 | |
| FlushCacheSupported Boolean | |
| IsPowerProtected Boolean | |
| NVCacheEnabled Boolean | |
| BytesPerLogicalSector UInt32 | |
| BytesPerPhysicalSector UInt32 | |
| BytesOffsetForSectorAlignment UInt32 | |
| IncursSeekPenalty Boolean | |
| IsTrimSupported Boolean | |
| IsThinProvisioned Boolean | |
| OptimalUnmapGranularity UInt64 | |
| UnmapAlignment UInt64 | |
| NumberOfLogicalCopies UInt32 | |
| NumberOfPhysicalCopies UInt32 | |
| FaultTolerance UInt32 | |
| NumberOfColumns UInt32 | |
| InterleaveBytes UInt32 | |
| HybridSupported Boolean | |
| HybridCacheBytes UInt64 | |
| AdapterMaximumTransferBytes UInt32 | |
| AdapterMaximumTransferPages UInt32 | |
| AdapterAlignmentMask UInt32 | |
| AdapterSerialNumber UnicodeString | |
| PortDriver UInt32 | |
| UserRemovalPolicy Boolean | |
| PartitionStyle UInt32 | |
| PartitionCount UInt32 | |
| PartitionTableBytes UInt32 | |
| PartitionTable Binary | |
| MbrBytes UInt32 | |
| Mbr Binary | |
| Vbr0Bytes UInt32 | |
| Vbr0 Binary | |
| Vbr1Bytes UInt32 | |
| Vbr1 Binary | |
| Vbr2Bytes UInt32 | |
| Vbr2 Binary | |
| Vbr3Size UInt32 | |
| Vbr3 Binary | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Partition",
    "guid": "412BDFF2-A8C4-470D-8F33-63FE0D8C20E2",
    "event_source_name": "",
    "event_id": 1006,
    "version": 4,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:12.672631+00:00",
    "event_record_id": 11,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 236
    },
    "channel": "Microsoft-Windows-Partition/Diagnostic",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DiskNumber": 0,
    "Flags": 538976528,
    "Characteristics": 262400,
    "IsSystemCritical": true,
    "PagingCount": 0,
    "HibernationCount": 0,
    "DumpCount": 0,
    "BytesPerSector": 512,
    "Capacity": 134217728000,
    "BusType": 10,
    "Manufacturer": "VMware,",
    "Model": "VMware Virtual S",
    "Revision": "1.0",
    "SerialNumber": "NULL",
    "Location": "PCI Slot 160 : Bus 3 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0",
    "ParentId": "PCI\\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\\4&2509f6e&0&00A8",
    "Socket": -1,
    "Slot": 160,
    "Bus": 3,
    "Device": 0,
    "Function": 0,
    "Adapter": 0,
    "Port": 0,
    "Target": 0,
    "Lun": 0,
    "IoctlSupport": 59751,
    "IdFlags": 2,
    "DiskId": "33A0A150-7C6D-11EE-9369-806E6F6E6963",
    "AdapterId": "C831DD37-73BE-11EE-935E-806E6F6E6963",
    "RegistryId": "C831DD44-73BE-11EE-935E-806E6F6E6963",
    "PoolId": "00000000-0000-0000-0000-000000000000",
    "FirmwareSupportsUpgrade": true,
    "FirmwareSlotCount": 1,
    "StorageIdCount": 0,
    "StorageIdCodeSet": 0,
    "StorageIdType": 0,
    "StorageIdAssociation": 0,
    "StorageIdBytes": 0,
    "StorageId": "",
    "WriteCacheType": 0,
    "WriteCacheEnabled": 0,
    "WriteCacheChangeable": 0,
    "WriteThroughSupported": 0,
    "FlushCacheSupported": false,
    "IsPowerProtected": false,
    "NVCacheEnabled": false,
    "BytesPerLogicalSector": 512,
    "BytesPerPhysicalSector": 512,
    "BytesOffsetForSectorAlignment": 0,
    "IncursSeekPenalty": false,
    "IsTrimSupported": false,
    "IsThinProvisioned": false,
    "OptimalUnmapGranularity": 0,
    "UnmapAlignment": 0,
    "NumberOfLogicalCopies": 0,
    "NumberOfPhysicalCopies": 0,
    "FaultTolerance": 0,
    "NumberOfColumns": 0,
    "InterleaveBytes": 0,
    "HybridSupported": false,
    "HybridCacheBytes": 0,
    "AdapterMaximumTransferBytes": 16777215,
    "AdapterMaximumTransferPages": 257,
    "AdapterAlignmentMask": 0,
    "AdapterSerialNumber": "NULL",
    "PortDriver": 1,
    "UserRemovalPolicy": false,
    "PartitionStyle": 1,
    "PartitionCount": 4,
    "PartitionTableBytes": 624,
    "PartitionTable": "(binary data omitted)",
    "MbrBytes": 0,
    "Mbr": "",
    "Vbr0Bytes": 0,
    "Vbr0": "",
    "Vbr1Bytes": 0,
    "Vbr1": "",
    "Vbr2Bytes": 0,
    "Vbr2": "",
    "Vbr3Size": 0,
    "Vbr3": ""
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1007: Disk DiskNumber has HiddenPartitionsCount hidden partitions.
Event ID 1008: Critical partition error: failed to change the layout for disk DiskNumber due to partition PartitionNumber.
Event ID 1009: Service partition error: failed to set partition information for disk DiskNumber partition PartitionNumber.
Event ID 5000: WakeNotificationWorkItem
Description
WakeNotificationWorkItem.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber UInt32 | |
| Flags HexInt32 | |
| Status HexInt32 | NTSTATUS reference |
| Caller AnsiString | |
Event ID 5001: NotificationWorkItemLoop
Event ID 5002: NotificationWorkItemExit
Event ID 5003: QueryRemovalRelationsEnter
Event ID 5004: QueryRemovalRelationsWait
Description
QueryRemovalRelationsWait.
Message
Fields
| Name | Description |
|---|---|
| DiskNumber UInt32 | |
| Irp Pointer | |
| Status HexInt32 | NTSTATUS reference |
Event ID 5005: QueryRemovalRelationsExit
Event ID 5006: QueryDepends
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {412BDFF2-A8C4-470D-8F33-63FE0D8C20E2}
Defined in partmgr.sys, the binary that emits these events.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.4768, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02