Microsoft-Windows-ReadyBoostDriver

33 events across 2 channels

Event	Title	Channel	Sample
1	StoreReadStart_V2	Analytic	N
2	StoreReadStop_V1	Analytic	N
3	StoreAdd_V2	Analytic	N
4	StoreRemove_V1	Analytic	N
5	StoreCreate	Analytic	N
6	StoreDelete_V1	Analytic	N
7	StoreRundown	Analytic	N
8	VolumeMapRundown	Analytic	Y
9	VolumeMapCreate_V1	Analytic	N
10	VolumeMapRemove_V1	Analytic	N
11	StoreIgnoredIO_V1	Analytic	N
12	ReadyBootIO_V2	Analytic	N
13	VirtualAddress Virtual Address: Physical_Address Physical Address: …	Operational	N
14	StorePageRundown_V1	Analytic	N
15	RegionEvict_V2	Analytic	N
16	RegionWrite_V2	Analytic	N
17	A ReadyBoost cache partially or fully failed to persist across boot.	Operational	N
18	UserActive_V1	Analytic	N
19	StoreIoStats_V1	Analytic	N
20	GlobalStats	Analytic	Y
21	StoreEmpty_V1	Analytic	N
22	RegionRelease_V1	Analytic	N
23	RegionCompactStart_V1	Analytic	N
24	RegionCompactStop_V1	Analytic	N
25	RegionRundown_V1	Analytic	N
26	WriteEvict_V1	Analytic	N
27	Device_name Device name: FailStatus Cache path: DeviceDescription.	Operational	N
28	ReadyBootPeriodicStats_V1	Analytic	N
29	task_0	Operational	N
30	ReadyBootCacheOp_V1	Analytic	N
31	HbdrvIrpTag_V1	Analytic	N
32	SyncCallStart	Analytic	N
33	SyncCallStop	Analytic	N

Event ID 1: StoreReadStart_V2

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreRead
Opcode: Start

Fields #

Name	Description
`ByteOffset` UInt64
`Irp` Pointer
`ByteLength` UInt32
`Flags` UInt32
`FileKey` Pointer
`StoreId` UInt16
`VolumeId` UInt16

Event ID 2: StoreReadStop_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreRead
Opcode: Stop

Fields #

Name	Description
`Irp` Pointer
`Status` UInt32	NTSTATUS reference

Event ID 3: StoreAdd_V2

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreAdd

Fields #

Name	Description
`DataKey` UInt64
`DataMgr` Pointer
`StoreOffset` UInt32
`CompressedSize` UInt16
`Flags` UInt16

Event ID 4: StoreRemove_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreRemove

Fields #

Name	Description
`DataKey` UInt64
`DataMgr` Pointer
`StoreOffset` UInt32

Event ID 5: StoreCreate

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreCreate
Opcode: Info

Fields #

Name	Description
`StoreKey` Pointer
`StoreFileKey` Pointer
`UserDataMgr` Pointer
`MetadataMgr` Pointer
`RegionSize` UInt32
`RegionCount` UInt32
`BlockSize` UInt32
`SectorSize` UInt32
`EncryptionStrength` UInt32
`StoreType` UInt16
`StoreId` UInt16
`BlocksStored` UInt32
`RegionsInUse` UInt32
`TotalSpaceUsed` UInt32
`Flags` UInt32
`MetaRegionCount` UInt32
`MetaRegionsInUse` UInt32
`MetaRegionsSpaceUsed` UInt32
`StoreTime` UInt32
`OwnerProcessId` UInt32
`PartitionId` UInt32

Event ID 6: StoreDelete_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreDelete

Fields #

Name	Description
`StoreKey` Pointer

Event ID 7: StoreRundown

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreRundown
Opcode: Info

Fields #

Name	Description
`StoreKey` Pointer
`StoreFileKey` Pointer
`UserDataMgr` Pointer
`MetadataMgr` Pointer
`RegionSize` UInt32
`RegionCount` UInt32
`BlockSize` UInt32
`SectorSize` UInt32
`EncryptionStrength` UInt32
`StoreType` UInt16
`StoreId` UInt16
`BlocksStored` UInt32
`RegionsInUse` UInt32
`TotalSpaceUsed` UInt32
`Flags` UInt32
`MetaRegionCount` UInt32
`MetaRegionsInUse` UInt32
`MetaRegionsSpaceUsed` UInt32
`StoreTime` UInt32
`OwnerProcessId` UInt32
`PartitionId` UInt32

Event ID 8: VolumeMapRundown

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: VolumeMapRundown
Opcode: win:Info

Fields #

Name	Description
`VolumeId` UInt16
`VolumeNameLength` UInt16
`VolumePath` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoostDriver",
    "guid": "{2A274310-42D5-4019-B816-E4B8C7ABE95C}",
    "event_source_name": "",
    "event_id": 8,
    "version": 1,
    "level": 4,
    "task": 7,
    "opcode": 0,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T06:00:43.283+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 5852,
      "thread_id": 16092
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "VolumeId": 0,
    "VolumeNameLength": 23,
    "VolumePath": "\\Device\\HarddiskVolume4"
  },
  "message": "VolumeMapRundown"
}

Event ID 9: VolumeMapCreate_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: VolumeMapCreate

Fields #

Name	Description
`VolumeId` UInt16
`VolumeNameLength` UInt16
`VolumePath` UnicodeString

Event ID 10: VolumeMapRemove_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: VolumeMapRemove

Fields #

Name	Description
`VolumeId` UInt16
`VolumeNameLength` UInt16
`VolumePath` UnicodeString

Event ID 11: StoreIgnoredIO_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreIgnoredIO

Fields #

Name	Description
`Irp` Pointer
`Reason` UInt16
`Flags` UInt16

Event ID 12: ReadyBootIO_V2

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: ReadyBootIO

Fields #

Name	Description
`StartTime` UInt64
`ByteOffset` UInt64
`FileKey` Pointer
`ProcessKey` Pointer
`ByteLength` UInt32
`Flags` UInt32

Event ID 13: VirtualAddress Virtual Address: Physical_Address Physical Address: Corruption_Window_Size Corruption Window Size: DataMgr.

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Operational
Task: StoreCorruption

Description

FileBacked Virtual Address: VirtualAddress Physical Address: PhysicalAddress Corruption Window Size: Size

Message #

%5



Virtual Address: %2

Physical Address: %3

Corruption Window Size: %4

Fields #

Name	Description
`DataMgr` Pointer
`VirtualAddress` Pointer
`PhysicalAddress` UInt64
`Size` UInt16
`FileBacked` UInt8
`CorruptionType` UInt8
`Flags` UInt32

Event ID 14: StorePageRundown_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StorePageRundown

Fields #

Name	Description
`DataKey` UInt64
`DataMgr` Pointer
`StoreOffset` UInt32
`CompressedSize` UInt16
`Flags` UInt16

Event ID 15: RegionEvict_V2

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionEvict

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 16: RegionWrite_V2

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionWrite

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 17: A ReadyBoost cache partially or fully failed to persist across boot.

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Operational
Task: UnpersistFailure

Description

A ReadyBoost cache partially or fully failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Message #

A ReadyBoost cache partially or fully failed to persist across boot. This may happen if the cache device was modified on another computer or if this computer was booted into another operating system.

Fields #

Name	Description
`FailReason` UInt32
`FailStatus` HexInt32
`ObjectPathLength` UInt16
`ObjectPath` UnicodeString

Event ID 18: UserActive_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: UserActive

Fields #

Name	Description
`UserActive` UInt8

Event ID 19: StoreIoStats_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreIoStats

Fields #

Name	Description
`StoreKey` Pointer
`Size` UInt32
`Data` Binary

Event ID 20: GlobalStats

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Also via: realtime ETW trace
Level: Informational
Task: GlobalStats
Opcode: win:Info

Fields #

Name	Description
`Size` UInt32
`Data` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ReadyBoostDriver",
    "guid": "{2A274310-42D5-4019-B816-E4B8C7ABE95C}",
    "event_source_name": "",
    "event_id": 20,
    "version": 1,
    "level": 4,
    "task": 19,
    "opcode": 0,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T06:00:43.283+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 5852,
      "thread_id": 16092
    },
    "channel": "ETW Trace",
    "computer": "DESKTOP-FF3N5XK",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": "00040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F401000000000000E803000000000000B80B00000000000088130000000000001027000000000000204E00000000000050C3000000000000FFFFFFFF00000000",
    "Size": 896
  },
  "message": "GlobalStats"
}

Event ID 21: StoreEmpty_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: StoreEmpty

Fields #

Name	Description
`StoreKey` Pointer
`Param` Pointer

Event ID 22: RegionRelease_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionRelease

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 23: RegionCompactStart_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionCompact
Opcode: Start

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 24: RegionCompactStop_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionCompact
Opcode: Stop

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 25: RegionRundown_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: RegionRundown

Fields #

Name	Description
`DataMgr` Pointer
`RegionIndex` UInt32
`Status` UInt32	NTSTATUS reference
`SpaceUsed` UInt16
`LastAccessTime` UInt16

Event ID 26: WriteEvict_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: WriteEvict

Fields #

Name	Description
`DataKey` UInt64
`LengthInBytes` UInt64

Event ID 27: Device_name Device name: FailStatus Cache path: DeviceDescription.

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Operational
Task: CacheTermination

Description

Reason Device name: DeviceDescription Cache path: ObjectPath

Message #

%1



Device name: %4

Cache path: %6

Fields #

Name	Description
`Reason` UInt8
`FailStatus` HexInt32
`DeviceDescLength` UInt16
`DeviceDescription` UnicodeString
`ObjectPathLength` UInt16
`ObjectPath` UnicodeString

Event ID 28: ReadyBootPeriodicStats_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: ReadyBootPeriodicStats

Fields #

Name	Description
`Size` UInt32
`Data` Binary

Event ID 29: task_0

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Operational
Opcode: Info

Fields #

Name	Description
`SqmType` UInt32
`SqmSessionGuid` GUID
`SqmID` UInt32
`SqmStreamRowLength` UInt32
`SqmStreamRow` Int16

Event ID 30: ReadyBootCacheOp_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: ReadyBootCacheOp

Fields #

Name	Description
`Key` Pointer
`Operation` UInt32	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Flags` UInt32

Event ID 31: HbdrvIrpTag_V1

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: HbdrvIrpTag

Fields #

Name	Description
`VolumeOffset` UInt64
`Length` UInt32
`Read` UInt8
`Priority` UInt16
`PartialBmpHit` UInt8

Event ID 32: SyncCallStart

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: SyncCall
Opcode: Start

Fields #

Name	Description
`Key` Pointer

Event ID 33: SyncCallStop

Provider: Microsoft-Windows-ReadyBoostDriver
Channel: Analytic
Task: SyncCall
Opcode: Stop

Fields #

Name	Description
`Key` Pointer
`Flags` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {2A274310-42D5-4019-B816-E4B8C7ABE95C}

Defined in rdyboost.sys, the binary that emits these events.

Observed on:

Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.5074, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02

Downloads

Microsoft-Windows-ReadyBoostDriver registered manifest XML (in the Win11-26200.6584 manifest pack, 2.0 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)