Microsoft-Windows-ResumeKeyFilter

96 events across 3 channels

Event	Title	Channel	Sample
1000	The filter loaded successfully.	Operational	Y
1001	The filter was successfully attached to String.	Operational	N
1002	The resume database for String was loaded successfully.	Operational	N
1003	The filter received a dismount request for String.	Operational	N
1004	The re-mount request for String completed successfully.	Operational	N
1005	The filter was detached from String.	Operational	N
1006	The filter unloaded.	Operational	N
1007	The filter detected an incomplete failover recovery and purged the resume …	Operational	N
1008	The filter failed to attach to a volume because the volume supports short names …	Operational	N
1010	The filter detected that chkdsk has been run on volume String and has purged the …	Operational	N
1011	The filter detected that a volume snap shot may have been restored on volume …	Operational	N
1100	The creation of a bypass handle on file String completed successfully.	Analytic	N
1100	Event ID 1100	Operational	N
1101	The creation of a new resume handle Guid on file String completed successfully.	Analytic	N
1101	Event ID 1101	Operational	N
1102	The replay creation of resume handle Guid on file String completed successfully.	Analytic	N
1102	Event ID 1102	Operational	N
1103	The resume of handle Guid on file String started successfully.	Analytic	N
1103	Event ID 1103	Operational	N
1104	The resume of a handle on file name String1 was successfully reparsed to file …	Analytic	N
1104	Event ID 1104	Operational	N
1105	The resume of handle Guid on file String completed successfully.	Analytic	N
1105	Event ID 1105	Operational	N
1110	The resume handle Guid on file String was suspended.	Analytic	N
1110	Event ID 1110	Operational	N
1111	The resume handle ResumeKey on file String was timed out and cancelled.	Operational	N
1112	The resume handle Guid on file String was cancelled successfully.	Analytic	N
1112	Event ID 1112	Operational	N
1113	The resume handle Guid on file String was closed.	Analytic	N
1113	Event ID 1113	Operational	N
1114	The deferred delete of file String completed successfully.	Analytic	N
1114	Event ID 1114	Operational	N
1120	The filter delayed the creation of a handle on file String1 because the resume …	Operational	N
1121	The filter failed the creation of a handle on file String because the file has …	Operational	N
1122	The filter failed the creation of a handle on file String because the file is …	Operational	N
1123	The filter failed the creation of a handle on file String because the parent …	Operational	N
1124	The filter failed the creation of a handle on file String because the parent …	Operational	N
1130	The filter failed an oplock request on file String because the file has …	Analytic	N
1130	Event ID 1130	Operational	N
1131	The filter failed a write operation on file String because the file has …	Analytic	N
1131	Event ID 1131	Operational	N
1132	The filter failed a read operation on file String because the file has …	Analytic	N
1132	Event ID 1132	Operational	N
1133	The filter failed an exclusive byte range lock request on file String because …	Analytic	N
1133	Event ID 1133	Operational	N
1134	The filter failed a shared byte range lock request on file String because the …	Analytic	N
1134	Event ID 1134	Operational	N
1135	The filter failed the create of a hard link on file String because hard links …	Operational	N
1136	The filter failed the rename of an alternate data stream on file String because …	Operational	N
1137	The filter failed a rename replace to file String because this target file has …	Analytic	N
1137	Event ID 1137	Operational	N
1138	The filter failed a set end-of-file request on file String because the file has …	Analytic	N
1138	Event ID 1138	Operational	N
1139	The filter failed a set zero data request on file String because the file has …	Analytic	N
1139	Event ID 1139	Operational	N
1140	The filter failed a rename request on file String because the resume database …	Analytic	N
1140	Event ID 1140	Operational	N
1141	The filter failed a rename request on file String because the file has …	Analytic	N
1141	Event ID 1141	Operational	N
1142	The filter failed a copy offload read operation on file String because the file …	Analytic	N
1142	Event ID 1142	Operational	N
1143	The filter failed a copy offload write operation on file String because the file …	Analytic	N
1143	Event ID 1143	Operational	N
1144	The filter failed a file trim operation on file String because the file has …	Analytic	N
1144	Event ID 1144	Operational	N
1145	The filter failed a file set read only attribute operation on file String …	Analytic	N
1145	Event ID 1145	Operational	N
1150	The creation of a new resume handle on file String failed because the file has …	Operational	N
1151	The creation of a new handle on file String failed because the supersede of a …	Operational	N
2000	The filter failed to load with error status Status.	Operational	N
2001	The filter failed to attach to String with error status Status.	Operational	N
2002	The resume database for String failed to load with error status Status.	Operational	N
2004	The re-mount request for String failed with error status Status.	Operational	N
2100	The creation of a bypass handle on file String failed with error status Status.	Analytic	N
2100	Event ID 2100	Operational	N
2101	The creation of a new resume handle Guid on file String failed with error status …	Analytic	N
2101	Event ID 2101	Operational	N
2102	The replay creation of resume handle Guid on file String failed with error …	Analytic	N
2102	Event ID 2102	Operational	N
2103	The resume of handle Guid on file String failed with error status Status.	Operational	N
2104	The resume of a handle on file name String1 failed to reparse to a valid file …	Operational	N
2112	The resume handle Guid on file String failed to cancel with error status Status.	Analytic	N
2112	Event ID 2112	Operational	N
2114	The deferred delete of file String failed with error status Status.	Operational	N
4000	Event ID 4000	Operational	N
4000	Driver entry pre enter: FileObject FileObject (FileObjectName), MajorFunction …	Performance	N
4001	Event ID 4001	Operational	N
4001	Driver entry pre exit: FileObject FileObject, MajorFunction MajorFunction …	Performance	N
4002	Event ID 4002	Operational	N
4002	Driver entry post enter: FileObject FileObject, MajorFunction MajorFunction …	Performance	N
4003	Event ID 4003	Operational	N
4003	Driver entry post exit: FileObject FileObject, MajorFunction MajorFunction …	Performance	N
4010	Event ID 4010	Operational	N
4010	Log file enter: FileObject FileObject, MajorFunction MajorFunction …	Performance	N
4011	Event ID 4011	Operational	N
4011	Log file exit: FileObject FileObject, MajorFunction MajorFunction …	Performance	N

Event ID 1000: The filter loaded successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational
Level: Informational

Description

The filter loaded successfully.

Message #

The filter loaded successfully.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-ResumeKeyFilter",
    "guid": "{38EEA17B-DB1E-46FE-84D3-07034BEAAFD0}",
    "event_source_name": "",
    "event_id": 1000,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775807,
    "time_created": "2026-05-30T02:30:35.6593862+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 720
    },
    "channel": "Microsoft-Windows-ResumeKeyFilter/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Status": "0"
  },
  "message": "The filter loaded successfully."
}

Event ID 1001: The filter was successfully attached to String.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter was successfully attached to String.

Message #

The filter was successfully attached to %2.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1002: The resume database for String was loaded successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume database for String was loaded successfully. The load operation took Valuems to complete.

Message #

The resume database for %2 was loaded successfully. The load operation took %3ms to complete.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1003: The filter received a dismount request for String.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter received a dismount request for String.

Message #

The filter received a dismount request for %2.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1004: The re-mount request for String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The re-mount request for String completed successfully.

Message #

The re-mount request for %2 completed successfully.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1005: The filter was detached from String.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter was detached from String.

Message #

The filter was detached from %2.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1006: The filter unloaded.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter unloaded.

Message #

The filter unloaded.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1007: The filter detected an incomplete failover recovery and purged the resume database for String.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter detected an incomplete failover recovery and purged the resume database for String.

Message #

The filter detected an incomplete failover recovery and purged the resume database for %2.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1008: The filter failed to attach to a volume because the volume supports short names but the filter does not support short names.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed to attach to a volume because the volume supports short names but the filter does not support short names.

Message #

The filter failed to attach to a volume because the volume supports short names but the filter does not support short names.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 1010: The filter detected that chkdsk has been run on volume String and has purged the resume database.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter detected that chkdsk has been run on volume String and has purged the resume database.

Message #

The filter detected that chkdsk has been run on volume %2 and has purged the resume database.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1011: The filter detected that a volume snap shot may have been restored on volume String and has purged the resume database.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter detected that a volume snap shot may have been restored on volume String and has purged the resume database.

Message #

The filter detected that a volume snap shot may have been restored on volume %2 and has purged the resume database.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1100: The creation of a bypass handle on file String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The creation of a bypass handle on file String completed successfully.

Message #

The creation of a bypass handle on file %3 completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1100

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a bypass handle on file completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1101: The creation of a new resume handle Guid on file String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The creation of a new resume handle Guid on file String completed successfully.

Message #

The creation of a new resume handle %1 on file %3 completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1101

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a new resume handle on file completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1102: The replay creation of resume handle Guid on file String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The replay creation of resume handle Guid on file String completed successfully.

Message #

The replay creation of resume handle %1 on file %3 completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1102

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The replay creation of resume handle on file completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1103: The resume of handle Guid on file String started successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume of handle Guid on file String started successfully.

Message #

The resume of handle %1 on file %3 started successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1103

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume of handle on file started successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1104: The resume of a handle on file name String1 was successfully reparsed to file name String2.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume of a handle on file name String1 was successfully reparsed to file name String2.

Message #

The resume of a handle on file name %2 was successfully reparsed to file name %4.

Fields #

Name	Description
`String1Length` UInt16
`String1` UnicodeString
`String2Length` UInt16
`String2` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1104

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume of a handle on file name was successfully reparsed to file name .

Fields #

Name	Description
`String1Length` UInt16
`String1` UnicodeString
`String2Length` UInt16
`String2` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1105: The resume of handle Guid on file String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume of handle Guid on file String completed successfully.

Message #

The resume of handle %1 on file %3 completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1105

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume of handle on file completed successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1110: The resume handle Guid on file String was suspended.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume handle Guid on file String was suspended.

Message #

The resume handle %1 on file %3 was suspended.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1110

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume handle on file was suspended.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1111: The resume handle ResumeKey on file String was timed out and cancelled.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume handle ResumeKey on file String was timed out and cancelled.

Message #

The resume handle %1 on file %3 was timed out and cancelled.

Fields #

Name	Description
`ResumeKey` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference
`RfsKey` GUID
`NodeId` GUID
`AppId` GUID
`DesiredAccess` UInt32	Process access rights reference
`ShareMode` UInt32
`CreateOptions` UInt32
`FileAttribs` UInt32
`CreateDisp` UInt32

Event ID 1112: The resume handle Guid on file String was cancelled successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume handle Guid on file String was cancelled successfully.

Message #

The resume handle %1 on file %3 was cancelled successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1112

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume handle on file was cancelled successfully.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1113: The resume handle Guid on file String was closed.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume handle Guid on file String was closed.

Message #

The resume handle %1 on file %3 was closed.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1113

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume handle on file was closed.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 1114: The deferred delete of file String completed successfully.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The deferred delete of file String completed successfully.

Message #

The deferred delete of file %2 completed successfully.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1114

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The deferred delete of file completed successfully.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1120: The filter delayed the creation of a handle on file String1 because the resume database for the volume was still loading.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter delayed the creation of a handle on file String1 because the resume database for the volume was still loading.

Message #

The filter delayed the creation of a handle on file %2 because the resume database for the volume was still loading.

Fields #

Name	Description
`String1Length` UInt16
`String1` UnicodeString
`String2Length` UInt16
`String2` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1121: The filter failed the creation of a handle on file String because the file has pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the creation of a handle on file String because the file has pending resume handles.

Message #

The filter failed the creation of a handle on file %2 because the file has pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1122: The filter failed the creation of a handle on file String because the file is delete pending.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the creation of a handle on file String because the file is delete pending.

Message #

The filter failed the creation of a handle on file %2 because the file is delete pending.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1123: The filter failed the creation of a handle on file String because the parent directory has pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the creation of a handle on file String because the parent directory has pending resume handles.

Message #

The filter failed the creation of a handle on file %2 because the parent directory has pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1124: The filter failed the creation of a handle on file String because the parent directory is delete pending.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the creation of a handle on file String because the parent directory is delete pending.

Message #

The filter failed the creation of a handle on file %2 because the parent directory is delete pending.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1130: The filter failed an oplock request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed an oplock request on file String because the file has conflicting pending resume handles.

Message #

The filter failed an oplock request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1130

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed an oplock request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1131: The filter failed a write operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a write operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a write operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1131

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a write operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1132: The filter failed a read operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a read operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a read operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1132

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a read operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1133: The filter failed an exclusive byte range lock request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed an exclusive byte range lock request on file String because the file has conflicting pending resume handles.

Message #

The filter failed an exclusive byte range lock request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1133

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed an exclusive byte range lock request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1134: The filter failed a shared byte range lock request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a shared byte range lock request on file String because the file has conflicting pending resume handles.

Message #

The filter failed a shared byte range lock request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1134

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a shared byte range lock request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1135: The filter failed the create of a hard link on file String because hard links are not supported.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the create of a hard link on file String because hard links are not supported.

Message #

The filter failed the create of a hard link on file %2 because hard links are not supported.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1136: The filter failed the rename of an alternate data stream on file String because rename of alternate data streams is not supported.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed the rename of an alternate data stream on file String because rename of alternate data streams is not supported.

Message #

The filter failed the rename of an alternate data stream on file %2 because rename of alternate data streams is not supported.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1137: The filter failed a rename replace to file String because this target file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a rename replace to file String because this target file has conflicting pending resume handles.

Message #

The filter failed a rename replace to file %2 because this target file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1137

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a rename replace to file because this target file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1138: The filter failed a set end-of-file request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a set end-of-file request on file String because the file has conflicting pending resume handles.

Message #

The filter failed a set end-of-file request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1138

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a set end-of-file request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1139: The filter failed a set zero data request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a set zero data request on file String because the file has conflicting pending resume handles.

Message #

The filter failed a set zero data request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1139

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a set zero data request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1140: The filter failed a rename request on file String because the resume database was still being processed.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a rename request on file String because the resume database was still being processed.

Message #

The filter failed a rename request on file %2 because the resume database was still being processed.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1140

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a rename request on file because the resume database was still being processed.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1141: The filter failed a rename request on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a rename request on file String because the file has conflicting pending resume handles.

Message #

The filter failed a rename request on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1141

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a rename request on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1142: The filter failed a copy offload read operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a copy offload read operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a copy offload read operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1142

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a copy offload read operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1143: The filter failed a copy offload write operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a copy offload write operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a copy offload write operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1143

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a copy offload write operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1144: The filter failed a file trim operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a file trim operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a file trim operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1144

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a file trim operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1145: The filter failed a file set read only attribute operation on file String because the file has conflicting pending resume handles.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The filter failed a file set read only attribute operation on file String because the file has conflicting pending resume handles.

Message #

The filter failed a file set read only attribute operation on file %2 because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1145

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed a file set read only attribute operation on file because the file has conflicting pending resume handles.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1150: The creation of a new resume handle on file String failed because the file has hard links.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a new resume handle on file String failed because the file has hard links.

Message #

The creation of a new resume handle on file %2 failed because the file has hard links.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 1151: The creation of a new handle on file String failed because the supersede of a file that has open resume handles on Alternate Data Streams is not suppor...

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a new handle on file String failed because the supersede of a file that has open resume handles on Alternate Data Streams is not supported.

Message #

The creation of a new handle on file %2 failed because the supersede of a file that has open resume handles on Alternate Data Streams is not supported.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2000: The filter failed to load with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed to load with error status Status.

Message #

The filter failed to load with error status %1.

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 2001: The filter failed to attach to String with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The filter failed to attach to String with error status Status.

Message #

The filter failed to attach to %2 with error status %3.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2002: The resume database for String failed to load with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume database for String failed to load with error status Status. The load operation took Valuems to complete.

Message #

The resume database for %2 failed to load with error status %4. The load operation took %3ms to complete.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2004: The re-mount request for String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The re-mount request for String failed with error status Status.

Message #

The re-mount request for %2 failed with error status %3.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2100: The creation of a bypass handle on file String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The creation of a bypass handle on file String failed with error status Status.

Message #

The creation of a bypass handle on file %3 failed with error status %5.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2100

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a bypass handle on file failed with error status .

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2101: The creation of a new resume handle Guid on file String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The creation of a new resume handle Guid on file String failed with error status Status.

Message #

The creation of a new resume handle %1 on file %3 failed with error status %5.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2101

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The creation of a new resume handle on file failed with error status .

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2102: The replay creation of resume handle Guid on file String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The replay creation of resume handle Guid on file String failed with error status Status.

Message #

The replay creation of resume handle %1 on file %3 failed with error status %5.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2102

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The replay creation of resume handle on file failed with error status .

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2103: The resume of handle Guid on file String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume of handle Guid on file String failed with error status Status.

Message #

The resume of handle %1 on file %3 failed with error status %5.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2104: The resume of a handle on file name String1 failed to reparse to a valid file name with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume of a handle on file name String1 failed to reparse to a valid file name with error status Status.

Message #

The resume of a handle on file name %2 failed to reparse to a valid file name with error status %5.

Fields #

Name	Description
`String1Length` UInt16
`String1` UnicodeString
`String2Length` UInt16
`String2` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2112: The resume handle Guid on file String failed to cancel with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Analytic

Description

The resume handle Guid on file String failed to cancel with error status Status.

Message #

The resume handle %1 on file %3 failed to cancel with error status %5.

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2112

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The resume handle on file failed to cancel with error status .

Fields #

Name	Description
`Guid` GUID
`StringLength` UInt16
`String` UnicodeString
`Value` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 2114: The deferred delete of file String failed with error status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

The deferred delete of file String failed with error status Status.

Message #

The deferred delete of file %2 failed with error status %3.

Fields #

Name	Description
`StringLength` UInt16
`String` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 4000

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Driver entry pre enter: FileObject (), MajorFunction (), MinorFunction , ControlCode.

Fields #

Name	Description
`FileObject` UInt64
`FileObjectNameLength` UInt16
`FileObjectName` UnicodeString
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32

Event ID 4000: Driver entry pre enter: FileObject FileObject (FileObjectName), MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Driver entry pre enter: FileObject FileObject (FileObjectName), MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode.

Message #

Driver entry pre enter: FileObject %1 (%3), MajorFunction %4 (%5), MinorFunction %6, ControlCode %7

Fields #

Name	Description
`FileObject` UInt64
`FileObjectNameLength` UInt16
`FileObjectName` UnicodeString
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32

Event ID 4001

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Driver entry pre exit: FileObject , MajorFunction (), MinorFunction , ControlCode , Status , IoStatus , IoInformation , FltStatus.

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference
`IoStatus` UInt32
`IoInformation` UInt64
`FltStatus` UInt32

Event ID 4001: Driver entry pre exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, Status Status, IoStatus IoStatus, IoInformation ...

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Driver entry pre exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, Status Status, IoStatus IoStatus, IoInformation IoInformation, FltStatus FltStatus.

Message #

Driver entry pre exit: FileObject %1, MajorFunction %2 (%3), MinorFunction %4, ControlCode %5, Status %6, IoStatus %7, IoInformation %8, FltStatus %9

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference
`IoStatus` UInt32
`IoInformation` UInt64
`FltStatus` UInt32

Event ID 4002

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Driver entry post enter: FileObject , MajorFunction (), MinorFunction , ControlCode , IoStatus , IoInformation.

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`IoStatus` UInt32
`IoInformation` UInt64

Event ID 4002: Driver entry post enter: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, IoStatus IoStatus, IoInformation IoInformation.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Driver entry post enter: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, IoStatus IoStatus, IoInformation IoInformation.

Message #

Driver entry post enter: FileObject %1, MajorFunction %2 (%3), MinorFunction %4, ControlCode %5, IoStatus %6, IoInformation %7

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`IoStatus` UInt32
`IoInformation` UInt64

Event ID 4003

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Driver entry post exit: FileObject , MajorFunction (), MinorFunction , ControlCode , Status.

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 4003: Driver entry post exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, Status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Driver entry post exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), MinorFunction MinorFunction, ControlCode ControlCode, Status Status.

Message #

Driver entry post exit: FileObject %1, MajorFunction %2 (%3), MinorFunction %4, ControlCode %5, Status %6

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`MinorFunction` UInt8
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 4010

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Log file enter: FileObject , MajorFunction (), ControlCode , ByteOffset , Length.

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`ControlCode` UInt32
`ByteOffset` UInt64
`Length` UInt32

Event ID 4010: Log file enter: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), ControlCode ControlCode, ByteOffset ByteOffset, Length Length.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Log file enter: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), ControlCode ControlCode, ByteOffset ByteOffset, Length Length.

Message #

Log file enter: FileObject %1, MajorFunction %2 (%3), ControlCode %4, ByteOffset %5, Length %6

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`ControlCode` UInt32
`ByteOffset` UInt64
`Length` UInt32

Event ID 4011

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Operational

Description

Log file exit: FileObject , MajorFunction (), ControlCode , Status.

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 4011: Log file exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), ControlCode ControlCode, Status Status.

Provider: Microsoft-Windows-ResumeKeyFilter
Channel: Performance

Description

Log file exit: FileObject FileObject, MajorFunction MajorFunction (MajorFunctionName), ControlCode ControlCode, Status Status.

Message #

Log file exit: FileObject %1, MajorFunction %2 (%3), ControlCode %4, Status %5

Fields #

Name	Description
`FileObject` UInt64
`MajorFunction` UInt8
`MajorFunctionName` AnsiString
`ControlCode` UInt32
`Status` UInt32	NTSTATUS reference

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 38eea17b-db1e-46fe-84d3-07034beaafd0

Defined in ResumeKeyFilter.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02

Downloads

Microsoft-Windows-ResumeKeyFilter registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)