Microsoft-Windows-StorageVolume
5 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1001 | Volume arrived: volume VolumeNumber disk DiskNumber offset PartitionOffset. | Operational | Y |
| 1002 | Volume removed: volume VolumeNumber disk DiskNumber offset PartitionOffset … | Operational | N |
| 1003 | Spaces conversion started: volume VolumeNumber disk DiskNumber offset … | Operational | N |
| 1004 | Spaces conversion cancelled: volume VolumeNumber disk DiskNumber offset … | Operational | N |
| 1005 | Spaces conversion complete: volume VolumeNumber disk DiskNumber offset … | Operational | N |
Event ID 1001: Volume arrived: volume VolumeNumber disk DiskNumber offset PartitionOffset.
Description
Volume arrived: volume VolumeNumber disk DiskNumber offset PartitionOffset.
Message
Fields
| Name | Type | Description |
|---|---|---|
| VolumeNumber | UInt32 | |
| DiskInstancePath | UnicodeString | |
| DiskNumber | UInt32 | |
| PartitionOffset | UInt64 | |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-StorageVolume",
    "event_id": 1001,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:31:43.2940676+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "Microsoft-Windows-StorageVolume"
  },
  "event_data": {
    "VolumeNumber": "5",
    "DiskNumber": "0",
    "DiskInstancePath": "SCSI\\Disk&Ven_Red_Hat&Prod_VirtIO\\4&27142409&0&000000",
    "PartitionOffset": "267658461184"
  }
}
```
Event ID 1002: Volume removed: volume VolumeNumber disk DiskNumber offset PartitionOffset deleted Deleted.
Event ID 1003: Spaces conversion started: volume VolumeNumber disk DiskNumber offset PartitionOffset.
Event ID 1004: Spaces conversion cancelled: volume VolumeNumber disk DiskNumber offset PartitionOffset.
Event ID 1005: Spaces conversion complete: volume VolumeNumber disk DiskNumber offset PartitionOffset.
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID c8127b86-e611-5638-63f4-ae37539084d2
Defined in volmgr.sys, the binary that emits these events.
Observed on:
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02