Microsoft-Windows-VolumeSnapshot-Driver

92 events across 2 channels

Event	Title	Channel	Sample
0	vs:PrepareStart	Analytic	N
1	vs:PrepareStop	Analytic	N
2	vs:PreExposureStart	Analytic	N
3	vs:PreExposureStop	Analytic	N
4	vs:AdjustBitmapStart	Analytic	N
5	vs:AdjustBitmapStop	Analytic	N
6	vs:EndCommitStart	Analytic	N
7	vs:EndCommitStop	Analytic	N
8	vs:ActivateStart	Analytic	N
9	vs:ActivateStop	Analytic	N
10	vs:SetIgnorableStart	Analytic	N
11	vs:SetIgnorableStop	Analytic	N
12	vs:IgnorableProductStart	Analytic	N
13	vs:IgnorableProductStop	Analytic	N
14	vs:DismountStart	Analytic	N
15	vs:DismountStop	Analytic	N
16	vs:RemountStart	Analytic	N
17	vs:RemountStop	Analytic	N
18	vs:DeleteProcessStart	Analytic	N
19	vs:DeleteProcessStop	Analytic	N
20	vs:RevertStart	Analytic	N
21	vs:RevertStop	Analytic	N
22	vs:ProtectedBitmapStart	Analytic	N
23	vs:ProtectedBitmapStop	Analytic	N
24	vs:FlushHoldFsStart	Analytic	N
25	vs:FlushHoldFsStop	Analytic	N
26	vs:ActivateLoopStart	Analytic	N
27	vs:ActivateLoopStop	Analytic	N
28	vs:ValidateFilesStart	Analytic	N
29	vs:ValidateFilesStop	Analytic	N
30	vs:VolumeSafeStart	Analytic	N
31	vs:VolumeSafeStop	Analytic	N
32	vs:DiscoverSnapshotsStart	Analytic	N
33	vs:DiscoverSnapshotsStop	Analytic	N
100	The volume snapshot driver has begun processing for volume online.	Operational	Y
101	The volume snapshot driver has completed processing for volume online.	Operational	Y
102	The volume snapshot driver encountered an error while performing processing for …	Operational	N
103	Activation of discovered snapshots began.	Operational	Y
104	Activation of discovered snapshots completed.	Operational	Y
105	Activation of discovered snapshots encountered an error.	Operational	N
106	A persistent snapshot was activated.	Operational	Y
107	Reading of a snapshot diff area's metadata began.	Operational	Y
108	Reading of a snapshot diff area's metadata completed.	Operational	Y
109	Reading of a snapshot diff area's metadata encountered an error.	Operational	N
110	Validation of diff area files began.	Operational	Y
111	Validation of diff area files completed.	Operational	Y
112	Validation of diff area files encountered an error.	Operational	N
113	The volume is preparing to be taken offline.	Operational	N
114	The volume snapshot driver has begun processing for dismount.	Operational	Y
115	The volume snapshot driver has completed processing for dismount.	Operational	Y
116	The volume snapshot driver has begun processing for volume offline.	Operational	Y
117	The volume snapshot driver has completed processing for volume offline.	Operational	Y
118	The volume snapshot driver encountered an error while performing processing for …	Operational	N
119	The volume snapshot driver encountered an error while performing processing for …	Operational	N
120	Activation of discovered snapshots took too long and was aborted.	Operational	N
121	The volume snapshot driver was unable to log an event to the legacy System event …	Operational	N
122	The volume snapshot driver encountered an error when attempting to determine …	Operational	N
123	Persistent snapshots are not supported on this edition of Windows.	Operational	N
1000	PrepareForSnapshot (Enter)	Analytic	N
1001	PrepareForSnapshot (Leave)	Analytic	N
1002	PreExposure (Enter)	Analytic	N
1003	PreExposure (Leave)	Analytic	N
1004	AdjustBitmap (Enter)	Analytic	N
1005	AdjustBitmap (Leave)	Analytic	N
1006	EndCommit (Enter)	Analytic	N
1007	EndCommit (Leave)	Analytic	N
1008	Activate (Enter)	Analytic	N
1009	Activate (Leave)	Analytic	N
1010	SetIgnorable (Enter)	Analytic	N
1011	SetIgnorable (Leave)	Analytic	N
1012	ComputeIgnorableProduct (Enter)	Analytic	N
1013	ComputeIgnorableProduct (Leave)	Analytic	N
1014	Dismount (Enter)	Analytic	N
1015	Dismount (Leave)	Analytic	N
1016	Remount (Enter)	Analytic	N
1017	Remount (Leave)	Analytic	N
1018	DeleteProcess (Enter)	Analytic	N
1019	DeleteProcess (Leave)	Analytic	N
1020	Revert (Enter)	Analytic	N
1021	Revert (Leave)	Analytic	N
1022	ComputeProtectedBitmap (Enter)	Analytic	N
1023	ComputeProtectedBitmap (Leave)	Analytic	N
1024	FlushHoldFs (Enter)	Analytic	N
1025	FlushHoldFs (Leave)	Analytic	N
1026	ActivateLoop (Enter)	Analytic	N
1027	ActivateLoop (Leave)	Analytic	N
1028	ValidateDiffAreaFiles (Enter)	Analytic	N
1029	ValidateDiffAreaFiles (Leave)	Analytic	N
1030	VolumesSafeForWrite (Enter)	Analytic	N
1031	VolumesSafeForWrite (Leave)	Analytic	N
1032	DiscoverSnapshots (Enter)	Analytic	N
1033	DiscoverSnapshots (Leave)	Analytic	N

Event ID 0: vs:PrepareStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Prepare
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 1: vs:PrepareStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Prepare
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 2: vs:PreExposureStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:PreExposure
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 3: vs:PreExposureStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:PreExposure
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 4: vs:AdjustBitmapStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:AdjustBitmap
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 5: vs:AdjustBitmapStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:AdjustBitmap
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 6: vs:EndCommitStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:EndCommit
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 7: vs:EndCommitStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:EndCommit
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 8: vs:ActivateStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Activate
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 9: vs:ActivateStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Activate
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 10: vs:SetIgnorableStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:SetIgnorable
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 11: vs:SetIgnorableStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:SetIgnorable
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 12: vs:IgnorableProductStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:IgnorableProduct
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 13: vs:IgnorableProductStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:IgnorableProduct
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`SnapshotGuid` GUID

Event ID 14: vs:DismountStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Dismount
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 15: vs:DismountStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Dismount
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 16: vs:RemountStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Remount
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 17: vs:RemountStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Remount
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 18: vs:DeleteProcessStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DeleteProcess
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 19: vs:DeleteProcessStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DeleteProcess
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 20: vs:RevertStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Revert
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 21: vs:RevertStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Revert
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 22: vs:ProtectedBitmapStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ProtectedBitmap
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 23: vs:ProtectedBitmapStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ProtectedBitmap
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 24: vs:FlushHoldFsStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:FlushHoldFs
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 25: vs:FlushHoldFsStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:FlushHoldFs
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 26: vs:ActivateLoopStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ActivateLoop
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 27: vs:ActivateLoopStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ActivateLoop
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 28: vs:ValidateFilesStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ValidateFiles
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 29: vs:ValidateFilesStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ValidateFiles
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 30: vs:VolumeSafeStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:VolumeSafe
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 31: vs:VolumeSafeStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:VolumeSafe
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32

Event ID 32: vs:DiscoverSnapshotsStart

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DiscoverSnapshots
Opcode: Start

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 33: vs:DiscoverSnapshotsStop

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DiscoverSnapshots
Opcode: Stop

Fields #

Name	Description
`RealThreadID` UInt32
`VolumeGuid` GUID

Event ID 100: The volume snapshot driver has begun processing for volume online.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

The volume snapshot driver has begun processing for volume online.

Message #

The volume snapshot driver has begun processing for volume online.

Volume GUID: %1

Guidance:
When a volume is brought online the volume snapshot driver scans for any persistent snapshots that may be on the volume.

You should expect this event when a volume is brought online.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "{67FE2216-727A-40CB-94B2-C02211EDB34A}",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-29T16:32:44.8324115+00:00",
    "event_record_id": 91,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 196
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "{77ac4d73-0000-0000-0000-100000000000}",
    "SourceFile": "0x1",
    "SourceLine": "38521",
    "SourceTag": "124"
  },
  "message": "The volume snapshot driver has begun processing for volume online.\r\n\r\nVolume GUID: {77ac4d73-0000-0000-0000-100000000000}\r\n\r\nGuidance:\r\nWhen a volume is brought online the volume snapshot driver scans for any persistent snapshots that may be on the volume.\r\n\r\nYou should expect this event when a volume is brought online.  No user action is required."
}

Event ID 101: The volume snapshot driver has completed processing for volume online.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

The volume snapshot driver has completed processing for volume online.

Message #

The volume snapshot driver has completed processing for volume online.

Volume GUID: %1

Guidance:
The volume snapshot driver was able to scan for any persistent snapshots on this volume.

You should expect this event when a volume is brought online.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "{67FE2216-727A-40CB-94B2-C02211EDB34A}",
    "event_source_name": "",
    "event_id": 101,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-29T16:32:44.9120058+00:00",
    "event_record_id": 98,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 200
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "{77ac4d73-0000-0000-0000-100000000000}",
    "SourceFile": "0x1",
    "SourceLine": "39103",
    "SourceTag": "129"
  },
  "message": "The volume snapshot driver has completed processing for volume online.\r\n\r\nVolume GUID: {77ac4d73-0000-0000-0000-100000000000}\r\n\r\nGuidance:\r\nThe volume snapshot driver was able to scan for any persistent snapshots on this volume.\r\n\r\nYou should expect this event when a volume is brought online.  No user action is required."
}

Event ID 102: The volume snapshot driver encountered an error while performing processing for volume online.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

The volume snapshot driver encountered an error while performing processing for volume online.

Message #

The volume snapshot driver encountered an error while performing processing for volume online.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online the volume snapshot driver scans for any persistent snapshots that may be on the volume.  In case of an error this scan is not performed.  The error may have originated in storage drivers beneath the volume snapshot driver; check their logs.

If the error is STATUS_DEVICE_NOT_CONNECTED this means the volume is in snapshot protection mode and has been taken offline to prevent loss of snapshots.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`Error` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 103: Activation of discovered snapshots began.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

Activation of discovered snapshots began.

Message #

Activation of discovered snapshots began.

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.

You should expect this event when a volume is brought online or reverted to a snapshot.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:09.486348+00:00",
    "event_record_id": 184,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 352
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "CE657EBB-70C7-4B8B-A13F-FF11B9725249",
    "SourceFile": "0x1",
    "SourceLine": 22127,
    "SourceTag": 93
  },
  "message": ""
}

Event ID 104: Activation of discovered snapshots completed.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

Activation of discovered snapshots completed.

Message #

Activation of discovered snapshots completed.

Volume GUID: %1
Total Number of Snapshots Found: %2
Number of Snapshots Marked for Delete: %3
Number of Visible Snapshots Found: %4

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  Some snapshots may be marked 'visible', meaning they were exposed as a local volume or file share.  Some detected snapshots may be marked 'deleted', meaning they are no longer available for use and their diff area space will be reclaimed when all older snapshots are deleted.  Look for instances of event 106 to see each snapshot that was discovered and whether it was 'visible' or 'deleted'.

You should expect this event when a volume is brought online or reverted to a snapshot.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SnapshotCount` UInt32
`CountDeleted` UInt32
`CountVisible` UInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:09.508914+00:00",
    "event_record_id": 190,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 352
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "CE657EBB-70C7-4B8B-A13F-FF11B9725249",
    "SnapshotCount": 3,
    "CountDeleted": 0,
    "CountVisible": 0,
    "SourceFile": "0x1",
    "SourceLine": 23009,
    "SourceTag": 107
  },
  "message": ""
}

Event ID 105: Activation of discovered snapshots encountered an error.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

Activation of discovered snapshots encountered an error.

Message #

Activation of discovered snapshots encountered an error.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  Unless the volume is in snapshot protection mode or the error code indicates the volume is offline, a failure during this process results in loss of all snapshots on the volume.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`Error` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 106: A persistent snapshot was activated.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Info

Description

A persistent snapshot was activated.

Message #

A persistent snapshot was activated.

Volume GUID: %1
Snapshot GUID: %2
Snapshot Marked Deleted: %3
Snapshot Visible: %4
Snapshot Commit Timestamp: %5

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  If the snapshot is 'visible', it was exposed as a local volume or file share.  If the snapshot is 'deleted', it is no longer available for use and its diff area space will be reclaimed when all older snapshots are deleted.

You should expect this event when a volume containing persistent snapshots is brought online or reverted to a snapshot.  If all discovered snapshots are successfully activated you should expect event 104, otherwise you will see event 105.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`Deleted` Boolean
`Visible` Boolean
`CommitTime` SYSTEMTIME
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 106,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:27:09.499366+00:00",
    "event_record_id": 189,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 352
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "CE657EBB-70C7-4B8B-A13F-FF11B9725249",
    "SnapshotGuid": "465863F8-1B56-11F1-9FBF-C6B26F270F0B",
    "Deleted": false,
    "Visible": false,
    "CommitTime": "2026-03-11T03:42:04.594000Z",
    "SourceFile": "0x1",
    "SourceLine": 20745,
    "SourceTag": 92
  },
  "message": ""
}

Event ID 107: Reading of a snapshot diff area's metadata began.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

Reading of a snapshot diff area's metadata began.

Message #

Reading of a snapshot diff area's metadata began.

Volume GUID: %1
Snapshot GUID: %2

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.

You should expect this event when a volume is brought online, reverted to a snapshot, or when reading from a persistent snapshot for the first time after bringing a volume online.  This event may also occur if a volume is dismounted that contains snapshots that have not been read since the volume was brought online.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 107,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:28:15.280120+00:00",
    "event_record_id": 192,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "CE657EBB-70C7-4B8B-A13F-FF11B9725249",
    "SnapshotGuid": "465845A3-1B56-11F1-9FBF-C6B26F270F0B",
    "SourceFile": "0x7",
    "SourceLine": 4286,
    "SourceTag": 84
  },
  "message": ""
}

Event ID 108: Reading of a snapshot diff area's metadata completed.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

Reading of a snapshot diff area's metadata completed.

Message #

Reading of a snapshot diff area's metadata completed.

Volume GUID: %1
Snapshot GUID: %2
Count of 1MB Reads: %3
Count of 16KB Reads: %4
Diff Area Metadata Size: %5 Bytes
Total Data Read: %6 Bytes

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.  The size of the diff area metadata may be less than the total number of bytes read if the diff area is discontiguous on disk.

You should expect this event when a volume is brought online, reverted to a snapshot, or when reading from a persistent snapshot for the first time after bringing a volume online.  This event may also occur if a volume is dismounted that contains snapshots that have not been read since the volume was brought online.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`LargeReadCount` UInt32
`SmallReadCount` UInt32
`TableDataBytes` UInt64
`TotalBytesRead` UInt64
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 108,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:28:15.323019+00:00",
    "event_record_id": 193,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "CE657EBB-70C7-4B8B-A13F-FF11B9725249",
    "SnapshotGuid": "465845A3-1B56-11F1-9FBF-C6B26F270F0B",
    "LargeReadCount": 3,
    "SmallReadCount": 2,
    "TableDataBytes": 3162112,
    "TotalBytesRead": 3178496,
    "SourceFile": "0x7",
    "SourceLine": 4683,
    "SourceTag": 89
  },
  "message": ""
}

Event ID 109: Reading of a snapshot diff area's metadata encountered an error.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

Reading of a snapshot diff area's metadata encountered an error.

Message #

Reading of a snapshot diff area's metadata encountered an error.

Error: %3

Volume GUID: %1
Snapshot GUID: %2
Count of 1MB Reads: %4
Count of 16KB Reads: %5
Amount of Diff Area Metadata Read: %6 Bytes
Total Data Read: %7 Bytes

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver reads the diff area for the most-recent persistent snapshot (if any).  The diff area for earlier persistent snapshots is typically read the first time the snapshot is read from.  Unless the volume is in snapshot protection mode, a failure during this process results in loss of all snapshots on the volume.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`Error` HexInt32
`LargeReadCount` UInt32
`SmallReadCount` UInt32
`TableDataBytes` UInt64
`TotalBytesRead` UInt64
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 110: Validation of diff area files began.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

Validation of diff area files began.

Message #

Validation of diff area files began.

Volume GUID: %1

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.

You should expect this event when mounting a volume.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "{67FE2216-727A-40CB-94B2-C02211EDB34A}",
    "event_source_name": "",
    "event_id": 110,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-30T02:25:57.1550528+00:00",
    "event_record_id": 110,
    "correlation": {
      "ActivityID": "{711F4B45-D577-44CE-BE9F-CD60AE82F8E8}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 3544
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "{df5f85cf-0000-0000-0000-010000000000}",
    "SourceFile": "0x1",
    "SourceLine": "37361",
    "SourceTag": "116"
  },
  "message": "Validation of diff area files began.\r\n\r\nVolume GUID: {df5f85cf-0000-0000-0000-010000000000}\r\n\r\nGuidance:\r\nWhen a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.\r\n\r\nYou should expect this event when mounting a volume.  No user action is required."
}

Event ID 111: Validation of diff area files completed.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

Validation of diff area files completed.

Message #

Validation of diff area files completed.

Number of Diff Areas: %2

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.

You should expect this event when mounting a volume.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`DiffAreaCount` UInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "{67FE2216-727A-40CB-94B2-C02211EDB34A}",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-30T02:25:57.1673438+00:00",
    "event_record_id": 111,
    "correlation": {
      "ActivityID": "{711F4B45-D577-44CE-BE9F-CD60AE82F8E8}"
    },
    "execution": {
      "process_id": 4,
      "thread_id": 3544
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "{df5f85cf-0000-0000-0000-010000000000}",
    "DiffAreaCount": "1",
    "SourceFile": "0x1",
    "SourceLine": "37372",
    "SourceTag": "117"
  },
  "message": "Validation of diff area files completed.\r\n\r\nNumber of Diff Areas: 1\r\n\r\nGuidance:\r\nWhen a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.\r\n\r\nYou should expect this event when mounting a volume.  No user action is required."
}

Event ID 112: Validation of diff area files encountered an error.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

Validation of diff area files encountered an error.

Message #

Validation of diff area files encountered an error.

Error: %2

Volume GUID: %1

Guidance:
When a volume is mounted, the volume snapshot driver reads and validates all the diff area files located on the volume.  These diff area files may be for persistent snapshots of the volume being mounted, or for persistent snapshots of other volumes.  A failure during this process results in loss of all snapshots whose diff area files are located on the volume, unless those snapshots are of volumes that are in snapshot protection mode.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`Error` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 113: The volume is preparing to be taken offline.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Info

Description

The volume is preparing to be taken offline.

Message #

The volume is preparing to be taken offline.

Volume GUID: %1

Guidance:
Some system services, such as the cluster service, inform the volume snapshot driver when they are about to take the volume offline.

You should expect this event when an entity such as the cluster service prepares to take a volume offline.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 114: The volume snapshot driver has begun processing for dismount.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

The volume snapshot driver has begun processing for dismount.

Message #

The volume snapshot driver has begun processing for dismount.

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

You should expect this event when a volume dismounts.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 114,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T16:45:03.737710+00:00",
    "event_record_id": 9,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 32
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "E856EAFF-60EA-4D9C-8467-32D0B50DBFFC",
    "SourceFile": "0x1",
    "SourceLine": 37521,
    "SourceTag": 119
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 115: The volume snapshot driver has completed processing for dismount.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

The volume snapshot driver has completed processing for dismount.

Message #

The volume snapshot driver has completed processing for dismount.

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

You should expect this event when a volume dismounts.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 115,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2022-04-07T16:45:03.737712+00:00",
    "event_record_id": 10,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 32
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "E856EAFF-60EA-4D9C-8467-32D0B50DBFFC",
    "SourceFile": "0x1",
    "SourceLine": 38322,
    "SourceTag": 122
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 116: The volume snapshot driver has begun processing for volume offline.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Start

Description

The volume snapshot driver has begun processing for volume offline.

Message #

The volume snapshot driver has begun processing for volume offline.

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

You should expect this event when a volume is taken offline.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 116,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 1,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:08:10.764027+00:00",
    "event_record_id": 113,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4464
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "E3E83FDF-1F17-11F1-9FBA-010101010000",
    "SourceFile": "0x1",
    "SourceLine": 34284,
    "SourceTag": 113
  },
  "message": ""
}

Event ID 117: The volume snapshot driver has completed processing for volume offline.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Level: Informational
Opcode: Stop

Description

The volume snapshot driver has completed processing for volume offline.

Message #

The volume snapshot driver has completed processing for volume offline.

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

You should expect this event when a volume is taken offline.  No user action is required.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-VolumeSnapshot-Driver",
    "guid": "67FE2216-727A-40CB-94B2-C02211EDB34A",
    "event_source_name": "",
    "event_id": 117,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 2,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T20:08:10.764058+00:00",
    "event_record_id": 114,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4464
    },
    "channel": "Microsoft-Windows-VolumeSnapshot-Driver/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetVolumeGuid": "E3E83FDF-1F17-11F1-9FBA-010101010000",
    "SourceFile": "0x1",
    "SourceLine": 34312,
    "SourceTag": 114
  },
  "message": ""
}

Event ID 118: The volume snapshot driver encountered an error while performing processing for volume offline.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

The volume snapshot driver encountered an error while performing processing for volume offline.

Message #

The volume snapshot driver encountered an error while performing processing for volume offline.

Error: %2

Volume GUID: %1

Guidance:
When a volume is taken offline, the volume snapshot driver disables any persistent snapshots that still exist for the volume (autorelease snapshots were deleted when the volume was dismounted).  Snapshots of other volumes whose diff areas are on the offlining volume are destroyed, unless those volumes are in snapshot protection mode.  In that case those volumes are taken offline.

If the error is STATUS_INSUFFICIENT_RESOURCES (0xc000009a), the volume snapshot driver may have been unable to allocate memory.  Other error codes originate from lower drivers.  Please check their log(s) for further information.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`Error` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 119: The volume snapshot driver encountered an error while performing processing for dismount.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

The volume snapshot driver encountered an error while performing processing for dismount.

Message #

The volume snapshot driver encountered an error while performing processing for dismount.

Error: %3
Error Details: %2

Volume GUID: %1

Guidance:
When a volume is dismounted, the volume snapshot driver closes any handles it may have open on the dismounting volume, such as handles to diff areas.  All auto-release snapshots that have diff areas on the dismounting volume are deleted at this time. The volume snapshot driver may also perform some work to detect whether any future direct writes to the volume are to diff area space for persistent snapshots.  If such writes occur this detection work allows the volume snapshot driver to destroy the snapshots, since the direct volume writes may corrupt them.

A failure during this process results in loss of all snapshots whose diff area files are located on the volume, unless those snapshots are of volumes that are in snapshot protection mode.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`PersistentDeleteReason` UInt16
`PersistentDeleteStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 120: Activation of discovered snapshots took too long and was aborted.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Stop

Description

Activation of discovered snapshots took too long and was aborted.

Message #

Activation of discovered snapshots took too long and was aborted.

Volume GUID: %1
Timeout Value (in seconds): %2

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  This process took longer than the amount of time allowed on this system, so activation has been aborted.  Unless the volume is in snapshot protection mode, all snapshots on this volume have been deleted.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`TimeoutInSeconds` UInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 121: The volume snapshot driver was unable to log an event to the legacy System event log.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Info

Description

The volume snapshot driver was unable to log an event to the legacy System event log.

Message #

The volume snapshot driver was unable to log an event to the legacy System event log.

Volume Name: %2
Diff Volume Name (if applicable): %4
Original Error Event Code: %5
Original Error Status: %6
Cause of Logging Failure:%10

Fields #

Name	Description
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`DiffVolumeNameLength` UInt16
`DiffVolumeName` UnicodeString
`OriginalErrorLogCode` UInt32
`OriginalErrorStatus` HexInt32
`OriginalSourceFile` HexInt32
`OriginalSourceLine` UInt16
`OriginalSourceTag` UInt32
`ErrorStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 122: The volume snapshot driver encountered an error when attempting to determine whether the volume is clustered.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Info

Description

The volume snapshot driver encountered an error when attempting to determine whether the volume is clustered.

Message #

The volume snapshot driver encountered an error when attempting to determine whether the volume is clustered.

Error: %2

Volume GUID: %1

Guidance:
When a volume is brought online or reverted to a snapshot, the volume snapshot driver scans for and activates any persistent snapshots that may be on the volume.  This process attempts to determine whether the volume is part of a cluster shared resource, but the query to determine this failed.

This error does not indicate that any snapshots have been deleted.  You should expect this event if the volume is on a dynamic disk or is managed by a third-party volume manager.

Fields #

Name	Description
`TargetVolumeGuid` GUID
`Error` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 123: Persistent snapshots are not supported on this edition of Windows.

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Operational
Opcode: Info

Description

Persistent snapshots are not supported on this edition of Windows.

Message #

Persistent snapshots are not supported on this edition of Windows.

Guidance:
This edition of Windows does not support creation of persistent snapshots.  Autorelease snapshots are supported.

Fields #

Name	Description
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1000: PrepareForSnapshot (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Prepare
Opcode: Start

Description

PrepareForSnapshot (Enter).

Message #

PrepareForSnapshot (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1001: PrepareForSnapshot (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Prepare
Opcode: Stop

Description

PrepareForSnapshot (Leave).

Message #

PrepareForSnapshot (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1002: PreExposure (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:PreExposure
Opcode: Start

Description

PreExposure (Enter).

Message #

PreExposure (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1003: PreExposure (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:PreExposure
Opcode: Stop

Description

PreExposure (Leave).

Message #

PreExposure (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1004: AdjustBitmap (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:AdjustBitmap
Opcode: Start

Description

AdjustBitmap (Enter).

Message #

AdjustBitmap (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1005: AdjustBitmap (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:AdjustBitmap
Opcode: Stop

Description

AdjustBitmap (Leave).

Message #

AdjustBitmap (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1006: EndCommit (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:EndCommit
Opcode: Start

Description

EndCommit (Enter).

Message #

EndCommit (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1007: EndCommit (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:EndCommit
Opcode: Stop

Description

EndCommit (Leave).

Message #

EndCommit (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1008: Activate (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Activate
Opcode: Start

Description

Activate (Enter).

Message #

Activate (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1009: Activate (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Activate
Opcode: Stop

Description

Activate (Leave).

Message #

Activate (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1010: SetIgnorable (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:SetIgnorable
Opcode: Start

Description

SetIgnorable (Enter).

Message #

SetIgnorable (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1011: SetIgnorable (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:SetIgnorable
Opcode: Stop

Description

SetIgnorable (Leave).

Message #

SetIgnorable (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1012: ComputeIgnorableProduct (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:IgnorableProduct
Opcode: Start

Description

ComputeIgnorableProduct (Enter).

Message #

ComputeIgnorableProduct (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1013: ComputeIgnorableProduct (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:IgnorableProduct
Opcode: Stop

Description

ComputeIgnorableProduct (Leave).

Message #

ComputeIgnorableProduct (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1014: Dismount (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Dismount
Opcode: Start

Description

Dismount (Enter).

Message #

Dismount (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1015: Dismount (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Dismount
Opcode: Stop

Description

Dismount (Leave).

Message #

Dismount (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1016: Remount (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Remount
Opcode: Start

Description

Remount (Enter).

Message #

Remount (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1017: Remount (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Remount
Opcode: Stop

Description

Remount (Leave).

Message #

Remount (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1018: DeleteProcess (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DeleteProcess
Opcode: Start

Description

DeleteProcess (Enter).

Message #

DeleteProcess (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1019: DeleteProcess (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DeleteProcess
Opcode: Stop

Description

DeleteProcess (Leave).

Message #

DeleteProcess (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1020: Revert (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Revert
Opcode: Start

Description

Revert (Enter).

Message #

Revert (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1021: Revert (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:Revert
Opcode: Stop

Description

Revert (Leave).

Message #

Revert (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1022: ComputeProtectedBitmap (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ProtectedBitmap
Opcode: Start

Description

ComputeProtectedBitmap (Enter).

Message #

ComputeProtectedBitmap (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1023: ComputeProtectedBitmap (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ProtectedBitmap
Opcode: Stop

Description

ComputeProtectedBitmap (Leave).

Message #

ComputeProtectedBitmap (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1024: FlushHoldFs (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:FlushHoldFs
Opcode: Start

Description

FlushHoldFs (Enter).

Message #

FlushHoldFs (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1025: FlushHoldFs (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:FlushHoldFs
Opcode: Stop

Description

FlushHoldFs (Leave).

Message #

FlushHoldFs (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1026: ActivateLoop (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ActivateLoop
Opcode: Start

Description

ActivateLoop (Enter).

Message #

ActivateLoop (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1027: ActivateLoop (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ActivateLoop
Opcode: Stop

Description

ActivateLoop (Leave).

Message #

ActivateLoop (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1028: ValidateDiffAreaFiles (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ValidateFiles
Opcode: Start

Description

ValidateDiffAreaFiles (Enter).

Message #

ValidateDiffAreaFiles (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1029: ValidateDiffAreaFiles (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:ValidateFiles
Opcode: Stop

Description

ValidateDiffAreaFiles (Leave).

Message #

ValidateDiffAreaFiles (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1030: VolumesSafeForWrite (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:VolumeSafe
Opcode: Start

Description

VolumesSafeForWrite (Enter).

Message #

VolumesSafeForWrite (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1031: VolumesSafeForWrite (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:VolumeSafe
Opcode: Stop

Description

VolumesSafeForWrite (Leave).

Message #

VolumesSafeForWrite (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1032: DiscoverSnapshots (Enter)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DiscoverSnapshots
Opcode: Start

Description

DiscoverSnapshots (Enter).

Message #

DiscoverSnapshots (Enter)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Event ID 1033: DiscoverSnapshots (Leave)

Provider: Microsoft-Windows-VolumeSnapshot-Driver
Channel: Analytic
Task: vs:DiscoverSnapshots
Opcode: Stop

Description

DiscoverSnapshots (Leave).

Message #

DiscoverSnapshots (Leave)

Fields #

Name	Description
`DiagPrefixLength` UInt16
`DiagPrefix` UnicodeString
`VolumeNameLength` UInt16
`VolumeName` UnicodeString
`TargetVolumeGuid` GUID
`SnapshotGuid` GUID
`ExitStatus` HexInt32
`SourceFile` HexInt32
`SourceLine` UInt16
`SourceTag` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 67fe2216-727a-40cb-94b2-c02211edb34a

Defined in volsnap.sys, the binary that emits these events.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)