mrcbt

63 events across 1 channel

Event	Title	Channel	Sample
1	Driver Loaded version.	Unknown	N
2	Driver Unloaded	Unknown	N
3	The $LogFile restart count has changed on device DeviceName.	Unknown	N
4	Successfully attached to device DeviceName.	Unknown	N
5	Device DeviceName has been stopped (IRP_MN_STOP_DEVICE).	Unknown	N
6	Device DeviceName has been removed (IRP_MN_REMOVE_DEVICE).	Unknown	N
7	Device DeviceName has been surprise removed (IRP_MN_SURPRISE_REMOVAL).	Unknown	N
8	Tracking has been enabled on device DeviceName.	Unknown	N
9	Tracking has been disabled on device DeviceName.	Unknown	N
10	MRCBT has detected that Raxco Perfectdisk DefragFs has been scheduled to perform …	Unknown	N
11	Failed to enable tracking on device DeviceName.	Unknown	N
12	IRP_MJ_SHUTDOWN received on device DeviceName.	Unknown	N
13	IOCTL_MRCBT_QUERY_VOLUME_TRACKING_INFORMATION failed on device DeviceName with …	Unknown	N
14	Invalidating boot sector on device DeviceName.	Unknown	N
15	The NTFS $LogFile has been reset.	Unknown	N
16	Failed to allocate file buffer with size ReferenceCount for device DeviceName.	Unknown	N
17	Reading boot sector on device DeviceName.	Unknown	N
18	The file-system on device DeviceName is not supported.	Unknown	N
19	The volume DeviceName is offline.	Unknown	N
20	The file-system on device DeviceName is locked.	Unknown	N
21	Failed to create log file with status ErrorCode.	Unknown	N
1000	Received GUID_TARGET_DEVICE_REMOVE_COMPLETE for device DeviceName with …	Unknown	N
1001	Received GUID_IO_VOLUME_MOUNT for device DeviceName.	Unknown	N
1002	Received GUID_IO_VOLUME_DISMOUNT for device DeviceName.	Unknown	N
1003	Received GUID_IO_VOLUME_PHYSICAL_CONFIGURATION_CHANGE for device DeviceName.	Unknown	N
1004	Failed to initialize the tracking file on device DeviceName.	Unknown	N
1005	PlugPlay notification has been registered for device DeviceName with …	Unknown	N
1006	PlugPlay notification has been unregistered for device DeviceName with …	Unknown	N
1007	Received GUID_IO_VOLUME_LOCK_FAILED for device DeviceName.	Unknown	N
1008	Received GUID_IO_VOLUME_UNLOCK for device DeviceName.	Unknown	N
1009	Received GUID_TARGET_DEVICE_REMOVE_CANCELLED for device DeviceName.	Unknown	N
1010	Received GUID_TARGET_DEVICE_QUERY_REMOVE for device DeviceName.	Unknown	N
1011	Received GUID_IO_VOLUME_LOCK for device DeviceName.	Unknown	N
1012	Received GUID_IO_VOLUME_FVE_STATUS_CHANGE for device DeviceName.	Unknown	N
1013	IRP_MJ_READ failed on device DeviceName with status ReferenceCount.	Unknown	N
1014	IRP_MJ_WRITE failed on device DeviceName with status ReferenceCount.	Unknown	N
1015	Received GUID_IO_VOLUME_SIZE_CHANGE for device DeviceName.	Unknown	N
1016	Received GUID_IO_VOLUME_DISMOUNT_FAILED for device DeviceName.	Unknown	N
1017	Received GUID_IO_VOLUME_NEED_CHKDSK for device DeviceName.	Unknown	N
2001	Failed to open an existing tracking file on device DeviceName with status …	Unknown	N
2002	Failed to protect the tracking file on device DeviceName with status …	Unknown	N
2003	Failed to get retrieval pointers for the tracking file on device DeviceName with …	Unknown	N
2004	The tracking file on device DeviceName is corrupt.	Unknown	N
2005	Failed to create the tracking file on device DeviceName with status Status.	Unknown	N
2006	Failed to write to the tracking file on device DeviceName with status Status.	Unknown	N
2007	The checksum for the tracking file on device DeviceName is incorrect.	Unknown	N
2008	The previous session did not finalize the tracking file on device DeviceName.	Unknown	N
2009	Failed to reopen an existing tracking file on device DeviceName with status …	Unknown	N
3001	Received IRP_MN_SET_POWER with type of SystemPowerState and SystemState …	Unknown	N
3002	Received IRP_MN_SET_POWER with type of DevicePowerState and DeviceState …	Unknown	N
3003	Received IRP_MN_QUERY_POWER with type of SystemPowerState and SystemState …	Unknown	N
3004	Received IRP_MN_QUERY_POWER with type of DevicePowerState and DeviceState …	Unknown	N
4004	Received IRP_MJ_WRITE request at DISPATCH_LEVEL for device DeviceName.	Unknown	N
5001	An error was encountered while processing the Ntfs system metadata on line …	Unknown	N
5002	The size of the $LogFile on device DeviceName is Size bytes with Fragments …	Unknown	N
5003	Failed to read the $LogFile metadata for device DeviceName.	Unknown	N
5004	Failed to read Length bytes from device DeviceName with status Status.	Unknown	N
5006	MappingPairsLength=Length.	Unknown	N
5007	CurrentLcn=CurrentLcn, CurrentVcn=CurrentVcn, LcnBytes=LcnBytes, …	Unknown	N
5008	Detected Windows Sandbox Virtual Disk (DeviceName).	Unknown	N
5009	Detected Windows Xvdd Virtual Disk (DeviceName).	Unknown	N
6001	Detected ReFS version MajorVersion.	Unknown	N
6002	Found ReFS SuperBlock on device DeviceName.	Unknown	N

Event ID 1: Driver Loaded version.

Provider: mrcbt
Channel: Unknown

Description

Driver Loaded version.

Message #

Driver Loaded %1

Fields #

Name	Description
`version` AnsiString

Event ID 2: Driver Unloaded

Provider: mrcbt
Channel: Unknown

Description

Driver Unloaded.

Message #

Driver Unloaded

Event ID 3: The $LogFile restart count has changed on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

The $LogFile restart count has changed on device DeviceName.

Message #

The $LogFile restart count has changed on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 4: Successfully attached to device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Successfully attached to device DeviceName.

Message #

Successfully attached to device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 5: Device DeviceName has been stopped (IRP_MN_STOP_DEVICE).

Provider: mrcbt
Channel: Unknown

Description

Device DeviceName has been stopped (IRP_MN_STOP_DEVICE).

Message #

Device %1 has been stopped (IRP_MN_STOP_DEVICE)

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 6: Device DeviceName has been removed (IRP_MN_REMOVE_DEVICE).

Provider: mrcbt
Channel: Unknown

Description

Device DeviceName has been removed (IRP_MN_REMOVE_DEVICE).

Message #

Device %1 has been removed (IRP_MN_REMOVE_DEVICE)

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 7: Device DeviceName has been surprise removed (IRP_MN_SURPRISE_REMOVAL).

Provider: mrcbt
Channel: Unknown

Description

Device DeviceName has been surprise removed (IRP_MN_SURPRISE_REMOVAL).

Message #

Device %1 has been surprise removed (IRP_MN_SURPRISE_REMOVAL)

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 8: Tracking has been enabled on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Tracking has been enabled on device DeviceName.

Message #

Tracking has been enabled on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 9: Tracking has been disabled on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Tracking has been disabled on device DeviceName.

Message #

Tracking has been disabled on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 10: MRCBT has detected that Raxco Perfectdisk DefragFs has been scheduled to perform a boot-time defrag of one or more volumes.

Provider: mrcbt
Channel: Unknown

Message #

MRCBT has detected that Raxco Perfectdisk DefragFs has been scheduled to perform a boot-time defrag of one or more volumes. CBT will not be available until the system is rebooted without a boot-time defrag scheduled.

Event ID 11: Failed to enable tracking on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Failed to enable tracking on device DeviceName.

Message #

Failed to enable tracking on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 12: IRP_MJ_SHUTDOWN received on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

IRP_MJ_SHUTDOWN received on device DeviceName.

Message #

IRP_MJ_SHUTDOWN received on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 13: IOCTL_MRCBT_QUERY_VOLUME_TRACKING_INFORMATION failed on device DeviceName with status Status.

Provider: mrcbt
Channel: Unknown

Description

IOCTL_MRCBT_QUERY_VOLUME_TRACKING_INFORMATION failed on device DeviceName with status Status.

Message #

IOCTL_MRCBT_QUERY_VOLUME_TRACKING_INFORMATION failed on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 14: Invalidating boot sector on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Invalidating boot sector on device DeviceName.

Message #

Invalidating boot sector on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 15: The NTFS $LogFile has been reset.

Provider: mrcbt
Channel: Unknown

Description

The NTFS $LogFile has been reset. This is normally caused by the Linux NTFS-3G driver.

Message #

The NTFS $LogFile has been reset. This is normally caused by the Linux NTFS-3G driver.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 16: Failed to allocate file buffer with size ReferenceCount for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Failed to allocate file buffer with size ReferenceCount for device DeviceName.

Message #

Failed to allocate file buffer with size %2 for device %1

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 17: Reading boot sector on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Reading boot sector on device DeviceName.

Message #

Reading boot sector on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 18: The file-system on device DeviceName is not supported.

Provider: mrcbt
Channel: Unknown

Description

The file-system on device DeviceName is not supported.

Message #

The file-system on device %1 is not supported

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 19: The volume DeviceName is offline.

Provider: mrcbt
Channel: Unknown

Description

The volume DeviceName is offline.

Message #

The volume %1 is offline

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 20: The file-system on device DeviceName is locked.

Provider: mrcbt
Channel: Unknown

Description

The file-system on device DeviceName is locked.

Message #

The file-system on device %1 is locked

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 21: Failed to create log file with status ErrorCode.

Provider: mrcbt
Channel: Unknown

Description

Failed to create log file with status ErrorCode.

Message #

Failed to create log file with status %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 1000: Received GUID_TARGET_DEVICE_REMOVE_COMPLETE for device DeviceName with ReferenceCount ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_TARGET_DEVICE_REMOVE_COMPLETE for device DeviceName with ReferenceCount ReferenceCount.

Message #

Received GUID_TARGET_DEVICE_REMOVE_COMPLETE for device %1 with ReferenceCount %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 1001: Received GUID_IO_VOLUME_MOUNT for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_MOUNT for device DeviceName.

Message #

Received GUID_IO_VOLUME_MOUNT for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1002: Received GUID_IO_VOLUME_DISMOUNT for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_DISMOUNT for device DeviceName.

Message #

Received GUID_IO_VOLUME_DISMOUNT for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1003: Received GUID_IO_VOLUME_PHYSICAL_CONFIGURATION_CHANGE for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_PHYSICAL_CONFIGURATION_CHANGE for device DeviceName.

Message #

Received GUID_IO_VOLUME_PHYSICAL_CONFIGURATION_CHANGE for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1004: Failed to initialize the tracking file on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Failed to initialize the tracking file on device DeviceName.

Message #

Failed to initialize the tracking file on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1005: PlugPlay notification has been registered for device DeviceName with ReferenceCount ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

PlugPlay notification has been registered for device DeviceName with ReferenceCount ReferenceCount.

Message #

PlugPlay notification has been registered for device %1 with ReferenceCount %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 1006: PlugPlay notification has been unregistered for device DeviceName with ReferenceCount ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

PlugPlay notification has been unregistered for device DeviceName with ReferenceCount ReferenceCount.

Message #

PlugPlay notification has been unregistered for device %1 with ReferenceCount %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 1007: Received GUID_IO_VOLUME_LOCK_FAILED for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_LOCK_FAILED for device DeviceName.

Message #

Received GUID_IO_VOLUME_LOCK_FAILED for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1008: Received GUID_IO_VOLUME_UNLOCK for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_UNLOCK for device DeviceName.

Message #

Received GUID_IO_VOLUME_UNLOCK for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1009: Received GUID_TARGET_DEVICE_REMOVE_CANCELLED for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_TARGET_DEVICE_REMOVE_CANCELLED for device DeviceName.

Message #

Received GUID_TARGET_DEVICE_REMOVE_CANCELLED for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1010: Received GUID_TARGET_DEVICE_QUERY_REMOVE for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_TARGET_DEVICE_QUERY_REMOVE for device DeviceName.

Message #

Received GUID_TARGET_DEVICE_QUERY_REMOVE for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1011: Received GUID_IO_VOLUME_LOCK for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_LOCK for device DeviceName.

Message #

Received GUID_IO_VOLUME_LOCK for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1012: Received GUID_IO_VOLUME_FVE_STATUS_CHANGE for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_FVE_STATUS_CHANGE for device DeviceName.

Message #

Received GUID_IO_VOLUME_FVE_STATUS_CHANGE for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1013: IRP_MJ_READ failed on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

IRP_MJ_READ failed on device DeviceName with status ReferenceCount.

Message #

IRP_MJ_READ failed on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 1014: IRP_MJ_WRITE failed on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

IRP_MJ_WRITE failed on device DeviceName with status ReferenceCount.

Message #

IRP_MJ_WRITE failed on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 1015: Received GUID_IO_VOLUME_SIZE_CHANGE for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_SIZE_CHANGE for device DeviceName.

Message #

Received GUID_IO_VOLUME_SIZE_CHANGE for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1016: Received GUID_IO_VOLUME_DISMOUNT_FAILED for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_DISMOUNT_FAILED for device DeviceName.

Message #

Received GUID_IO_VOLUME_DISMOUNT_FAILED for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 1017: Received GUID_IO_VOLUME_NEED_CHKDSK for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received GUID_IO_VOLUME_NEED_CHKDSK for device DeviceName.

Message #

Received GUID_IO_VOLUME_NEED_CHKDSK for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 2001: Failed to open an existing tracking file on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

Failed to open an existing tracking file on device DeviceName with status ReferenceCount.

Message #

Failed to open an existing tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 2002: Failed to protect the tracking file on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

Failed to protect the tracking file on device DeviceName with status ReferenceCount.

Message #

Failed to protect the tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 2003: Failed to get retrieval pointers for the tracking file on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

Failed to get retrieval pointers for the tracking file on device DeviceName with status ReferenceCount.

Message #

Failed to get retrieval pointers for the tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 2004: The tracking file on device DeviceName is corrupt.

Provider: mrcbt
Channel: Unknown

Description

The tracking file on device DeviceName is corrupt.

Message #

The tracking file on device %1 is corrupt

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 2005: Failed to create the tracking file on device DeviceName with status Status.

Provider: mrcbt
Channel: Unknown

Description

Failed to create the tracking file on device DeviceName with status Status.

Message #

Failed to create the tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2006: Failed to write to the tracking file on device DeviceName with status Status.

Provider: mrcbt
Channel: Unknown

Description

Failed to write to the tracking file on device DeviceName with status Status.

Message #

Failed to write to the tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 2007: The checksum for the tracking file on device DeviceName is incorrect.

Provider: mrcbt
Channel: Unknown

Description

The checksum for the tracking file on device DeviceName is incorrect. The tracking file has been reset.

Message #

The checksum for the tracking file on device %1 is incorrect. The tracking file has been reset.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 2008: The previous session did not finalize the tracking file on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

The previous session did not finalize the tracking file on device DeviceName. The tracking file has been reset.

Message #

The previous session did not finalize the tracking file on device %1. The tracking file has been reset.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 2009: Failed to reopen an existing tracking file on device DeviceName with status ReferenceCount.

Provider: mrcbt
Channel: Unknown

Description

Failed to reopen an existing tracking file on device DeviceName with status ReferenceCount.

Message #

Failed to reopen an existing tracking file on device %1 with status %2

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 3001: Received IRP_MN_SET_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received IRP_MN_SET_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.

Message #

Received IRP_MN_SET_POWER with type of SystemPowerState and SystemState %2 for device %1

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 3002: Received IRP_MN_SET_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received IRP_MN_SET_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.

Message #

Received IRP_MN_SET_POWER with type of DevicePowerState and DeviceState %2 for device %1

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 3003: Received IRP_MN_QUERY_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received IRP_MN_QUERY_POWER with type of SystemPowerState and SystemState ReferenceCount for device DeviceName.

Message #

Received IRP_MN_QUERY_POWER with type of SystemPowerState and SystemState %2 for device %1

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 3004: Received IRP_MN_QUERY_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Received IRP_MN_QUERY_POWER with type of DevicePowerState and DeviceState ReferenceCount for device DeviceName.

Message #

Received IRP_MN_QUERY_POWER with type of DevicePowerState and DeviceState %2 for device %1

Fields #

Name	Description
`DeviceName` UnicodeString
`ReferenceCount` UInt32

Event ID 4004: Received IRP_MJ_WRITE request at DISPATCH_LEVEL for device DeviceName.

Provider: mrcbt
Channel: Unknown

Message #

Received IRP_MJ_WRITE request at DISPATCH_LEVEL for device %1. You are receiving this warning because a third-party filter driver has generated an illegitimate request and CBT has been forced to take appropriate steps to avoid generating a system crash. This will not effect the integrity of your backups, but is an indication that you are possibly running faulty third-party software. This message will no longer be displayed for this volume during this session.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 5001: An error was encountered while processing the Ntfs system metadata on line SourceLine.

Provider: mrcbt
Channel: Unknown

Description

An error was encountered while processing the Ntfs system metadata on line SourceLine. Status Status.

Message #

An error was encountered while processing the Ntfs system metadata on line %1. Status %2.

Fields #

Name	Description
`SourceLine` UInt32
`Status` UInt32	NTSTATUS reference

Event ID 5002: The size of the $LogFile on device DeviceName is Size bytes with Fragments fragments.

Provider: mrcbt
Channel: Unknown

Description

The size of the $LogFile on device DeviceName is Size bytes with Fragments fragments.

Message #

The size of the $LogFile on device %1 is %2 bytes with %3 fragments

Fields #

Name	Description
`DeviceName` UnicodeString
`Size` HexInt32
`Fragments` HexInt32

Event ID 5003: Failed to read the $LogFile metadata for device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Failed to read the $LogFile metadata for device DeviceName.

Message #

Failed to read the $LogFile metadata for device %1

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 5004: Failed to read Length bytes from device DeviceName with status Status.

Provider: mrcbt
Channel: Unknown

Description

Failed to read Length bytes from device DeviceName with status Status.

Message #

Failed to read %1 bytes from device %2 with status %3

Fields #

Name	Description
`Length` UInt32
`DeviceName` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 5006: MappingPairsLength=Length.

Provider: mrcbt
Channel: Unknown

Description

MappingPairsLength=Length.

Message #

MappingPairsLength=%1

Fields #

Name	Description
`Length` UInt32

Event ID 5007: CurrentLcn=CurrentLcn, CurrentVcn=CurrentVcn, LcnBytes=LcnBytes, VcnBytes=VcnBytes.

Provider: mrcbt
Channel: Unknown

Description

CurrentLcn=CurrentLcn, CurrentVcn=CurrentVcn, LcnBytes=LcnBytes, VcnBytes=VcnBytes.

Message #

CurrentLcn=%1, CurrentVcn=%2, LcnBytes=%3, VcnBytes=%4

Fields #

Name	Description
`CurrentLcn` UInt32
`CurrentVcn` UInt32
`LcnBytes` UInt32
`VcnBytes` UInt32

Event ID 5008: Detected Windows Sandbox Virtual Disk (DeviceName).

Provider: mrcbt
Channel: Unknown

Description

Detected Windows Sandbox Virtual Disk (DeviceName). Tracking will not be available on this device.

Message #

Detected Windows Sandbox Virtual Disk (%1). Tracking will not be available on this device.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 5009: Detected Windows Xvdd Virtual Disk (DeviceName).

Provider: mrcbt
Channel: Unknown

Description

Detected Windows Xvdd Virtual Disk (DeviceName). Tracking will not be available on this device.

Message #

Detected Windows Xvdd Virtual Disk (%1). Tracking will not be available on this device.

Fields #

Name	Description
`DeviceName` UnicodeString

Event ID 6001: Detected ReFS version MajorVersion.

Provider: mrcbt
Channel: Unknown

Description

Detected ReFS version MajorVersion.MinorVersion boot sector sector on device DeviceName.

Message #

Detected ReFS version %1.%2 boot sector sector on device %3

Fields #

Name	Description
`MajorVersion` UInt32
`MinorVersion` UInt32
`DeviceName` UnicodeString

Event ID 6002: Found ReFS SuperBlock on device DeviceName.

Provider: mrcbt
Channel: Unknown

Description

Found ReFS SuperBlock on device DeviceName.

Message #

Found ReFS SuperBlock on device %1

Fields #

Name	Description
`DeviceName` UnicodeString

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)