Saturday, February 14, 2015

Windows 8.1 Events - NTFS Operational - Volume Data

I just wanted to post a quick note about something I came across in the Windows 8.1 Event Logs recently.  There is an Event Log called NTFS/Operational, which now has some interesting information. I say "now" because after some Windows Update testing I performed in a VM, I discovered that an update from April 2014 (KB2919355) seems to have enabled this quite handy little event.

If you want to skip down to the good stuff, feel free.  I wanted to mention that this Event Log appears in a fresh, new install of Windows 8.0 and 8.1, but I have yet to see it get any updates in my testing. I have also not attempted to see if there is a way to turn this event on manually.  That said, the Microsoft Knowledge Base article for KB2919355 does mention that this update applies to Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Ok, let's cut to the chase.  As you can see from this image, the Event ID is 142.  (So far, this is the only Event ID I've seen here.)  Here is what we see in this log:
  • Free space each time the device is read.
  • Page file size (Though I have not seen anything but 0 so far, even on my C: drive.)
  • Volume GUID (sweet!)
  • Volume name (This is cool, though I've only seen the drive letter here so far, which is still pretty nice.)
  • Boolean for Boot Volume (My C: drive is shown as True.)

So far, each time I've plugged in a device with an NTFS partition, the system scans the device and pulls this information.  It will also scan the device for this information immediately after formatting a device as NTFS.

Above, in the orange section, are some of the entries I have from plugging in a thumb drive to watch the log update.  The green and blue sections are different; these are times when I booted my computer.  Currently, I have six NTFS volumes on or in my computer, yet 7 volumes total.  I have three hard drives, one split into two partitions, and two thumb drives connected (one NTFS and one FAT).

Almost all the devices were scanned at the same time.  You'll notice one of the entries is off by 11 seconds, both times.  This entry was quite different: the volume GUID was all 0s, though it still showed a free space value of 69287936.  After unplugging all my devices, inside and out, aside from my OS drive, and still getting this entry, I loaded up FTK Imager to look at my recovery partition.  From there, I tallied up the size of all the unallocated space (in my case 4 + 26772 + 2304 + 440 + 38144 = 67664), multiplied it by 1024, and came up with 69287936.  So it was just reading my recovery partition.

So, if someone has several NTFS volumes attached, you may be able to correlate this activity with a boot time.  I have not tested to see if there is another way to have it rescan all the volumes at the same time.
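As an added example (not part of the original post), here is a PowerShell snippet that pulls Event ID 142 records from this log, dumps each record's EventData fields, groups records written within a few seconds of each other so a batch of scans can be matched against a boot time, and flags entries whose volume GUID is all zeros, like the recovery-partition entry above. It assumes the channel's full name is Microsoft-Windows-Ntfs/Operational, and it does not assume any EventData field names, since the post does not list them.

```powershell
# Added example, not from the original post. The log name below is an assumption
# (the post calls the channel "NTFS/Operational"); Event ID 142 is from the post.
$logName       = 'Microsoft-Windows-Ntfs/Operational'
$windowSeconds = 15   # volumes are scanned together at boot, with one straggler 11 s later
$zeroGuid      = '^\{?0{8}-0{4}-0{4}-0{4}-0{12}\}?$'

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 142 } -ErrorAction Stop |
    Sort-Object TimeCreated

# Dump every EventData item generically; field names are not assumed.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = [ordered]@{}
    $i    = 0
    foreach ($d in @($xml.Event.EventData.Data)) {
        $isElem = $d -is [System.Xml.XmlElement]
        $name   = if ($isElem -and $d.GetAttribute('Name')) { $d.GetAttribute('Name') } else { "Data$i" }
        $value  = if ($isElem) { $d.'#text' } else { [string]$d }
        $data[$name] = $value
        $i++
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ZeroGuid    = [bool]($data.Values | Where-Object { $_ -match $zeroGuid })
        Data        = $data
    }
}

# Group records written within $windowSeconds of the previous one into one batch.
$batches = @(); $current = @()
foreach ($r in $records) {
    if ($current.Count -gt 0 -and
        ($r.TimeCreated - $current[-1].TimeCreated).TotalSeconds -gt $windowSeconds) {
        $batches += ,$current
        $current  = @()
    }
    $current += $r
}
if ($current.Count -gt 0) { $batches += ,$current }

# Batches containing several volumes are candidate boot (or mass rescan) times.
foreach ($b in $batches) {
    '{0}  {1} volume(s) scanned' -f $b[0].TimeCreated, $b.Count
    foreach ($r in $b) {
        $flag  = if ($r.ZeroGuid) { ' [all-zero GUID]' } else { '' }
        $pairs = ($r.Data.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
        '    ' + $r.TimeCreated.ToString('HH:mm:ss') + $flag + '  ' + $pairs
    }
}
```

Run it from an elevated prompt on a machine where the channel exists; a batch whose count matches the number of attached NTFS volumes is the one to compare against the boot time.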

Regarding the free space in bytes, after you've created new data on an NTFS volume and the system rescans it, it will come up with a smaller number.  Deletion of data from the volume results in a larger number, after a rescan.  It's interesting, and kinda cool, that it keeps this information.

Thanks for reading, I hope this helps someone out!