Sysmon Event ID 9: RawAccessRead
Sysmon Event ID 9 records raw read access to disks or volumes using the \.\ denotation.
- Applicable version
- Sysmon with this event enabled
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents that RawAccessRead detects a process conducting reading operations from the drive using \.\ notation, often to bypass file access auditing or read locked files.
Key Fields
Device
The target raw device path, such as \.\C: or \.\PhysicalDrive0, from the official Sysmon schema example.
Image / ProcessGuid / ProcessId
The process that opened the raw device. Microsoft documents these fields in the RawAccessRead schema example.
UtcTime
UTC timestamp used to correlate raw access with backup tools, forensic tools, or suspicious file staging.
Common False Positives
- Backup agents, EDR products, disk encryption tools, forensic tools, and defragmentation utilities may legitimately read raw volumes.
- Baseline approved Image values before treating every raw read as malicious.
Related Events
MITRE ATT&CK Mapping
- T1006Direct Volume Access
Detection Notes
Alert when Device is \.\C: or \.\PhysicalDrive0 and Image is not an approved backup, EDR, encryption, or forensic binary. Microsoft documents Event 9 for raw reads using \.\ notation and MITRE T1006 describes direct volume access used to bypass file access controls and monitoring. Correlate ProcessGuid to Event 1 and inspect whether the same process later writes files under C:\Users\, C:\ProgramData\, or C:\Windows\Temp.
Sysmon
| where EventID == 9
| project TimeGenerated, Computer, Image, Device, ProcessGuidindex=sysmon EventCode=9 | table _time, host, Image, Device, ProcessGuidUtcTime: 2026-07-13 03:01:00.000
ProcessGuid: {REDACTED}
ProcessId: 4812
Image: C:\Users\Public\rawcopy.exe
Device: \.\PhysicalDrive0