SOC Event Lookup
Event ID 9RawAccessP3

Sysmon Event ID 9: RawAccessRead

Sysmon Event ID 9 records raw read access to disks or volumes using the \.\ denotation.

Applicable version
Sysmon with this event enabled
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents that RawAccessRead detects a process conducting reading operations from the drive using \.\ notation, often to bypass file access auditing or read locked files.

Key Fields

Device

The target raw device path, such as \.\C: or \.\PhysicalDrive0, from the official Sysmon schema example.

Image / ProcessGuid / ProcessId

The process that opened the raw device. Microsoft documents these fields in the RawAccessRead schema example.

UtcTime

UTC timestamp used to correlate raw access with backup tools, forensic tools, or suspicious file staging.

Common False Positives

  • Backup agents, EDR products, disk encryption tools, forensic tools, and defragmentation utilities may legitimately read raw volumes.
  • Baseline approved Image values before treating every raw read as malicious.

Related Events

MITRE ATT&CK Mapping

  • T1006Direct Volume Access

Detection Notes

Alert when Device is \.\C: or \.\PhysicalDrive0 and Image is not an approved backup, EDR, encryption, or forensic binary. Microsoft documents Event 9 for raw reads using \.\ notation and MITRE T1006 describes direct volume access used to bypass file access controls and monitoring. Correlate ProcessGuid to Event 1 and inspect whether the same process later writes files under C:\Users\, C:\ProgramData\, or C:\Windows\Temp.

Microsoft Sentinel KQL
Sysmon
| where EventID == 9
| project TimeGenerated, Computer, Image, Device, ProcessGuid
Splunk SPL
index=sysmon EventCode=9 | table _time, host, Image, Device, ProcessGuid
Sample Log
UtcTime: 2026-07-13 03:01:00.000
ProcessGuid: {REDACTED}
ProcessId: 4812
Image: C:\Users\Public\rawcopy.exe
Device: \.\PhysicalDrive0

Source