Excessive logging to SpoolerETW.ETL

Dave Nuttall

The print spooler generates a set of 3 log entries (example below) about
every 0.25 seconds. These go to SpoolerETW.ETL in the Windows\System32\Spool
directory. This behaviour exists on one of three "identically" configured
systems, and is triggered by a user login (but not by the Admin login). The
printers set up on this system are a minimal subset of those available (in
order to try and work around this problem). As the log entries don't really
say what is causing the problem, can anyone point me in the right direction?

TIA, Dave

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PrintSpooler"
Guid="{e4c60dfa-ecc5-4889-b406-e9ddd38463c8}" />
<EventID>121</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>12</Opcode>
<Keywords>0x4000000000000010</Keywords>
<TimeCreated SystemTime="2007-11-25T02:31:31.167513600Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="1584" ThreadID="2268" ProcessorID="1" KernelTime="0"
UserTime="0" />
<Channel>Microsoft-Windows-PrintSpooler/Core-Debug</Channel>
<Computer />
</System>
<UserData>
<SpoolerGenericEvent
xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events'
xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Routine>SplOpenPrinter</Routine><File>d:\vista_gdr\printscan\print\spooler\localspl\openprn.c</File><Line>2018</Line><ErrorCode>0x7B</ErrorCode><ObjectName>Uninitialized</ObjectName></SpoolerGenericEvent>
</UserData>
<RenderingInfo Culture="en-US">
<Level>Error </Level>
<Opcode>Operation failed </Opcode>
<Keywords>
<Keyword>Local spooler events </Keyword>
</Keywords>
<Task>Opening a printer handle </Task>
<Message>Open Printer Checkpoint Failed </Message>
<Channel>Microsoft-Windows-PrintSpooler/Core-Debug</Channel>
<Provider>Microsoft-Windows-PrintSpooler </Provider>
</RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PrintSpooler"
Guid="{e4c60dfa-ecc5-4889-b406-e9ddd38463c8}" />
<EventID>119</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>12</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2007-11-25T02:31:31.167516200Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="1584" ThreadID="2268" ProcessorID="1" KernelTime="0"
UserTime="0" />
<Channel>Microsoft-Windows-PrintSpooler/Core-Analytic</Channel>
<Computer />
</System>
<UserData>
<SpoolerGenericEvent
xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events'
xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Routine>SplOpenPrinter</Routine><File>d:\vista_gdr\printscan\print\spooler\localspl\openprn.c</File><Line>752</Line><ErrorCode>0x7B</ErrorCode><ObjectName>Uninitialized</ObjectName></SpoolerGenericEvent>
</UserData>
<RenderingInfo Culture="en-US">
<Level>Error </Level>
<Opcode>Operation failed </Opcode>
<Keywords>
<Keyword>Local spooler events </Keyword>
</Keywords>
<Task>Opening a printer handle </Task>
<Message>Open Printer Failed </Message>
<Channel>Microsoft-Windows-PrintSpooler/Core-Analytic</Channel>
<Provider>Microsoft-Windows-PrintSpooler </Provider>
</RenderingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PrintSpooler"
Guid="{e4c60dfa-ecc5-4889-b406-e9ddd38463c8}" />
<EventID>207</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>12</Opcode>
<Keywords>0x8000000000000020</Keywords>
<TimeCreated SystemTime="2007-11-25T02:31:31.167571100Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="1584" ThreadID="2268" ProcessorID="1" KernelTime="0"
UserTime="0" />
<Channel>Microsoft-Windows-PrintSpooler/Core-Analytic</Channel>
<Computer />
</System>
<UserData>
<SpoolerGenericEvent
xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events'
xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Routine>ppOpenPrinterEx</Routine><File>d:\vistartm\printscan\print\spooler\spoolss\csr\core\csropen.cxx</File><Line>343</Line><ErrorCode>0x8004BEBE</ErrorCode><ObjectName>-</ObjectName></SpoolerGenericEvent>
</UserData>
<RenderingInfo Culture="en-US">
<Level>Error </Level>
<Opcode>Operation failed </Opcode>
<Keywords>
<Keyword>Remote spooler events </Keyword>
</Keywords>
<Task>Opening a printer handle </Task>
<Message>CSR Open Printer Failed </Message>
<Channel>Microsoft-Windows-PrintSpooler/Core-Analytic</Channel>
<Provider>Microsoft-Windows-PrintSpooler </Provider>
</RenderingInfo>
</Event>
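
Added example, not part of the original thread: a Python sketch that groups a pasted tracerpt XML fragment like the one above by event ID, routine and error code, and estimates the event rate. The sample events are constructed (abbreviated from the post, with a made-up second burst 0.25 s later); the only error code decoded is 0x7B, which is Win32 ERROR_INVALID_NAME, and any other code is left as hex.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SPL = ("{http://manifests.microsoft.com/win/2005/08/windows/printing/"
       "spooler/core/events}")
# The only code decoded here; anything else is reported as raw hex.
WIN32 = {0x7B: "ERROR_INVALID_NAME"}

def parse_time(stamp):
    """ETW SystemTime has 9 fractional digits, more than strptime's %f accepts."""
    whole, _, frac = stamp.rstrip("Z").partition(".")
    base = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S")
    return (base - datetime(1970, 1, 1)).total_seconds() + float("0." + (frac or "0"))

def summarize(fragment):
    """Return (Counter keyed by (EventID, Routine, error, ObjectName), events/sec)."""
    # Assumes bare <Event> elements as pasted in the post, so wrap them in one root.
    root = ET.fromstring("<Events>" + fragment + "</Events>")
    groups, times = Counter(), []
    for ev in root.iter(EVT + "Event"):
        system = ev.find(EVT + "System")
        times.append(parse_time(system.find(EVT + "TimeCreated").get("SystemTime")))
        data = ev.find(EVT + "UserData/" + SPL + "SpoolerGenericEvent")
        code = int(data.findtext(SPL + "ErrorCode"), 16)
        groups[(int(system.findtext(EVT + "EventID")),
                data.findtext(SPL + "Routine"),
                WIN32.get(code, hex(code)),
                data.findtext(SPL + "ObjectName"))] += 1
    if not times:
        return groups, 0.0
    span = max(times) - min(times)
    return groups, (len(times) / span if span else float("inf"))

def _event(eid, stamp, routine, code, obj):
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{stamp}" /></System><UserData>'
            f'<SpoolerGenericEvent xmlns="{SPL[1:-1]}"><Routine>{routine}</Routine>'
            f'<ErrorCode>{code}</ErrorCode><ObjectName>{obj}</ObjectName>'
            '</SpoolerGenericEvent></UserData></Event>')

# Constructed sample: the post's three events plus a made-up repeat 0.25 s later.
SAMPLE = "".join(
    _event(121, f"2007-11-25T02:31:31.{ms}513600Z", "SplOpenPrinter", "0x7B", "Uninitialized")
    + _event(119, f"2007-11-25T02:31:31.{ms}516200Z", "SplOpenPrinter", "0x7B", "Uninitialized")
    + _event(207, f"2007-11-25T02:31:31.{ms}571100Z", "ppOpenPrinterEx", "0x8004BEBE", "-")
    for ms in ("167", "417"))

if __name__ == "__main__":
    groups, rate = summarize(SAMPLE)
    for key, count in sorted(groups.items()):
        print(count, *key)
    print(f"{rate:.1f} events/sec")
```

Grouping on the routine, error code and object name shows whether every burst is the same failing open call, which the per-event-ID counts from tracerpt do not.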
 
Dave Nuttall

I have removed all the printer references from the system (deleted all
printers, printer drivers, and cleaned up the registry), so that the system
should be back to a clean state as far as printing is concerned.

The net effect of this is that the logging has now increased in frequency -
I guess that this is all the spooler has to do! I also noticed that the print
spooler logging is disabled in the registry, so it must be using some
"private" logging scheme that cannot be turned off.

The summary of the contents of SpoolerETW.ETL (below) produced by tracerpt
shows 1677 events being generated in 78 seconds.

Doesn't anyone know how to stop this? Please??

Files Processed:
SpoolerETW.etl
Total Buffers Processed 114
Total Events Processed 1678
Total Events Lost 0
Start Time Monday, 26 November, 2007
End Time Monday, 26 November, 2007
Elapsed Time 78 se
+-------------+--------------------------------+------+------------------+---------+----------------------------------------+
| Event Count | Event Name                     | Task | Opcode           | Version | Guid                                   |
+-------------+--------------------------------+------+------------------+---------+----------------------------------------+
| 1           | EventTrace                     | 0    | Header           | 2       | {68fdd900-4a3e-11d1-84f4-0000f80464e3} |
| 1677        | Microsoft-Windows-PrintSpooler | 2    | Operation failed | 0       | {e4c60dfa-ecc5-4889-b406-e9ddd38463c8} |
+-------------+--------------------------------+------+------------------+---------+----------------------------------------+

+-------------+--------------------------------+----------+---------+----------------------------------------+
| Event Count | Event Name                     | Event ID | Version | Guid                                   |
+-------------+--------------------------------+----------+---------+----------------------------------------+
| 1           | EventTrace                     | 0        | 2       | {68fdd900-4a3e-11d1-84f4-0000f80464e3} |
| 559         | Microsoft-Windows-PrintSpooler | 119      | 0       | {e4c60dfa-ecc5-4889-b406-e9ddd38463c8} |
| 559         | Microsoft-Windows-PrintSpooler | 121      | 0       | {e4c60dfa-ecc5-4889-b406-e9ddd38463c8} |
| 559         | Microsoft-Windows-PrintSpooler | 207      | 0       | {e4c60dfa-ecc5-4889-b406-e9ddd38463c8} |
+-------------+--------------------------------+----------+---------+----------------------------------------+
 
Alan Morris [MSFT]

The ETW logging is disabled by default. How did you enable it?

If you enabled it in the event viewer you can disable it there as well.

Launch mmc, add Event Viewer

Applications and Services Logs
Microsoft
Print Spooler

Right-click on the log type and disable logging.

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Dave Nuttall

Alan Morris said:
> the ETW logging is disabled by default. How did you enable it?
>
> If you enabled in the event viewer you can disable it there as well.
>
> Launch mmc, add Event Viewer
>
> Applications and Services Logs
> Microsoft
> Print Spooler
>
> right click on the log type and disable logging

There is not a "Print Spooler" entry, either under Microsoft or under
Microsoft-Windows. Perhaps in the absence of this entry logging gets turned
on?

There also seem to be other entries missing from the list - I'm not sure how
this happened. Is there an easy way to re-populate this?
 
Dave Nuttall

> There also seem to be other entries missing from the list - I'm not sure how
> this happened. Is there an easy way to re-populate this?

Let me correct that statement. Comparing the system with the problem with
other systems, the list of logs under Microsoft-Windows is the same on all.

There are many extra logs listed in a script I downloaded to clear out all
logs -
http://mickrussom.blogspot.com/2007/05/batch-file-for-clearing-all-logs-at.html
- including four for Microsoft-Windows-PrintSpooler which are not present on
any system.
 
Dave Nuttall

Alan Morris said:
> the ETW logging is disabled by default. How did you enable it?

Regardless of whether the logging is enabled or disabled, the print spooler
is encountering an error:

<Task>Opening a printer handle </Task>
<Message>Open Printer Checkpoint Failed </Message>

As there are no printers defined on the system, which printer is it trying
to open? It would help if information about the "printer" were included in
the log, as this may give some clue as to where to go to fix the problem.
 
Dave Nuttall

Alan Morris said:
> You will need to show Analytic and Debug logs. I had to hunt this down as
> well.

Found them, thanks!

All four of the print spooler logs were, and still are, shown as disabled in
the Event Viewer. They are also empty (not surprisingly!).

This does seem to be some kind of "extracurricular" logging that got turned
on somewhere else.
 
Alan Morris [MSFT]

Are there other users on this machine that may have made a printer
connection to another machine?

Check for a registry key in this format with an old machine name.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\Servername\Printers

--
Alan Morris
Windows Printing Team
 
Dave Nuttall

Alan Morris said:
> Are there other users on this machine that may have made a printer
> connection to another machine?
>
> Check for a registry key in this format with an old machine name.
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\Servername\Printers

As part of the clean up of printers (several days ago) I deleted the key
above from "Providers" on down, as "Providers" did not exist on a system that
had no printers defined.

Prior to deleting the keys, I did notice a printer server named "CSR|Merry".
The actual printer server on the network is called "Merry". I'm not sure
where the CSR variant came from, or whether the name is still lurking
somewhere outside of the registry.

I also just noticed that when the spooler service was started it produced a
new System32\Spool\spooler.xml file (below) that implies that there is still
information in the registry that I have not cleaned up. Is it "safe" to track
down and remove this information?

<SpoolerErrorLog>
  <RegistryData>
    <PrintProvidor name="Internet Print Provider">
      <DisplayName><![CDATA[ HTTP Print Services ]]></DisplayName>
      <Name><![CDATA[ inetpp.dll ]]></Name>
    </PrintProvidor>
    <PrintProvidor name="LanMan Print Services">
      <DisplayName><![CDATA[ LanMan Print Services ]]></DisplayName>
      <Name><![CDATA[ win32spl.dll ]]></Name>
      <Node name="PortNames" />
      <Node name="Servers">
        <AddPrinterDrivers>0x0</AddPrinterDrivers>
      </Node>
    </PrintProvidor>
    <PrintProcessor name="Epson Inkjet">
      <Driver><![CDATA[ EP0NPP01.DLL ]]></Driver>
    </PrintProcessor>
    <PrintProcessor name="hpzpplhn">
      <Driver><![CDATA[ hpzpplhn.dll ]]></Driver>
    </PrintProcessor>
    <PrintProcessor name="OneNotePrint2007">
      <Driver><![CDATA[ msonpppr.dll ]]></Driver>
    </PrintProcessor>
    <PrintProcessor name="winprint">
      <Driver><![CDATA[ localspl.dll ]]></Driver>
    </PrintProcessor>
    <PortMonitor name="Epson Inbox Language Monitor">
      <Driver><![CDATA[ EP0SLM00.DLL ]]></Driver>
    </PortMonitor>
    <PortMonitor name="Local Port">
      <Driver><![CDATA[ localspl.dll ]]></Driver>
    </PortMonitor>
    <PortMonitor name="Send To Microsoft OneNote Monitor">
      <Driver><![CDATA[ msonpmon.dll ]]></Driver>
    </PortMonitor>
    <PortMonitor name="Standard TCP/IP Port">
      <Driver><![CDATA[ tcpmon.dll ]]></Driver>
      <Node name="Ports">
        <StatusUpdateInterval>0xa</StatusUpdateInterval>
        <StatusUpdateEnabled>0x1</StatusUpdateEnabled>
        <LprAckTimeout>0xb4</LprAckTimeout>
      </Node>
    </PortMonitor>
    <PortMonitor name="USB Monitor">
      <Driver><![CDATA[ usbmon.dll ]]></Driver>
    </PortMonitor>
    <PortMonitor name="WSD Port">
      <Driver><![CDATA[ WSDMon.dll ]]></Driver>
    </PortMonitor>
  </RegistryData>
  <EventLogData />
  <SpoolerObjects />
  <CSRCacheData />
</SpoolerErrorLog>
 
Alan Morris [MSFT]

An open printer call to CSR|Servername will always fail. If the connection
is not in use you can delete this key. If an active connection does exist
do not delete the key as other information from this setting is used by the
spooler.

--
Alan Morris
Windows Printing Team
 
Dave Nuttall

Alan Morris said:
> An open printer call to CSR|Servername will always fail. If the connection
> is not in use you can delete this key. If an active connection does exist
> do not delete the key as other information from this setting is used by the
> spooler.

The key was deleted several days ago, and a search of the registry shows
nothing containing "CSR|".
 
Dave Nuttall

> Regardless of whether the logging is enabled or disabled, the print spooler
> is encountering an error:
>
> <Task>Opening a printer handle </Task>
> <Message>Open Printer Checkpoint Failed </Message>
>
> As there are no printers defined on the system, which printer is it trying
> to open? It would help if information about the "printer" were included in
> the log, as this may give some clue as to where to go to fix the problem.

Here is a clue: I'm running the system with the spooler turned off - if
access to a printer (two networked printers are now defined) is needed the
user does a "net start spooler" in an admin command prompt that is left
running for that purpose. I noticed that a Bluetooth enabled cell phone (that
was previously "introduced" to the system) became connected as the spooler
started. Messing around with this, there is a definite link between the
spooler starting and the cell phone connecting to the system.

I removed the Bluetooth device from the system (Control Panel / Bluetooth)
and restarted the spooler - and the phone did not react. Unfortunately, the
logging still continues.

Why was the spooler talking to the phone in the first place, and is there
something else I need to do to clean up the information about the phone on
the system?
 
