30 MB logfile?

elgato

I have a 30 MB (!) logfile under the windows/system32/logfiles/WMI folder.

Can anyone tell me what it is that it logs, and is it safe to delete?

TIA
 
Wesley Vogel

%windir%\system32\logfiles\WMI\trace.log

Try this first.

Open the Registry Editor...
Start | Run | Type: regedit | Click OK |
Navigate to >>>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger
In the right hand pane you may see Start listed under the Name column.
If you do, and the Data is 1, double click on Start and set the value to 0.

Reboot your machine. Check the setting in the above registry key to see
that it's still set to 0.

Navigate to %windir%\system32\logfiles\WMI and delete trace.log.

Normal WMI logs are found in...
%windir%\system32\wbem\logs
or
C:\WINDOWS\system32\wbem\logs

You may see a bunch of logs in that folder.

Did you ever use bootvis.exe?
If yes...

[[After running the MS Bootvis utility, the file
C:\WINDOWS\System32\LogFiles\WMI\trace.log becomes hugely inflated.

The file shrinks on rebooting but may rapidly grow to a few gigs in size.
To cure the problem, run BootVis again and click Trace-->Stop Tracing; the
file will now stop growing and may be safely deleted.]]
From...
http://forums.infoprosjoint.net/showthread.php?t=2806

If that wasn't it, try this; it will list all trace sessions.

TRACELOG is tracelog.exe (WMI Event Trace Logger).
tracelog.exe is part of Windows Support Tools.

Open a command prompt...
Start | Run | Type: cmd | Click OK |
When the command prompt opens type or paste:

TRACELOG -L

Hit your Enter key.

If anything is running a trace it should show up, otherwise it returns to
the prompt.
-----

I have no idea what started NT Kernel Logger. Apparently it logs every dang
thing.

I have a suspicion.

First look at Performance.
Start | Run | Type: perfmon.msc | Click OK |
Click on Performance Logs and Alerts and look around.

OK, I just found this...

From Performance HELP:

[[Any existing logs will be listed in the details pane. A green icon
indicates that a log is running; a red icon indicates that a log has been
stopped.]]

[[To view or change properties of a log or alert
1. Open Performance.
2. Double-click Performance Logs and Alerts.
3. Click Counter Logs, Trace Logs, or Alerts.
4. In the details pane, double-click the name of the log or alert.
5. View or change the log properties as needed.]]

[[To define start or stop parameters for a log or alert
1. Open Performance.
2. Double-click Performance Logs and Alerts, and then click Counter Logs,
Trace Logs, or Alerts.
3. In the details pane, double-click the name of the log or alert.
4. Click the Schedule tab.
5. Is for Start, we do not want that.
6. Under Stop log, select one of the following options:
To stop the log or alert manually, click Manually. When this option is
selected, to stop the log or alert, right-click the log or alert name in the
details pane, and click Stop.]]

You can disable the WMI Performance Adapter service in Services.
Start | Run | Type: services.msc | Click OK |
Scroll clear down to and double click WMI Performance Adapter |
Click the Stop button | Set the Startup type to Disabled | Click Apply |
Click OK | Close Services | Maybe you have to reboot for it to stop and not
get started again, I'm not sure. Been too long since I disabled it for me to
remember.

If the WMI Performance Adapter service is disabled, no Performance logging
can take place. I have it disabled. For instance, if you open Performance
(perfmon.msc) or Console1.msc and click on Performance Logs and Alerts,
you'll get a message...

[[The service cannot be started, either because it is disabled or because it
has no enabled devices associated with it.]]

If you find that the problem was from Performance, disable the WMI
Performance Adapter service so that it can't happen again.
-----

If nothing above helped, read on.

You can type this in a command prompt for help on tracelog.

tracelog /?

This command will Stop all active trace sessions...

tracelog -x

works only for the current session. But NT Kernel Logger will start again
after rebooting.

I do not know if this command will work, type or paste into a command
prompt...

tracelog -stop "NT Kernel Logger"

It's worth a shot, if nothing above helped.

Same with..

tracelog -disable "NT Kernel Logger"

You can read through this, if you want...
http://www.techspot.com/vb/all/windows/t-490-Difficulty-finding-LogFiles.html

More info...

NT Kernel Logger Trace Session
http://msdn.microsoft.com/library/d..._85d66a98-bc80-4dc4-bce8-7bb7618ff5be.xml.asp

Start an NT Kernel Logger Trace Session
http://msdn.microsoft.com/library/e..._ead9da62-ba78-4926-8f62-e68d8d6292ba.xml.asp

Tracelog Commands
http://msdn.microsoft.com/library/e..._b6beb1b9-7356-4975-8f53-2f2338ae1927.xml.asp


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
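
The checks from the answer above gathered into one script, as an added example that is not part of the original thread: it reads the GlobalLogger Start value, reports the size of trace.log, lists active trace sessions and shows the WMI Performance Adapter service state. The use of PowerShell, the `logman query -ets` fallback, the service name `WmiApSrv` and the `-DisableGlobalLogger` switch are assumptions not taken from the post.

```powershell
# Added example: audit of the items the answer walks through.
# Run from an elevated prompt. Nothing is changed unless -DisableGlobalLogger is passed.
param([switch]$DisableGlobalLogger)   # hypothetical switch name

$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger'
$traceLog = Join-Path $env:windir 'system32\logfiles\WMI\trace.log'

# 1. GlobalLogger "Start" value: the answer says to set it to 0 when it is 1.
$start = $null
if (Test-Path $key) {
    $start = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Start
}
if ($null -eq $start) { 'GlobalLogger Start: not present' }
else                  { "GlobalLogger Start: $start" }

# 2. Size and age of the trace file the question is about.
if (Test-Path $traceLog) {
    $f = Get-Item $traceLog
    '{0}: {1:N1} MB, last written {2}' -f $f.FullName, ($f.Length / 1MB), $f.LastWriteTime
} else {
    "$traceLog not found"
}

# 3. Active trace sessions: tracelog -l as in the answer when Support Tools
#    is installed, otherwise logman (assumption: logman.exe is on the PATH).
if (Get-Command tracelog.exe -ErrorAction SilentlyContinue) {
    & tracelog.exe -l
} else {
    & logman.exe query -ets
}

# 4. WMI Performance Adapter service (assumed service name: WmiApSrv).
$svc = Get-Service -Name WmiApSrv -ErrorAction SilentlyContinue
if ($svc) { "WMI Performance Adapter: $($svc.Status)" }
else      { 'WMI Performance Adapter: service not found' }

# 5. Optional change, mirroring the regedit step: Start 1 -> 0.
#    A reboot is still needed before trace.log can be deleted.
if ($DisableGlobalLogger -and $start -eq 1) {
    Set-ItemProperty -Path $key -Name Start -Value 0
    'GlobalLogger Start set to 0; reboot, re-check the value, then delete trace.log.'
}
```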
