Trace logs

NickvW

Why can't I run a trace log in Windows XP Professional + SP2 for TCP/IP
events using the system provider?

I am logged on as a member of the Administrators group but when I try to
start a trace log I get the error

"The myTraceLog log or alert has not started. Refresh the log or alert list
to view current status, or see the application event log for any errors.
Some logs and alerts might require a few minutes to start, especially if
they include many counters."

In the application log I get a Warning with Event ID 2014 from SysmonLog.

"Unable to start the trace session for the myTraceLog2 trace log
configuration. The Kernel trace provider and some application trace
providers require Administrator privileges in order to collect data. Use the
Run As option in the configuration application to log under an Administrator
account for these providers. System error code returned is in the data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."

The system error code returned is
0000: 05 00 00 00

Under Provider Status it appears that the Windows Kernel Trace provider is
not enabled, i.e. it disappears from the list if I check "Show only enabled
providers".

So I guess the question is how do I enable the Windows Kernel Trace
provider?

Is it disabled by default? Or is it just broken?

Nick
 
NickvW

NickvW said:
Why can't I run a trace log in Windows XP Professional + SP2 for TCP/IP
events using the system provider?

I am logged on as a member of the Administrators group but when I try to
start a trace log I get the error

"The myTraceLog log or alert has not started. Refresh the log or alert
list to view current status, or see the application event log for any
errors. Some logs and alerts might require a few minutes to start,
especially if they include many counters."

In the application log I get a Warning with Event ID 2014 from SysmonLog.

"Unable to start the trace session for the myTraceLog2 trace log
configuration. The Kernel trace provider and some application trace
providers require Administrator privileges in order to collect data. Use
the Run As option in the configuration application to log under an
Administrator account for these providers. System error code returned is
in the data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."

The system error code returned is
0000: 05 00 00 00

Under Provider Status it appears that the Windows Kernel Trace provider is
not enabled, i.e. it disappears from the list if I check "Show only enabled
providers".

So I guess the question is how do I enable the Windows Kernel Trace
provider?

Is it disabled by default? Or is it just broken?

Nick

OK fixed it. You have to use the Run As: field and enter your credentials
explicitly. Just leaving it as <Default> doesn't work even if you are
logged on as an Administrator. Doh.
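An added example, not code from the thread: a PowerShell check that pulls the SysmonLog event ID 2014 warnings described above out of the Application log and decodes the error bytes into a readable Win32 error (the "05 00 00 00" in the thread is a little-endian DWORD, error 5, ERROR_ACCESS_DENIED). It assumes Windows PowerShell 2.0 or later for the Get-EventLog cmdlet; the trace log name is extracted from the message text quoted in the thread.

```powershell
# Added example, not from the thread: list SysmonLog event ID 2014 warnings from
# the Application log and decode the "system error code returned is in the data"
# field. The data bytes are a little-endian 32-bit Win32 error code, so the
# "0000: 05 00 00 00" shown in the thread is error 5, ERROR_ACCESS_DENIED.
function Get-TraceLogStartFailure {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-EventLog -LogName Application -Source SysmonLog -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 2014 } |
        ForEach-Object {
            $code = $null
            $text = '(no error data in event)'
            if ($_.Data -ne $null -and $_.Data.Length -ge 4) {
                # First four data bytes, little-endian, as a signed 32-bit value
                $code = [BitConverter]::ToInt32($_.Data, 0)
                # Win32Exception turns the numeric code into the system message, e.g. 5 -> "Access is denied"
                $text = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
            }
            # Pull the trace log name out of the message text quoted in the thread
            $name = $null
            if ($_.Message -match 'trace session for the (.+?) trace log configuration') { $name = $matches[1] }
            New-Object PSObject -Property @{
                Time      = $_.TimeGenerated
                TraceLog  = $name
                ErrorCode = $code
                ErrorText = $text
            }
        }
}

# Error 5 on a 2014 event means the account the log runs under when Run As is
# left at <Default> is not the interactive Administrator and lacks the rights the
# kernel provider needs; the fix in the thread is entering explicit Run As credentials.
Get-TraceLogStartFailure | Sort-Object Time | Format-Table Time, TraceLog, ErrorCode, ErrorText -AutoSize
```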