Windows 10 Event Logs

Discussion in 'Windows 10' started by Palladin, Mar 31, 2023.

  1. raptorddd (MDL Addicted)
  2. raptorddd (MDL Addicted)
  3. Blueingreen (MDL Junior Member)
    Interesting, but there's a downside: stopping “Windows-Kernel-Licensing-StartService-Trigger” Trace Provider moves Office into unlicensed status. Possibly Windows as well.
    I had managed to stop and delete UBPM running Performance Monitor as TrustedInstaller, but - let alone the Office issue - gave up because it is restored on next reboot anyway.
    A few trace sessions seem critical and cannot be turned off easily. Pretty stubborn stuff.

    My list (LTSC 2021):

    Data Collector Set          Type   Status
    -----------------------------------------
    Eventlog-Security           Trace  Running
    EventLog-Application        Trace  Running
    EventLog-System             Trace  Running
    UserNotPresentTraceSession  Trace  Running
    UBPM                        Trace  Running
     
  4. Ace2 (MDL Expert)
    #84 Ace2, May 2, 2023
    Last edited: May 2, 2023
    My Windows 10 EnterpriseS (OS Build 19041.1)

    Code:
    Windows Event Log:
    sc config EventLog start= disabled
    
    Network List Service:
    sc config netprofm start= disabled
    
    Network Location Awareness:
    sc config NlaSvc start= disabled
    
    Goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc / DependOnService remove EventLog
    
    Run %windir%\system32\compmgmt.msc with PowerRun
    
    Goto Performance\Data Collector Sets\
    
    Event Trace Sessions
    Startup Event Trace Sessions
    
    Disable all & Restart PC.
    
    NOTES:
    Eventlog-Security will NOT disable.
    Code:
    Event Trace Sessions:

    Name                        Status
    UBPM                        Running
    UserNotPresentTraceSession  Running
    SgrmEtwSession              Running

    Startup Event Trace Sessions:

    Name                                          Status
    AutoLogger-Diagtrack-Listener                 Disabled
    Cellcore                                      Disabled
    Circular Kernel Context Logger                Disabled
    CloudExperienceHostOobe                       Disabled
    DataMarket                                    Disabled
    DiagLog                                       Disabled
    EventLog-Application                          Disabled
    EventLog-Security                             Disabled
    EventLog-System                               Disabled
    LwtNetLog                                     Disabled
    Mellanox-Kernel                               Disabled
    Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace   Disabled
    Microsoft-Windows-Setup                       Disabled
    NBSMBLOGGER                                   Disabled
    NetCore                                       Disabled
    NtfsLog                                       Disabled
    PEAuthLog                                     Disabled
    RadioMgr                                      Disabled
    RdrLog                                        Disabled
    ReadyBoot                                     Enabled
    SetupPlatform                                 Disabled
    SetupPlatformTel                              Disabled
    SpoolerLogger                                 Disabled
    TCPIPLOGGER                                   Disabled
    TileStore                                     Disabled
    Tpm                                           Disabled
    UBPM                                          Disabled
    WdiContextLog                                 Disabled
    WFP-IPsec Trace                               Disabled
    WiFiDriverIHVSession                          Disabled
    WiFiDriverIHVSessionRepro                     Disabled
    WiFiSession                                   Disabled
    WinPhoneCritical                              Disabled
    
     
  5. raptorddd (MDL Addicted)
    How do you run this? PowerShell as admin or TrustedInstaller? I did TrustedInstaller and still some are running.

    [attached screenshot: Capture.PNG]
     
  6. Dark Dinosaur (X Æ A-12)
    How did you manage to install updates?
    WU won't run if you disable this:
    sc config EventLog start= disabled

    Do you install updates manually?
     
  7. Ace2 (MDL Expert)
    TrustedInstaller
     
  8. Ace2 (MDL Expert)
    I don't install updates ever, never have.
    I only show installing updates on [Windows Editions Reconstruction Project] to show the image can still be updated. ;)
     
  9. Dark Dinosaur (X Æ A-12)
    OK ... so I must guess it is an offline system ... :confused:
     
  10. Ace2 (MDL Expert)
    No.
    Online, used for Google, movies, TV shows, YouTube and so on... and some older games.
     
  11. haz367 (MDL Addicted)
    This piece of code disabled (all) "Startup Event Trace Sessions" on a live system. No TI used.

    Code:
    @echo off

    REM * Disable Other (Telemetry) LOGGERS
    REM Compatibility Assistant tracing switches (0 = off)
    ECHO:

    FOR %%I in (InstallInfoCheck,ARPInfoCheck,MediaInfoCheck,FileInfoCheck) DO (
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Tracing" /V %%I /T REG_DWORD /D 0 /F >NUL
    )

    ECHO:

    REM This >>
    REM AutoLogger sessions: Start = 0 tells the kernel not to start the session at boot (1 = start).
    REM These keys are written under ControlSet001; the control set in use is the one CurrentControlSet points to.

    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AITEventLog" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Audio" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\DiagLog" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Microsoft-Windows-Setup" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\EventLog-AirSpaceChannel" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\NBSMBLOGGER" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\NtfsLog" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\PEAuthLog" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\PerfPipeUserSession:0" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\PerfPipeUserSession:1" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\PerfPipeUserSession:2" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\PerfPipeUserSession:3" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\RAC_PS" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\RdrLog" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\ReadyBoot" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\TCPIPLOGGER" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Tpm" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\UBPM" /V Start /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\WdiContextLog" /V "Start" /T REG_DWORD /D 0 /F >NUL
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\WFP-IPsec Trace" /V "Start" /T REG_DWORD /D 0 /F >NUL


    Not sure about the ones you posted in the screenshot?!

    Verify
    Code:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger
    Add the ones you see in the screenshot and re-apply the script to see if those are disabled...

    Have pfun :p
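
    An added audit example, written for this thread and not code from any of the posters: it reads the same locations that the procedure in post 4 (EventLog service start type, NlaSvc DependOnService) and the batch file above (AutoLogger Start values) modify, and reports anything that no longer matches a baseline. Assumptions: Windows 10, run as Administrator; the baseline list of sessions expected to start at boot is constructed from the names quoted in this thread, not an official Microsoft list. It also resolves the active control set from HKLM\SYSTEM\Select, because the batch writes ControlSet001 unconditionally while the live configuration is whatever CurrentControlSet points to.

```powershell
# Editor-added example (not from this thread). Audits boot-time ETW AutoLogger sessions,
# the Event Log service start type, and the NlaSvc dependency list against a baseline.
# Assumptions: Windows 10, elevated session; $expectedEnabled is a constructed baseline.

# The batch in this thread writes ControlSet001 unconditionally; look at the control set
# that is actually active so the audit reflects the live configuration.
$current       = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
$activeSet     = 'ControlSet{0:D3}' -f $current
$autoLoggerKey = "HKLM:\SYSTEM\$activeSet\Control\WMI\AutoLogger"
"Active control set: $activeSet"

# AutoLogger sessions that back the Windows event logs and should start at boot
# on a normal client (constructed baseline from the session names in this thread).
$expectedEnabled = @('EventLog-Application', 'EventLog-Security', 'EventLog-System')

# Under each AutoLogger subkey, Start = 1 means the kernel starts the session at boot,
# Start = 0 means it does not (the value the batch above writes).
$report = foreach ($key in Get-ChildItem -Path $autoLoggerKey) {
    $start   = (Get-ItemProperty -Path $key.PSPath).Start
    $finding = if ($expectedEnabled -contains $key.PSChildName -and $start -ne 1) {
        'EXPECTED ON, NOT STARTING'
    } elseif ($null -eq $start) {
        'NO Start VALUE'
    } else {
        ''
    }
    [pscustomobject]@{ Session = $key.PSChildName; Start = $start; Finding = $finding }
}
$report | Sort-Object -Property Session | Format-Table -AutoSize
foreach ($row in $report | Where-Object { $_.Finding }) {
    Write-Warning "$($row.Session): $($row.Finding)"
}

# Event Log service start type: "sc config EventLog start= disabled" shows up here as 'Disabled'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
"EventLog service: State=$($svc.State) StartMode=$($svc.StartMode)"
if ($svc.StartMode -ne 'Auto') { Write-Warning 'EventLog service start type is not Automatic' }

# NlaSvc dependency list: post 4 removes EventLog from DependOnService (REG_MULTI_SZ).
$nla = Get-ItemProperty -Path "HKLM:\SYSTEM\$activeSet\Services\NlaSvc"
if ($nla.DependOnService -notcontains 'EventLog') {
    Write-Warning 'NlaSvc no longer lists EventLog in DependOnService'
}
```

    Run it from an elevated PowerShell prompt; every line that ends in a warning is a deviation from the baseline worth explaining in a review, and the table gives the full Start state of each boot session so the output can be diffed against a known-good machine.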
     
  12. haz367 (MDL Addicted)
    EventLog-System Trace Running

    Seems stubborn on an old x86 system... :p
     
  13. raptorddd (MDL Addicted)
    They don't show up in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger,
    only MpWppTracing-07202016-140038-00000003-ffffffff, but still it's running.. I can set all to disabled on startup, but they'll show running on Event Trace Sessions.

    I need to clean install Windows, but I would like to know how to stop them instead; I think they can't be disabled..
    I already tried the scheduler task, but I'm pretty sure I'm doing something wrong.

    I created an XML file ... have NSudo in C:\Windows and created a cmd file and placed it in C:\Windows,
    opened Task Scheduler, imported the XML, and I guess that's it.. but this code:

    Code:
    schtasks /Create /F /TN "Disable UBPM Logging" /XML C:\Disable_UBPM_LOG.xml

    I don't know what to do with the code above...

    Without using the code above,
    I ran the scheduler and restarted, but then the Scheduler and Computer Management don't open... I have to go into safe mode and delete the cmd file in C:\Windows.

    And if I find a way to have it stop, how can I do the same for the ones running in the picture???
     
  14. haz367 (MDL Addicted)
    #94 haz367, May 3, 2023
    Last edited: May 3, 2023
    Some of the ones you showed here in the screenshot are not on my system. Either an old x86 that I always use... or a fresh Windows 7 system. Some could be added from other software?!

    The others as shown in the screenshot must be disabled by running that piece of code I posted, as they are disabled here after running the batch file, except for EventLog-System on my old x86 system (I did run the batch on a live system; I never tested this before on this one)...

    On a fresh Windows 7 install with a specialize.cmd/setupcomplete.cmd... all are disabled; only UBPM is running on that system, as you could see from the screenshot I posted before.

    Must be something in those scripts. Can't say for sure atm, must redo to see... :p

    About the Task Scheduler script:

    1) Save NSudoLC.exe into C:\Windows\System32
    2) Save the batch into C:\Windows
    3) Save the XML somewhere you like...
    4) Then run the SCHTASKS command and point it to the XML

    After rebooting the system, the task runs hidden on startup and removes (at least) the UBPM one...
     
  15. raptorddd (MDL Addicted)
    Thanks,
    I got it... but I could only get rid of UserNotPresentTraceSession, as UBPM is needed for Windows Update..
    I'm going to clean install..
     
  16. haz367 (MDL Addicted)
    #96 haz367, May 3, 2023
    Last edited: May 3, 2023
    deleted...
     
  17. haz367 (MDL Addicted)
    Hey :)

    After running an older LTSC 2019 to see if UBPM is required for WU to work (although it's really slow scanning there... :p): WU works just fine if that one is disabled. Not sure about the rest.

    Code:
    NSudoLC -U:T -P:E logman stop -n WindowsUpdate.20230504.012953.133.1 -ets
    NSudoLC -U:T -P:E logman stop -n 8696EAC4-1288-4288-A4EE-49EE431B0AD9 -ets
    NSudoLC -U:T -P:E logman stop -n UserNotPresentTraceSession -ets
    NSudoLC -U:T -P:E logman stop -n EventLog-System -ets
    NSudoLC -U:T -P:E logman stop -n EventLog-Application -ets
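
    An added detection example, written for this thread and not code from any of the posters: the two posts above describe stopping live trace sessions with logman from a hidden startup task run through NSudoLC, and this script checks for both halves of that pattern from the defender's side. Assumptions: Windows 10 with the EventTracingManagement module (its Get-EtwTraceSession cmdlet lists the same sessions as "logman query -ets" or the Computer Management view used in this thread); run as Administrator; the list of sessions expected to be live is constructed from the names quoted in this thread.

```powershell
# Editor-added example (not from this thread). Checks that the ETW sessions backing the
# Windows event logs are still live and looks for scheduled tasks whose action invokes
# "logman stop" or NSudo, the pattern described in the posts above.
# Assumptions: Windows 10, elevated session, EventTracingManagement module present;
# $expectedLive is a constructed baseline.

$expectedLive = @('EventLog-Application', 'EventLog-Security', 'EventLog-System')

# 1. Live sessions. Get-EtwTraceSession returns one object per active session; SessionName
#    is the name shown under Event Trace Sessions in Computer Management.
$live    = (Get-EtwTraceSession).SessionName
$missing = $expectedLive | Where-Object { $live -notcontains $_ }
if ($missing) {
    Write-Warning ('Event log trace sessions not running: ' + ($missing -join ', '))
} else {
    'All event log trace sessions are running.'
}

# 2. Scheduled tasks whose command line references logman stop or NSudo. Each task action
#    exposes Execute (the program) and Arguments; both are joined so a match in either hits.
$pattern = 'logman\s+stop|NSudo'
$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match $pattern) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                State   = $task.State
                Command = $cmdline
            }
        }
    }
}
if ($hits) {
    Write-Warning "$(@($hits).Count) scheduled task(s) reference logman stop or NSudo:"
    $hits | Format-Table -AutoSize
} else {
    'No scheduled task references logman stop or NSudo.'
}
```

    A session that is absent from the live list while its AutoLogger Start value is still 1 was stopped after boot rather than disabled in the registry, which is exactly the case a startup task like the one above produces; the task listing tells you where to look next.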
    
     
  18. raptorddd (MDL Addicted)
    You are right, it does work... I just tested, UBPM is disabled.. But why I said it didn't work before.... well, when you disable and restart, then try to open Computer Management and see all the traces, it just doesn't open.... Then I tried to open Windows Update... same blank screen and loading bar.... But I was doing something else when all of a sudden Computer Management opened; it took like a minute or more to open.. Then I checked: UBPM is gone.. Then I opened Windows Update and this time it shows available updates etc.
    Thanks, I ran a script I was just testing.. so clean install again....