Windows 10 Extended Trace Log files (.ETL)

Discussion in 'Windows 10' started by Palladin, Aug 1, 2015.

  1. Palladin

    Palladin MDL Senior Member

    Feb 1, 2014
    335
    139
    10
    #1 Palladin, Aug 1, 2015
    Last edited by a moderator: Apr 20, 2017
    Windows has always been annoying always wanting to collect lots of your information. This new version of Windows is no exception.

    If you search your hard drive for *.ETL files you will come up with maybe 100 of them, give or take a few. Before I deleted them, I copied them all to a directory on another partition to take a look at what was in them. There were some dupe names and I should have used Xcopy to preserve the directory structure, but didn't, so some files were probably copied over multiple times.

    Once all the files were deleted I re-booted and only a few came back. I'm sure more will appear as time goes on, but since my system is only a few days old, I figured there were just too many of them.

    The new Media Creation Tool that Windows put together to make creating a Windows 10 ISO, has another program buried within it called DiagTrackRunner and here's a snippet from the log that it send to MS after it creates your new Windows 10 ISO. It might still be active sending the other *.ETL files, but I can't say for sure one way or the other.

    Code:
     Copy telemetry file: source folder: C:\$WINDOWS.~BT\Sources\Panther, destination folder: C:\ProgramData\Microsoft\Diagnosis\ETLLogs
    2015-07-30 19:18:36, Info                         Copy etl files: source: C:\$WINDOWS.~BT\Sources\Panther\DlTel-Merge.etl, destination: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl
    2015-07-30 19:18:36, Info                         Diagtrack service is running
    2015-07-30 19:18:36, Info                         Restart Diagtrack service successfully
    2015-07-30 19:18:36, Info                  SP     Closing Panther Logging
    
    It doesn't look like it has caused any problems, and I fully expect them all to come back at some time in the future, and I just might create a startup cmd to del c:\*.etl /s on startup. ;)

    Here's the before and after:
     

    Attached Files:

  2. compgen_1534

    compgen_1534 MDL Addicted

    Jul 26, 2015
    510
    272
    30
    I think I got it.

    I opened a comand prompt with SYSTEM privileges and it seems like it deleted them
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,691
    22,574
    340
    How you did?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. compgen_1534

    compgen_1534 MDL Addicted

    Jul 26, 2015
    510
    272
    30
    #4 compgen_1534, Aug 1, 2015
    Last edited: Aug 1, 2015
    psexec.exe -i -s -d cmd.exe

    whoami /user

    del X:\*.etl

    But I don't know how to operate the switches for silent. :confused:

    How can you make it to where at startup, the system automatically executes a cmd with SYSTEM privileges and runs the commands
    Now i'm stuck...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Palladin

    Palladin MDL Senior Member

    Feb 1, 2014
    335
    139
    10
    What is psexec.exe :confused:
    Do you mean the one from SysInternals?
     
  6. compgen_1534

    compgen_1534 MDL Addicted

    Jul 26, 2015
    510
    272
    30
    #6 compgen_1534, Aug 1, 2015
    Last edited: Aug 1, 2015
    Yea. That one did the trick.

    Forget about it.

    It doesn't work
    I thought it did for a second cause it said NO FILES FOUND

    :thinking:

    Sorry about the incovenience.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,691
    22,574
    340
    #7 s1ave77, Aug 1, 2015
    Last edited by a moderator: Apr 20, 2017
    Still interesting:

    Code:
    c:\Windows\System32\LogFiles\WMI\LwtNetLog.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagtrack-Listener.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
    Zugriff verweigert
    c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTWFP-IPsec Diagnostics.etl
    Zugriff verweigert
    c:\Windows\System32\wfp\wfpdiag.etl
    Zugriff verweigert
    
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,691
    22,574
    340
    In the end it shows that the Telemetry in general needs a MDL made Kill-Switch. Better than chasing it's symptoms.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. compgen_1534

    compgen_1534 MDL Addicted

    Jul 26, 2015
    510
    272
    30
    Unlock the folders by invoking the takeown commands
    And that fixes the issue in a jiff...

    I think :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  10. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,691
    22,574
    340
    Kill-Switch + MDL = FTW! :cool2:.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Palladin

    Palladin MDL Senior Member

    Feb 1, 2014
    335
    139
    10
    #11 Palladin, Aug 1, 2015
    Last edited by a moderator: Apr 20, 2017
    (OP)
    As far as I can determine there are only 4 files that refuse to be deleted:

    Code:
    C:\Windows\system32>del \*.etl /s
    C:\Users\Al\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing.etl
    Access is denied.
    C:\Windows\System32\LogFiles\WMI\LwtNetLog.etl
    Access is denied.
    C:\Windows\System32\LogFiles\WMI\Wifi.etl
    Access is denied.
    C:\Windows\System32\wfp\wfpdiag.etl
    Access is denied.
    
    Pretty much a kluge but running del c:\*.etl /s periodically seems to be the easiest way to get the job done. It would be nice to be able to automate it with a script, but it's a simple batch file that can be placed on your desktop and run whenever you happen to notice it.

    Although I await a more elegant solution from the MDL members. :biggrin:

    .
     
  12. compgen_1534

    compgen_1534 MDL Addicted

    Jul 26, 2015
    510
    272
    30
    #12 compgen_1534, Aug 1, 2015
    Last edited by a moderator: Apr 20, 2017
    wfpdiag.etl is so locked down I can't even take effective permission on it.

    Near impossible :thinking:

    Appdata\local files have been successfully deleted...

    The impossible has become the possible :D

    I deleted everything except for wfpdiag.etl

    Let me check services now... To see what's causing the issue
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Aug 15, 2012
    15,691
    22,574
    340
    Would make sense to check what service is locking what file, as long as it's running, spares the hit 'n miss :cool2:.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. Palladin

    Palladin MDL Senior Member

    Feb 1, 2014
    335
    139
    10
    #14 Palladin, Aug 1, 2015
    Last edited: Aug 2, 2015
    (OP)
    FWIW the ETL logs aren't new. I just checked my Win-7 system and there were plenty of them, 70+ but this time I xcopy'ed them all to another partition. The results were eye opening especially in the C:\windows\system32\wdi directory. It looks like there is an entry for every day, so it's possible that you could have hundreds of the Snapshot.etl logs stored in there over time.

    Since I fall back on a known good image once a month there aren't that many. I fact this month I restored the base image from 7/12 so that's the earliest date. I will be interesting to monitor the growth of these files in C:\windows\system32\wdi over time in both my Win-7, and Win-10 systems.

    I don't know what process or service in Win-7 or Win-10 is creating these log files, nor do I know what they are used for, or if they are sent to MS.

    Here's what it looks like. Note this is a Win-7 system.

    Win-7-etl-logs.png Win-7-etl-logs-left-after-deletion.png