Windows has always been annoying, always wanting to collect lots of your information. This new version of Windows is no exception. If you search your hard drive for *.ETL files you will come up with maybe 100 of them, give or take a few. Before I deleted them, I copied them all to a directory on another partition to take a look at what was in them. There were some dupe names and I should have used Xcopy to preserve the directory structure, but didn't, so some files were probably copied over multiple times. Once all the files were deleted I re-booted and only a few came back. I'm sure more will appear as time goes on, but since my system is only a few days old, I figured there were just too many of them.

The new Media Creation Tool that Windows put together for creating a Windows 10 ISO has another program buried within it called DiagTrackRunner, and here's a snippet from the log that it sends to MS after it creates your new Windows 10 ISO. It might still be active sending the other *.ETL files, but I can't say for sure one way or the other.

Code:
Copy telemetry file: source folder: C:\$WINDOWS.~BT\Sources\Panther, destination folder: C:\ProgramData\Microsoft\Diagnosis\ETLLogs
2015-07-30 19:18:36, Info Copy etl files: source: C:\$WINDOWS.~BT\Sources\Panther\DlTel-Merge.etl, destination: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl
2015-07-30 19:18:36, Info Diagtrack service is running
2015-07-30 19:18:36, Info Restart Diagtrack service successfully
2015-07-30 19:18:36, Info SP Closing Panther Logging

It doesn't look like it has caused any problems, and I fully expect them all to come back at some time in the future, and I just might create a startup cmd to del c:\*.etl /s on startup. Here's the before and after:
Code:
psexec.exe -i -s -d cmd.exe
whoami /user
del X:\*.etl

But I don't know how to operate the switches for silent. How can you make it to where at startup, the system automatically executes a cmd with SYSTEM privileges and runs the commands? Now I'm stuck...
Yea. That one did the trick. Forget about it. It doesn't work. I thought it did for a second because it said NO FILES FOUND. Sorry about the inconvenience.
Still interesting:

Code:
c:\Windows\System32\LogFiles\WMI\LwtNetLog.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagtrack-Listener.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
Zugriff verweigert
c:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTWFP-IPsec Diagnostics.etl
Zugriff verweigert
c:\Windows\System32\wfp\wfpdiag.etl
Zugriff verweigert
In the end it shows that the Telemetry in general needs an MDL-made kill-switch. Better than chasing its symptoms.
As far as I can determine there are only 4 files that refuse to be deleted:

Code:
C:\Windows\system32>del \*.etl /s
C:\Users\Al\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppTracing.etl
Access is denied.
C:\Windows\System32\LogFiles\WMI\LwtNetLog.etl
Access is denied.
C:\Windows\System32\LogFiles\WMI\Wifi.etl
Access is denied.
C:\Windows\System32\wfp\wfpdiag.etl
Access is denied.

Pretty much a kluge, but running del c:\*.etl /s periodically seems to be the easiest way to get the job done. It would be nice to be able to automate it with a script, but it's a simple batch file that can be placed on your desktop and run whenever you happen to notice it. Although I await a more elegant solution from the MDL members.
wfpdiag.etl is so locked down I can't even take effective permission on it. Near impossible. Appdata\local files have been successfully deleted... The impossible has become the possible. I deleted everything except for wfpdiag.etl. Let me check services now... to see what's causing the issue.
Would make sense to check what service is locking what file, as long as it's running; spares the hit 'n miss.
FWIW the ETL logs aren't new. I just checked my Win-7 system and there were plenty of them, 70+, but this time I xcopy'ed them all to another partition. The results were eye opening, especially in the C:\windows\system32\wdi directory. It looks like there is an entry for every day, so it's possible that you could have hundreds of the Snapshot.etl logs stored in there over time. Since I fall back on a known good image once a month there aren't that many. In fact this month I restored the base image from 7/12 so that's the earliest date. It will be interesting to monitor the growth of these files in C:\windows\system32\wdi over time in both my Win-7 and Win-10 systems. I don't know what process or service in Win-7 or Win-10 is creating these log files, nor do I know what they are used for, or if they are sent to MS. Here's what it looks like. Note this is a Win-7 system.
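An added PowerShell example, not posted by anyone in this thread, that does the three things the posts above do by hand: copy the *.etl files to another partition with their directory structure preserved (so duplicate names do not overwrite each other, as happened in the first post), print a per-directory count and size so growth in places like system32\wdi can be tracked over time, and, only when -Delete is given, record which files are in use or access-denied instead of losing them in console noise. It assumes an elevated PowerShell session, and $ArchiveRoot is a placeholder path.

```powershell
# Added example: inventory, archive and optionally remove *.etl files.
# Assumes an elevated PowerShell; D:\etl-archive is a placeholder for "another partition".
param(
    [string]$SearchRoot  = 'C:\',
    [string]$ArchiveRoot = 'D:\etl-archive',   # assumption: adjust to your own partition
    [switch]$Delete                              # nothing is removed unless this is passed
)

$etl = Get-ChildItem -Path $SearchRoot -Filter '*.etl' -File -Recurse -Force `
                     -ErrorAction SilentlyContinue

# Per-directory summary: how many files, how much space, and the oldest entry.
# Running this periodically shows which directories (e.g. system32\wdi) keep growing.
$etl | Group-Object DirectoryName | ForEach-Object {
    [pscustomobject]@{
        Directory = $_.Name
        Files     = $_.Count
        SizeKB    = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1KB, 1)
        Oldest    = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    }
} | Sort-Object Files -Descending | Format-Table -AutoSize

# Archive each file under its relative path, the way "xcopy /s" would, so that
# files with the same name in different folders do not overwrite each other.
foreach ($f in $etl) {
    $relative = $f.FullName.Substring($SearchRoot.Length).TrimStart('\')
    $dest     = Join-Path $ArchiveRoot $relative
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    try   { Copy-Item -Path $f.FullName -Destination $dest -Force -ErrorAction Stop }
    catch { Write-Warning "copy failed: $($f.FullName) ($($_.Exception.Message))" }
}

if ($Delete) {
    # Collect the paths Remove-Item could not delete (in use by a service, or
    # access denied) so they can be investigated instead of being scrolled past.
    $locked = foreach ($f in $etl) {
        try   { Remove-Item -Path $f.FullName -Force -ErrorAction Stop }
        catch { $f.FullName }
    }
    Write-Output "Files that could not be removed:"
    $locked
}
```

If it is to run unattended at boot, the usual way is a scheduled task created with `schtasks /create /sc onstart /ru SYSTEM` pointing at this script; the files it reports as locked are the ones worth checking against the running services, as suggested above.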