Difficulty finding Log/Files

Status
Not open for further replies.

srsust

Anybody have an idea what this is?

I must have set up a logging file without setting limits, but for the life of me I can't remember where. This one has reached 4.5 gigs.

WINDOWS\system32\LogFiles\WMI\trace.log

I'd really like to get rid of this monster, or at least set some limits, but not knowing what's controlling it, I'm afraid to just delete it. Anybody have a suggestion on how I should proceed?

Thanks.
SRS:confused:
 
4.5 gigs?! :eek:

Sorry, I have no idea what it is, and I can't find one on my computer. What OS is that you are using?

Here's a link (not sure if it works for you) to Microsoft's support page on trace logs. I hope this helps.

Oh, and welcome to 3DSpotlight. :)
 
Do you have a firewall program like ZoneAlarm or BlackIce ?

They both have LogFiles but I've never seen them get that big ( & generally they create this logfile in their install directory, not in winnt\system32 ).

Maybe it's a Service that you are running. Try looking in Start Menu -> Programs -> Administrative Tools -> Services

You could also try running a Scandisk, it could be a partition error giving the wrong size or something...
 
You guys are great!

Thanks to all of you for responding so quickly.

Whack0, I followed your link and checked for trace logs under Performance on my system. It was blank.

Didou, I'm going to run scandisk right after I post this.

Interesting note: The file seems to have returned to zero as of this morning.:confused:

Anyway, thanks again.

SRS
 
Oops!

Can't forget Mictlantecuhtli. I'm running XP-Pro. Event viewer shows nothing relevant. Ugh!

Thanks,
SRS
 
Persistent unwanted trace.log file

Thank you all for troubling to help me.

1. WMI Control under Services and Applications has logging active, but with a 64Kb limit on the file.

2. Performance Logs and Alerts under Services and Applications is set to manual, but has not been started.

3. The system will not permit me to rename or delete the file.

4. Task Scheduling is set to automatic, and has been started, but I can find no indication of any logging.

5. Windows Management Instrumentation and Event Logging are set to start automatically and show as started but, again, I can't find where either is set to unlimited logging.

6. I believe SYSMON in XP is Performance Monitor, a sample of which is automatically set up when XP is installed (I have no "Start>prog>acc>system tools>sysmon"). I haven't done anything with this, but in any event the log file is set to "C:\PerfLogs\System_Overview.blg" and my problem is with "\WINDOWS\system32\LogFiles\WMI\trace.log" (at this moment 2.5 gigs).

7. I was finally able to get a look at the very beginning of the trace.log file, and have attached what I found there. Perhaps this will give you a clue to identify where I might go from here.

Thanks again,
SRS
 

Attachments

  • tracelogfile.txt (7 KB)
Have you checked the end of the file? Stuff is usually added to the end.
I don't have many ideas about this... looks like a debug kernel to me. Have you tried disabling performance counters with Exctrlst? I don't know if that helps in this case though.
 
I'm downloading the Exctrlst tool concurrently with this message and will report results tomorrow.

Thanks much,
SRS
 
Activity Report

Reporting my latest efforts:

1. I downloaded the Exctrlst tool and disabled reporting. I then rebooted and found that the TRACE.LOG file was still being created and grew rapidly.

2. I found the following in the TRACE.LOG file:

N T K e r n e l L o g g e r C : \ W I N D O W S \ S y s t e m 3 2 \ L o g F i l e s \ W M I \ t r a c e . l o g

\ D e v i c e \ H a r d d i s k V o l u m e 1 \ W I N D O W S \ S y s t e m 3 2 \ L o g F i l e s \ W M I \ t r a c e . l o g

\ D e v i c e \ N e t B T _ T c p i p _ { 8 1 1 E 9 E 3 9 - 9 9 1 2 - 4 A 0 2 - 9 C 8 0 - A 8 6 4 8 F E 1 3 C F 6 } ]?

3. Assuming that the "NT Kernel Logger" was creating the file, I unsuccessfully attempted to find a relevant entry in "Administrative Tools."

If I'm correct and the TRACE.LOG file is being created by the NT Kernel Logger, I assume I can limit the file's size if I can find the control for that logger. Any ideas?

Thanks,
SRS
 
Try looking in the Performance application under the Administration Tools folder. See whether there are any Counter Logs or Trace Logs running and check the size of the log file limit on each of the running ones, if any.
 
As indicated in my last post, I looked through everything in "Administrative Tools" but could find nothing associated with the TRACE.LOG file, nor was there anything running without a reasonable limit on the log file. Any idea on how to access the NT Kernel Logger, which seems to be the culprit?

Thanks,
SRS
 
I think you've taken us a step in the right direction.

I downloaded the tracelog application and, using the query command, appear to have confirmed that the TRACE.LOG file in question is, indeed, being created and updated by the NT KERNEL LOGGER. Unfortunately, I've been unsuccessful in determining how to go about changing the parameters used by the NT KERNEL LOGGER, either for the current session or permanently, and would appreciate any suggestions along these lines. Attached is the tracelog report, preceded by the report I get when I try to change parameters.

Thanks much,
SRS
 

Attachments

  • doswindow.jpg (62.9 KB)
Good to know it was helpful. I'm not sure I can decipher what's going on with the JPG file you posted.

Anyway, try finding a way to disable the logging.
 
Mictlantecuhtli,

As indicated in the attachment, I keep getting "The parameter is incorrect" report and the subsequent query shows nothing is changed. Perhaps you could post a command line that would work. Attached is a shot of the help message.

Thanks,
SRS
 

Attachments

  • doswindow.jpg (99 KB)
Have you tried:

tracelog -stop "NT Kernel Logger"

If that doesn't work try:

tracelog -x

And if that doesn't work try:

tracelog -l

And print the output here. We'll see what happens...
 
I agree with Lokem, as it's NT Kernel Logger it should stop with -stop "NT Kernel Logger". However, there was a line "Enabled tracing: Process Thread Disk File HardFaults ImageLoad", they could be disabled with -noprocess -nothread -nodisk (well, 3 of them).
 
EXTREME apologies. I've been gone for 10 days. I'll try your suggestions and post the results.

Thanks much,
SRS
 
Well, I think we're getting somewhere. Your suggestion worked, but only for the current session, as far as I can tell. After re-booting, there's the TRACE.LOG file, growing as usual. What a hassle, particularly because TRACELOG.EXE is a DOS program. In any event, I'd hate to think the only resolution was to turn off the logging only after the system finished booting each time. That's got to slow things down during the boot process.

I've heard that others have encountered the same problem after trying BOOTVIS from MS. I did that back in January, but it didn't work (told me I didn't have a hard drive, or something), so I deleted it. But, I suppose it's possible that it left something behind. I've used REGCLEANER, but it apparently didn't identify anything on automatic, and I wasn't able to identify anything visually on manual. Oh, well . . .

Any other ideas will be very welcome, though. You guys have been great.

Thanks again,
SRS
 
Still no luck huh? This is harder to track down than I expected. What keywords did you try to find when running RegCleaner?
 
Actually, I didn't use any key words. I simply went through every single line in all sections looking for anything that might be relevant. Nada. :(

As before, any other suggestions will be most welcome.

Thanks,
SRS

P.S. By the way, I wonder if you might know how I can get into the system location where the command lines are stored for the options displayed when you right-click a file or folder in Windows Explorer? I switched to McAfee corporate edition, which doesn't provide a program file name I can use in other programs, like GetRight, to run a scan automatically when a file is downloaded. As a consequence, I have to remember to manually run a scan after I'm through with what I'm doing at the moment. Please let me know, when you have an opportunity, if this is something you're familiar with.

Thanks again for all your help.
SRS
 
Actually, I didn't use any key words. I simply went through every single line in all sections looking for anything that might be relevant. Nada. :(

Gasp... You went through the ENTIRE registry? Wow... That's amazing! Perhaps you can try finding again. This time, use the search feature. You'll never know what you missed out. Try looking for something like:

tracelog.exe
trace.log

There's also a possibility that the program is started somewhere in the startup menu. Load up msconfig under the Run menu and click on the StartUp folder. See if there's any menu item which resembles the aforementioned tracelog items.

P.S. By the way, I wonder if you might know how I can get into the system location where the command lines are stored for the options displayed when you right-click a file or folder in Windows Explorer? I switched to McAfee corporate edition, which doesn't provide a program file name I can use in other programs, like GetRight, to run a scan automatically when a file is downloaded. As a consequence, I have to remember to manually run a scan after I'm through with what I'm doing at the moment. Please let me know, when you have an opportunity, if this is something you're familiar with.

Are you referring to the file location of the program? Which in this case is the McAfee virus scan executable program file?
 
trace.log

Hi!
I guess I found your problem with the huge trace.log file.
Did you use bootvis.exe from Microsoft?
Yes? --> Start the program and stop tracing, found in the menu.
Please let me know whether this solved your problem or not.
ciao -javagif-
 