Difficulty finding Log/Files

By srsust
Mar 11, 2002
    Anybody have an idea what this is?

    I must have set up a logging file without setting limits, but for the life of me I can't remember where. This one has reached 4.5 gigs.


    I'd really like to get rid of this monster, or at least set some limits, but not knowing what's controlling it, I'm afraid to just delete it. Anybody have a suggestion on how I should proceed?

  Whack0

    Whack0 TS Rookie Posts: 166

    4.5 gigs?! :eek:

    Sorry, I have no idea what it is, and I can't find one on my computer. What OS is that you are using?

    Here's a link (not sure if it works for you) to Microsoft's support page on trace logs. I hope this helps.

    Oh, and welcome to 3DSpotlight. :)
  Didou

    Didou Bowtie extraordinair! Posts: 4,274

    Do you have a firewall program like ZoneAlarm or BlackIce?

    They both have LogFiles but I've never seen them get that big (& generally they create this logfile in their install directory, not in winnt\system32).

    Maybe it's a Service that you are running. Try looking in Start Menu -> Programs -> Administrative Tools -> Services

    You could also try running a Scandisk, it could be a partition error giving the wrong size or something...
  Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    Running XP? Not Win2k Server? Check Event Viewer logs for abnormalities.
  srsust

    srsust TS Rookie Topic Starter

    You guys are great!

    Thanks to all of you for responding so quickly.

    Whack0, I followed your link and checked for trace logs under Performance on my system. It was blank.

    Didou, I'm going to run scandisk right after I post this.

    Interesting note: The file seems to have returned to zero as of this morning. :confused:

    Anyway, thanks again.

  srsust

    srsust TS Rookie Topic Starter


    Can't forget Mictlantecuhtli. I'm running XP-Pro. Event viewer shows nothing relevant. Ugh!

  srsust

    srsust TS Rookie Topic Starter

    Persistent unwanted trace.log file

    Thank you all for troubling to help me.

    1. WMI Control under Services and Applications has logging active, but with a 64Kb limit on the file.

    2. Performance Logs and Alerts under Services and Applications is set to manual, but has not been started.

    3. The system will not permit me to rename or delete the file.

    4. Task Scheduling is set to automatic, and has been started, but I can find no indication of any logging.

    5. Windows Management Instrumentation and Event Logging are set to start automatically and show as started but, again, I can't find where either is set to unlimited logging.

    6. I believe SYSMON in XP is Performance Monitor, a sample of which is automatically set up when XP is installed (I have no "Start>prog>acc>system tools>sysmon"). I haven't done anything with this, but in any event the log file is set to "C:\PerfLogs\System_Overview.blg" and my problem is with "\WINDOWS\system32\LogFiles\WMI\trace.log" (at this moment 2.5 gigs).

    7. I was finally able to get a look at the very beginning of the trace.log file, and have attached what I found there. Perhaps this will give you a clue to identify where I might go from here.

    Thanks again,


  Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    Have you checked the end of the file? Stuff is usually added to the end.
    I don't have many ideas about this... looks like a debug kernel to me. Have you tried disabling performance counters with Exctrlst? I don't know if that helps in this case though.
  srsust

    srsust TS Rookie Topic Starter

    I'm downloading the Exctrlst tool concurrently with this message and will report results tomorrow.

    Thanks much,
  srsust

    srsust TS Rookie Topic Starter

    Activity Report

    Reporting my latest efforts:

    1. I downloaded the Exctrlst tool and disabled reporting. I then rebooted and found that the TRACE.LOG file was still being created and grew rapidly.

    2. I found the following in the TRACE.LOG file:

    N T K e r n e l L o g g e r C : \ W I N D O W S \ S y s t e m 3 2 \ L o g F i l e s \ W M I \ t r a c e . l o g

    \ D e v i c e \ H a r d d i s k V o l u m e 1 \ W I N D O W S \ S y s t e m 3 2 \ L o g F i l e s \ W M I \ t r a c e . l o g

    \ D e v i c e \ N e t B T _ T c p i p _ { 8 1 1 E 9 E 3 9 - 9 9 1 2 - 4 A 0 2 - 9 C 8 0 - A 8 6 4 8 F E 1 3 C F 6 } ]?

    3. Assuming that the "NT Kernel Logger" was creating the file, I unsuccessfully attempted to find a relevant entry in "Administrative Tools."

    If I'm correct and the TRACE.LOG file is being created by the NT Kernel Logger, I assume I can limit the file's size if I can find the control for that logger. Any ideas?
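
Added example, not part of the original thread: the spaced-out letters quoted in the post above are what UTF-16LE text looks like when viewed one byte at a time. This Python sketch reads only the first few kilobytes of a log and pulls out such strings to show which logger session and file path the header names; the function names and the SAMPLE bytes are constructed for illustration.

```python
import re

# Runs of printable ASCII characters, each followed by a NUL byte: UTF-16LE text.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def wide_strings(data, limit=4096):
    """Return UTF-16LE strings found in the first `limit` bytes of `data`."""
    return [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data[:limit])]


def describe_log_header(data):
    """Split header strings into a candidate session name and path-like strings."""
    found = wide_strings(data)
    # Drive-letter paths (C:\...) and NT device paths (\Device\...).
    paths = [s for s in found if s.startswith("\\") or s[1:3] == ":\\"]
    names = [s for s in found if s not in paths]
    return {"session": names[0] if names else None, "paths": paths}


def read_head(path, size=4096):
    """Read only the first `size` bytes, so a multi-gigabyte log is never loaded whole."""
    with open(path, "rb") as fh:
        return fh.read(size)


# Constructed sample: arbitrary binary padding followed by the strings quoted in
# the post, encoded as NUL-terminated UTF-16LE. Not bytes from a real trace file.
SAMPLE = (
    b"\x00\x10\x00\x00\x02\x00\xc0\x01" * 4
    + "NT Kernel Logger\0".encode("utf-16-le")
    + "C:\\WINDOWS\\System32\\LogFiles\\WMI\\trace.log\0".encode("utf-16-le")
    + b"\xff\xfe\x01\x02"
    + "\\Device\\HarddiskVolume1\\WINDOWS\\System32\\LogFiles\\WMI\\trace.log\0".encode("utf-16-le")
)

if __name__ == "__main__":
    info = describe_log_header(SAMPLE)
    print("session:", info["session"])
    for p in info["paths"]:
        print("path:   ", p)
```

On a live system the file may be locked by the logger, so `read_head` can fail with a sharing violation until the session is stopped.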

  lokem

    lokem TS Rookie Posts: 672

    Try looking in the Performance application under the Administration Tools folder. See whether there are any Counter Logs or Trace Logs running and check the size of the log file limit on each of the running ones if any.
  srsust

    srsust TS Rookie Topic Starter

    As indicated in my last post, I looked through everything in "Administrative Tools" but could find nothing associated with the TRACE.LOG file, nor was there anything running without a reasonable limit on the log file. Any idea on how to access the NT Kernel Logger, which seems to be the culprit?

  lokem

    lokem TS Rookie Posts: 672

    Hmm... I've found something related to the NT Kernel Logger. Not sure whether it's relevant as it's for Win2k, but you can give it a shot:


    That command is only available with the resource kit. I've searched in my own WinXP system and I can't find the exe file. Try looking for the same file in yer system and see whether you can find it or not.
  srsust

    srsust TS Rookie Topic Starter

    I think you've taken us a step in the right direction.

    I downloaded the tracelog application and, using the query command, appear to have confirmed that the TRACE.LOG file in question is, indeed, being created and updated by the NT KERNEL LOGGER. Unfortunately, I've been unsuccessful in determining how to go about changing the parameters used by the NT KERNEL LOGGER, either for the current session or permanently, and would appreciate any suggestions along these lines. Attached is the tracelog report, preceded by the report I get when I try to change parameters.

    Thanks much,


  Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    Win2k Resource Kit Help files could help now.. doesn't tracelog -? help?
  lokem

    lokem TS Rookie Posts: 672

    Good to know it was helpful. I'm not sure I can decipher what's going on with the JPG file you posted.

    Anyway, try finding a way to disable the logging.
  srsust

    srsust TS Rookie Topic Starter


    As indicated in the attachment, I keep getting a "The parameter is incorrect" report and the subsequent query shows nothing is changed. Perhaps you could post a command line that would work. Attached is a shot of the help message.



  lokem

    lokem TS Rookie Posts: 672

    Have you tried:

    tracelog -stop "NT Kernel Logger"

    If that doesn't work try:

    tracelog -x

    And if that doesn't work try:

    tracelog -l

    And print the output here. We'll see what happens...
  Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,345   +11

    I agree with Lokem, as it's NT Kernel Logger it should stop with -stop "NT Kernel Logger". However, there was a line "Enabled tracing: Process Thread Disk File HardFaults ImageLoad", they could be disabled with -noprocess -nothread -nodisk (well, 3 of them).
  srsust

    srsust TS Rookie Topic Starter

    EXTREME apologies. I've been gone for 10 days. I'll try your suggestions and post the results.

    Thanks much,
  srsust

    srsust TS Rookie Topic Starter

    Well, I think we're getting somewhere. Your suggestion worked, but only for the current session, as far as I can tell. After re-booting, there's the TRACE.LOG file, growing as usual. What a hassle, particularly because TRACELOG.EXE is a DOS program. In any event, I'd hate to think the only resolution was to turn off the logging only after the system finished booting each time. That's got to slow things down during the boot process.

    I've heard that others have encountered the same problem after trying BOOTVIS from MS. I did that back in January, but it didn't work (told me I didn't have a hard drive, or something), so I deleted it. But, I suppose it's possible that it left something behind. I've used REGCLEANER, but it apparently didn't identify anything on automatic, and I wasn't able to identify anything visually on manual. Oh, well . . .

    Any other ideas will be very welcome, though. You guys have been great.

    Thanks again,
  lokem

    lokem TS Rookie Posts: 672

    Still no luck huh? This is harder to track down than I expected. What keywords did you try to find when running RegCleaner?
  srsust

    srsust TS Rookie Topic Starter

    Actually, I didn't use any key words. I simply went through every single line in all sections looking for anything that might be relevant. Nada. :(

    As before, any other suggestions will be most welcome.


    P.S. By the way, I wonder if you might know how I can get into the system location where the command lines are stored for the options displayed when you right-click a file or folder in Windows Explorer? I switched to McAfee corporate edition, which doesn't provide a program file name I can use in other programs, like GetRight, to run a scan automatically when a file is downloaded. As a consequence, I have to remember to manually run a scan after I'm through with what I'm doing at the moment. Please let me know, when you have an opportunity, if this is something you're familiar with.

    Thanks again for all your help.
  lokem

    lokem TS Rookie Posts: 672

    Gasp... You went through the ENTIRE registry? Wow... That's amazing! Perhaps you can try finding again. This time, use the search feature. You'll never know what you missed out. Try looking for something like:


    There's also a possibility that the program is started somewhere in the startup menu. Load up msconfig under the Run menu and click on the StartUp folder. See if there's any menu item which resembles the aforementioned tracelog items.

    Are you referring to the file location of the program? Which in this case is McAfee's virus scan executable program file?
  javagif

    javagif TS Rookie


    Hi!
    Guess I found your problem with the huge trace.log file.
    Did you use bootvis.exe from Microsoft?
    Yes? --> Start the program and stop tracing, found in the menu.
    Please let me know whether this solved your problem or not.
    ciao -javagif-
