Case of the Win10 Windows Performance Recorder Trace That Wouldn’t Stop

Disk space kept rapidly disappearing on my C: drive…

Using WinDirStat (https://windirstat.info/), it was evident that the majority of the space was taken up by 40GB+ ETL files in my TEMP folder.

Running wpr -status showed no traces running.


Searching the registry with RegScanner ( http://www.nirsoft.net/utils/regscanner.html ) for the filename WPR_initiated_WprApp_WPR Event Collector.etl, we found the culprits under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger, in the keys:

  • WPR_initiated_WprApp_WPR Event Collector
  • WPR_initiated_WprApp_WPR System Collector

Checking the GUID subkeys and looking at the provider name in each, we could see the trace was monitoring the following providers:

  • Microsoft-Antimalware-Engine
  • Microsoft-Windows-DNS-Client
  • Microsoft-Windows-URLMon
  • Microsoft-Windows-Shell-Core
  • Microsoft-Windows-NCSI
  • Microsoft-Windows-Kernel-Power
  • Microsoft-Windows-WinINet
  • Microsoft-JScript
  • Microsoft-IEFRAME
  • Microsoft-Windows-BootUX
  • Microsoft-Antimalware-Service
  • IE7
  • Microsoft-Windows-Win32k
  • Microsoft-Antimalware-RTP
  • Microsoft-Windows-WLAN-AutoConfig
  • Microsoft-IE
  • Microsoft-Windows-PDC
  • Microsoft-Windows-Kernel-EventTracing
  • Microsoft-Antimalware-AMFilter
  • Microsoft-Windows-ProcessStateManager
  • Microsoft-Windows-DotNETRuntime
  • Microsoft-Antimalware-Protection
  • Microsoft-Windows-BrokerInfrastructure

Best of all, the max file size was set to 0 (unlimited).

Not sure how this trace got started, but removing the keys stopped it taking up all my disk space…
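The manual registry check above can be scripted as a read-only audit. This is an added example, not part of the original post: it lists every AutoLogger session with its log file, current size on disk and providers, and flags sessions that start at boot with MaxFileSize explicitly set to 0. The function name and the provider-name lookup under the WINEVT\Publishers key are assumptions of this example.

```powershell
# Added example: read-only audit of ETW AutoLogger sessions (run elevated).
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger'
# Assumption: manifest-based provider names are registered by GUID under this key.
$publishers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'

function Get-AutoLoggerReport {   # hypothetical helper name
    param([string]$Path = $root)

    foreach ($session in Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -LiteralPath $session.PSPath

        # FileName may contain environment variables such as %SystemRoot%.
        $file = if ($props.FileName) {
            [Environment]::ExpandEnvironmentVariables($props.FileName)
        }
        $sizeGB = if ($file -and (Test-Path -LiteralPath $file)) {
            [math]::Round((Get-Item -LiteralPath $file).Length / 1GB, 2)
        }

        # Each subkey of a session key is a provider GUID; resolve a name if we can.
        $providers = foreach ($p in Get-ChildItem -LiteralPath $session.PSPath -ErrorAction SilentlyContinue) {
            $pub = Get-ItemProperty -LiteralPath (Join-Path $publishers $p.PSChildName) -ErrorAction SilentlyContinue
            if ($pub.'(default)') { $pub.'(default)' } else { $p.PSChildName }
        }

        [pscustomobject]@{
            Session       = $session.PSChildName
            WprInitiated  = $session.PSChildName -like 'WPR_initiated_*'
            Start         = $props.Start          # 1 = session starts at boot
            MaxFileSizeMB = $props.MaxFileSize    # 0 = no size limit
            # Flag only an explicit 0; a missing value is not treated as unlimited.
            Unbounded     = ($props.Start -eq 1) -and ($null -ne $props.MaxFileSize) -and ($props.MaxFileSize -eq 0)
            FileSizeGB    = $sizeGB
            FileName      = $file
            Providers     = ($providers -join ', ')
        }
    }
}

Get-AutoLoggerReport |
    Sort-Object -Property Unbounded, FileSizeGB -Descending |
    Format-List Session, WprInitiated, Start, MaxFileSizeMB, Unbounded, FileSizeGB, FileName, Providers
```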

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

One Response to Case of the Win10 Windows Performance Recorder Trace That Wouldn’t Stop

  1. If you want to do ETW tracing, you should be using UIforETW (Bruce Dawson built it to trace chrome, but it works for everything) – It’d probably prevent things like this from happening – which you can find here: https://github.com/google/UIforETW

    (shameless self-plug)
    Oh, and, if WinDirStat is too slow, you can always try my fork: https://github.com/ariccio/altWinDirStat

    (/shameless self-plug)
