shutdown service : etl trace

  • Question

  • Temporarily, I want to stop the .etl trace.

    Is it possible to use the Administrative Tools services to shut down the ETL trace, like:

    VsEtwService120

    Wecsvc

    WdiSystemHost

    EventLog

    pla

    diagnosticshub.standardcollector.service

    DPS

    WdiServiceHost

    EventSystem

    VSStandardCollectorService150

    wmiApSrv

    CoreMessagingRegistrar

    ShellHWDetection

    DiagTrack

    PerfHost

    SENS

    WerSvc

    Winmgmt

    But are Wecsvc or EventLog the best choice to unload all ETL traces, with all sessions offline? The problem is that if not, I load my script on an offline user session using a tool like Windows PE.

     


    • Edited by poulpi Wednesday, December 4, 2019 4:31 PM
    • Moved by Carey FrischMVP Friday, December 6, 2019 6:05 AM Relocated
    Wednesday, December 4, 2019 4:14 PM

Answers

All replies

  • Hi

    For further help, I suggest you submit a new case on the Script Center forum directly, as they will be more professional on your issue.

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us.

    Thanks for your understanding and cooperation.

    Best Regards

    Kiki


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 5, 2019 6:10 AM
  • But are Wecsvc or EventLog the best choice to unload all ETL traces, with all sessions offline?

     


    I'll try next time...

    There's no programming in my question... or an answer to my question: or it's impossible as I showed, I don't know. Please don't use your administrator's authority, it's often a bad idea.

    Use administrator authority if there is injury; if I want to go to another board, I will choose to duplicate, thanks.


    Friday, December 6, 2019 7:08 PM
  • There must be a language barrier, because there seems to be a disjointed stream of thoughts about a service (I am guessing?) that makes no sense.

    Sorry but you'll need to get someone to translate for you.


    -- Bill Stewart [Bill_Stewart]

    Friday, December 6, 2019 9:26 PM
    Moderator
  • Use event viewer to turn off trace for any log set to trace.

    Read event viewer documentation to learn how to manage event log trace.

    https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63


    \_(ツ)_/

    • Marked as answer by poulpi Wednesday, December 11, 2019 12:00 AM
    Friday, December 6, 2019 10:11 PM
  • https://docs.microsoft.com/fr-fr/windows-hardware/drivers/devtest/about-event-tracing-for-drivers

    ETW providers can raise events and can publish them to the Windows Event Log or can write their events to an ETW session, which gets written to a trace file or delivered to a real-time consumer.

    Saturday, December 14, 2019 9:06 PM
  • I don't understand. Please, do you have a script explaining how to shut down ETL?

    Or change the directory?

    ETL goes on my hard drive.

    Windows reverses my batch job on the other RAM disk and continues to produce ETL in the same directory.

    NetCore isn't a kernel ETL; please can you indicate the kernel ETL to confirm?

    But in this directory there aren't kernel ETLs, are there?

    C:\Windows\System32\LogFiles\WMI

    How do you change the kernel log directory?

    Please keep this post unlocked until there is a better solution approved by me...


    Thursday, January 2, 2020 2:02 PM
  • We have no idea what you are asking. What ETL are you trying to manage? Most ETL logs are not manageable by users and are created and managed by the system.

    Carefully read the following link:

    How to ask questions in a technical forum

    The following will help set your expectations:

    This Forum is for Scripting Questions Rather than script requests


    \_(ツ)_/

    Thursday, January 2, 2020 2:16 PM
  • There are several ETLs; the most redundant is NetCore.etl.

    It always writes to my hard drive... it's perhaps quality development, but not on my hard drive like this.

    NetCore isn't a kernel log?

    I use tracelog in cmd to move the directory and Windows undoes my job; it's a trouble.

    Please test on this small example (perhaps you know...): move the log directory of NetCore.etl. What's your issue

    or key?


     

    Thursday, January 2, 2020 9:38 PM
  • Net.Core is not a current Windows module but is part of PS 6-7. Post in the Net Core project on GitHub to find out if what you ask is possible. It is not a scripting issue.  The configuration for Net.Core ETL is likely in an XML file in one of the folders for Net.Core.


    \_(ツ)_/

    Thursday, January 2, 2020 11:08 PM
  • I've seen this somewhere, but I remember: where's this XML file? Not in the directory,

    C:\Windows\System32\LogFiles\WMI

    It doesn't exist! Do you have a path of the folders for Net.Core?

    It's possible to create the XML file, but the ETL works without XML...

    Is it necessary to create the XML file, and afterwards it manages the ETL concerned?

    I'll test this and come back next time.

    Friday, January 3, 2020 2:18 PM
  • Hi

    Keep us updated with your progress.

    Best regards,



    Monday, January 6, 2020 1:58 AM
  • There is a new way in performance analyzer:

    there are event tracking sessions and startup event trace sessions.

    Perhaps a bug, but after several manipulations, now I can change it and it stays:

    I changed the directory on the same disk for the startup session and it's OK; before, it rejected this as unauthorized permission.

    I continue to look.

    But what's the security permission to use to change directory access permission?

    ...TRACELOG_CREATE_ONDISK
    Allows the user to start or update a session that writes events to a log file. Set this permission on the session's GUID.
    ?

    https://docs.microsoft.com/en-us/windows/win32/api/evntcons/nf-evntcons-eventaccesscontrol

    I use the method supplied by Microsoft, but you can stop by changing permission to all; I'll test next time.

     


    • Edited by poulpi Friday, January 10, 2020 10:55 PM
    Friday, January 10, 2020 10:49 PM
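
Added example, not part of any post in this thread: a read-only PowerShell inventory of the AutoLogger ("startup event trace") sessions mentioned in the last post, showing which session is configured to write which .etl file, so that a file such as NetCore.etl in C:\Windows\System32\LogFiles\WMI can be traced back to its session and later changes to that configuration can be noticed. The helper name `Get-AutoLoggerInventory` is hypothetical; the registry key and the `Start` and `FileName` values are the ones Microsoft documents for AutoLogger sessions, and an elevated prompt is assumed so that `logman query -ets` can list every running session.

```powershell
# Added example (not from the thread): read-only inventory of AutoLogger
# (startup) ETW sessions and the .etl file each one is configured to write.
# Nothing is stopped or modified.
$AutoLoggerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

function Get-AutoLoggerInventory {   # hypothetical helper name
    param([string]$Root = $AutoLoggerRoot)

    # Sessions running right now, as reported by logman (one name per line).
    $running = (& logman.exe query -ets) -join "`n"

    Get-ChildItem -Path $Root -ErrorAction Stop | ForEach-Object {
        $name = $_.PSChildName
        $cfg  = Get-ItemProperty -Path $_.PSPath

        # Without a FileName value, the documented default location is used.
        $file = if ($cfg.FileName) {
            [Environment]::ExpandEnvironmentVariables($cfg.FileName)
        } else {
            Join-Path $env:SystemRoot "System32\LogFiles\WMI\$name.etl"
        }

        [pscustomobject]@{
            Session     = $name
            StartAtBoot = ($cfg.Start -eq 1)
            # Some startup sessions stop by design after boot, so a value of
            # False here is a prompt to look closer, not proof of tampering.
            Running     = [bool]($running -match "(?m)^$([regex]::Escape($name))\s")
            Providers   = @(Get-ChildItem -Path $_.PSPath).Count  # provider GUID subkeys
            LogFile     = $file
            FileOnDisk  = Test-Path -LiteralPath $file
        }
    }
}

# Show the sessions that log into the directory named in the thread.
Get-AutoLoggerInventory |
    Where-Object { $_.LogFile -like '*\LogFiles\WMI\*' } |
    Sort-Object Session |
    Format-Table Session, StartAtBoot, Running, Providers, FileOnDisk, LogFile -AutoSize
```

Saving this output as a baseline and comparing it over time shows when a session's `Start` value or log path has been changed.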