Massive ETL trace file which I can't get rid of

Pho

A few months back I was having slow start-up issues on my media PC and I installed the Windows Performance Toolkit so I could run Windows Performance Recorder. In short it didn't ever seem to work properly for me.

I've uninstalled it, re-installed it, run all the wpr -cancel, wpr -remove, xperf -cancel, xperf -remove and so forth commands I could find which are meant to disable logging, but these files still keep coming back.

They're locked by the system process and whatever driver it's using causes conflicts with Process Monitor / Process Explorer so I can't run them to stick a trace on to see what process is writing to them (are there any other tools which work similarly?). If I delete them they reappear when I refresh Explorer but will go when I reboot. But then a new file starts tracing and slowly eating my disk space up until there's 0MB free again :D.

Anyone have any ideas? I'm stumped, and re-installing is a bit of a pain :(.

 
try listing all the current WPR loggers;
xperf -loggers | find /i "WPR"

Then stop the logger;
xperf -stop "WPR_initiated......"

Then with a bit of luck you should be able to delete the trace file.
 
yeh unlocker 1.9.2

I believe it's being held by a driver so I don't think this will work; I've tried closing it with handle (similar thing) to no avail either.

try listing all the current WPR loggers;
xperf -loggers | find /i "WPR"

Then stop the logger;
xperf -stop "WPR_initiated......"

Then with a bit of luck you should be able to delete the trace file.

When I run this it just hangs without returning. It's done similar before when I've tried xperf -cancel:

Code:
C:\Users\Administrator>xperf -loggers
_

I can't even then kill xperf.exe from task manager, or even from system level access (psexec -s -i cmd). In fact, I have to hard reset the machine to reboot it as it'll then just get stuck when rebooting :/.

If I knew how to manually nuke its driver that would be good but I couldn't figure out which it was.
 
xperf is just a configuration tool, the 'logging' is performed by the kernel itself (hence why the file is locked by process 4).

Re-install WPT, then try the XPERF commands I gave you.
 
xperf is just a configuration tool, the 'logging' is performed by the kernel itself (hence why the file is locked by process 4).

Re-install WPT, then try the XPERF commands I gave you.

Ah, I thought the toolkit shipped with a driver to do it - didn't realise it was just a front for the OS. I've never really had to use xperf before to be fair.

A reinstall of the performance toolkit didn't seem to help unfortunately. Still hangs running those commands :(.

I'll give it a try in safe mode and see what that does.

just format, you could have had it done if you started it when you posted this thread.

Heh true. I'm slightly reluctant because I had a load of issues with my HDMI drivers only doing stereo and I've mostly forgotten how I got around it. This is also a fileserver, PVR etc and has been painstakingly set up.

Plus, I don't like admitting defeat :p.
 
do you know what drivers are holding on to the file?

have you tried rebooting it into safe mode and removing it that way?
 
Slightly good news! Managed to boot into safe mode and execute the commands listed by Deviant-4 to stop the logging and delete the files.

There were two loggers active. I stopped them both and a further call to xperf -loggers showed no WPR logs:

Code:
Logger Name           : WPR_initiated_WprApp_WPR Event Collector
Logger Id             : c
Logger Thread Id      : 0000000000000074
Buffer Size           : 1024
Maximum Buffers       : 60
Minimum Buffers       : 60
Number of Buffers     : 60
Free Buffers          : 58
Buffers Written       : 13
Events Lost           : 0
Log Buffers Lost      : 0
Real Time Buffers Lost: 0
Flush Timer           : 0
Age Limit             : 0
Log File Mode         : Sequential PersistOnHybridShutdown
Maximum File Size     : 0
Log Filename          : C:\Users\ADMINI~1\AppData\Local\Temp\2\WPR_initiated_WprApp_WPR Event Collector.etl
Trace Flags           : "Microsoft-Windows-PowerCpl":0x1000000000000:0x4+"Microsoft-Windows-WLAN-AutoConfig":0x1000000000200:0xff+"Microsoft-Windows-SleepStudy":0x1000000000000:0x4+"Microsoft-Windows-WinINet":0x1000000000000:0x4+"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4+"Microsoft-Windows-ntshrui":0x1000000000000:0x4+"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4+"Microsoft-Windows-NlaSvc":0x1000000000000:0x4+"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4+0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5+"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4+"Microsoft-Windows-AppHost":0x1000000000000:0x4+"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4+"Microsoft-Windows-IE-F12-Provider":0x1000000000000:0x4+"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4+"Microsoft-Windows-TCPIP":0xffffffffffffffff:0xff+"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4+"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4+"Microsoft-Windows-COMRuntime":0x3:0xff+"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4+"Microsoft-Windows-Search-Core":0x1000000000000:0x4+"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4+e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff+"Microsoft-Windows-DiagCpl":0x1000000000000:0x4+"Microsoft-Windows-stobject":0x1000000000000:0x4+"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4+"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4+"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4+"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4+"Microsoft-Windows-AppReadiness":0x1000000000000:0x4+"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4+"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4+"Microsoft-Windows-VAN":0x1000000000000:0x4+"Microsoft-Windows-Wcmsvc":0x1000000000000:0x4+"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4+"Microsoft-Windows-Netshell":0x1000000000000:0x4+"Microsoft-Windows-ThemeUI":0x1000000000000:0x4+"Microsoft-Windows-D
xgKrnl":0x1000000000000:0x4+"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4+"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4+"Microsoft-Windows-Documents":0x1000000000000:0x4+"Microsoft-Windows-PDC":0x1000000000000:0x4+"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4+"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4+36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff+"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff+"Microsoft-Windows-DXP":0x1000000000000:0x4+"Microsoft-Windows-WlanConn":0x1000000000000:0x4+"Microsoft-Windows-UserPnp":0x1000000000000:0x4+"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4+"Microsoft-Windows-HealthCenter":0x1000000000000:0x4+"Microsoft-Windows-Ncasvc":0x1000000000000:0x4+"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4+"Microsoft-JScript":0x1:0xff+"Microsoft-Windows-NWiFi":0x1000000000000:0x4+"Microsoft-Windows-VolumeControl":0x1000000000000:0x4+"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4+"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4+e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0x98:0x5+"Microsoft-Windows-IME-TIP":0x1000000000000:0x4+"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4+"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4+"Microsoft-Windows-LUA":0x1000000000000:0x4+"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4+"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4+"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4+"Microsoft-Windows-Help":0x1000000000000:0x4+"Microsoft-Windows-Audio":0x1000000000000:0x4+"Microsoft-Windows-WlanPref":0x1000000000000:0x4+"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4+"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4+751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff+"Microsoft-Windows-WCNWiz":0x1000000000000:0x4+"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4+"Microsoft-Windows-WlanDlg":0x1000000000000:0x4+cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff
:0xff+"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4+"Microsoft-Windows-ComDlg32":0x1000000000000:0x4+"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4+"Microsoft-Windows-Display":0x1000000000000:0x4+"Microsoft-Windows-UxTheme":0x1000000000000:0x4+"Microsoft-Windows-WiFiDisplay":0x1000000000000:0x4+"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4+"Microsoft-Windows-NCSI":0x1000000000000:0xff+8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff+"Microsoft-Windows-DeviceUx":0x1000000000000:0x4+e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff+"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4+"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4+"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff+"Microsoft-Windows-XAML":0x1000000000000:0x4+"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4+"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4+"Microsoft-Windows-Winlogon":0x1000000000000:0x4+"Microsoft-Windows-UI-Search":0x1000000000000:0x4+"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4+"Microsoft-Windows-PowerShell":0x1000000000000:0x4+"Microsoft-Windows-Services":0x1000000000000:0x4+"Microsoft-Windows-RPC":0xffffffffffffffff:0x4+"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4+"Microsoft-Windows-AltTab":0x1000000000000:0x4+"Microsoft-Windows-Win32k":0x1000000002000:0xff+"Microsoft-Windows-Shell-Core":0x1000000000000:0x4+"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff+"Microsoft-Windows-Superfetch":0x1000000000000:0x4+"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4+"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4

Logger Name           : WPR_initiated_WprApp_WPR System Collector#	
Logger Id             : e
Logger Thread Id      : 000000000000007C
Buffer Size           : 1024
Maximum Buffers       : 60
Minimum Buffers       : 60
Number of Buffers     : 60
Free Buffers          : 58
Buffers Written       : 281
Events Lost           : 0
Log Buffers Lost      : 0
Real Time Buffers Lost: 0
Flush Timer           : 0
Age Limit             : 0
Log File Mode         : Sequential Secure PersistOnHybridShutdown SystemLogger
Maximum File Size     : 0
Log Filename          : C:\Users\ADMINI~1\AppData\Local\Temp\2\WPR_initiated_WprApp_WPR System Collector.etl
Trace Flags           : 
PoolTagFilter         : *

I did spot another ETL file created this morning and it looks like it was back again in xperf -loggers; however, this time I was able to stop and delete it in Windows without needing safe mode. I don't mind writing a script to automate this if need be though.

So cheers, hopefully it's almost sorted :).
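The logger listing in the post above can be parsed into one object per session, which makes it easy to audit which WPR-initiated ETW sessions are writing to a file and which have no size cap (sequential mode with Maximum File Size 0, the combination shown above, lets the file grow until the session is stopped). This is an added example, not code from the thread; the function name ConvertFrom-XperfLoggers is hypothetical and the sample text is constructed from the output format shown above.

```powershell
# Added example. $sample is constructed, abbreviated `xperf -loggers` text.
$sample = @'
Logger Name           : WPR_initiated_WprApp_WPR Event Collector
Logger Id             : c
Log File Mode         : Sequential PersistOnHybridShutdown
Maximum File Size     : 0
Log Filename          : C:\Users\ADMINI~1\AppData\Local\Temp\2\WPR_initiated_WprApp_WPR Event Collector.etl

Logger Name           : Constructed Realtime Session
Logger Id             : 5
Log File Mode         : Real Time
Maximum File Size     : 0
Log Filename          :
'@

# Hypothetical helper: turns "Key : Value" lines into one object per logger.
function ConvertFrom-XperfLoggers {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Split on the first colon only; paths and trace flags contain more.
        # Keys are letters and spaces, so wrapped flag lines are skipped.
        if ($line -match '^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') {
            $key = $Matches[1]
            $value = $Matches[2].Trim()
            if ($key -eq 'Logger Name') {
                # A new record starts: emit the previous one first.
                if ($null -ne $current) { [pscustomobject]$current }
                $current = [ordered]@{}
            }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# On a live system, pass (xperf -loggers) instead of the sample text.
$sessions = ConvertFrom-XperfLoggers -Lines ($sample -split "`r?`n")

# Report file-backed WPR sessions and flag those with no size limit.
$sessions |
    Where-Object { $_.'Logger Name' -like 'WPR_initiated*' -and $_.'Log Filename' } |
    Select-Object 'Logger Name', 'Log File Mode', 'Log Filename',
        @{ n = 'Unbounded'; e = { $_.'Maximum File Size' -eq '0' -and
                                  $_.'Log File Mode' -match 'Sequential' } }
```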
 
One last thing to check;

xperf -boottrace
Code:
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>xperf -boottrace
boot trace disabled

If necessary, disable it with;
xperf -boottrace off
Code:
C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>xperf -boottrace off
xperf: error: Disable BootTrace: The system cannot find the file specified. (0x2).
I get an error 'cos I never had it enabled, but I'm sure you get the idea.
 
Cheers, boottrace was off for me too. Just rolled a simple hacky PowerShell script to schedule to try and keep it at bay assuming it does come back.

PHP:
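# Find the names of all running loggers that contain "WPR".
# @() forces an array so .Count works for zero or one match.
$loggers = @(xperf -loggers | Select-String "Logger Name" | Select-String -Pattern "WPR")

if ($loggers.Count -eq 0) {
    Write-Host "Nothing to do"
    # 'break' outside a loop is not a clean exit; 'return' ends the script.
    return
}

Write-Host "Stopping logs"
foreach ($logger in $loggers) {
    # "Logger Name : <name>" -> take the text after the first colon
    $logName = $logger.ToString().Split(":")[1].Trim()

    # The path itself contains a colon (C:\...), so cut after the first ": "
    $loggerPath = (xperf -loggers $logName | Select-String "Log Filename").ToString()
    $loggerPathIndex = $loggerPath.IndexOf(":") + 2
    $filePath = $loggerPath.Substring($loggerPathIndex)

    if ($filePath.Length -gt 0) {
        Write-Host "$logName - $filePath"

        # Stop the session first so the kernel releases the file, then delete it
        xperf -stop $logName
        Remove-Item -LiteralPath $filePath
    } else {
        Write-Host "$logName has no file"
    }
}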

Thanks for your help, much appreciated! Assuming you mostly lurk given your ultra low postcount? :)
 
Yep, long term lurker here.

In truth there are very few posts where I feel I have sufficient knowledge of the subject to respond to them.

I was active in the Distributed Computing section under a different UserName many years ago.
 