Excessive writing to system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl, can I stop it?

Discussion in 'other software & services' started by mantra, Nov 5, 2018.

  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi
    I have noticed huge writing to system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl

    I'm talking about 5GB in a few minutes, computer idle, with NOD32 disabled, and I have tried to install it

    but the same results, Windows 10 Pro 64-bit

    I tried to stop the event log but it continues to write

    Is there a way to stop it?
    Thanks
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi
    Yes, it's present on W7, W8/8.1 and W10, even before 1803
    The solution is very risky
    But is there no registry way to block it?
    Have you the same problem?
    Thanks
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi
    Have you tried FileActivityWatch and AppReadWriteCounter? They are 100% portable
    Might you give a look?
    Thanks
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Start - Run - perfmon. Check which traces are running and stop them for testing; you can even disable most event traces from starting.
     

    Attached Files:
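An added example (not from TairikuOkami's post, and not something anyone in the thread ran): the same check done from an elevated PowerShell prompt with `logman`, which ships with Windows, instead of the perfmon GUI. It lists the live ETW sessions, shows one session's detail by name, and stops it for testing. The file in the thread title, EtwRTNT Kernel Logger.etl under RtBackup, is the spool file ETW keeps for a real-time session named "NT Kernel Logger" when no consumer is reading it, so that is the session name used below. The regex that parses the `logman` table is an assumption about its column layout on Windows 10 and may need adjusting.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell.
# logman's "-ets" switch addresses the live session table directly, so
# nothing done here survives a reboot (boot-time starts live under the
# Autologger registry key, which is a separate step).

function Get-LiveEtwSession {
    # Parse "logman query -ets" into objects. Assumption: the output is a
    # "Data Collector Set  Type  Status" table under a dashed separator line,
    # columns separated by two or more spaces.
    $inTable = $false
    foreach ($line in (logman query -ets)) {
        if ($line -match '^-{5,}') { $inTable = $true; continue }
        if (-not $inTable -or $line -notmatch '\S') { continue }
        if ($line -match '^(?<Name>.+?)\s{2,}(?<Type>\S+)\s+(?<Status>\S+)\s*$') {
            [pscustomobject]@{
                Name   = $Matches.Name.Trim()
                Type   = $Matches.Type
                Status = $Matches.Status
            }
        }
    }
}

function Show-EtwSessionDetail {
    param([Parameter(Mandatory)][string]$Name)
    # Full detail for one session: logging mode (real-time vs. file), output
    # location, buffer counts, and the provider GUIDs feeding it.
    logman query $Name -ets
}

function Stop-EtwSessionForTest {
    param([Parameter(Mandatory)][string]$Name)
    # Stop only. Whoever started the session (an app, a service, an
    # autologger entry) can start it again, and that restart is itself a clue.
    logman stop $Name -ets
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not stop '$Name' (exit $LASTEXITCODE); kernel sessions need an elevated prompt."
    }
}

# --- usage ---
$sessions = Get-LiveEtwSession
$sessions | Format-Table -AutoSize

# RtBackup files are named EtwRT<session>.etl, so the session behind
# "EtwRTNT Kernel Logger.etl" is "NT Kernel Logger".
$target = 'NT Kernel Logger'
if ($sessions.Name -contains $target) {
    Show-EtwSessionDetail -Name $target
    Stop-EtwSessionForTest -Name $target
    # Re-check after a minute: if it is back, something restarts it.
    Start-Sleep -Seconds 60
    if ((Get-LiveEtwSession).Name -contains $target) {
        "'$target' was restarted within 60 s; find the process that starts it."
    }
} else {
    "'$target' is not running right now."
}
```

Stopping the session is diagnostic, not a fix: if the file stops growing, the writer was that session; if the session reappears, the process that restarts it is the thing to identify (Process Monitor filtering on the RtBackup path shows which process holds the handle).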

  7. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Well I don't know if I have this going or wtf this is about. So I'll keep an eye out here so maybe someone can unscramble this.
     
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi @TairikuOkami
    About UBPM, I can't stop it, I get an "access denied" error

    In the first screenshot you have a few items and I can see in the second you have disabled all of them
    About Performance Monitor, I run it as administrator
    I even added myself as in
    https://i.imgur.com/SchmTwT.png
    according to https://support.microsoft.com/en-us...y-to-access-the-performance-monitor-perfmon-e
    Thanks
     
    Last edited: Nov 5, 2018
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    I did not mean UBPM exactly, check for something called "EtwRTNT Kernel Logger" in Startup Event traces and disable it, if it is there.
     
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    mantra,

    the first thing you need to check (without disabling anything based on blanket recommendations) is the Circular Kernel Context Logger in Performance Monitor. Its trace session mode should be set to "buffered" (not "file"). This looks like the logger is writing to a file, which it should not do.
    Also check Event Viewer in Administrative Events and Kernel-EventTracing (under Apps & Services\Microsoft\Windows) for any errors/warnings that may relate to this.
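An added example, not Seer's code, of the two checks above done from an elevated PowerShell, plus a measurement of how fast the .etl file is actually growing. The session and log names are the standard Windows ones; the `logman` labels matched by the regex ("Mode", "Output Location", etc.) are what it prints on Windows 10 and are an assumption, so compare against your own output if nothing matches.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell.

function Get-EtwSessionModeLines {
    param([Parameter(Mandatory)][string]$Name)
    # Only the lines that say whether a session is buffered (real-time or
    # circular in memory) or writing to disk. The pattern is deliberately
    # loose because the exact label text varies between Windows builds.
    logman query $Name -ets | Select-String -Pattern 'Mode|Output Location|Circular|Buffer'
}

function Get-KernelEventTracingProblems {
    param([int]$Days = 1)
    # Errors (level 2) and warnings (level 3) from the ETW runtime itself:
    # session start failures, lost buffers, backup-file problems.
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-EventTracing/Admin'
        Level     = 2, 3
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Measure-EtlGrowth {
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl",
        [int]$Seconds = 60
    )
    # RtBackup is ACL'd to SYSTEM. If Get-Item is denied even when elevated,
    # run this under PsExec -s rather than loosening the directory's ACL.
    # The size comes from the directory entry, which can lag while the file
    # is held open for writing, so a flat reading is not proof of no writes.
    $before = (Get-Item -LiteralPath $Path -Force).Length
    Start-Sleep -Seconds $Seconds
    $after = (Get-Item -LiteralPath $Path -Force).Length
    [pscustomobject]@{
        File     = Split-Path $Path -Leaf
        StartMB  = [math]::Round($before / 1MB, 1)
        EndMB    = [math]::Round($after / 1MB, 1)
        MBPerMin = [math]::Round(($after - $before) / 1MB * 60 / $Seconds, 1)
    }
}

# --- usage ---
Get-EtwSessionModeLines -Name 'Circular Kernel Context Logger'
Get-KernelEventTracingProblems -Days 7 | Format-List
Measure-EtlGrowth
```

A growth rate in the hundreds of MB per minute while the machine is idle, together with a Kernel-EventTracing warning naming the session, is the combination that points at a real-time session whose consumer is gone; a clean event log with the file still growing points at a consumer that is present but deliberately collecting everything.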
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi
    It's buffered
    and in
    I have this warning
    Thanks

    Hi
    I don't have something called "EtwRTNT Kernel Logger"
    Screenshots https://i.imgur.com/dydkKo5.png


    https://i.imgur.com/YdjsNNs.png
    Thanks
    @Seer @TairikuOkami @zapjb
    Have you tried FileActivityWatch and AppReadWriteCounter?
    After a few minutes it increased to several GB; I just rebooted right now and took a screenshot
    https://i.imgur.com/hXdN5Sv.png
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Strongly recommend you back up the registry before doing this lest you bork something. Others appear to have done the following to stop out of control logging activity.

    Go to this registry key using regedit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger. Look for a subkey beginning with "EtwRTNT."

    If such a key exists, open it. It should have a "Start" value listed with value that is set to 1. Change the value to 0. Reboot. This should stop the logging.

    The real question is what created this log and why it is constantly accessing it. Saw something on the web about a malfunctioning Intel driver, but virtually no postings exist as to the origins of this log and what created it.
     
    Last edited: Nov 5, 2018
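An added example, not itman's code, of the registry change above done from an elevated PowerShell so that the backup is taken first and the change is a dry run unless `-Apply` is passed. It lists every autologger under the key itman names, decodes the `LogFileMode` real-time bit (0x100, `EVENT_TRACE_REAL_TIME_MODE` from evntrace.h), and disables only entries that match the prefix. The `EtwRTNT` prefix is taken from itman's post; since the RtBackup file name carries an `EtwRT` prefix that the registry key does not (the key is named after the session, as in Seer's later "NT Kernel Logger" error), the full list is printed too so a session-named key is not missed.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell.
# Dry run by default; nothing is changed unless Disable-Autologger -Apply.

$AutologgerReg = 'HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger'    # reg.exe form
$AutologgerPS  = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'   # provider form
$RealTimeMode  = 0x100   # EVENT_TRACE_REAL_TIME_MODE bit in LogFileMode

function Backup-AutologgerKey {
    param([string]$Dir = $env:TEMP)
    # Export the whole key before touching anything; double-click the .reg
    # file to restore it.
    $file = Join-Path $Dir ('Autologger-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg export $AutologgerReg $file /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) { throw 'reg export failed' }
    $file
}

function Get-Autologger {
    # One object per autologger subkey with the values that matter here:
    # whether it starts at boot and whether it is a real-time session
    # (real-time sessions with no consumer are what spool into RtBackup).
    Get-ChildItem $AutologgerPS | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $mode = [int]$p.LogFileMode          # $null -> 0 when the value is absent
        [pscustomobject]@{
            Name        = $_.PSChildName
            Start       = $p.Start
            Guid        = $p.Guid
            LogFileMode = '0x{0:X}' -f $mode
            RealTime    = ($mode -band $RealTimeMode) -ne 0
            FileName    = $p.FileName
        }
    }
}

function Disable-Autologger {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Apply
    )
    $path = Join-Path $AutologgerPS $Name
    if (-not (Test-Path $path)) { throw "No autologger named '$Name'" }
    $start = (Get-ItemProperty -Path $path).Start
    if ($start -ne 1) { return "'$Name' already has Start=$start; nothing to do." }
    if (-not $Apply) { return "Would set Start=0 on '$Name' (re-run with -Apply)." }
    Set-ItemProperty -Path $path -Name Start -Value 0 -Type DWord
    "Set Start=0 on '$Name'; reboot for it to take effect."
}

# --- usage ---
'Backup: ' + (Backup-AutologgerKey)
$all = Get-Autologger
$all | Sort-Object Name | Format-Table Name, Start, RealTime, LogFileMode, FileName -AutoSize
# itman's prefix; on mantra's machine no such key was found, so this may print nothing.
$all | Where-Object { $_.Name -like 'EtwRTNT*' } | ForEach-Object { Disable-Autologger -Name $_.Name }
```

Setting `Start=0` only stops the session from being created at boot. Anything that calls `StartTrace` itself after logon will bring the session back regardless, which is the case Seer's reply below is making.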
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Si.
    Disabling logging does not stop the cause. I think everything should be left as is until the culprit is found.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I wish you luck on that one. I searched "far and wide" and came up with zip as to cause.
     
  15. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Same here. Everything points to a 3rd party app.
     
  16. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I've been having the NT Kernel Logger error (failed to start) on my system whenever I start TCPView (or CurrPorts) for months. Based on that and the info I found online, I pointed at 3rd party.
    mantra, have you updated any drivers recently?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  18. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    I doubt it. I know mantra, he would be able to recognize that.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No problem here using either on Win 10 x64 1803.
     
  20. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    This may be driver specific.
    Let's see what mantra has to say.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here's another technique based on the SANS series: Wipe the drive! Stealthy Malware Persistence - Part 3. Bottom line is we have an unknown event log being generated by an unknown process.
    https://isc.sans.edu/forums/diary/Wipe the drive Stealthy Malware Persistence Part 3/15448/
     
    Last edited: Nov 5, 2018
  22. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Anything's possible, but this then -
    needs to be clarified.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yeah, I noticed that and didn't know what to make of it. Hopefully he meant he temporarily disabled NOD32 thinking that might be the source of the logging activity.

    If it meant that he can't install NOD32, then we can assume this activity is malware based.
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    Hi
    Thanks to all of you
    No, I have no malware on my PC; under W7 there is no issue; no, I haven't updated any drivers

    About ESET antivirus, I thought it was the culprit, so I disabled it -> reboot and checked -> same problem
    I uninstalled it -> reboot, checked -> same problem
    Thanks
     
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,067
    Location:
    UK
    Have you tried making a new admin user(for testing) and then booting into it to see if issue is still there ?
     