Kernel-EventTracing Event ID 1 Warning issue since last week. Any fix?

Hello, I started getting this new warning in my event viewer for the first time last week since installing Windows 10 Pro over a year ago.

I'm getting "The backing-file for the real-time session "DiagLog" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers."


My Windows 10 version is 1903 (OS Build 18362.720). This started all of a sudden on the 17th of December. In the middle the warning didn't come. But yesterday and today it came back again. I thought it will resolve by itself. But unfortunately it seems that there is some sort of issue.

How do I make the space available?! Because if I erase the event log history, it won't solve anything as these warnings will still come. I tried googling the issue, but couldn't really find a solution. Has anyone else experienced this and found a fix for this?

Check the Event Viewer settings and check
a. Press Windows and R keys together.
b. Type in eventvwr,msc and press enter.
c. Do a right-click over the log (For example, System or Application etc.)
d. Select Properties, you will be able to see Size and other options are there.
e. Ensue that these are checked
- Enable logging
- Over write events as needed.

g. You can also increase the size of the Maximum log size.
h. Save the changes.

@BLaZiNgSPEED You might want to see this (post#12), in the thread below. That solution used to work for me for eliminating Event 1. It worked for a long time, but it stopped working after updating Windows on Dec 8th (19042.685).

Event ID 1 warning & Event ID 2 error

That solution doesn't work anymore but perhaps you ll like to read that thread. It might give you some ideas on what to try. For a couple of days, I tried other solutions, like increasing size, etc. But doing this changes, triggered other errors, including, bringing back Event 2, which I am used to seeing about one or two of those a month. So, I decided to leave this be. Forget about it, and live for now with Event 1. FWIW, I am seeing one of this events every time the computer cold starts or reboots. This are nothing Warnings so is not worth it to me trading one warning for another or spending a lot of time trying to fix something that doesn't really need to be fixed.

Bo

Okay, I have made a couple of experiments. I opened Performance Monitor- Startup Event Trace Sessions and then right clicked on DiagLog went to Properties and then Trace Session tab and unchecked the Enabled box and disabled it.

After restarting the computer twice so far the warning did not show. Then I enabled it again and the warning came back.

Then finally I went to C:\Windows\System32\LogFiles\WMI\RtBackup and found EtwRTDiagLog.etl and I saw it was 102+Mb in size. I deleted this file restarted, no warnings yet.

I then made the experiment and re-enabled DiagLog session again and then restarted the PC again and this time EtwRTDiagLog.etl recreated itself again and this time file size is 68KB in size and no warning in event viewer.

The thing is, I did delete this file last week and the warning only disappeared for around 1 week before it came back again. It seems this file size goes to over 100+MB quickly. Can you verify what size everyone else has for the EtwRTDiagLog.etl file in C:\Windows\System32\LogFiles\WMI\RtBackup ?

Also if I have DiagLog disabled in Performance Monitor, what are the implications of it? Is it important anyway? What is the purpose of this trace session? Because if it is not important, I would be happy to have it disabled that way the warning will never come.

Btw, Defender API Logger is disabled by default in my system, perhaps because I have Windows defender disabled. It doesn't apply for me as mine is related to the DiagLog session.

- - - Updated - - -

Ok, so I did a windows system restore a few hours ago from last month and it made zero difference! It was a complete waste of time.

However, I have found that increasing the Maximum log size to 200 MB in Perfmon does eliminate the warning.

Basically by default the memory log is set to 100 MB.

As we can see here the EtwDiagLog.etl file increased to 102,091 KB, which is the equivalent of 102 MB. As it exceeded over 100 MB in memory, this is why the warning is triggered. After increasing the memory log to 200 MB the warning did not appear on reboot.

The problem is that for some odd reason this file jumps very quickly. After each PC restart this file increases by 26 MB in size. After another restart it goes to 52 MB then 78 MB and after that to 102 MB and so on until it exceeds over 100+ MB again.

I've seen it hit 128MB. I deleted the file and upon restart it was 68 KB in size then it quickly jumped again to 26,046 KB.

I've never had any awareness of this in the past. All I know is that this is the first time I've seen this warning in the last 2 years since using Windows 10.

The file size jumps in sequences of 26 MB upon each restart of Windows! This means that even if we did increase the file size I believe the warning will ultimately return again as the file size will not cease to stop increasing.

Disabling DiagLog as a tracing session is probably going to stop the warnings from getting triggered permanently. But I don't know the importance of this session. If someone can confirm it isn't important then I will be happy to disable it. I have not found any info on this anywhere on the web.

After further investigation. I have found out the cause of this spike in size of this file!

It is related to the Diagnostic Policy Service and Diagnostic Policy Host. I had them disabled. After enabling these services, immediately EtwRTDiagLog.etl dropped to 1KB 72 bytes and has remained there since!



Basically disabling Diagnostic Policy Service and Diagnostic Policy Host causes this abnormal size jump of this file. I was not aware of this. I found out that roughly an increase of 130KB in size every day. So within 100 days or so this warning will come.

The cause of the 26MB size jump was related to CCleaner. When using CCleaner to erase temporary files this file jumped to 26 and then 52MB, etc.

But with Diagnostic Policy Service and Diagnostic Policy Host services running the file remains at 1KB and does not increase.

If you want to have Diagnostic Policy Service and Diagnostic Policy Host disabled as services, you must disable DiagLog from Performance Monitors trace session. Otherwise it will eventually trigger this warning.

The irony is that enabling Diagnostic Policy Service immediately drops the file size to 1KB. You don't need to delete the file and restart the computer. I found out this wrong information somewhere on the web. Guess they aren't aware that they have disabled Diagnostic Policy Service and that is what's triggering the size increase and eventual warning!