Windows 10: Event ID 1 warning & Event ID 2 error

  1.    19 Oct 2017 #1

    Event ID 1 warning & Event ID 2 error


    Hello,
    After the Fall Creators Update I'm seeing 1 error and 1 warning in the Event Viewer which I'm not able to resolve.

    Event ID 1
    The backing-file for the real-time session "DefenderApiLogger" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.
    Code:
    <System>
      <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" />
      <EventID>1</EventID>
      <Version>0</Version>
      <Level>3</Level>
      <Task>1</Task>
      <Opcode>10</Opcode>
      <Keywords>0x8000000000000010</Keywords>
      <TimeCreated SystemTime="2017-10-19T23:02:23.884086800Z" />
      <EventRecordID>26</EventRecordID>
      <Correlation />
      <Execution ProcessID="4" ThreadID="136" />
      <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>
      <Computer>PC</Computer>
      <Security UserID="S-1-5-18" />
    </System>
    <EventData>
      <Data Name="SessionName">DefenderApiLogger</Data>
      <Data Name="ErrorCode">3221225864</Data>
      <Data Name="LoggingMode">411042176</Data>
    </EventData>
    Event ID 2
    Session "" failed to start with the following error: 0xC0000022
    Code:
    <System>
      <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" />
      <EventID>2</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>2</Task>
      <Opcode>12</Opcode>
      <Keywords>0x8000000000000010</Keywords>
      <TimeCreated SystemTime="2017-10-19T23:02:24.643823700Z" />
      <EventRecordID>27</EventRecordID>
      <Correlation />
      <Execution ProcessID="1536" ThreadID="2096" />
      <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>
      <Computer>PC</Computer>
      <Security UserID="S-1-5-20" />
    </System>
    <EventData>
      <Data Name="SessionName" />
      <Data Name="FileName" />
      <Data Name="ErrorCode">3221225506</Data>
      <Data Name="LoggingMode">293609474</Data>
    </EventData>
    I think it is fixable, but don't know where to start. Does anyone have some idea?
    Thank you in advance.

  2.    20 Oct 2017 #2

    Hi,

    Are you using TcpView from Sysinternals? If so, it looks as if it's a bug.
    Further to this, look in the registry to see if you can find this key: Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}"
    and see if the log file size is there and if you can increase it.
    Alternatively, if you do not need the log file for analysis, it can be found under "Users\Username\Appdata\Temp\*.etl" and you can delete it.

    Cheers,

  3.    20 Oct 2017 #3

    Hey,

    I'm also getting Event ID 2 & Event ID 360. So far I'm guessing you guys haven't figured anything out?

  4.    20 Oct 2017 #4

    fdegrove said: "Are you using TcpView from Sysinternals? If so, it looks as if it's a bug."

    No, I'm not aware of using anything like that.
    Anyway, I have solved Event ID 1 by disabling DefenderApiLogger logging in perfmon, but unfortunately the Event ID 2 error is still there and I have no clue what the root cause is.

  5.    20 Oct 2017 #5

    You can disable the logging of Event ID 2 as well in Event Viewer. Though it would be really nice to know what is actually causing it.

  6.    20 Oct 2017 #6

    At first I only tried to increase the max size for DefenderApiLogger from 100MB to 150MB, but it helped only for a while, so I've decided to completely disable logging this stuff, but at the source, not in the Event Viewer.
    You are right, I can probably disable logging of Event 2, but I would really like to avoid that, since this is not a solution. Moreover, I'm not sure if it is possible to disable only this particular event or whether it will affect all Microsoft-Windows-Kernel-EventTracing events.
    There is still a possibility that it is just a Windows bug which can be solved in the next few cumulative updates.

  7.    20 Oct 2017 #7

    Well, I was lucky enough to not have Event ID 1 showing up, but as you can see from my first post I have Event ID 2 and 360. I feel the same about disabling the logging of certain events completely, because something actually important might get logged, but don't get your hopes up that MS is going to fix some of these issues ASAP.

  8.    20 Oct 2017 #8

    I managed to find out which process/service is the root cause. It is svchost.exe - Delivery Optimization service.
    So, what can be wrong with this?

    edit:
    Okay, one more thing... the service is set to automatic (delayed) start, and as far as I can see on my second machine it should be running all the time?
    On the first machine it stopped after a while, so maybe this is the culprit for this error? But why did it happen and how to fix it?

    edit:
    OK, well, it depends on Windows Update advanced settings obviously, but on both machines the setting is the same, so something is not quite right here...
    Anyway, I disabled this option in Windows Update, now it has manual Startup type and the error is still there, but this time I am not able to trace it down with the Process ID from the Event, so dead end.
    Last edited by eddward; 20 Oct 2017 at 18:03.
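
The ErrorCode values in these events are NTSTATUS codes written in decimal (3221225506 is the 0xC0000022 shown in the Event ID 2 message), and the Execution ProcessID is the value post #8 used to find the service. The PowerShell below is an added example, not part of any post in this thread; it decodes both for recent events, names only the two status codes that appear here, and resolves a PID only for events logged since the last boot, because PIDs are reused.

```powershell
# Added example: run in an elevated PowerShell on the affected machine.
# Status names cover only the two codes seen in this thread.
$statusNames = @{
    '0xC0000022' = 'STATUS_ACCESS_DENIED'
    '0xC0000188' = 'STATUS_LOG_FILE_FULL'
}
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Kernel-EventTracing/Admin'
    Id      = 1, 2
} -MaxEvents 50 -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $xml = [xml]$evt.ToXml()

    # Collect the <Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    # Decimal ErrorCode -> 0x-prefixed NTSTATUS.
    $hex = '0x{0:X8}' -f [uint32]$data['ErrorCode']

    # A PID from before the last boot says nothing about today's processes.
    # Even after boot, the process may have exited and the PID been reused,
    # so treat the service list as a lead, not proof.
    $services = ''
    if ($evt.TimeCreated -gt $lastBoot) {
        $filter   = "ProcessId = $($evt.ProcessId)"
        $services = (Get-CimInstance Win32_Service -Filter $filter).Name -join ', '
    }

    [pscustomobject]@{
        Time     = $evt.TimeCreated
        Id       = $evt.Id
        Session  = $data['SessionName']
        NtStatus = $hex
        Meaning  = $statusNames[$hex]
        Account  = $evt.UserId.Value      # S-1-5-18 = SYSTEM, S-1-5-20 = NETWORK SERVICE
        Pid      = $evt.ProcessId
        Services = $services
    }
} | Format-Table -AutoSize
```

An empty Services column for a post-boot event means no running service currently owns that PID, which matches the dead end described in post #8 after the service's startup type changed.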

  9.    21 Oct 2017 #9

    I also got the "Event ID 1" with the same description after the FCU. How did you solve it?

  10.    21 Oct 2017 #10

    Well you can try to increase size of the file or disable logging for this.
    Click Start - write perfmon - enter - on the left tree click on Data Collector Sets - Startup Event Trace Sessions - find DefenderApiLogger. Right click and properties. On the Stop Condition tab you have Maximum size, so you can increase it.
    Or on the Trace Session tab you have checkbox Enabled to disable it.

