Event ID 1 warning & Event ID 2 error

eddward · 19 Oct 2017

Hello,
After Fall Creators update I'm seeing 1 error and 1 warning in the Event Viewer which I'm not able to resolve.

Event ID 1
The backing-file for the real-time session "DefenderApiLogger" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

Code:

<System>

     <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" /> 

    <EventID>1</EventID> 

    <Version>0</Version> 

    <Level>3</Level> 

    <Task>1</Task> 

    <Opcode>10</Opcode> 

    <Keywords>0x8000000000000010</Keywords> 

    <TimeCreated SystemTime="2017-10-19T23:02:23.884086800Z" /> 

    <EventRecordID>26</EventRecordID> 

    <Correlation />  

    <Execution ProcessID="4" ThreadID="136" />  

    <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>  

    <Computer>PC</Computer> 

    <Security UserID="S-1-5-18" /> 

   </System>

  - <EventData>

     <Data Name="SessionName">DefenderApiLogger</Data>  

    <Data Name="ErrorCode">3221225864</Data>  

    <Data Name="LoggingMode">411042176</Data>  

   </EventData>

Event ID 2
Session "" failed to start with the following error: 0xC0000022

Code:

 <System>

     <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" /> 

    <EventID>2</EventID> 

    <Version>0</Version> 

    <Level>2</Level> 

    <Task>2</Task> 

    <Opcode>12</Opcode> 

    <Keywords>0x8000000000000010</Keywords> 

    <TimeCreated SystemTime="2017-10-19T23:02:24.643823700Z" /> 

    <EventRecordID>27</EventRecordID> 

    <Correlation />  

    <Execution ProcessID="1536" ThreadID="2096" />  

    <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>  

    <Computer>PC</Computer> 

    <Security UserID="S-1-5-20" /> 

   </System>

  - <EventData>

     <Data Name="SessionName"  /> 

    <Data Name="FileName"  /> 

    <Data Name="ErrorCode">3221225506</Data>  

    <Data Name="LoggingMode">293609474</Data>  

   </EventData>

I think it is fixable, but don't know where to start. Does anyone have some idea?
Thank you in advance.

fdegrove · 20 Oct 2017

Hi,

Are you using TcpView from Sysinternals ? If so, it looks as if it's a bug.
Further to this look in the registry if you can find this key: Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}"
and see if the log file size is there and if can increase.
Alternatively, if you do not need the log file for analysis, it can be found under "Users\Username\Appdata\Temp\*.etl and you can delete it.

Cheers,

Black Faith · 20 Oct 2017

Hey,

I'm also getting event id 2 & event id 360. So far I'm guessing you guys haven't figured anything out?

eddward · 20 Oct 2017

fdegrove said:

Are you using TcpView from Sysinternals ? If so, it looks as if it's a bug.

No, I'm not aware of using anything like that.
Anyway, I have solved Event ID 1 by disabling DefenderApiLogger logging in perfmon, but unfortunately Event ID 2 error is still there and I have no clue what is the root cause.

Black Faith · 20 Oct 2017

You can disable the logging of event id 2 aswell in event viewer. Though it would be really nice to know what is actually causing it.

eddward · 20 Oct 2017

Firstly I was trying only to increase the max size for DefenderApiLogger from 100MB to 150MB but it did help only for a while, so I've decided to completely disable logging this stuff, but in the source not in the Event viewer.
You are right probably I can disable logging of the Event 2, but I would really like to avoid that, since this is not a solution. Moreover I'm not sure if is possible to disable only this particular event or it will affect all Microsoft-Windows-Kernel-EventTracing events.
There is still a possibilty that it is just a Windows bug which can be solved in the next few cumulative updates.

Black Faith · 20 Oct 2017

Well I was lucky enough to not have event id 1 showing up but as you can see from my first post I have event id 2 and 360. I feel the same about disabling the logging of certain events completely cause something actually important might get logged but don't have your hopes high that ms is gonna fix some of these issues asap

.

eddward · 20 Oct 2017

I managed to find out which proces/service is the root cause. It is svchost.exe - Delivery Optimization service.
So, what can be wrong with this ?

edit:
okay, one more thing... the service is set to automatic (delayed) start and as far as I can see on my second machine it should be running all the time ?
On first machine it stopped after a while, so maybe this is the culprit for this error ? But why did it happen and how to fix it ?

edit:
ok well, it depends on Windows Update advanced settings obviously, but on both machines the setting is the same, so something is not quite right here...
anyway I disabled this option in Windows update, now it has manual Startup type and the error is still there, but this time I am not able to trace it down with the Process ID from the Event, so dead end.

p83 · 21 Oct 2017

I also got the "Event ID 1" with the same description after the FCU. How did you solve it?

eddward · 21 Oct 2017

Well you can try to increase size of the file or disable logging for this.
Click Start - write perfmon - enter - on the left tree click on Data Collector Sets - Startup Event Trace Sessions - find DefenderApiLogger. Right click and properties. On the Stop Condition tab you have Maximum size, so you can increase it.
Or on the Trace Session tab you have checkbox Enabled to disable it.