Kernel-Event Tracing error/System Health Report

jpierce · 10 Jan 2012

I'm setting up a new machine purchased on 1/7. (not sure which specs might be helpful -- W7 Home Premium 64bit SP1/Intel i7-2600K/16GB ram/2 2TB 5400 RPM HD (RAID 0)/64GB SSD/2 AMD Radeon HD 6790 Crossfire)

I've noticed the following errors in the EV each time the computer's rebooted:

Kernel-EventTracing
Event ID 2
Session "" failed to start with the following error: 0xC0000022

The info in the Details window in EV includes "Execution ProcessID 1488". I opened Process Explorer immediately after this last error, and the process associated with 1488 is "svchost". In the extended properties for 1488 in Process Explorer, there's the following list under Services tab:

Base Filtering Engine
Diagnostic Policy Service
Windows Firewall

Not sure if this is connected or not, but I'm unable to run a System Health Report either. Each time it's attempted, the following error pops up: "Error: An error occurred while attempting to generate the report. Access denied."

There used to be another error in Event Viewer that came up with the Kernel-EventTracing error. It was WMI - Event ID 10:

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

I googled and came across an official MS fixit. The explanation for the error was as follows:

This originated in the Windows 7 SP1 DVD/ISO creation process. There was an issue in the creation process that caused a WMI registration to remain in the DVD/ISO. Since the registration is designed to work only during the DVD/ISO creation process, it fails to run on a live system and causes these events. These events are not indicative of any issue in the system and can be safely ignored. If however you want to prevent these events from getting generated and want to remove this specific WMI registration manually, please follow the steps mentioned in this article for running the workaround script.

I ran the fix, and afterward, the WMI error went away but the Kernel-EventTracing error remains.

I performed a sfc scannow with no errors. Did a chkdsk which also came up clean.

The only other issue I've had is updating the ATI drivers not long out of the box. Had a crash but the installation seems to have gone fine as the driver info is updated and device manager shows them operating correctly.

Thanks for any assistance.

JimLewandowski · 10 Jan 2012

I have also had the Event 2 trace error (Circular Kernel Context Logger/Circular Kernel Session Provider). I never delved into why it's occurring but have seen people's questions on this plastered all over forums. Mine has since gone away.

Is the System Health report the big one that gives you a dozen categories and is basically a "trace" (probably using that above CKCL trace) for 1 minute followed by a capture of that data and then presented in a gui format.

jpierce · 10 Jan 2012

Yes, you are correct regarding the System Health Report. One minute of data collection followed by exhaustive report on diagnostic results.

I've searched to the point where I just keep getting the same links over and over but no apparent resolution. One person said it seems to be a permissions issue but had no specific info. Did the issue seem to resolve itself in your case without any intervention?

JimLewandowski · 10 Jan 2012

jpierce said:

Yes, you are correct regarding the System Health Report. One minute of data collection followed by exhaustive report on diagnostic results.

I've searched to the point where I just keep getting the same links over and over but no apparent resolution. One person said it seems to be a permissions issue but had no specific info. Did the issue seem to resolve itself in your case without any intervention?

My errors stopped (cant' recall if I had event 2 and event 3 events). No intervention on my part. I thought it was a timing issue for this error as if the start trace is occurring too early in a boot/logon process. Ironically, I've been playing with trace sessions for over a week now so have been playing with the CKCL trace.

I wonder if it's a .evt or .evtx file problems. I believe the MSE event that causes a OOBE trace to FAIL has a solution to delete the .evt or .evtx log file (been posted on this forum in fact)). Find the path for the CKCL and delete the .evt or evtx for it. Can't hurt.

However, before you delete the .evt, Start ORB - Search - perfmon and start permfon up. Click the tree to get to the trace sessions (one branch is running traces, other is all configured traces). In the running one, look at the status of the CKCL one. Is it stopped or has it been started successfully after the event 2 problem. The MSE problem started in October for me and continues. I have to try the delete .evt .evtx solution to see if i goes away.

jpierce · 10 Jan 2012

Thanks for your help. CKCL is running.

In searching for an answer to this problem, I've come across similar but slightly different versions of the issue (such as Session "Circular Kernel Context Logger" has failed to start with the following error(s) 0xC0000035, whereas my specific error is Session "" failed to start with the following error: 0xC0000022). I've looked back through the EV and there were 3 instances of Event ID 2 error in mid-Dec, a month before I purchased the machine; there were none the first time I booted up, but then shortly after (1/8/12 2:06 pm) the error cropped up and continues to appear at every boot. Has to be a simple tweak or permission change somewhere. Congrats on having the issue resolved in your case. I hope to be able to say the same one of these days!

JimLewandowski · 10 Jan 2012

I think I got it. It's a timing issue. As a comparison, it now dawned on me re: the 3002 event for MSE. Sometimes when my desktop comes up, in the system tray, the MSE icon will be red for a few seconds, then turn green. Most times it's green already. Someone mentioned the solution for this is to have the MSE service be a "late starter" such that the Network initialization will be complete before it launches.

I bet CKCL is a similar problem. It's a "ghost" error that's not really ever a problem. If you get the error AND CKCL is now running, it implies it retries until successful. If we could find the service that issues the equivalent of a LOGMAN START TRACE CKCL command, we could delay that one at startup, too.

While it's great Windows has this fancy, robust event log, it's always tough to tell what's a real bona-fide error and which are "temporary".

jpierce · 10 Jan 2012

Interesting thought! I haven't seen anything specific to CKCL in any error messages but I have to admit I'm far from techy :)

Since my last post, I was trying to think of what could have changed between that first beautiful boot of a new machine and now. The only thing I could think of is I was asked to install ESET Nod32 (I believe that's the name), an antivirus. Didn't want it as I prefer Avast, so I chose not to install it. I can't recall exactly what happened after that but I vaguely recall a slight hiccup. I've searched to make sure there are no traces left, but I wonder if it did anything to any settings? It can't be Avast that's responsible because I didn't install that until 24 hours after the error first appeared, and I've also disabled it to make sure it wasn't causing problems (and also, there were 3 instances of Event ID 2 in Dec before machine was purchased).

Process Explorer pointed toward "Diagnostic Policy Service" which would seem to be related to System Health Report, which won't run. The Diagnostic Policy Service is set to automatic and is running, so I have no idea why that particular PID would be flagged by EV.

I will try deleting the files you indicated and see if it makes a difference. Again, thanks for your input, much appreciated!

JimLewandowski · 10 Jan 2012

jpierce said:

Since my last post, I was trying to think of what could have changed between that first beautiful boot of a new machine and now. The only thing I could think of is I was asked to install ESET Nod32 (I believe that's the name), an antivirus. Didn't want it as I prefer Avast, so I chose not to install it. I can't recall exactly what happened after that but I vaguely recall a slight hiccup. I've searched to make sure there are no traces left, but I wonder if it did anything to any settings? It can't be Avast that's responsible because I didn't install that until 24 hours after the error first appeared, and I've also disabled it to make sure it wasn't causing problems (and also, there were 3 instances of Event ID 2 in Dec before machine was purchased).

Process Explorer pointed toward "Diagnostic Policy Service" which would seem to be related to System Health Report, which won't run. The Diagnostic Policy Service is set to automatic and is running, so I have no idea why that particular PID would be flagged by EV.

I will try deleting the files you indicated and see if it makes a difference. Again, thanks for your input, much appreciated!

Nothing changed on my PC to be getting the MSE event 3002 event errors. But, it makes sense that if it's waiting for network which can vary (asynchronous event) the time it takes to complete. But you seem to be saying you can't run the health check at all even though CKCL is running as well as the DPS service.

One more thing. If you look at the ACTIVE traces in the perfmon.exe, there is one that has a suffix on it of YYYYMMDD_00001 or something. I think this is the one responsible for Health Report as if you look in that SAME tree on perfmon and click "saved reports" or something similar, you can see the YYYYMMDD_00001 of the last time you did a health check which I bet uses that suffix on the .etl file.

jpierce · 10 Jan 2012

Ah ok I will look into that, thanks!

jpierce · 10 Jan 2012

JimLewandowski said:

Nothing changed on my PC to be getting the MSE event 3002 event errors. But, it makes sense that if it's waiting for network which can vary (asynchronous event) the time it takes to complete. But you seem to be saying you can't run the health check at all even though CKCL is running as well as the DPS service.

One more thing. If you look at the ACTIVE traces in the perfmon.exe, there is one that has a suffix on it of YYYYMMDD_00001 or something. I think this is the one responsible for Health Report as if you look in that SAME tree on perfmon and click "saved reports" or something similar, you can see the YYYYMMDD_00001 of the last time you did a health check which I bet uses that suffix on the .etl file.

I found the report you referred to on the old machine. It brought up the System Health Report I did as a test earlier today (very cool :)). However, there are no entries on the new machine. I came across the diagnosis .evtx which lists each time I tried to perform a System Health Report, and each time results in an error message: "Data collector set system\System Diagnostics failed to start as (PC name\user name) with error code 0x80030005" which I believe is just the expected "access denied" error.

Hopefully it will work itself out. In the meantime, I'll keep digging. If you or anyone else has more suggestions, I'll be very grateful. Thanks.