need someone to look up some system info on your PC

JimLewandowski · 14 Jan 2012

I mucked with my Circular Kernel Context Logger to get some trace data and now it won't start when Win 7 boots. I reset what I recall changing, but I do remember changing some security as the output .etl dataset couldn't be read or takeown'ed by me. However, if I manually start it (right-click START) it does start successfully. Maybe I'm admin (owner of CKCL) and I can thus start it, but the SYSTEM (security/SID) can't??

Control Panel > Administrative Tools > Performance Monitor.

Expand - Data Collector Reports.

Left-click on - Start Event Trace Sessions.

Left-Click once - Circular Kernel Context Logger to highlight it. Then right-click to get context menu, and then click on Properties.

Applet open

Now, click on - Security tile OR Security tab at the top. Then click on Advanced tile.

On this applet, click the Owner tab. What does it list for current owner?

Brink · 14 Jan 2012

Hello Jim,

Here's what I have as the owner. Hope it helps. :)

The SYSTEM group as all permission options checked but the first one below for me.

need someone to look up some system info on your PC-owner.jpg

DMHolt57 · 14 Jan 2012

Administrators is listed as Owner....

JimLewandowski · 14 Jan 2012

Aha.

Yours has DPS (Diagnostic Policy Service) and WdiServiceHost. Maybe because your Win7 Ultimate?

All security for all my Event Traces are listed are pretty much the same (all checked BUT the first box).

Mine has (but most others look this way):

SYSTEM
LOCAL SERVICE
NETWORK SERVICE
Admin (Jim/GLH)
Network Configuration Operators (Jim/GLH)

Maybe I need to add DPS since it might be the service that starts this. I checked other running (via boot, not of my control) traces and see DPS on one.

But, I'm 100% sure I didn't do anything with security other than add a checkmark to Admin (in an attempt to get access to the CKCL.etl file in my local non-OS directory - this DID work).

I'm stumped. I knew modifying it and trying to set it back would neuter it. But, again, I can start it manually and no problems at all. It is set to enabled.....

JimLewandowski · 14 Jan 2012

Would someone be kind enough to STOP the CKCL via the EVENT TRACE SESSIONS branch (it will say RUNNING next to it). Left-click to highlight, right-click to select STOP.

CLOSE the performance monitor window and come all the way back in again (idiosynchracy of perfmon GUI - clicking ACTION > REFRESH won't work for a few minutes).

Go to the original Event Trace Session branch (the ones listed as RUNNING) again and verify that CKCL is physically gone from the list.

If so, go to Startup Event Trace Session branch (the ones listed as enabled/disabled), right-click CKCL and select Properties. What do you have in the lower pane by Keywords(Any) (1st row). My value setting is 0x2005. I now recall, I think this needs to be 0x0000 and I bet whoever starts this adds those keywords in the fly by the equivalent of the logman command.

And it might explain my event ID error for a trace session named "" with 0xC000000D (D/13 is supposed to be invalid parameters).

Afterwards, right-clicking and selecting START should fire it up again. But the keyword thing is peculiar as if yours IS 0x0000, restarting it may simply have a CKCL running by not collecting anything (i.e. parms are provided via LOGMAN command internally in Win7).

Brink · 14 Jan 2012

It would think that you should also have DPS and WdiServiceHost listed in addition like mine above.

need someone to look up some system info on your PC-dps.jpg

need someone to look up some system info on your PC-wdiservicehost.jpg

Inline :)

JimLewandowski said:

Go to the original Event Trace Session branch (the ones listed as RUNNING) again and verify that CKCL is physically gone from the list.

Yep, gone afterwards.

If so, go to Startup Event Trace Session branch (the ones listed as enabled/disabled), right-click CKCL and select Properties. What do you have in the lower pane by Keywords(Any) (1st row). My value setting is 0x2005. I now recall, I think this needs to be 0x0000 and I bet whoever starts this adds those keywords in the fly by the equivalent of the logman command.

And it might explain my event ID error for a trace session named "" with 0xC000000D (D/13 is supposed to be invalid parameters).

I have 0x0 (Startup Event Trace Session) with the one in Event stopped as above.

need someone to look up some system info on your PC-keywords.jpg

Afterwards, right-clicking and selecting START should fire it up again. But the keyword thing is peculiar as if yours IS 0x0000, restarting it may simply have a CKCL running by not collecting anything (i.e. parms are provided via LOGMAN command internally in Win7).

Fired back up.

JimLewandowski · 14 Jan 2012

I definitely did not delete anything and now thinking back, I would have recognized those "never before seen by me" SIDs/users.

I think the 0x2005 is what's upsetting the restart.

logman is a very, very bizarre interface. If you start CKCL from the command line, it seems to do buffered trace PLUS write to a file even though CKCL is buffered only. And the kicker is the file it writes to is in whatever directory you were in when you issued logman. As I mentioned, with standard security settings, I couldn't read the CKCL.etl file via tracerpt.

I struggled with understanding all this as so much is inconsistent. For example, if you start CKCL with no parms via logman, it will start but will not trace anything honoring the 0x0 keyword setting. But, even if you have those bits set, logman will start CKCL with 0x0 but the right-click GUI start WILL honor the keywords.

Set to 0x00 and will see on next reboot. Thanks.

JimLewandowski · 15 Jan 2012

No go. Still won't start at bootup/logon. Weird.

JimLewandowski · 15 Jan 2012

Anyone have any ideas on how to get this trace working?

Brink · 15 Jan 2012

Jim,

Do you have a restore point available dated before you made changes to the CKCL that you could use?