Windows 7: Event 3 on boot: NT Kernel Log full, error 0xC000000D

06 Jul 2017   #11
HolyHarmonica

 

I searched for ".etl" in the registry and can't find one associated with "kernel." NT Kernel Logger.etl is not reset to zero at shutdown/boot. The logger starts (or tries to) at boot. I really don't know what it is logging nor why it is logging so much. I'd like to prevent it from starting (disable or set to manual) and have an easy way to reset the file to zero when it gets full.


06 Jul 2017   #12
HolyHarmonica

 

The NT Kernel Logger is explained nicely here:
https://docs.microsoft.com/en-us/win...-trace-session
It seems that it is a diagnostic tool that should only be run when called for. So, I'd like to know how to prevent it from starting. What triggers it? This is a very interesting thread which explains that NT Kernel Logger is used by diagnostic software that is installed (In this case Willamette service from Intel).
https://superuser.com/questions/1011...lready-running
Looking at my list of Services, I do not have any from Intel that look suspicious. I do have 3 diagnostic services:
Diagnostic Policy Service (startup is Automatic)
Diagnostic Service Host (startup is Manual)
Diagnostics Tracking Service (startup is Automatic)
These are all currently started.
Diagnostic System Host is not started and startup is Manual.
(Windows Event Log is started; it might be related in that this is a logging service)
[Although NT Kernel Logger is stopped; the service or program that started it might still be running]
Another computer has the same services running and not Events 3 and 4.
I used msconfig to check Startup items (and services again) and saw nothing suspicious (no obvious diagnostic tools).
The Performance Monitor now shows NT Kernel in System Diagnostics and Performance only with no modifiable options that I can tell.
07 Jul 2017   #13
HolyHarmonica

 

I found Realtek's Ethernet diagnostic tools had been installed. Finding no way to disable them, I uninstalled this program. I still got Event 3/4. I deleted the etl log file and it was recreated at next boot - 0 bytes. On the next reboot it was 7MB. At this rate it will take 13 boots to reach its limit.

07 Jul 2017   #14
torchwood

W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
 
 

Hi HH,

Sounds like you've got boot logging enabled.

Control panel >> administration tools >> system config > boot uncheck log.

It's a troubleshooting tool and by default it's OFF, unchecked.

Roy
07 Jul 2017   #15
HolyHarmonica

 

Thanks Roy, I looked and Boot Log is unchecked. I think that is a pretty good guess though. I rebooted to check something else and the etl file is at 36MB already. Thanks for thinking. Please give me some more ideas about how to tackle this problem. How can I narrow it down? I'm headed home now. I should check in over the weekend.
07 Jul 2017   #16
HolyHarmonica

 

The file grows by about 6 MB at each boot. I used Event viewer to open and look at the contents. They were all (empty) Information Level events from yesterday from about an 8 minute period. I don't understand why this log file is increasing in size with events from yesterday at each boot. What could make it start and make it stop? What should it do when the file is full? It seems to be appending to a file. Overwriting seems more appropriate. It could be that the file size growth depends on the time between boot and login.
07 Jul 2017   #17
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

I found this MS link from the website that you referenced in Post #13. It might help you.

Tracelog Command Syntax | Microsoft Docs

Also this one as well.

NT Kernel Logger Trace Session | Microsoft Docs

And this one.

Example 12 Starting an NT Kernel Logger Session | Microsoft Docs

On these MS web pages there is a menu on the LH side that you can scroll through for possibly more help.
07 Jul 2017   #18
HolyHarmonica

 

Good morning from a very green and wet village in Northeastern Thailand, Ranger 4. I dug around and found that Tracelog and Traceview are part of Windows Development Kit (WDK) or other development tools which I don't have (these commands are not recognized in a command prompt window). I believe I can start (and stop) an NT Kernel Logger session using Logman (it is recognized in a command prompt window). Fortunately right now I do not appear to have a problem that requires an NT Kernel Trace; so I don't need to know how to start a trace. What I need to know is how to manage the NT Kernel Logger.etl file. That might involve changing the NTKL parameters of whatever program or service is running the NTKL. I'd like to set a parameter to tell it to overwrite the etl file at each run. I'm not sure if there is any other useful strategy besides this. It would be nice if it could keep the last 100 MB of the file (append and delete the beginning of the file). I don't know if there is a way to do that though. So, I have to find a way to change the parameters of the NT Kernel Logger session that starts on boot. I tried checking boot log and rebooting and then unchecking it and rebooting but that didn't work. I'll dig some more. More ideas are welcome.
08 Jul 2017   #19
HolyHarmonica

 

Logman does basically the same things as Performance Monitor Data Collector Sets Properties Dialog Box. In the System Folder there are two sets which show the NT Kernel Trace - The System Diagnostics Set and the System Performance Set. The properties of the NT Kernel Trace(s) show a file of a different name and a different example directory. I don't think that these are the ones that generate the .etl file that becomes too large. The Sets themselves have two interesting items on their context menus: Data Manager and Properties.
OK, so today I look at the other DCS folders and the Event Trace Sessions has NT Kernel Logger (running). Ah Ha; that's the one that's logging to this growing file. Lo and behold, this morning it has grown from 79 to 99 MB. CKCL began giving out Event 2, "failed to start" messages about 10:51. That is when a new user logged on. It's lunch time; I'll be back later.
08 Jul 2017   #20
HolyHarmonica

 

OK, in Performance Monitor, I stopped the NTKL. In Properties > File > Log mode I changed "Append" to "Circular". "Overwrite" was grayed out. It seems to work. The file size was set to 0 and is now growing.
It seems kind of funny to me that this Event Trace Sessions, NT Kernel Logger logs just information level events of OpCode: 22, 21 and 15. The sole trace provider is Windows Kernel Trace. I wonder why it is even here. I wonder what starts it.
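
Added example, not part of any post in this thread: a PowerShell sketch for the two open questions above (what starts the session at boot, and whether its file is opened in append or circular mode). It assumes the session may be defined under the Windows AutoLogger registry key; a session that does not appear there is being started by a running program or service instead. The helper name `Get-LogModeNames` is made up for this example. Run it from an elevated prompt.

```powershell
# Added example: list boot-time (AutoLogger) ETW sessions and decode their
# log file mode, then show the sessions that are running right now.
# Assumption: boot-started sessions are defined under this registry key.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

# EVENT_TRACE_FILE_MODE_* bits used by the LogFileMode value
$modes = @{ 0x1 = 'Sequential'; 0x2 = 'Circular'; 0x4 = 'Append'; 0x8 = 'NewFile' }

# Hypothetical helper: turn a LogFileMode bitmask into readable names
function Get-LogModeNames([long]$value) {
    $names = @()
    foreach ($bit in ($modes.Keys | Sort-Object)) {
        if ($value -band $bit) { $names += $modes[$bit] }
    }
    if ($names.Count -eq 0) { return 'no file-mode bit set' }
    return ($names -join ', ')
}

Get-ChildItem $root | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    $mode = 'not set'
    if ($p.LogFileMode -ne $null) { $mode = Get-LogModeNames $p.LogFileMode }
    New-Object PSObject -Property @{
        Session   = $_.PSChildName
        Start     = $p.Start        # 1 = session is started at boot
        LogMode   = $mode           # Append grows until MaxFileSize is hit
        MaxSizeMB = $p.MaxFileSize  # in megabytes
        FileName  = $p.FileName
    }
} | Sort-Object Session |
    Format-Table Session, Start, LogMode, MaxSizeMB, FileName -AutoSize

# Sessions running now, then the details of the kernel session
# (output file, mode, size limit, providers)
logman query -ets
logman query "NT Kernel Logger" -ets
```

A session listed with `Start` = 1 and `LogMode` containing `Append` is one that keeps adding to the same file across boots until it reaches its size limit.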