Event 3 on boot: NT Kernel Log full, error 0xC000000D

HolyHarmonica · 21 Jun 2017

Every time I boot my PC I get this error; an etl file reaches its size limit of 100 MB. I did a little research and it seems that the Kernel Logger is a diagnostic tool which is best started manually. The kernel generates a lot of data fast so the etl file fills up within seconds. How can I figure out how the logger is being started and how to prevent it from starting? Does this sound like a reasonable strategy? Thanks.

Log Name: Microsoft-Windows-Kernel-EventTracing/Admin
Source: Microsoft-Windows-Kernel-EventTracing
Date: 22/6/17 07:28:29
Event ID: 3
Task Category: Session
Level: Error
Keywords: Session
User: SYSTEM
Computer: CoolerMaster-PC
Description:
Session "NT Kernel Logger" stopped due to the following error: 0xC000000D
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" />
<EventID>3</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>14</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2017-06-22T00:28:29.313070700Z" />
<EventRecordID>29596</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>
<Computer>CoolerMaster-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SessionName">NT Kernel Logger</Data>
<Data Name="FileName">C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl</Data>
<Data Name="ErrorCode">3221225485</Data>
<Data Name="LoggingMode">5</Data>
</EventData>
</Event>

Ranger4 · 21 Jun 2017

Read through this MS website & there are a few solutions offered.

Event ID: 4, Source: Microsoft-Windows-Kernel-EventTracing, maximum file size for session has been reached.

HolyHarmonica · 22 Jun 2017

Thank you Ranger4. I've started to work through that post.
I have an SSD and SuperFetch is disabled. So, it's not SuperFetch.
In the Performance Monitor console>Data Collector Sets>System Performance I Found NT Kernel
NT Kernel Properties offer no setting for the maximum .etl file size. The file name doesn't match
This logger monitors 5 items in a check list under edit.
The EventLog-System logger has some 10 Kernel trace providers.
I'm headed for home now. I'll have a go at it again tomorrow. Thanks again.

HolyHarmonica · 26 Jun 2017

The link you refered me to suggests:
"increase the max file size! Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot
The MaxFileSize key is a DWORD with a default decimal value of 20. Increase this to, say 60"
Applying this to my situation I would expect to find a key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger
but it doesn't exist:

Event 3 on boot: NT Kernel Log full, error 0xC000000D-regautologger.jpg

I searched the registry for "etl" and did not find an entry with "NT Kernel Logger.etl"

Ranger4 · 26 Jun 2017

Hi Geoffrey, it seems you are in the wrong area. In your screen shot you are looking in Circular Kernel Context Logger & you should go lower down to ReadyBoot. The Regedit you need is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot

The MaxFileSize key is a DWORD with a default decimal value of 20. Increase this to, say 60, and the problem will go away.

Perhaps this screen shot may help you as well.

Event 3 on boot: NT Kernel Log full, error 0xC000000D-regedit_maxfilesize.png

HolyHarmonica · 27 Jun 2017

Thanks, I changed it to 60 and I still got the error. The file which is C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl I'm deleting this file to see what happens. No error. The file was recreated and has zero bytes. Can anyone explain this? Perhaps it will grow again. Why doesn't it automatically reset? What creates this file?

Ranger4 · 27 Jun 2017

Thanks for getting back. At least you have established that the suggestion I gave did not work & you seem to have found one that does, well done & hopefully it will keep working for you.

HolyHarmonica · 27 Jun 2017

After less than 24 hours the etl file is 40MB. I think it will soon reach the 100MB file limit (I don't know where this limit is).
In Performance Monitor > Data Collection Sets > Event Trace Sessions > NT Kernel Logger, I found I can access properties.
The file name and directory match with the error message.
File> Log mode > Append
Stop Condition all choices are grayed out.
I'll try to change to:
File> Log mode > Circular (requires a non-zero maximum file size) >Apply > error, parameter incorrect (I couldn't change the Stop Condition, it was still grayed out).
Trace Session > Stream mode: File
I searched the registry and can't find "NT Kernel logger" "NT Kernel" or "C:\Windows\system32\Logfiles\WMI"

Ranger4 · 27 Jun 2017

Did you change the ReadyBoot, MaxFileSize from 20 to the suggested 60 in the MS website. You said you had deleted the NT Kernel Logger & other logfiles/WMI etc, so you should not expect to find them.

Just watch to see if that file gets to 100 mb. According the the MS website increasing the ReadyBoot file size should work.

HolyHarmonica · 29 Jun 2017

Ranger4, I tried that again and the C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl log became full within 3 days. So, the ReadyBoot logger logs to a different file. I'd like to know what starts the NT Kernel Logger and how to reset the file so I don't get Events 3 and 4.

Event 3 on boot: NT Kernel Log full, error 0xC000000D

Event 3 on boot: NT Kernel Log full, error 0xC000000D

Changing Max Size of NT Kernel etl (log) file.