Windows 7 Forums


Windows 7: Event 3 on boot: NT Kernel Log full, error 0xC000000D

21 Jun 2017   #1
HolyHarmonica

 
Event 3 on boot: NT Kernel Log full, error 0xC000000D

Every time I boot my PC I get this error; an etl file reaches its size limit of 100 MB. I did a little research and it seems that the Kernel Logger is a diagnostic tool which is best started manually. The kernel generates a lot of data fast so the etl file fills up within seconds. How can I figure out how the logger is being started and how to prevent it from starting? Does this sound like a reasonable strategy? Thanks.

Log Name: Microsoft-Windows-Kernel-EventTracing/Admin
Source: Microsoft-Windows-Kernel-EventTracing
Date: 22/6/17 07:28:29
Event ID: 3
Task Category: Session
Level: Error
Keywords: Session
User: SYSTEM
Computer: CoolerMaster-PC
Description:
Session "NT Kernel Logger" stopped due to the following error: 0xC000000D
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" />
<EventID>3</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>2</Task>
<Opcode>14</Opcode>
<Keywords>0x8000000000000010</Keywords>
<TimeCreated SystemTime="2017-06-22T00:28:29.313070700Z" />
<EventRecordID>29596</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel>
<Computer>CoolerMaster-PC</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SessionName">NT Kernel Logger</Data>
<Data Name="FileName">C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl</Data>
<Data Name="ErrorCode">3221225485</Data>
<Data Name="LoggingMode">5</Data>
</EventData>
</Event>


21 Jun 2017   #2
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

22 Jun 2017   #3
HolyHarmonica

 

Thank you Ranger4. I've started to work through that post.
I have an SSD and SuperFetch is disabled. So, it's not SuperFetch.
In the Performance Monitor console > Data Collector Sets > System Performance I found NT Kernel.
NT Kernel Properties offer no setting for the maximum .etl file size. The file name doesn't match.
This logger monitors 5 items in a check list under edit.
The EventLog-System logger has some 10 Kernel trace providers.
I'm headed for home now. I'll have a go at it again tomorrow. Thanks again.
26 Jun 2017   #4
HolyHarmonica

 
Changing Max Size of NT Kernel etl (log) file.

The link you referred me to suggests:
"increase the max file size! Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot
The MaxFileSize key is a DWORD with a default decimal value of 20. Increase this to, say 60"
Applying this to my situation I would expect to find a key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger
but it doesn't exist:
[Attached screenshot: regautologger.jpg]

I searched the registry for "etl" and did not find an entry with "NT Kernel Logger.etl".


26 Jun 2017   #5
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

Hi Geoffrey, it seems you are in the wrong area. In your screen shot you are looking in Circular Kernel Context Logger & you should go lower down to ReadyBoot. The Regedit you need is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot

The MaxFileSize key is a DWORD with a default decimal value of 20. Increase this to, say 60, and the problem will go away.

Perhaps this screen shot may help you as well.

[Attached screenshot: regedit_maxfilesize.png]


27 Jun 2017   #6
HolyHarmonica

 

Thanks, I changed it to 60 and I still got the error. The file is C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl; I'm deleting this file to see what happens. No error. The file was recreated and has zero bytes. Can anyone explain this? Perhaps it will grow again. Why doesn't it automatically reset? What creates this file?
27 Jun 2017   #7
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

Thanks for getting back. At least you have established that the suggestion I gave did not work & you seem to have found one that does, well done & hopefully it will keep working for you.
27 Jun 2017   #8
HolyHarmonica

 

After less than 24 hours the etl file is 40MB. I think it will soon reach the 100MB file limit (I don't know where this limit is).
In Performance Monitor > Data Collector Sets > Event Trace Sessions > NT Kernel Logger, I found I can access properties.
The file name and directory match with the error message.
File > Log mode > Append
Stop Condition: all choices are grayed out.
I'll try to change to:
File > Log mode > Circular (requires a non-zero maximum file size) > Apply > error, parameter incorrect (I couldn't change the Stop Condition, it was still grayed out).
Trace Session > Stream mode: File
I searched the registry and can't find "NT Kernel logger", "NT Kernel" or "C:\Windows\system32\Logfiles\WMI".
27 Jun 2017   #9
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

Did you change the ReadyBoot, MaxFileSize from 20 to the suggested 60 in the MS website? You said you had deleted the NT Kernel Logger & other logfiles/WMI etc, so you should not expect to find them.

Just watch to see if that file gets to 100 MB. According to the MS website increasing the ReadyBoot file size should work.
29 Jun 2017   #10
HolyHarmonica

 

Ranger4, I tried that again and the C:\Windows\system32\Logfiles\WMI\NT Kernel Logger.etl log became full within 3 days. So, the ReadyBoot logger logs to a different file. I'd like to know what starts the NT Kernel Logger and how to reset the file so I don't get Events 3 and 4.