Solved Event 3 on boot: NT Kernel Log full, error 0xC000000D

[HolyHarmonica]

This morning I found the etl file at 5MB. I rebooted and the size didn't change (except for the date and time). When I try to open it with Event Viewer, it says the file is corrupt. I wonder if something is writing to it. And today, in the Performance Monitor, Event Trace Sessions, the NT Kernel Logger is not there. I have a number 3 Event, "Session 'NT Kernel Logger' stopped due to the following error: 0xC000000D

 

[Ranger4]

Have a look at this MS website.

Windows 7 Home Basic - Error Code 0xC000000D - Microsoft Community

If that solution does not help you, then perhaps you should consider reformatting your hard drive & reinstalling Windows.

 

[HolyHarmonica]

Dear Ranger 4. Well, that solution is indirectly applicable to my situation; I do not have a difficulty with EppOobe.etl I will continue to monitor NT Kernel Logger.etl Perhaps I'll discover the program or service which is actually triggering it.

 

[HolyHarmonica]

This morning I do not have an Event 2 or 3. The NT Kernel Logger.etl file is 51 MB and is readable (full of Event 0, Op Code 5, 10(mostly) and 14). In the Performance Monitor> Data Collector Sets > Event Trace Sessions, NT Kernel Logger is present and running. It's Properties > File > Log Mode > is set to "Append". This is different than the Circular, the last time I had access to it. I would still like to know how to control this Logger.
I did a Scan Disk with no errors.

 

[Ranger4]

These websites might be worth looking at.

NT Kernel Logger - 0xC0000188 |Intel Communities

Queencreek causing NT Kernel errors - Intel is ... |Intel Communities

NT Kernel logger

Configuring and Starting the NT Kernel Logger Session (Windows)

 

[HolyHarmonica]

Thanks very much Ranger 4. I took care of Intel's QueenCreek etl generator last month, so the first 2 suggestions don't apply. The last 2 are very useful though. So, it looks like the Global Logger is what starts the NT Kernel Logger (I guess they're actually the same). In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger, Log File Mode. The current value of this is 5 which seems to be 1 + 4 (Ref: Logging Mode Constants https://msdn.microsoft.com/en-us/library/windows/desktop/aa364080(v=vs.85).aspx) sequential + append. I think I'd like to set it to 2, Circular. I'll try to set it the LogFileMode to 2 and Start to 1.
Thanks a lot. I wonder why I didn't find these in my web crawling. I appreciate your time in finding these for me.

 

[Ranger4]

You are welcome & thanks for getting back. Glad to have been of some help & thanks for marking the thread as solved.

 

[HolyHarmonica]

This morning on boot I find that the NT Kernel Logger.etl file size is 0 bytes. The NTKL is running. The log file mode is set to circular and the max file size is 100 MB. I think that the logger should be logging something as it did before.

 

[Ranger4]

Lets see what happens with everything as it is. At least with it showing zero you shouldn't receive the constant warning you were getting before.

 

[HolyHarmonica]

Another day of no error and no logging. I could use a little expertise in choosing an appropriate logging mode constant. Reference post #26.

 

[Ranger4]

I can't offer any help on an appropriate logging mode as I have never experienced this problem, but as it seems to working well I would just leave it as it is & not get too concerned about it.