How to disable Windows 10 system log


Solution 1

By default, Windows has a huge number of log files, constantly writing data.

Two ways to stop some of this churning:

Stop logging "Audit Success" in Windows Filtering Platform (WFP), log only "Audit Failure"

  • Open the CMD prompt as Administrator: Press Windows, type cmd, press Ctrl+Shift+Enter and confirm.
  • Type (or copy/paste) the following and press Enter: auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

If this succeeds, expect fewer events to be logged.

Disable individual logs in Windows Event Viewer

  • Open the Windows Event Viewer: press Windows+R, type eventvwr.msc and press Enter.
  • Scroll down to Application and Service Logs, Microsoft, Windows, WFP.
  • Right-click on a log process and select Disable Log.

A useful tool to search the Event Logs by name is Nirsoft's Full Event Log View.
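As an added example (not part of the original answer), the same two changes scripted in PowerShell: the current audit setting and the WFP event channels are captured to a baseline file first so the change can be reverted. The baseline path and function names are my own choices; the commands are the stock auditpol and wevtutil ones.

```powershell
#Requires -RunAsAdministrator
# Baseline file so the change can be undone later (path is an assumption)
$Baseline = "$env:ProgramData\wfp-log-baseline.json"

function Get-WfpLogState {
    # Audit policy for the subcategory, read as CSV (auditpol /r prints CSV)
    $audit = auditpol /get /subcategory:"Filtering Platform Connection" /r |
             ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
    # Event channels shown under Application and Service Logs > Microsoft > Windows > WFP
    $channels = Get-WinEvent -ListLog 'Microsoft-Windows-WFP*' -ErrorAction SilentlyContinue |
                Select-Object LogName, IsEnabled, LogFilePath, FileSize
    [pscustomobject]@{ Audit = $audit; Channels = $channels }
}

function Disable-WfpSuccessLogging {
    # Save the current state first so Restore-WfpLogging can put it back
    Get-WfpLogState | ConvertTo-Json -Depth 4 | Set-Content $Baseline
    # Step 1 of the answer: keep failures, drop the noisy success events
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable | Out-Null
    # Step 2 of the answer: "Disable Log" on each enabled WFP channel
    foreach ($c in (Get-WfpLogState).Channels | Where-Object IsEnabled) {
        wevtutil sl $c.LogName /e:false
    }
}

function Restore-WfpLogging {
    $saved = Get-Content $Baseline -Raw | ConvertFrom-Json
    # Re-enable success auditing only if the baseline had it on
    if ($saved.Audit.'Inclusion Setting' -match 'Success') {
        auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null
    }
    foreach ($c in $saved.Channels | Where-Object IsEnabled) {
        wevtutil sl $c.LogName /e:true
    }
}

# Show what would change before calling Disable-WfpSuccessLogging
Get-WfpLogState | Format-List
```

Note that the "Audit Success" events the first step suppresses land in the Security log (not in the WFP channels), so the two steps address different outputs and the baseline records both.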

Solution 2

Going hardcore:

If you want to disable specific event logging, go to Event Viewer and right-click on an event log you want to get rid of. Click Event Properties.

A new window should open - click XML view, where you'll be able to see the event's GUID. We'll try to find the event logging service in the registry based on this GUID. Not all events have this GUID, and we won't be able to find every GUID in the registry.

Event properties

After we have our GUID, we navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System in regedit, and we search for our GUID inside curved brackets.

If we find it, we can then proceed to change the Enabled and EnableProperty values:

"Enabled"=dword:0
"EnableProperty"=dword:0

Registry editing
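An added PowerShell example, not code from the answer, that does the lookup the answer describes programmatically: it reads the provider GUID from an event's XML (the same value Event Viewer shows in XML view), checks whether that GUID has a subkey under EventLog-System, and prints the previous Enabled/EnableProperty values before changing them. Function names are assumptions.

```powershell
#Requires -RunAsAdministrator
$AutologgerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System'

function Get-ProviderGuidFromEvent {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # XML view in Event Viewer: <Provider Name="..." Guid="{...}"/>; Guid may be absent
    $xml = [xml]$Event.ToXml()
    $xml.Event.System.Provider.Guid
}

function Get-AutologgerProviderState {
    param([Parameter(Mandatory)][string]$Guid)   # with curly brackets, e.g. '{...}'
    $key = Join-Path $AutologgerKey $Guid
    if (-not (Test-Path $key)) { return $null }  # not every provider is registered here
    $v = Get-ItemProperty $key
    [pscustomobject]@{ Guid = $Guid; Enabled = $v.Enabled; EnableProperty = $v.EnableProperty; Key = $key }
}

function Set-AutologgerProviderEnabled {
    param([Parameter(Mandatory)][string]$Guid, [bool]$Enabled)
    $state = Get-AutologgerProviderState $Guid
    if (-not $state) { throw "Provider $Guid is not registered under EventLog-System" }
    # Print the old values so the change can be reverted by hand
    Write-Host "Previous: Enabled=$($state.Enabled) EnableProperty=$($state.EnableProperty)"
    Set-ItemProperty $state.Key -Name Enabled -Value ([int]$Enabled) -Type DWord
    if (-not $Enabled) { Set-ItemProperty $state.Key -Name EnableProperty -Value 0 -Type DWord }
}

# Walk recent System events and report which of their providers have an Autologger entry
Get-WinEvent -LogName System -MaxEvents 50 |
    ForEach-Object { Get-ProviderGuidFromEvent $_ } |
    Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Get-AutologgerProviderState $_ } |
    Where-Object { $_ } | Format-Table
```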

Solution 3

I think I figured out how to get NetCore.etl to be written to hard drive instead of ssd. I ran Performance Monitor (a Windows app), drilled down to Data Collector Sets | Event Trace Sessions, right-clicked NetCore, clicked Properties in the menu that popped up, clicked the Directory tab, and browsed to the desired folder. Time will tell if the change is permanent, but at the moment the log is being written to my hard drive E:, according to Resource Monitor.

If one wished to stop the writing of NetCore.etl entirely, clicking Stop instead of Properties would presumably stop it. But I'm less confident that that change would be permanent. Some app might restart it, perhaps the next time Windows is restarted. If anyone tries this, I hope s/he will post the result in this thread.

Several other log files could be redirected (or stopped) in a similar manner.
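An added example (not the answer's own code) that applies the logman redirect given in the comments and re-applies it from a startup task, since a change made with -ets only affects the running session and does not survive a reboot. The session name and target folder are the ones from the thread; the task name and the "Output Location:" label match are assumptions.

```powershell
#Requires -RunAsAdministrator
$Session   = 'NetCore'
$TargetDir = 'E:\Windows_System32_LogFiles_WMI'
$TaskName  = 'Redirect-NetCore-Etl'   # assumption

function Get-TraceSessionOutput {
    param([Parameter(Mandatory)][string]$Name)
    # "logman query <name> -ets" describes the live session; pick the output file line
    foreach ($l in (logman query $Name -ets)) {
        if ($l -match '^Output Location:\s+(.+)$') { return $Matches[1].Trim() }
    }
}

function Redirect-TraceSession {
    param([string]$Name = $Session, [string]$Dir = $TargetDir)
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $before = Get-TraceSessionOutput $Name
    # Same command as in the comments; -ets applies it to the running session only
    logman update trace $Name -ets -o (Join-Path $Dir "$Name.etl") | Out-Null
    [pscustomobject]@{ Session = $Name; Before = $before; After = Get-TraceSessionOutput $Name }
}

function Register-RedirectAtStartup {
    # Re-apply the redirect at boot from a SYSTEM task, replacing the .bat approach
    $args    = "update trace $Session -ets -o `"$TargetDir\$Session.etl`""
    $action  = New-ScheduledTaskAction -Execute 'logman.exe' -Argument $args
    $trigger = New-ScheduledTaskTrigger -AtStartup
    $user    = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $user -Force | Out-Null
}

Redirect-TraceSession | Format-List
```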

Author: jw_

Updated on September 18, 2022

Comments

  • jw_ almost 2 years

    In Windows 10 Resource Monitor I found that the system process is constantly writing C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl at like 30-100KB/s. This equals 1TB of writes per year, which is not healthy for an SSD. There are other log writes like C:\Windows\System32\LogFiles*** too.

    Although logs are needed for diagnostics, it's better to turn them on only when a problem has already occurred.

    Is it possible to disable as many system logs as possible to decrease the garbage write amount to the SSD?

    • Admin over 4 years
      I use Resource Monitor from time to time to find issues. The locations you mention above (ProgramData and Windows) are not large on my machine. Run Admin Tools, Disk Cleanup, Cleanup System Files and enable all selections for cleanup. Do this weekly for a bit and see if the folder size for the logs is reasonable. I do not turn system logs off, and all that I read supports this position.
    • Admin over 4 years
      @John I care about the total write amount more than space consumption. In my case wfpdiag.etl is only 1MB; this may indicate that a small size doesn't mean a small total amount of writes, which harms the SSD.
    • Admin over 4 years
      I found that "netsh wfp set options netevents = off" can turn the write to wfpdiag.etl off.
    • Admin over 4 years
      Modern SSDs are more reliable than hard drives, so there should not be any worry about that.
    • Admin over 4 years
      @John SSDs have a parameter "TBW" which impacts their lifetime too. Consumer 1TB SSDs often have something like 100TB TBW.
    • Admin over 4 years
      I am not sure I can help further given the constraints and design of Windows logging. My Samsung drive provides up to 2,400 TB TBW, which gives it good life.
    • Admin over 4 years
      Is this the physical data rate, or to cache? The `C:` suggests the latter, as it refers to a disk partition.
    • Admin over 4 years
      Could it be an option to redirect the logs to another location, maybe an in-memory file or a second HDD, or even something like replacing the file with a symlink to something like /dev/null? This could be easier than disabling all of them.
    • Admin over 4 years
      @John I rechecked my spec: it is 400TB TBW @ 1T, so the problem is indeed not that much, but I really don't want garbage to waste the TBW, and this is only one log.
    • Admin over 4 years
      @Falco It's an option, but most log folders can't be renamed/deleted since they are always in use by some process; you need to stop the log first to replace it with a symbolic link.
    • Admin over 4 years
      @MSalters It is the average speed over minutes, so it doesn't matter whether it is cache or physical. It seems that you can only ever get the cache IO speed with standard Windows tools.
    • Admin over 4 years
      @jw_: It definitely matters. If part of the file is overwritten while still in cache then the original write never hits the disk. This can even happen with caches on the SSD itself (so invisible to the OS).
    • Admin over 4 years
      @MSalters That is a very good point. Depending on the cache policy of 1. the logger, 2. the file system driver, 3. the on-disk firmware, there are at least 3 levels of caching, which could prevent any data actually being written to disk at all while the system is still active, only writing the latest state of the file on shutdown.
    • Admin over 4 years
      @Falco @MSalters That's interesting, got it now. But there is more concern: what is the cache flush latency when the disk utilization is low and the write queue is very short? Maybe it just instantly gets from the file system cache to the flash cell, and the system may prefer a "get it done as soon as possible" policy to get rid of the harm of power loss; and since the log data stream is very slow, the chance of an instant write is very high. And even more, will the log file be written again and again to the same section between cache flushes? The real TBW could be very near the displayed one, just a guess.
    • Admin over 4 years
      "Although logs is needed for diagnostics, it's better to be turned on only when problem has already occured." Eh??
    • Admin over 4 years
      @Lightness Races with Monica I mean, for general consumers, commonly there are no problems, and even if there are problems, the user doesn't have the time to check logs and doesn't want to send logs to MS. And for general users, only problems that occur again and again are treated as a problem. So it may be better to turn logs off if possible, and when there are problems and you really need logs to solve them, you can turn logs on and wait for the next episode.
    • Admin over 4 years
      I think pinging a user requires removing the spaces from their name, e.g. @LightnessRaceswithMonica.
    • Admin over 4 years
      @Nat Thanks, got it.
    • Admin over 4 years
      @Nat Although you're technically correct, you only need the first few characters of their name, and 9 chars are enough, so "@Lightness" works :)
    • Admin over 4 years
      @jw_ Only helps you with recurring/reproducible issues. The whole point of logs is to record data when unexpected things happen. Turning them on after the unexpected thing has happened is far too late.
  • jw_ over 4 years
    "netsh wfp set options netevents = off" works for wfpdiag.etl, too.
  • jw_ over 4 years
    Can there be a batch file to disable every single log there?
  • jw_ over 4 years
    If I already know the log file name, is there a general way to know which entry in the event log viewer to disable? For example, for System32\LogFile\WMI\NetCore.etl there is a WMI entry, but no NetCore under that entry; hope it works.
  • jw_ over 4 years
    NetCore.etl is still being written after disabling the event under Application and Service Logs -> Microsoft -> Windows -> WMI. Can this be stopped using the above method?
  • DrMoishe Pippik over 4 years
    @jw_, to disable ASP.NET logging (NetCore, etc.) see StackOverflow: stackoverflow.com/questions/35251078/…
  • johny why almost 4 years
    After applying both methods (auditpol and 'Disable Log'), there's no change in RAM use of 'Windows Event Log' in Task Manager. Still near the top. WFP shows only 3: Microsoft-Windows-IKE/Operational, Microsoft-Windows-VPN/Operational, and Operational.
  • Dolores Stevens almost 4 years
    You skipped a step that I haven't been able to figure out. Where you wrote "right-click on an event log you want to get rid of", how does one identify which event log corresponds to the file that Resource Monitor shows is being written to heavily? (For example: C:\Windows\System32\LogFiles\WMI\NetCore.etl) I see no search function in Event Viewer, and I couldn't find NetCore.etl. Is NetCore.etl there somewhere, a needle in a haystack, or is it not the kind of log that Event Viewer displays?
  • GChuf almost 4 years
    That could be another question (or questions) on its own. I was never concerned with files in my answer, only events. I think some reverse engineering would be required to find that out, or at least I am not aware of ways to find out which logging service writes to which file. You can always go into Event Viewer and try to find the event which corresponds to the contents of your NetCore.etl file.
  • Dolores Stevens almost 4 years
    When I import NetCore.etl into Event Viewer the resulting list seems useless: "unknown" events, etc. A blog ( medium.com/palantir/… ) gave me the idea to run logman.exe: when I ran "logman.exe query NetCore -ets" the output listed many Providers: some have readable names (Network Profile Manager, Microsoft-Windows-SruMon, Network Location Awareness Trace, Microsoft-Windows-NetworkConnectivityStatus) and the rest have names equal to the Provider Guid. Most are set to Level 5 (Verbose).
  • Dolores Stevens almost 4 years
    I think I found how to get NetCore.etl to be written to hard drive instead of SSD. I ran Performance Monitor (a Windows app), drilled down to Data Collector Sets | Event Trace Sessions, right-clicked NetCore, clicked Properties, clicked Directory, and browsed to the desired folder. I don't know yet if the change will be permanent. If one wished to stop the writing entirely, clicking Stop instead of Properties would presumably do that, but I'm even less confident that that change would be permanent... some app might restart it, perhaps the next time Windows is restarted.
  • Dolores Stevens almost 4 years
    I found a second way to change the folder where NetCore.etl is written, using logman.exe with appropriate command-line parameters. This technique has a big advantage over the Performance Monitor GUI technique since it can be placed in a .bat file and can be run every time Windows starts. I also learned today that the Performance Monitor technique doesn't permanently change the folder, so a Windows startup task that runs logman is the way to do it effectively. Example command line: "logman update trace NetCore -ets -o E:\Windows_System32_LogFiles_WMI\NetCore.etl" (without the quotes)
  • Quantum about 3 years
    It should be noted that you need to be in C:\Windows\System32 if you don't have env paths resolving correctly, or the app aliases are missing, or for a handful of other reasons; if opening it per the instructions fails, cd \windows\system32 and then run the command written in this answer.
  • Community almost 3 years
    Please add further details to expand on your answer, such as working code or documentation citations.