Event ID 3, Circular Kernel Context logger stopped

2018-10-06

Question

_{Saturday, October 6, 2018 9:07 AM}

This file, "C:\WINDOWS\system32\WDI\LogFiles\ShutdownCKCL.etl", is set by default to Max 20 MB and neither circular or append options are allowed. The file, for some reason, is extremely protected.

Now in my case the file grows very fast and fills the event log pretty much, consequently I need to set the file, at least to Max 40 MB or leave it to the original 20 MB and set it to circular.

There is someone who can solve this mystery.

** **

The maximum file size for session "Circular Kernel Context Logger" has been reached. As a result, events might be lost (not logged) to file "C:\WINDOWS\system32\WDI\LogFiles\ShutdownCKCL.etl". The maximum files size is currently set to 20971520 bytes.

Source: Kernel-EventTracing. Event ID 4.

Session "Circular Kernel Context Logger" stopped due to the following error: 0xC0000188

Source: Kernel-EventTracing. Event ID 3.

The protection in the registry is also extremely tied the only one with write permission is Trustedinstaller. The owner is set to System but no write permission.

All replies (7)

_{Sunday, October 21, 2018 2:27 PM ✅Answered}

did you perhaps use some tool to analyze shutdown performance?
f.e. in Windows Performance Recorder, running Performance Scenario: Shutdown.
Or directly use xperf? Perhaps some 3rd party tool?
This will of course increase the size of the shutdown trace file,
but should normally only affect a predefinded number of shutdowns.

And I don't think the file is protected, it is only not deleteable as long as it is in use by the logger.

Hi Eckis,

Thank you very much for your answer.

I did not use any tool, it all started with a fresh install of Windows 10 version 1803.

The problem was just that ShutdownCKCL grew unusually large after a few shutdowns. I have not found out why, although I have Investigated the issue deeply.

I've fixed the problem by increasing/calibrating the values in
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ Diagnostics \ Performance \ ShutdownCKCLSettings and
HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet \ Control \ Diagnostics \ Performance \ ShutdownCKCLSettings
Key MaxFileSize until the issue was resolved.

It is true that Maxfilesize can be edited in GUI when the logger is not in use but at first restart, the value will return to default MaxFileSize of 20 MB.

_{Monday, October 8, 2018 9:54 AM | 1 vote}

Hi,

According to the current situation, I suggest that you set file size by the following steps:

1. Open the Start Menu and search for cmd.

2. Right-click on the search result titled **cmd **and click on Run as administrator.

3. Type **perfmon.msc /s **and press Enter.

4. The **Performance Monitor **should now show up on your screen. In the left pane of the Performance Monitor, double-click on **Data Collector Sets **to expand it.

5. Click on **Startup Event Trace Sessions **under Data Collector Sets.

6. In the right pane of the Performance Monitor, locate the **ReadyBoot **entry and double-click on it.

7. Navigate to the **Stop Condition **tab and replace whatever is in the **Maximum Size **field with 40.

8. Click on **Apply **and then on OK, close the Performance Monitor, close the elevated Command Prompt and **restart **your computer.

Hope these are helpful.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].

_{Monday, October 8, 2018 11:12 AM}

Thank you very much for your reply.

I use only Solid-State Drivers, so I do not need SuperFetch or ReadyBoot, and as a result they are both Disabled by default at Windows installation time. Thus, we can exclude these two.

In my case the truly problem relates only to ShutdownCKCL.etl.

For some reason this file is extremely protect against any attempt to change its setup. However, there is an option: When the file is in zero byte, you can stop Circular Kernel Context Logger as it becomes available in Event Trace Sessions, and you can configure the file to your own needs, but it will only last one session as soon as the computer is shut down and restarted, all file setup will be returned to the original defaults.

Why do I want to have control just over that file? Because it fills my Event Log with useless messages. ShutdownCKCL.etl becomes filled with useless events that contain just thousands of empty events Log dialog box; for what purpose? It is hard to understand.

And her comes so my question:

Can you help me to find a way to control ShutdownCKCL.etl ?

Do you thing honestly there is a way to control this file?

Is possible to stop ShutdownCKCL.etl permanently so it leaves my event log in peace?

NB! I have ShutdownCKCL.evtx so you can see with your own eyes, the stupid content of this file. If I’m allowed to upload the file I will attach it on the post.

_{Saturday, October 20, 2018 2:44 PM}

Thank you very much for your reply.

I use only Solid-State Drivers, so I do not need SuperFetch or ReadyBoot, and as a result they are both Disabled by default at Windows installation time. Thus, we can exclude these two.

In my case the truly problem relates only to ShutdownCKCL.etl.

For some reason this file is extremely protect against any attempt to change its setup. However, there is an option: When the file is in zero byte, you can stop Circular Kernel Context Logger as it becomes available in Event Trace Sessions, and you can configure the file to your own needs, but it will only last one session as soon as the computer is shut down and restarted, all file setup will be returned to the original defaults.

Why do I want to have control just over that file? Because it fills my Event Log with useless messages. ShutdownCKCL.etl becomes filled with useless events that contain just thousands of empty events Log dialog box; for what purpose? It is hard to understand.

And her comes so my question:

Can you help me to find a way to control ShutdownCKCL.etl ?

Do you thing honestly there is a way to control this file?

Is possible to stop ShutdownCKCL.etl permanently so it leaves my event log in peace?

NB! I have ShutdownCKCL.evtx so you can see with your own eyes, the stupid content of this file. If I’m allowed to upload the file I will attach it on the post.

hank you very much for your reply.

I use only Solid-State Drivers, so I do not need SuperFetch or ReadyBoot, and as a result they are both Disabled by default at Windows installation time. Thus, we can exclude these two.

In my case the truly problem relates only to ShutdownCKCL.etl.

And her comes so my question:

Can you help me to find a way to control ShutdownCKCL.etl ?

Do you thing honestly there is a way to control this file?

Is possible to stop ShutdownCKCL.etl permanently so it leaves my event log in peace?

NB! I have ShutdownCKCL.evtx so you can see with your own eyes, the stupid content of this file. If I’m allowed to upload the file I will attach it on the post.

_{Sunday, October 21, 2018 9:44 AM}

did you perhaps use some tool to analyze shutdown performance?
f.e. in Windows Performance Recorder, running Performance Scenario: Shutdown.
Or directly use xperf? Perhaps some 3rd party tool?
This will of course increase the size of the shutdown trace file,
but should normally only affect a predefinded number of shutdowns.

And I don't think the file is protected, it is only not deleteable as long as it is in use by the logger.

_{Tuesday, July 2, 2019 11:07 PM}

I know this is an old thread but...

I am unable to change the key maxfilesize in the registry, even though I stopped the logger.

" error writing the value new contents."

In my case, I am trying to edit the PerfDiag logger. And when I tried to edit in the GUI, the value returns to default ( as you stated above).

Thanks

marymmcc

_{Wednesday, May 20, 2020 2:39 PM}

Use translator :)

Мое решение этой проблемы (у меня Win10 x64 20H1 b19041.264).

Исправим 2 ветки реестра:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\ShutdownCKCLSettings

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Diagnostics\Performance\BootCKCLSettings

1. Чтобы вы смогли изменять параметры в этой ветке реестра, вы должны стать владельцем этой ветки

(инструкции по ссылке ниже

https://answers.microsoft.com/ru-ru/windows/forum/windows_10-performance/%d0%bf%d0%b0%d1%80%d0%b0%d0%bc%d0%b5%d1%82%d1%80/6c577953-693e-4227-a5db-65734b3d7169

мне нельзя пока вставлять ссылки и картинки, поэтому скопируйте и вставьте в новой вкладке)

2. В обеих ветках исправьте ключи:

в ключе LogFileMode установите 2 (это циклическая запись в файл, т.е. при достижении MaxFileSize будет удалять старые записи и записывать новые

(источник информации про LogFileMode по ссылке ниже

https://docs.microsoft.com/en-us/windows/win32/etw/logging-mode-constants

А API про Event Tracing по ссылке ниже

https://docs.microsoft.com/en-us/windows/win32/etw/configuring-and-starting-an-autologger-session

)

в ключе MaxFileSize установите 10 (размер файла в МБ. 10 МБ потому что внутри этих журналов полная фигня :)

3. Один раз перезагрузитесь и проверьте размер файла C:\Windows\System32\WDI\LogFiles\BootPerfDiagLogger.etl

4. Выключите и включите компьютер и проверьте размер файла C:\Windows\System32\WDI\LogFiles\ShutdownPerfDiagLogger.etl (или ShutdownCKCL.etl, в зависимости от того, что у вас указано в параметре FileName).

У меня в журнале Microsoft-Windows-Kernel-EventTracing/Admin Предупреждения и Ошибки больше не появлялись.

=========

PS: В журнале Microsoft-Windows-Kernel-EventTracing/Admin ошибка 0xC0000188 пропала, но появилась ошибка "Не удалось начать сеанс "PerfDiag Logger" из-за следующей ошибки: 0xC0000035".

Когда найду решение ошибки 0xC0000035 напишу здесь ещё раз. :)

Share via

Event ID 3, Circular Kernel Context logger stopped

Question

All replies (7)

Additional resources