Message

Session "%1" failed to write to log file "%2" with the following error: %3

Fields

Message

The backing-file for the real-time session "%1" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

Fields

Example Event

system:
  provider: Microsoft-Windows-Kernel-EventTracing
  guid: B675EC37-BDB6-4648-BC92-F3FDC74D3CA2
  event_source_name: ''
  event_id: 1
  version: 0
  level: 3
  task: 1
  opcode: 10
  keywords: 9223372036854775824
  time_created: '2023-11-06T00:46:15.355055+00:00'
  event_record_id: 16
  correlation: {}
  execution:
    process_id: 4
    thread_id: 5348
  channel: Microsoft-Windows-Kernel-EventTracing/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  SessionName: EventLog-Microsoft-Windows-Sysmon-Operational
  ErrorCode: 3221225864
  LoggingMode: 427819392
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Session "%1" failed to start with the following error: %3

Fields

Example Event

system:
  provider: Microsoft-Windows-Kernel-EventTracing
  guid: B675EC37-BDB6-4648-BC92-F3FDC74D3CA2
  event_source_name: ''
  event_id: 2
  version: 0
  level: 2
  task: 2
  opcode: 12
  keywords: 9223372036854775824
  time_created: '2023-11-06T06:23:40.046454+00:00'
  event_record_id: 4
  correlation: {}
  execution:
    process_id: 4
    thread_id: 236
  channel: Microsoft-Windows-Kernel-EventTracing/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  SessionName: PerfDiag Logger
  FileName: ''
  ErrorCode: 3221225525
  LoggingMode: 8388736
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Session "%1" stopped due to the following error: %3

Fields

Message

The maximum file size for session "%1" has been reached. As a result, events might be lost (not logged) to file "%2". The maximum files size is currently set to %5 bytes.

Fields

Message

An error was encountered while tracing session "%2" was switching to the "%1" event log file. Error: %3

Fields

Message

Provider %1 was registered with Event Tracing for Windows.

Fields

Message

Provider %1 was unregistered from Event Tracing for Windows.

Fields

Message

Session "%3" was started.

Fields

Message

Session "%3" was stopped.

Fields

Message

The configuration of session "%3" has been modified.

Fields

Message

The events from session "%3" have been flushed.

Fields

Message

Provider %1 has been enabled to session "%2".

Fields

Message

Provider %1 is no longer enabled to session "%2".

Fields

Message

The security descriptor for session "%3" has been updated.

Fields

Message

Stack correlation event. This event contains a call stack which is associated with a prior event which is correlated by the MatchId.

Fields

Fields

Fields

Message

Error saving soft restart persisted log "%1" Error: %5

Fields

Fields

Fields

Fields

Fields

Message

Error setting traits on Provider %1. Error: %2

Fields

Message

A registration for Provider %1 has joined Provider Group %2

Fields

Message

Provider %1 from process %3 does not have permission to write events to session "%2". Error: %4

Fields

Fields

Message

Failed to read debug info for WPP provider %1 from process %3 for session "%2". Error: %4. The image registering the provider may be malformed or may be an unsupported format (e.g. managed C++). ETW traces for this session will not include the image's debug information.

Fields

Fields

Fields

Fields

Message

The enable state for Provider %1 is about to change on session "%2".

Fields

Message

Provider %1 is about to be disabled from session "%2".

Fields

Message

Capture state requested for provider %1 on session "%2".

Fields

Message

Session "%3" could not be started because LOGGER_FLAG_LARGE_MDL_PAGES is not supported.

Fields

Message

Session "%1" could not be started because because the maximum %2 logging sessions are already active on the system.

Fields

Message

Session "%1" could not be started because because the maximum %2 EVENT_TRACE_SYSTEM_LOGGER_MODE logging sessions are already active on the system.

Fields

Message

Session "%1" could not be started because the process failed its access check to the SessionGuid.

Fields

Message

Session "%1" could not be started because the Memory Partition Handle %2 is invalid.

Fields

Message

Session "%1" failed to create file %2 with error %3.

Fields

Message

Session "%1" could not be started because the process lacks the profiling privilege.

Fields

Message

Group Mask could not be updated for Session "%1", because the requested Group Mask is not supported.

Fields