Description

Session "SessionName" failed to write to log file "FileName" with the following error: ErrorCode.

Message #

Session "%1" failed to write to log file "%2" with the following error: %3

Fields #

Message #

The backing-file for the real-time session "%1" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 10,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-06T00:46:15.355055+00:00",
    "event_record_id": 16,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 5348
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "EventLog-Microsoft-Windows-Sysmon-Operational",
    "ErrorCode": 3221225864,
    "LoggingMode": 427819392
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Session "SessionName" failed to start with the following error: ErrorCode.

Message #

Session "%1" failed to start with the following error: %3

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 2,
    "version": 0,
    "level": 2,
    "task": 2,
    "opcode": 12,
    "keywords": 9223372036854775824,
    "time_created": "2023-11-06T06:23:40.046454+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 236
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "PerfDiag Logger",
    "FileName": "",
    "ErrorCode": 3221225525,
    "LoggingMode": 8388736
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Session "SessionName" stopped due to the following error: ErrorCode.

Message #

Session "%1" stopped due to the following error: %3

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 3,
    "version": 1,
    "level": 2,
    "task": 2,
    "opcode": 14,
    "keywords": 9223372036854775824,
    "time_created": "2026-02-10T00:59:54.686730+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 280
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "ReadyBoot",
    "FileName": "C:\\Windows\\Prefetch\\ReadyBoot\\ReadyBoot.etl",
    "ErrorCode": 3221225864,
    "LoggingMode": 276824064,
    "FailureReason": 0
  },
  "message": ""
}

Description

The maximum file size for session "SessionName" has been reached. As a result, events might be lost (not logged) to file "FileName". The maximum files size is currently set to MaxFileSize bytes.

Message #

The maximum file size for session "%1" has been reached. As a result, events might be lost (not logged) to file "%2". The maximum files size is currently set to %5 bytes.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 10,
    "keywords": 9223372036854775824,
    "time_created": "2026-02-10T00:59:54.686726+00:00",
    "event_record_id": 3,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 280
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionName": "ReadyBoot",
    "FileName": "C:\\Windows\\Prefetch\\ReadyBoot\\ReadyBoot.etl",
    "ErrorCode": 3221225864,
    "LoggingMode": 276824064,
    "MaxFileSize": 20971520
  },
  "message": ""
}

Description

An error was encountered while tracing session "FileName" was switching to the "SessionName" event log file. Error: ErrorCode.

Message #

An error was encountered while tracing session "%2" was switching to the "%1" event log file. Error: %3

Fields #

Description

Provider ProviderName was registered with Event Tracing for Windows.

Message #

Provider %1 was registered with Event Tracing for Windows.

Fields #

Description

Provider ProviderName was unregistered from Event Tracing for Windows.

Message #

Provider %1 was unregistered from Event Tracing for Windows.

Fields #

Description

Session "SessionName" was started.

Message #

Session "%3" was started.

Fields #

Description

Session "SessionName" was stopped.

Message #

Session "%3" was stopped.

Fields #

Description

The configuration of session "SessionName" has been modified.

Message #

The configuration of session "%3" has been modified.

Fields #

Description

The events from session "SessionName" have been flushed.

Message #

The events from session "%3" have been flushed.

Fields #

Description

Provider ProviderName has been enabled to session "SessionName".

Message #

Provider %1 has been enabled to session "%2".

Fields #

Description

Provider ProviderName is no longer enabled to session "SessionName".

Message #

Provider %1 is no longer enabled to session "%2".

Fields #

Description

The security descriptor for session "SessionName" has been updated.

Message #

The security descriptor for session "%3" has been updated.

Fields #

Description

Stack correlation event. This event contains a call stack which is associated with a prior event which is correlated by the MatchId.

Message #

Stack correlation event. This event contains a call stack which is associated with a prior event which is correlated by the MatchId.

Fields #

Fields #

Fields #

Description

Error saving soft restart persisted log "FileName" Error: Status.

Message #

Error saving soft restart persisted log "%1" Error: %5

Fields #

Fields #

Fields #

Fields #

Fields #

Description

Error setting traits on Provider ProviderGuid. Error: ErrorCode.

Message #

Error setting traits on Provider %1. Error: %2

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kernel-EventTracing",
    "guid": "B675EC37-BDB6-4648-BC92-F3FDC74D3CA2",
    "event_source_name": "",
    "event_id": 28,
    "version": 0,
    "level": 2,
    "task": 3,
    "opcode": 25,
    "keywords": 9223372036854778400,
    "time_created": "2026-03-11T06:27:22.550118+00:00",
    "event_record_id": 54,
    "correlation": {},
    "execution": {
      "process_id": 740,
      "thread_id": 808
    },
    "channel": "Microsoft-Windows-Kernel-EventTracing/Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProviderGuid": "77811378-E885-4AC2-A580-BC86E4F1BC93",
    "ErrorCode": 3221225477
  },
  "message": ""
}

Description

A registration for Provider ProviderGuid has joined Provider Group ProviderGroupGuid.

Message #

A registration for Provider %1 has joined Provider Group %2

Fields #

Description

Provider ProviderGuid from process ProcessId does not have permission to write events to session "SessionName". Error: Status.

Message #

Provider %1 from process %3 does not have permission to write events to session "%2". Error: %4

Fields #

Fields #

Message #

Failed to read debug info for WPP provider %1 from process %3 for session "%2". Error: %4. The image registering the provider may be malformed or may be an unsupported format (e.g. managed C++). ETW traces for this session will not include the image's debug information.

Fields #

Fields #

Fields #

Fields #

Description

The enable state for Provider ProviderName is about to change on session "SessionName".

Message #

The enable state for Provider %1 is about to change on session "%2".

Fields #

Description

Provider ProviderName is about to be disabled from session "SessionName".

Message #

Provider %1 is about to be disabled from session "%2".

Fields #

Description

Capture state requested for provider GUID on session "LoggerId".

Message #

Capture state requested for provider %1 on session "%2".

Fields #

Description

Session "SessionName" could not be started because LOGGER_FLAG_LARGE_MDL_PAGES is not supported.

Message #

Session "%3" could not be started because LOGGER_FLAG_LARGE_MDL_PAGES is not supported.

Fields #

Description

Session "SessionName" could not be started because because the maximum MaximumAllowed logging sessions are already active on the system.

Message #

Session "%1" could not be started because because the maximum %2 logging sessions are already active on the system.

Fields #

Description

Session "SessionName" could not be started because because the maximum MaximumAllowed EVENT_TRACE_SYSTEM_LOGGER_MODE logging sessions are already active on the system.

Message #

Session "%1" could not be started because because the maximum %2 EVENT_TRACE_SYSTEM_LOGGER_MODE logging sessions are already active on the system.

Fields #

Description

Session "SessionName" could not be started because the process failed its access check to the SessionGuid.

Message #

Session "%1" could not be started because the process failed its access check to the SessionGuid.

Fields #

Description

Session "SessionName" could not be started because the Memory Partition Handle MemoryPartitionHandle is invalid.

Message #

Session "%1" could not be started because the Memory Partition Handle %2 is invalid.

Fields #

Description

Session "SessionName" failed to create file FileName with error ErrorCode.

Message #

Session "%1" failed to create file %2 with error %3.

Fields #

Description

Session "SessionName" could not be started because the process lacks the profiling privilege.

Message #

Session "%1" could not be started because the process lacks the profiling privilege.

Fields #

Description

Group Mask could not be updated for Session "SessionName", because the requested Group Mask is not supported.

Message #

Group Mask could not be updated for Session "%1", because the requested Group Mask is not supported.

Fields #