Windows 10: Event ID 1 warning & Event ID 2 error

Hello,
After Fall Creators update I'm seeing 1 error and 1 warning in the Event Viewer which I'm not able to resolve.

Event ID 1
The backing-file for the real-time session "DefenderApiLogger" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.
Code: <System> <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" /> <EventID>1</EventID> <Version>0</Version> <Level>3</Level> <Task>1</Task> <Opcode>10</Opcode> <Keywords>0x8000000000000010</Keywords> <TimeCreated SystemTime="2017-10-19T23:02:23.884086800Z" /> <EventRecordID>26</EventRecordID> <Correlation /> <Execution ProcessID="4" ThreadID="136" /> <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel> <Computer>PC</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="SessionName">DefenderApiLogger</Data> <Data Name="ErrorCode">3221225864</Data> <Data Name="LoggingMode">411042176</Data> </EventData>[/quote] Event ID 2
Session "" failed to start with the following error: 0xC0000022
Code: <System> <Provider Name="Microsoft-Windows-Kernel-EventTracing" Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}" /> <EventID>2</EventID> <Version>0</Version> <Level>2</Level> <Task>2</Task> <Opcode>12</Opcode> <Keywords>0x8000000000000010</Keywords> <TimeCreated SystemTime="2017-10-19T23:02:24.643823700Z" /> <EventRecordID>27</EventRecordID> <Correlation /> <Execution ProcessID="1536" ThreadID="2096" /> <Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel> <Computer>PC</Computer> <Security UserID="S-1-5-20" /> </System> - <EventData> <Data Name="SessionName" /> <Data Name="FileName" /> <Data Name="ErrorCode">3221225506</Data> <Data Name="LoggingMode">293609474</Data> </EventData>[/quote] I think it is fixable, but don't know where to start. Does anyone have some idea?
Thank you in advance.

:)

 

Netsh network trace error messages

How do I look up and resolve netsh network trace error messages?

I'm having trouble establishing a VPN connection from a Windows 10 client to a remote RRAS server. I see error messages in the client's network trace messages, but I cannot find out what they mean when searching bing or google. These are my error messages:

netsh ras set tracing * enabled

Error: Event ID 12000: RRAS-Provider: From !!!!!SDOWRAPPER.LIB!!!!!!!!!!

Error: Event ID 12000: RRAS-Provider: From !!!!!SDOWRAPPER.LIB!!!!!!!!!!

Error: Event ID 12000: RRAS-Provider: From !!!!!SDOWRAPPER.LIB!!!!!!!!!!

Error: Event ID 6002: RRAS-Provider: RasDeviceGetInfo=603,s=296

Error: Event ID 6002: RRAS-Provider: RasDeviceGetInfo=0,s=296,noParams=3

Error: Event ID 6002: RRAS-Provider: ConnectionId=4,Destination IP=<RAS-SERVER-IP>

Error: Event ID 6000: RRAS-Provider: Add new connection with Id 4 @ index 4

Error: Event ID 6000: RRAS-Provider: Total list of TS Payloads = 1

Error: Event ID 6002: RRAS-Provider: IsPeerCertValidationForEapDiasabled: RegQueryValueEx for IkeAuthTypeNoServerCert failed with 2

Error: Event ID 6002: RRAS-Provider: IsCertSubjectNameCheckDisabled failed: RegQueryValueEx for DisableIKENameEkuCheck failed with 2

Error: Event ID 6000: RRAS-Provider: StartService failed with error: 0

Error: Event ID 6000: RRAS-Provider: SyncEventEntry object with 4 could NOT be found

Error: Event ID 6000: RRAS-Provider: SignalEventHandle failed: 1168

Error: Event ID 6000: RRAS-Provider: Signaling of synchronizing event failed. Error = 1168

Error: Event ID 14000: RRAS-Provider: Allocating Call context 0x000002CFCBA76D08

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:Ignoring revocation failure checks

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:GetLinkSpeedForAddr completes with 0 [Tx: 130000000][Rx: 130000000]

Error: Event ID 16000: RRAS-Provider: EapHostPeerQueryInteractiveUIInputFields dwWinError = 0x80420011

type:

eapType: type = 0

dwVendorId = 0

dwVendorType = 0

dwAuthorId = 0

dwReasonCode = 0x57

Error: Event ID 16000: RRAS-Provider: FsmInit for protocol = 80fd failed with error 731

Error: Event ID 16000: RRAS-Provider: Non-LCP packet received when LCP is not opened

Error: Event ID 16000: RRAS-Provider: Packet being silently discarded

Error: Event ID 14000: RRAS-Provider: AsyncSstpDeviceIoControl fails with [1168]

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:InitiateContextCleanup(0x221)

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:ReceiveResponseEntity fails with 995

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:InitiateContextCleanup(0x2001)

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:InitiateContextCleanup(0x1)

Error: Event ID 14000: RRAS-Provider: CoId={F4D441ED-8FE3-4F4B-BBD8-4EEBBFB27060}:Freeing up call ctx 0x000002CFCBA76D08

Error: Event ID 14000: RRAS-Provider: From !!!!!SDOWRAPPER.LIB!!!!!!!!!!

 

MSINFO, MEMORY.DMP and sys info

I uninstalled Daemon Tools and tried running the game again, PC still force restarted. Here are the new dmp files along with a screenshot of my event viewer which has 2 errors and 1 warning.. errors being a bug check (Event ID 1001) DistributedCOM (Event
ID 10016) and WHEA-Logger (Event ID 19). I know this isn't a support page for the game...but the fact that its restarting my PC when I attempt to launch leads me to believe that the issue is elsewhere.

sys

 

Hi,

Are you using TcpView from Sysinternals ? If so, it looks as if it's a bug.
Further to this look in the registry if you can find this key: Guid="{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}"
and see if the log file size is there and if can increase.
Alternatively, if you do not need the log file for analysis, it can be found under "Users\Username\Appdata\Temp\*.etl and you can delete it.

Cheers, *Wink

 

Hey,

I'm also getting event id 2 & event id 360. So far I'm guessing you guys haven't figured anything out?

 

No, I'm not aware of using anything like that.
Anyway, I have solved Event ID 1 by disabling DefenderApiLogger logging in perfmon, but unfortunately Event ID 2 error is still there and I have no clue what is the root cause.

 

You can disable the logging of event id 2 aswell in event viewer. Though it would be really nice to know what is actually causing it.

 

Firstly I was trying only to increase the max size for DefenderApiLogger from 100MB to 150MB but it did help only for a while, so I've decided to completely disable logging this stuff, but in the source not in the Event viewer.
You are right probably I can disable logging of the Event 2, but I would really like to avoid that, since this is not a solution. Moreover I'm not sure if is possible to disable only this particular event or it will affect all Microsoft-Windows-Kernel-EventTracing events.
There is still a possibilty that it is just a Windows bug which can be solved in the next few cumulative updates.

 

Well I was lucky enough to not have event id 1 showing up but as you can see from my first post I have event id 2 and 360. I feel the same about disabling the logging of certain events completely cause something actually important might get logged but don't have your hopes high that ms is gonna fix some of these issues asap*cry.

 

I managed to find out which proces/service is the root cause. It is svchost.exe - Delivery Optimization service.
So, what can be wrong with this ?

edit:
okay, one more thing... the service is set to automatic (delayed) start and as far as I can see on my second machine it should be running all the time ?
On first machine it stopped after a while, so maybe this is the culprit for this error ? But why did it happen and how to fix it ?

edit:
ok well, it depends on Windows Update advanced settings obviously, but on both machines the setting is the same, so something is not quite right here...
anyway I disabled this option in Windows update, now it has manual Startup type and the error is still there, but this time I am not able to trace it down with the Process ID from the Event, so dead end.

 

I also got the "Event ID 1" with the same description after the FCU. How did you solve it?

 

Well you can try to increase size of the file or disable logging for this.
Click Start - write perfmon - enter - on the left tree click on Data Collector Sets - Startup Event Trace Sessions - find DefenderApiLogger. Right click and properties. On the Stop Condition tab you have Maximum size, so you can increase it.
Or on the Trace Session tab you have checkbox Enabled to disable it.

 

Thanks! *Smile @eddward

 

Found a solution which doesn't require disabling logging.
● Start Perfmon → Data Collector Sets → Startup Event Trace Session → right click Defender API Logger → Properties
● In the Trace Session tab change Stream Mode to File and Real Time
● Select the File tab → under Log Mode tick Circular
Finally click ok.
This solved the issue for me.

 

I'll try your solution *Smile Thanks!