Unable to start ETW session

  • Question

  • Unable to start ETW session: MMA-ETW-Livecapture-104cdcac-7798-4ce7-a94b-807b4dbaded5
    Host Name: Localhost

    A capture session exists. It must be stopped and deleted before starting a new one, e.g., using Powershell cmdlet Get-NetEventSession, Stop-NetEventSession, Remove-NetEventSession.

    The problem is just that Get-NetEventSession returns another session than the one in the error message, and Stop-NetEventSession (and Remove-NetEventSession for that matter) recognizes neither the session listed in the error message nor the one listed by Get-NetEventSession.

    Tried restarting the machine, tried uninstalling/re-installing Message Analyzer, but now completely stuck.

    Please help with some work-around, I need/want the Message Analyzer.

    Wednesday, June 5, 2019 2:21 PM

Answers

  • Hello EuroEager,

    You could try the command "logman stop -ets MMA-ETW-Livecapture-104cdcac-7798-4ce7-a94b-807b4dbaded5" and then try to start a trace in Message Analyzer.

    The odd thing is that the unwanted Message Analyzer trace survives a reboot. Do any of the registry key names under HKLM\System\CurrentControlSet\Control\WMI\Autologger look as though they might be related to Message Analyzer?

    Gary


    Wednesday, June 5, 2019 5:16 PM

All replies

  • Hello Gary

    Tried your suggestion, reply: Error: Data collector Set was not found

    But a start attempt at Message Analyzer now lists another guid as the last part of the session name (I might have performed a boot meanwhile).

    Cannot find anything seemingly related to Message Analyzer at your registry location.

    This starts to get much more than annoying.

    Ah, I forgot to mention that the error message is perhaps only after upgrade to 1903 ( I am not really sure though).

    EDIT: Of course the message lists the session name of the session which is not created due to the error; anyway I cannot stop or delete the existing session, which looks similar to this:

    Get-NetEventSession

    Name               : MMA-ETW-Livecapture-09b38030-2af9-4e62-b436-3130ac381b42
    CaptureMode        : RealtimeRPC
    LocalFilePath      :
    MaxFileSize        : 250 MB
    TraceBufferSize    : 256 KB
    MaxNumberOfBuffers : 16
    SessionStatus      : NotRunning

    and then when trying to stop or delete it, or even like this:

    Get-NetEventSession | Stop-NetEventSession
    Stop-NetEventSession : The requested object could not be found.
    At line:1 char:23
    + Get-NetEventSession | Stop-NetEventSession
    +                       ~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (MSFT_NetEventSe...48DF955AD6F1}"):root/StandardCimv2/MSFT_NetEventSessi
       on) [Stop-NetEventSession], CimException
        + FullyQualifiedErrorId : MI RESULT 6,Stop-NetEventSession

    Which I find weird: piping an object to Stop-NetEventSession (or Remove-NetEventSession) crashes because the object does not exist; how is this possible?

    • Edited by EuroEager Wednesday, June 5, 2019 9:16 PM
    Wednesday, June 5, 2019 9:05 PM
  • Hello EuroEager,

    Your last message left me a little bit uncertain about what you tried.

    When "logman stop -ets MMA-ETW-Livecapture-104cdcac-7798-4ce7-a94b-807b4dbaded5" failed with error "Data Collector Set was not found", did you retry a slightly modified form of the command using the now current session name? 

    Can you post the output of the command "logman query -ets"?

    Gary

    Wednesday, June 5, 2019 9:17 PM
  • I tried again today and saw the same strange message when piping the (PowerShell) Get-NetEventSession to Stop-NetEventSession, but I also saw that it gave another message when piping to Remove-NetEventSession, namely lack of access rights.

    Therefore I started PowerShell as admin and was able to remove it.
    (Could probably have done it with logman delete as well, with elevation.)

    So all is now ok, except for the strange message at Stop-NetEventSession and the fact that the session existed as a "ghost" session at all, but I can live with that when I know how to kill the ghost.

    Thursday, June 6, 2019 11:38 AM
  • Hello EuroEager,

    Thanks for the update - it turns out that your approach was better than mine.

    The Win32 API routines StartTrace, StopTrace, EnableTraceEx2 et al are the low-level interface to Event Tracing for Windows and are used directly by logman.exe. No persistent (registry/file) state is maintained for these ETW sessions.

    There is also a WMI provider root/StandardCimv2/MSFT_NetEventSession (implemented in %SystemRoot%\System32\wbem\NetEventPacketCapture.dll) that can be used to create and control tracing sessions. This provider is used to implement the NetEventPacketCapture PowerShell cmdlets and is also used by Message Analyzer. Some persistent state is maintained for these trace sessions in the registry under HKLM\System\CurrentControlSet\Control\Diagnostics\NetEventCapture.

    So the advantage of using Stop-NetEventSession and Remove-NetEventSession is that the persisted state in the registry is cleaned up too.

    Gary

    Thursday, June 6, 2019 12:56 PM
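The clean-up that EuroEager arrived at (elevated PowerShell, Remove-NetEventSession) and the two layers Gary describes (the WMI provider with its registry state, and the raw ETW sessions that logman sees), put together as an added example script. This is not code from the thread or from Message Analyzer; it assumes the session name prefix MMA-ETW-Livecapture-* seen in the posts and the SessionStatus value NotRunning shown in the Get-NetEventSession output above.

```powershell
# Added example: tidy up stale Message Analyzer (MSFT_NetEventSession) capture
# sessions. Remove-NetEventSession needs an elevated shell, so check first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session (Remove-NetEventSession needs admin rights)."
}

# Only touch Message Analyzer live-capture sessions (assumed name prefix);
# leave any other NetEvent sessions an administrator may have created alone.
$stale = Get-NetEventSession | Where-Object { $_.Name -like 'MMA-ETW-Livecapture-*' }
if (-not $stale) { Write-Host 'No MMA-ETW-Livecapture-* sessions registered with the WMI provider.' }

foreach ($s in $stale) {
    Write-Host ("Session {0}: status {1}" -f $s.Name, $s.SessionStatus)
    # Stop-NetEventSession fails with "object could not be found" on a session that
    # is NotRunning (the "ghost" case in the thread), so only stop a session that
    # is actually running.
    if ("$($s.SessionStatus)" -ne 'NotRunning') {
        Stop-NetEventSession -Name $s.Name
    }
    # Remove-NetEventSession also clears the provider's persisted state under
    # HKLM\System\CurrentControlSet\Control\Diagnostics\NetEventCapture.
    Remove-NetEventSession -Name $s.Name
}

# Cross-check at the ETW level: logman lists sessions created through
# StartTrace and friends, which the WMI provider may not know about.
$etwLeftovers = logman query -ets | Select-String 'MMA-ETW-Livecapture'
if ($etwLeftovers) {
    Write-Warning 'ETW session(s) still present at the logman level (stop with: logman stop -ets <name>):'
    $etwLeftovers | ForEach-Object { Write-Warning $_.Line }
}

# Finally show any registry state the provider left behind so it can be inspected.
$regPath = 'HKLM:\System\CurrentControlSet\Control\Diagnostics\NetEventCapture'
if (Test-Path $regPath) {
    Get-ChildItem $regPath | Select-Object -ExpandProperty PSChildName
}
```

If the script reports a session only at the logman level, that matches Gary's explanation: no registry state exists for it, so a logman stop -ets is sufficient and there is nothing for Remove-NetEventSession to clean up.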