Windows 10 IoT Unified Write Filter Filling Up and Event Logging

Question

Our product is an Industrial Process Controller based on Windows 10 IoT Enterprise 2021 21H2 with 4 or 8 GB of DRAM and 32 GB of eMMC Flash.

Since the controller should run years without rebooting (may reboot more frequently due to security updates evaluated yearly), we can NOT have our industrial controller rebooting due to the UWF filling up. It’s currently set to 1024 MB for the RAM Overlay. Note – eMMC flash drive is not used for the UWF Overlay due to limited program/erase cycles (generally 3,000 per block, but has wear-leveling).

The problem is that the UWF is being consumed by ~1% (8 MB) per day. At this rate, the UWF will be consumed in 100+ days. Currently, there are 2,100 files listed in the RAM Overlay. How do I get Windows to stop writing so many files? I’ll list some of the largest files, but since there are so many and since they seem generic to Windows, there must be some solution to this. Otherwise, if I can’t resolve this, UWF and Windows 10 IoT Enterprise 2021 21H2 is unusable for us…

Excluded from the UWF Ram Overlay is the Windows Event Log, however, some of these logs are updated very frequently and we are concerned about prematurely wearing out the eMMC flash drive due to their limited program/erase cycles. Any way to make the event log a lot less chatty? I’m strongly considering NOT excluding the Windows Event Log from the UWF Ram Overlay due to the eMMC wear concern. Since our application was ported from Windows CE, we never had the Windows Event Log, so losing the logs upon a reboot is not a concern. Will not excluding the Windows Event Log from the UWF Ram Overlay fill it up even faster.

We consider these concerns “Show Stoppers”. Thanks in advance for any help!

UWF Setup:
• uwfmgr.exe overlay set-type ram
• uwfmgr.exe overlay set-size 1024
• uwfmgr.exe overlay set-warningthreshold 922
• uwfmgr.exe overlay set-criticalthreshold 973
• uwfmgr.exe volume protect c:
• uwfmgr.exe file add-exclusion c:\Windows\System32\winevt\Logs
• uwfmgr.exe file add-exclusion c:\Windows\assembly
• uwfmgr.exe file add-exclusion c:\Ctrlr
• uwfmgr.exe file add-exclusion c:\ProgramData\updd\db
• uwfmgr.exe registry add-exclusion "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones"
• uwfmgr.exe registry add-exclusion HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
• uwfmgr.exe registry add-exclusion HKLM\SOFTWARE\Policies\Microsoft\Windows\WiredL2\GP_Policy
• uwfmgr.exe registry add-exclusion HKLM\SYSTEM\CurrentControlSet\services\dot3svc
• uwfmgr.exe registry add-exclusion HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• uwfmgr.exe registry add-exclusion HKLM\SYSTEM\CurrentControlSet\Control\Nsi

Windows Event Log Frequent Updates:
• Intel Graphics Command Center non-critical errors
• Connect errors to Windows Update (Windows Update is disabled for our custom image)
• Successfully scheduled software protection service logged by Security-SPP
• Licensing checks every 10 seconds (since our device never has access to the internet, they are not activated)
• Credential manager “credentials were read” logged by Microsoft Windows Security Auditing
• PowerShell Engine state changed none to available

UWF Overlay files that are big and growing:

\$BitMap::$DATA 479232
\$Extend\$UsnJrnl:$J:$DATA 7864320
\$Mft::$DATA 17612800
\$Secure:$SDS:$DATA 94208
\ProgramData\Microsoft\Diagnosis\EventStore.db::$DATA 659456
\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log::$DATA 12288
\ProgramData\Microsoft\Search\Data\Applications\Windows\edb.jtx::$DATA 114688
\ProgramData\Microsoft\Windows Defender\Support\MPLog-20220820-112048.log::$DATA 974848
\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220829-152025-00000003-ffffffff.bin::$DATA 5275648
\ProgramData\Microsoft\Windows Security Health\Logs\SHS-08292022-152321-7-7f-19041.1.amd64fre.vb_release.191206-1406.etl::$DATA 45056
\ProgramData\Microsoft\Windows\AppRepository:$I30:$INDEX_ALLOCATION 20480
\ProgramData\Microsoft\Windows\AppRepository\MicrosoftWindows.Client.CBS_120.2212.4180.0_x64__cw5n1h2txyewy.xml::$DATA 8192
\ProgramData\USOShared\Logs\System\NotificationUxBroker.191824a0-fcee-4a68-a078-8ef147a310db.1.etl::$DATA 20480
\ProgramData\USOShared\Logs\System\NotificationUxBroker.25a2d8d8-0783-4d9e-91ff-ff4ce6e165bc.1.etl::$DATA 16384
\ProgramData\USOShared\Logs\System\NotificationUxBroker.538d5a6d-828a-4f92-ac34-c7c08443579f.1.etl::$DATA 20480
\ProgramData\USOShared\Logs\System\NotificationUxBroker.5c955643-5327-4222-8c29-3e73c9279910.1.etl::$DATA 16384
\ProgramData\USOShared\Logs\System\NotificationUxBroker.6711c520-61a7-4f78-add8-8d2dae64b225.1.etl::$DATA 20480
\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2b9528b-ab57-437b-9d93-8fa6c2bd5d4b.1.etl::$DATA 77824
\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.e2b9528b-ab57-437b-9d93-8fa6c2bd5d4b.2.etl::$DATA 28672
\Users\ctrlr\AppData\Local\Comms\UnistoreDB\store.vol::$DATA 12288
\Users\ctrlr\AppData\Local\ConnectedDevicesPlatform\L.ctrlr\ActivitiesCache.db::$DATA 196608
\Users\ctrlr\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db::$DATA 73728
\Users\ctrlr\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db::$DATA 98304
\Users\ctrlr\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db::$DATA 12288
\Users\ctrlr\AppData\Local\Microsoft\Windows\WebCache\V01.log::$DATA 524288
\Users\ctrlr\AppData\Local\Microsoft\Windows\WebCache\V0100002.log::$DATA 393216
\Users\ctrlr\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat::$DATA 573440
\Users\ctrlr\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms::$DATA 16384
\Windows\INF\setupapi.setup.log::$DATA 61440
\Windows\Logs\CBS\CBS.log::$DATA 2580480
\Windows\Logs\CBS\CbsPersist_20220902123833.log::$DATA 3436544
\Windows\Logs\CBS\CbsPersist_20220904164153.log::$DATA 3624960
\Windows\Logs\waasmedic\waasmedic.20220830_133921_295.etl::$DATA 1150976
\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat::$DATA 237568
\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-3698062076-881585960-712817399-1001.dat::$DATA 192512
\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\domgmt.20220904_035950_773.etl::$DATA 65536
\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\domgmt.20220905_035214_941.etl::$DATA 65536
\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\MpCmdRun.log::$DATA 81920
\Windows\System32\LogFiles\WMI\LwtNetLog.etl::$DATA 2756608
\Windows\System32\LogFiles\WMI\Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace.etl::$DATA 65536
\Windows\System32\LogFiles\WMI\NetCore.etl::$DATA 23068672
\Windows\System32\LogFiles\WMI\RadioMgr.etl::$DATA 131072
\Windows\System32\LogFiles\WMI\Wifi.etl::$DATA 1150976
\Windows\System32\MRT.exe::$DATA 40960
\Windows\System32\PerfStringBackup.INI::$DATA 798720
\Windows\System32\SleepStudy\ScreenOn\ScreenOnPowerStudyTraceSession-2022-09-02-13-29-09.etl::$DATA 131072
\Windows\System32\config\TxR{53b39e3d-18c4-11ea-a811-000d3aa4692b}.TxR.4.regtrans-ms::$DATA 360448
\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db-wal::$DATA 638976
\Windows\System32\sru\SRUDB.dat::$DATA 14430208
\Windows\System32\wbem\Repository\OBJECTS.DATA::$DATA 106496
\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx::$DATA 1052672
\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx::$DATA 536576
\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx::$DATA 208896
\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx::$DATA 405504
\Windows\System32\winevt\Logs\Security.evtx::$DATA 6930432
\Windows\Temp\MpCmdRun.log::$DATA 32768

Answer 1

You can limit the size of the eventlog: https://learn.microsoft.com/en-us/answers/questions/451919/event-log-settings-maximum-log-size-kb-windows-ser.html