Kernel-EventTracing Event ID 32

Question

Kernel-EventTracing Event ID 32

ms 11

Hi, I have a lot events with id 32 (Kernel-EventTracing/Admin)
I can't find anything about that, any idea?
Detailed event description below:

Log Name: Microsoft-Windows-Kernel-EventTracing/Admin
Source: Microsoft-Windows-Kernel-EventTracing
Date: 10.12.2021 10:42:07
Event ID: 32
Task Category: Provider
Level: Warning
Keywords: Provider,Session
User: SYSTEM
Computer: w2k22
Description:
Failed to look up debug info for provider {c85ab4ed-7f0f-42c7-8421-995da9810fdd} from process 93323264 for session "圼送 fh". Error: Unknown NTSTATUS Error code: 0xb70c3577. Either the debug data could not be found, or the debug data is inaccessible because the image registering the provider is malformed.
Event Xml:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Kernel-EventTracing' Guid='{b675ec37-bdb6-4648-bc92-f3fdc74d3ca2}'/><EventID>32</EventID><Version>0</Version><Level>3</Level><Task>3</Task><Opcode>0</Opcode><Keywords>0x8000000000000030</Keywords><TimeCreated SystemTime='2021-12-10T09:42:07.1171368Z'/><EventRecordID>44120</EventRecordID><Correlation/><Execution ProcessID='3464' ThreadID='11652'/><Channel>Microsoft-Windows-Kernel-EventTracing/Admin</Channel><Computer>w2k22</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='ProviderGuid'>{c85ab4ed-7f0f-42c7-8421-995da9810fdd}</Data><Data Name='SessionName'>圼送 fh</Data><Data Name='ProcessId'>93323264</Data><Data Name='Status'>3071030647</Data></EventData></Event>

Mihai Sarbulescu 26 Reputation points

2022-04-05T14:35:31.197+00:00

What is happening here is that a jitted (into VirtualAlloc) block of code has registered an ETW Provider that has its callback in the jitted region AND the provider is one that has binary tracking enabled, and ETW is using the address of the callback to locate the image it is located in - due to the fact that it's jitted code and not an actual image, it does not have a PE header (no image information) - thus of course we don't even end up trying to check DEBUG Directory and RSDS (as this does not exist without image information of course ...).

.NET JIT compiler will uses VirtualAlloc() with PAGE_EXECUTE_READWRITE protection flag to allow the jitted code to be executed. This is something that happens inside the MonitoringHost.exe process(es) for example.

From the point of view of "correctness", the ETW component raises the Warning Event 32 correctly, that it does not find any PE header (no image information) for that jitted code that has registered a provider – however, the event is confusing in this situation.

NOTE: There is a small issue in raising the event (which is unrelated to why we are raising it) and that is why we are seeing those characters there, but the actual error code for this is: STATUS_SECTION_NOT_IMAGE (0xc0000049).

The event should be ignored.
Mihai Sarbulescu 26 Reputation points

2022-04-05T14:35:51.68+00:00

There is a workaround of disabling auto-starting of SCOM ETW trace on service startup of the Agent service which should make these events (Warning 32) go away (unless manually started when needed for troubleshooting (StartTracing.cmd) – which should be something that does not happen often at all):

1) Create this Registry Key / value on all impacted WS 2022 Servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Tracing]
"DisableAutoTracing"=dword:00000001

2) Open an Administrative command prompt and go to C:\Program Files\Microsoft Monitoring Agent\Agent\Tools (or Server path) and run StopTracing.cmd

3) Restart the Microsoft Monitoring Agent (HealthService.exe) service
ms 11 Reputation points

2022-04-11T11:33:53.817+00:00

thats right, after adding registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Tracing]
"DisableAutoTracing"=dword:00000001

new events 32 stopped appears
thanks for explanation and workaround

6 answers

Your answer

Mihai Sarbulescu 26 Reputation points

2022-04-05T14:35:31.197+00:00

What is happening here is that a jitted (into VirtualAlloc) block of code has registered an ETW Provider that has its callback in the jitted region AND the provider is one that has binary tracking enabled, and ETW is using the address of the callback to locate the image it is located in - due to the fact that it's jitted code and not an actual image, it does not have a PE header (no image information) - thus of course we don't even end up trying to check DEBUG Directory and RSDS (as this does not exist without image information of course ...).

.NET JIT compiler will uses VirtualAlloc() with PAGE_EXECUTE_READWRITE protection flag to allow the jitted code to be executed. This is something that happens inside the MonitoringHost.exe process(es) for example.

From the point of view of "correctness", the ETW component raises the Warning Event 32 correctly, that it does not find any PE header (no image information) for that jitted code that has registered a provider – however, the event is confusing in this situation.

NOTE: There is a small issue in raising the event (which is unrelated to why we are raising it) and that is why we are seeing those characters there, but the actual error code for this is: STATUS_SECTION_NOT_IMAGE (0xc0000049).

The event should be ignored.
Mihai Sarbulescu 26 Reputation points

2022-04-05T14:35:51.68+00:00

There is a workaround of disabling auto-starting of SCOM ETW trace on service startup of the Agent service which should make these events (Warning 32) go away (unless manually started when needed for troubleshooting (StartTracing.cmd) – which should be something that does not happen often at all):

1) Create this Registry Key / value on all impacted WS 2022 Servers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Tracing]
"DisableAutoTracing"=dword:00000001

2) Open an Administrative command prompt and go to C:\Program Files\Microsoft Monitoring Agent\Agent\Tools (or Server path) and run StopTracing.cmd

3) Restart the Microsoft Monitoring Agent (HealthService.exe) service
ms 11 Reputation points

2022-04-11T11:33:53.817+00:00

thats right, after adding registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Tracing]
"DisableAutoTracing"=dword:00000001

new events 32 stopped appears
thanks for explanation and workaround

Answer 1

ms 11

Hi,
Event is related with SCOM. In each hour show 24-33 events with id 32, in each time three same warning with different session provider, always the same:

c85ab4ed-7f0f-42c7-8421-995da9810fdd
36cd7b6e-631a-42e1-a3c0-d436ac41bc61
c7a7ea08-da1f-4681-bbaa-5522771e0711

after tuning on maintenance mode from SCOM console (not service agent on server), event stoped showing, now after more than 1 hours no new logs.
I guess that is related with some healt monitor, mayby it is not compatible with Windows Server 2022 yet? (this server is not only server in my enviroment with w2k22 and scom agent installed, the rest not raport event 32, but each server have diferent roles and apps).

ms 11 Reputation points

2021-12-14T10:11:33.973+00:00

so because the root of a problem isn't malware then I mark this problem as false positive, which ignore for now

Answer 2

Hello @ms ,

When a DLL registers an event provider, the event tracing mechanism tries to extract some information from the "debug directory" in the PE header of the DLL. This information is added to the trace data as a ProviderBinaryPath event:

My guess is that some (probably non-Microsoft) DLL is present on the system and a trace provider in that DLL is being started; furthermore, that DLL probably either does not contain a debug directory, or contains a debug directory without an CodeView RSDS format entry.

The Chinese characters are probably harmless too. My guess is that the format string for the event specifies that a Unicode (UTF-16LE) string is required for the SessionName value but a UTF-8/ASCII string is being provided (a bug). UTF-8 encodings, when decoded as UTF-16 normally returns Chinese characters (due to the positions of the various character sets in Unicode).

Gary

Answer 3

ms 11

Hi, thx for sugestions.
I didn't find solution yet. This server is RDS terminal, do some chinese signs like ' 圼送' in log are disturbing. Google translate says that means 'send' what i again disturbing. I tried to track down the source process but without lack, work in progress.

0 comments

Answer 4

Hello

Thank you for your question and reaching out.

Event id is 2. Always lots of threads have the same event and it should be harmless and can be safely ignored.

It may be related to your cloud storage. For example One drive. It may have given you this prompt when you started.
So I consider that you could check the information about Onedrive below to check.

Also try Disable any third party Antivirus you may have for temporary.

https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/kernel-eventtracing-error/d2d84f10-66ba-4983-aa82-f2f05292c649

--If the reply is helpful, please Upvote and Accept as answer--

Answer 5

Anonymous

Read on here.
https://learn.microsoft.com/en-us/archive/msdn-magazine/2007/april/event-tracing-improve-debugging-and-performance-tuning-with-etw

--please don't forget to upvote and Accept as answer if the reply is helpful--

Anonymous

2021-12-12T13:48:04.2+00:00

Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--

Share via

Kernel-EventTracing Event ID 32

6 answers

Your answer