Disabling Software Protection Platform service logs in Windows 11

john holme 6 Reputation points
2022-01-20T10:26:42.37+00:00

Hi,
I'm looking for a way to disable logging of events related to the software protection service in my Windows 11.
The level of these events is Information, the source of these events is Security-SSP and the event ID is 10328.

I was unable to find any Auditpol command to do that. I also didn't find any Group Policy setting to do that.

Looking at the properties of this event, Details tab, in XML view, the GUID is {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} and there is a key with this GUID in the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application
but changing enable from 1 to 0 has no effect even after multiple reboots. Continuous Security-SSP events are still appearing in the Event Viewer Application node.

There are also some other events, such as RASClients events and ESENT events (related to Video.UI) and some others, for which I didn't find a way to disable logging in Event Viewer.

This is my personal system and I have no concerns about disabling such logging. My intent is to keep Event Viewer's Application and System nodes as clean as possible in order to focus on some special events which are related to a certain application.

I'm familiar with custom views in Event Viewer, but custom views are not the answer to my question; I just need a way to prevent those events from being logged in Event Viewer.

Any help?
Thanks in advance


2 answers

  1. Limitless Technology 39,916 Reputation points
    2022-01-21T10:26:03.457+00:00

    Hi Johnholme

    Event ID 16385 Security-SPP errors may occur if one or more of the following conditions are true:

    The Task Scheduler service is disabled.

    The Software Protection Platform service is not running under the NETWORK SERVICE account.

    Read permissions for the NETWORK SERVICE account are missing on the following folder:

    C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform

    To resolve this issue, follow these steps:

    Verify that the Task Scheduler service is running.
    Open the Computer Management tool, and then navigate to Configuration -> Task Scheduler -> Task Scheduler Library -> Microsoft -> Windows -> SoftwareProtectionPlatform.
    On the General tab of SoftwareProtectionPlatform, select the security options, and then verify that the Software Protection Platform service is set to use the NETWORK SERVICE account.
    In Windows Explorer, browse to the C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform folder, and then verify that the NETWORK SERVICE account has Read permissions for that folder.
    Restart the Software Protection service if it is running.


    --If the reply is helpful, please Upvote and Accept as answer--


  2. abbodi86 4,036 Reputation points
    2022-01-23T15:38:05.987+00:00

    I don't believe event log providers (event publishers) can be disabled.

    wevtutil.exe gp Microsoft-Windows-Security-SPP
    

    Even if you temporarily removed this registry key, you still get the events (with an error message about the missing source).

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Software Protection Platform Service]
    
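
A read-only check of what the thread describes, added here as an example that is not part of any post above: it lists every provider entry under the EventLog-Application autologger key with its Enabled value, then counts events still arriving from the provider named in the second answer. The WINEVT\Publishers path used to resolve GUIDs to names, the function name and the 24-hour window are assumptions not taken from the thread.

```powershell
# Added example: audits the autologger entries and recent events; nothing is modified.
$session    = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application'
# Assumption: registered publishers are listed here, keyed by GUID.
$publishers = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'

function Get-AutologgerProviderState {   # hypothetical helper name
    param([string]$SessionKey = $session)

    Get-ChildItem -Path $SessionKey -ErrorAction Stop | ForEach-Object {
        $guid   = $_.PSChildName
        $props  = Get-ItemProperty -LiteralPath $_.PSPath
        $pubKey = Join-Path $publishers $guid
        # The default value of the publisher key holds the provider name.
        $name = if (Test-Path -LiteralPath $pubKey) {
            (Get-ItemProperty -LiteralPath $pubKey).'(default)'
        } else { '<unregistered>' }

        [pscustomobject]@{
            Guid        = $guid
            Name        = $name
            Enabled     = $props.Enabled
            EnableLevel = $props.EnableLevel
        }
    }
}

$state = Get-AutologgerProviderState

# Entries switched off in the session, as the question describes doing by hand.
$state | Where-Object { $_.Enabled -eq 0 } | Format-Table -AutoSize

# The GUID quoted in the question.
$state | Where-Object { $_.Guid -ieq '{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}' }

# Events from the provider in the last 24 hours (window is an assumption).
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Security-SPP'
    StartTime    = (Get-Date).AddHours(-24)
}
$recent = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
'{0} event(s) from {1} since {2}' -f $recent.Count, $filter.ProviderName, $filter.StartTime

# Breakdown by event ID, to see which IDs account for the volume.
$recent | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

On a managed machine, an entry that shows Enabled = 0 without a matching change record is worth reviewing, since the same registry edit reduces what reaches the Application log.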
