Since Sunday, 02.06.2022, SenseNdrPktmon maximum size warning occurs on all virtual machines

Mathew Jung 126 Reputation points
2022-02-11T15:19:39.167+00:00

Hello,

Ever since Sunday, the 6th of February, all of our Azure virtual machines have been reporting the following warning:

The message is:

The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

From what we can tell, it is an issue with Windows Defender performance monitors. However, we cannot figure out how to fix the issue. We have patched and rebooted several virtual machines, but the event is still logged.

There are also some additional "Sense" events logged:

Session "SenseEventLog" failed to start with the following error: 0xC0000035

Session "SenseIRDebugLogger" failed to start with the following error: 0xC0000035

Any assistance with figuring out how to stop these events from occurring is greatly appreciated.

Thank you,

Mathew


29 answers

  1. TBlake 6 Reputation points
    2022-03-11T15:15:05.25+00:00

    Hi,
    I also agree it is an issue with Windows Defender. I was asked by my Azure case manager to disable Windows Defender and verify whether the issue still existed. So I went to the event manager (which I had not looked at since yesterday morning) and, hmmm, the SenseNDR logging error messages have stopped as of 1:17 PM Eastern Time yesterday. I went to Task Manager, and the Sense NDR process that has been in the top 5 of CPU usage for over a month no longer exists anywhere in Task Manager. I cannot even find it as a service in Services. I am the only one at this company that has access to this server, so I am confident that no one here has changed anything. Any chance you could look at yours for possibly the same items? I am thinking an update may have been pushed. I looked at the update history and the most recent update was on the 9th, and the error stopped on the 10th in the afternoon. I am confident some updates occur without being visible to us. Please let me know what you find. BTW, I have NOT disabled Defender...
    Thank you
    Tim

    1 person found this answer helpful.

  2. Paul 6 Reputation points
    2022-10-03T18:35:01.437+00:00

    I have this issue on several of my Azure VMs.

    It is causing high disk churn which is in turn causing my Azure Site Replication for disaster recovery to stop generating recovery points.

    We use Sophos Intercept X for our antivirus solution. My VMs are onboarded to Microsoft Defender for Endpoint as well, which is in forced passive mode via a registry key setting. I have disabled device discovery, but Event Viewer is still getting flooded with event ID 1 for:

    "The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers."

    1 person found this answer helpful.
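The question and Paul's post above both describe the same symptoms (Kernel-EventTracing warnings for the "SenseNdrPktmon", "SenseEventLog" and "SenseIRDebugLogger" sessions, a passive-mode MDE sensor, and disk churn from the backing file). The read-only PowerShell script below collects the facts a support engineer would ask for on one affected VM. It is an added example, not code from any poster or from Microsoft, and it assumes several things the thread does not state: that the warnings land in the Microsoft-Windows-Kernel-EventTracing/Admin log, that the MDE sensor service is named "Sense" and its network-detection process "SenseNdr", that the passive-mode switch is the ForceDefenderPassiveMode value under the "Windows Advanced Threat Protection" policy key, and that real-time backing files live under System32\LogFiles\WMI\RtBackup.

```powershell
# Added diagnostic for the Sense* ETW session warnings discussed in this thread.
# Not code from any poster or from Microsoft. Run in an elevated PowerShell on
# the affected VM; it only reads state and changes nothing.
#
# Assumptions (not stated on this page): event log name, service name "Sense",
# process name "SenseNdr", the ForceDefenderPassiveMode policy value, and the
# RtBackup folder for real-time backing files.

$sessions = 'SenseNdrPktmon', 'SenseEventLog', 'SenseIRDebugLogger'
$since    = (Get-Date).AddHours(-24)

# 1. How many Kernel-EventTracing warnings did each session produce in the last 24 h,
#    and which event IDs (Paul reports ID 1 for the backing-file message)?
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Kernel-EventTracing/Admin'   # assumed log name
    StartTime = $since
} -ErrorAction SilentlyContinue

$summary = foreach ($s in $sessions) {
    # The messages quote the session name, e.g. ... session "SenseNdrPktmon" ...
    $hits = @($events | Where-Object { $_.Message -match ('"' + [regex]::Escape($s) + '"') })
    [pscustomobject]@{
        Session   = $s
        Events24h = $hits.Count
        EventIds  = ($hits | Select-Object -ExpandProperty Id -Unique) -join ','
        LastSeen  = ($hits | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
}
$summary | Format-Table -AutoSize

# 2. Is each session currently running, and with which log-file mode / max size?
foreach ($s in $sessions) {
    "--- logman query $s -ets ---"
    logman query $s -ets 2>&1
}

# 3. Backing files on disk: size and last write time show whether the file is
#    still being written (Steffan's "constant writes" symptom).
$rt = Join-Path $env:SystemRoot 'System32\LogFiles\WMI\RtBackup'   # assumed location
Get-ChildItem -Path $rt -Filter 'EtwRT*Sense*.etl' -ErrorAction SilentlyContinue |
    Select-Object Name,
                  @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } },
                  LastWriteTime |
    Format-Table -AutoSize

# 4. Sensor service, the SenseNdr process (Tim saw it in the top 5 for CPU),
#    and the passive-mode flag Paul mentions.
Get-Service -Name Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
Get-Process -Name SenseNdr -ErrorAction SilentlyContinue |
    Select-Object Name, Id, CPU, @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } }

$key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'   # assumed key
$passive = (Get-ItemProperty -Path $key -Name ForceDefenderPassiveMode -ErrorAction SilentlyContinue).ForceDefenderPassiveMode
"ForceDefenderPassiveMode = $(if ($null -eq $passive) { '<not set>' } else { $passive })"
```

Save the output before opening a support case; the event counts per session, the logman output (which shows whether the session is real-time and what its maximum size is) and the backing-file sizes are exactly what distinguishes "the session has no real-time consumer" from "the sensor is simply busy". A session that is listed by logman as running while no SenseNdr process exists is the situation the warning text itself describes.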

  3. Steffan Røstvig 16 Reputation points
    2022-11-16T10:57:54.597+00:00

    Problem is back again today after Windows updates.

    Constant writes to EtwRTSenseNdrPktmon.etl, 6-10 MB/s.

    1 person found this answer helpful.

  4. Steffan Røstvig 16 Reputation points
    2023-01-25T14:35:05.7933333+00:00

    Quick update from our end.

    Finally got a Premier support ticket opened last week. That being said, it has been harder and harder to identify servers with the issue. 👀 Premier support has acknowledged that this is a "known problem" with "several customers"...

    I finally found a server with the issue: 10 MB/s constant writes to the ndrpktmon.evt. Was instructed to download the MDE Client Analyzer tool and upload logs to the Defender support team. Waiting for feedback 🙏

    1 person found this answer helpful.

  5. Limitless Technology 39,351 Reputation points
    2022-02-14T08:22:26.35+00:00

    Hi there,

    If this started after a recent update, try uninstalling it. SenseNdrPktmon is the data/session name, and there are a lot of reasons that can cause the error "SenseNdrPktmon failed to start with the following error 0xC0000035".

    This could be due to a corrupted Wi-Fi driver or adapter, or an issue with the NAT address. Outdated printer drivers can also cause this error.

    Some users have stated that restarting IPv4 and IPv6 has sorted the issue:

    - Open Control Panel and click Network & Sharing Center > Change adapter settings.
    - Now, right-click on the connected network and select Properties.
    - Untick both Internet Protocol Version 4 and Internet Protocol Version 6.
    - Restart and re-enable these protocols.


    --If the reply is helpful, please Upvote and Accept it as an answer--