Since Sunday, 02.06.2022, SenseNdrPktmon maximum size warning occurs on all virtual machines

Mathew Jung 126

Hello,

Ever since Sunday, the 6th of February, all of our Azure virtual machines have been reporting the following warning:

The message is:

The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available. This error is often caused by starting a trace session in real-time mode without having any real-time consumers.

From what we can tell, it is an issue with Windows Defender performance monitors. However, we cannot figure out how to fix the issue. We have patched and rebooted several virtual machines, but the event is still logged.

There are also some additional "Sense" events logged:

Session "SenseEventLog" failed to start with the following error: 0xC0000035

Session "SenseIRDebugLogger" failed to start with the following error: 0xC0000035

Any assistance with figuring out how to stop these events from occurring is greatly appreciated.

Thank you,

Mathew

vipullag-MSFT 24,206 Reputation points Microsoft Employee

2022-02-14T07:08:57.947+00:00

@Mathew Jung

Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

This issue needs deeper investigation. Support team will be able to check and help on this. I would recommend you to open a azure support case.

If you don't have the ability to open a technical support ticket, please let me know I can further help you opening a support case.
Mathew Jung 126 Reputation points

2022-02-15T17:43:03.2+00:00

I have opened case #2202150040007477

Thank you for your assistance.

29 answers

David 86 Reputation points

2023-01-24T10:12:44.6266667+00:00

Okay for the purpose of us trying to sort out this shambles, here's today's update from MS Premier Support (we're about a year into trying to figure this out...)

As for the information received by the product group, the root cause for this scenario is the fact that the 3rd-party service is backing up this file, in conjunction with frequent file changes due to captured network traffic going through this file. To mitigate this, they suggest adding a File Filter on this file path in Acronis Cyber Protect backup service. Here's the official documentation [https://www.acronis.com/en-us/support/documentation/AcronisCyberProtect_15/#file-filters.html The file is located at: "C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTSenseNdrPktmon.etl"

So what they're saying is that EtwRTSenseNdrPktmon.etl is capturing packets and therefore changing continuously. Acronis is backing it up to an external server; therefore creating packets. So there's a cyclical generation of traffic going on.

You'd assume that the big boys would all play nicely together and we could get some actual work done...

I've added that filter now on 2 VM's and will monitor over the next few days.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Goce Dimitroski 41 Reputation points

2023-02-01T00:05:28.4866667+00:00

Have you heard anything back from Premier Support. This is also causing us issue with Azure ASR. I tried to see if we could try and divert the logging of the file to a different location eg the temp disk. But can't see how I can change it.
Please sign in to rate this answer.
Steffan Røstvig 16 Reputation points

2023-02-01T14:03:51.31+00:00

Our ticket is still open. They are investigating. Last update was 30th January.

Steffan Røstvig 16 Reputation points

2023-02-01T14:05:26.6866667+00:00

I recommend just running pktmon stop to stop the logging. It does not seem to be harmfull or cause any problems.

Goce Dimitroski 41 Reputation points

2023-02-01T20:45:37.3066667+00:00

Hmm we are also logging a call about this.
Sign in to comment
Steffan Røstvig 16 Reputation points

2023-02-06T08:39:55.3166667+00:00

We got a message from premier support this morning saying they have updated something..
I have not been able to locate any vms with the problem today. How is it looking for you people?
Please sign in to rate this answer.
Goce Dimitroski 41 Reputation points

2023-02-06T21:44:41.8066667+00:00

We still have the issue .

Steffan Røstvig 16 Reputation points

2023-02-21T12:46:43.54+00:00

"RCA" from the support team:

👇

As per the update, team has fixed the issue. Please refer the below technical RCA as you have requested.

Technical explanation:

SenseNdrPktmon is the name of the ETW Session that SenseNdr has with Pktmon for capturing network traffic.

EtwRTSenseNdrPktmon is the temporary file used for backing that RealTime session, created by default and used by ETW.

The load on that backing file is a direct result of the network load that Pktmon captures.

The file size is limited, so ETW is consistently creating/removing events from the file content.

Thus, it's plausible that in a server that is exposed to a high volume of network traffic consistently would eventually cause this file to fill up and trigger a high disk usage.
Sign in to comment
Richard Grant 0 Reputation points

2023-04-12T19:37:46.8333333+00:00

Is anyone still having this issue? We are experiencing high writes on our storage, especially on our rras vm's with 2 NICs and high network throughput. 'Pktmon.exe unload', instantly drops the 5MB writes to near nothing for around 20mins, when I'm guessing the defender policy refreshes.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment