This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(115.19999999999999, 15%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
Today we found out something I've never seen before but might already be there for a long time and seems to happen on all windows agents.
A windows agent (2019ur3) always creates trace files in C:\Windows\Logs\OpsMgrTrace upon starting which may grow till about 100MB per file.
Running the stoptracing.cmd command doesn't resolve this, the files just start over again on agent startup.
Probably caused by a few txt files in C:\Program Files\Microsoft Monitoring Agent\Agent\Tools
Like this one: TracingGuidsAPM.txt
If i remove the file and restart this seems to stop that tracing.
Further in the eventlog "Microsoft-Windows-Kernel-EventTracing/Admin" i see errors like this that relate to the tracing:
Error
EventID 2
Session "TracingGuidsApmConnector" failed to start with the following error: 0xC0000035
Now my questions are
Hi Ronald (@Berg, Ronald van den ),
here are my comments to your questions:
Is it normal that these traces run out of the box and should i keep them enabled and why?
Yes, this is by default (tracing is runnning). The SCOM ETL Tracing is enabled by defaultl, but runs on a lower logging level. This also why, if you want to do a VERBOSE tracing, you first need to stop the current (default) one (stoptracing.cmd) and enable the VERBOSE after that (starttarcing.cmd VER).
Leaving the trace running does not seem to be an issue as the file that is written is circular and gets overwritten. If you stop ti, suing "stoptracing.cmd" it will start again on the next service rstart. Still, if you decide to stop it, here is how you do it:
Use diagnostic tracing in System Center Operations Manager and in System Center Essentials
https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/use-diagnostic-tracing
Do i need to take action on that error event and what may that be?
ETL tracing is done based on the so called Tracing GUIDs, which uniquely identify the components that needs to be traced. In this case the event states that a certin Tace provider session could not be started. The error resolves to "STATUS_OBJECT_NAME_COLLISION". If I am no mistaken you can stop those events, by doing some registry key adjustments to:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System{b675ec37-bdb6-4648-bc92-f3fdc74d3ca2}
Please check those:
Fix “Error Code: 0XC0000035” Kernel Event Tracing on Windows?
https://appuals.com/kernel-event-tracing-error-0xc0000035-windows/
and
Session "PerfDiag Logger" failed to start error: 0xC0000035 Event ID 2, any clues?!
Here are a couple of references to support the facts:
Tracing SCOM Workflows with PowerShell
https://monitoringguys.com/2020/12/15/tracing-scom-workflows-with-powershell/
Use diagnostic tracing in System Center Operations Manager and in System Center Essentials
https://learn.microsoft.com/en-us/troubleshoot/system-center/scom/use-diagnostic-tracing
How to collect and analyze a SCOM (System Center Operation Manager) ETL Trace in depth. Version Independent
I hope I could help out.
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov