I really take care of all my workstations, but recently I noticed a process that keeps popping up. I googled this, but none of the results seem to give a convincing, proper answer. Should I allow this process? Can I know what process this is?
Thanks, Comodo forums & gurus
2011-08-16 23:04:28 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:06:28 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:06:29 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:06:57 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:06:57 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:06:57 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:07:03 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:07:03 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:07:03 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:07:10 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
2011-08-16 23:07:10 System Modify File C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTNT Kernel Logger.etl
An .etl file is an Event Trace Log file, and ETW stands for Event Tracing for Windows. Basically these are log files generated by WMI (Windows Management Instrumentation). These are normal; however, it’s curious that these files are being generated so frequently. Are you running D+ in Paranoid mode?
Just a thought. As the problem is recent, it could be that MS messed up the permissions on this folder (which is used to log Windows events) during the last update.
You can try to rename it with unlocker (Download Unlocker 1.9.2 for Windows - Filehippo.com). On reboot Windows will recreate the original RtBackup folder with the correct permissions and you can delete the copied one.
To understand the namespace syntax, you can take a read through this article. Once you understand the syntax you can use the information contained in the link you posted to remove the file.
There’s some additional information about removing files with reserved names in the Win32 namespace here, specifically section 5.
I'm having the same issue with this system folder. How do I correct the problem?
D+: Safe Mode
Folder: C:\Windows\system32\Logfiles\WMI\RtBackup
Filename: EtwRTMsMpPsSession.etl
Recent Windows Update: Yes / DEC 14-15
OS: Vista HP 32 - Sp2
The first thing I’d try to do is see what’s in the log file. You should be able to do this using Event Viewer. Just run eventvwr.msc from the Start menu and select Action/Open Saved Log. Navigate to the folder mentioned above and select EtwRTMsMpPsSession.etl. If it won’t let you open the file directly because of permissions, you should be able to copy the file to a different location and take ownership.
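The same triage done from PowerShell instead of Event Viewer, as an added example that is not part of the thread: it lists the live trace sessions (so the session name behind the EtwRT... file can be matched to its owner), works on a copy of the locked file, and summarises the events by provider. The source path is the one posted above; the copy location under $env:TEMP is an assumption.

```powershell
# Added example (not from the thread): triage an RtBackup .etl file with
# PowerShell. Assumes the folder/file named in the thread; $Copy is an
# assumed scratch location. Run from an elevated prompt.
$Source = 'C:\Windows\system32\Logfiles\WMI\RtBackup\EtwRTMsMpPsSession.etl'
$Copy   = Join-Path $env:TEMP 'EtwRTMsMpPsSession.etl'

# 1. Which ETW sessions are live right now? The file name minus the "EtwRT"
#    prefix is the session name, so this shows which session owns the log.
logman query -ets

# 2. The live file is normally locked by the kernel logger, so work on a copy
#    (the same advice as opening a copy in Event Viewer).
Copy-Item -Path $Source -Destination $Copy -Force

# 3. Read the copy. Get-WinEvent requires -Oldest for .etl files.
$events = Get-WinEvent -Path $Copy -Oldest -ErrorAction Stop

# 4. Summarise by provider: which component is writing all those events.
$events |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name |
    Format-Table -AutoSize

# 5. Show the last few events in full for context.
$events |
    Select-Object -Last 5 -Property TimeCreated, ProviderName, Id, Message |
    Format-List
```

If Copy-Item fails with a sharing violation, stop the owning session with logman (or reboot) before copying; the provider summary is what tells you whether the frequent writes come from Windows Defender (the MsMpPs session) or something else.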