Question: The C: drive on my Windows 8 machine is clicking away at 1 second intervals, writing to wfpdiag.etl. I’d like to find out why.
Looking at the Resource Monitor and the Sysinternals Process Explorer, I see that it’s PID 4, “System” that is doing the disk access. It’s writing about 32K (1 write) every second.
Here is the constant disk access:
And here is the periodic writing.
The “Writes” number increments once a second. Performance Monitor tells me it’s writing to a file called wfpdiag.etl, which I understand to be related to the Windows Firewall. Is there any way I can disable the writing to this file?
Answer: How’s your Japanese? http://blog.livedoor.jp/nichepcgamer/archives/1042899759.html It leads to a slightly helpful KB entry: https://support.microsoft.com/en-us/kb/3044882
Consider the following scenario:

- You have a custom networking application installed on your server.
- The application captures lots of traffic on the wire.
- The server may be using a DHCP-assigned IP address.

In this scenario, a large volume of disk I/O may be generated when writes are made to the C:\Windows\System32\wfp\wfpdiag.etl log. This behavior is by design. When the Port Scanning Prevention Filter is triggered, this typically means that there is no process listening on the port. (For security reasons, WFP blocks process listening.) When a connection is tried on a port where there is no listener, WFP recognizes the packet as if it were coming from a port scanner and therefore silently drops the connection.

If there had been a listener, and the communication was instead blocked because of either malformed packets or authentication, the dropped event would be listed as DROP (not silent), and WFP logging would indicate a different filter ID and name.

This filter is built in to Windows Firewall with Advanced Security (WFAS). It is included in Windows Vista, Windows Server 2008, and later versions of Windows.
The workaround listed leaves you to guess the registry key under which you are supposed to add the DWORD CollectNetEvents with a value of 0.

Fortunately the blog post hints at netsh: you can dump an .xml of wfpdiag.etl with netsh wfp show netevents and disable it with netsh wfp set options netevents=off from an elevated prompt, which also creates the aforementioned registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options.

Note: Disabling WFP logging only stops the logging of WFP activity in wfpdiag.etl. The Port Scanning Prevention Filter continues to work normally.
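The script below is an added example, not code from the original answer or from Microsoft's documentation. It walks the procedure the answer describes from an elevated PowerShell prompt: read the current CollectNetEvents setting, dump the net events with netsh wfp show netevents, summarise the dump by event type and matching filter ID so you can confirm what is actually generating the writes (the KB above notes that silent drops from the Port Scanning Prevention Filter and ordinary DROP events carry different filter IDs), and only then turn collection off with netsh wfp set options netevents=off if asked to. The XML element names used to read the dump (netEvents, item, type, classifyDrop, filterId) are assumptions taken from a typical dump and should be checked against your own file; the -Disable switch and the temp-file path are the example's own choices.

```powershell
# Added example: inspect WFP net-event collection before switching it off.
# Run from an elevated PowerShell prompt; netsh wfp needs administrator rights.
# Assumed (check against your dump): the XML layout of the netsh output,
# i.e. <netEvents><item><type>...</type><classifyDrop><filterId>...</filterId>...
param([switch]$Disable)

# Key and value named in KB 3044882; created by "netsh wfp set options netevents=off".
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options'
$dump    = Join-Path $env:TEMP 'wfpdiag.xml'   # example path, choose your own

function Get-WfpNetEventSetting {
    # Returns the CollectNetEvents DWORD, or a note that it is unset (default is collection on).
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.CollectNetEvents) { return $props.CollectNetEvents }
    return 'not set (default: collection on)'
}

Write-Host "CollectNetEvents before: $(Get-WfpNetEventSetting)"

# 1. Dump the events WFP is currently recording to an XML file.
netsh wfp show netevents "file=$dump" | Out-Null
if (-not (Test-Path $dump)) { throw "netsh did not produce $dump; are you elevated?" }

# 2. Summarise the dump so the culprit filter can be confirmed rather than guessed.
[xml]$xml = Get-Content -Raw -Path $dump
$items = @($xml.netEvents.item)
if ($items.Count -eq 0) {
    Write-Warning "No <netEvents>/<item> elements found; open $dump and adjust the element names."
} else {
    Write-Host "Events in dump: $($items.Count)"
    $items | Group-Object -Property type | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
    # Drop events carry the ID of the filter that matched. Map IDs to filter
    # names with "netsh wfp show filters" (writes filters.xml) if you need them.
    $items | Where-Object { $_.classifyDrop } |
        Group-Object { $_.classifyDrop.filterId } | Sort-Object Count -Descending |
        Select-Object -First 5 Count, Name | Format-Table -AutoSize
}

# 3. Only now decide. Turning collection off stops the wfpdiag.etl writes but
#    also removes the trail "netsh wfp show netevents" gives you when
#    troubleshooting blocked traffic later; the filter itself keeps working.
#    Re-enable at any time with "netsh wfp set options netevents=on".
if ($Disable) {
    netsh wfp set options netevents=off
    Write-Host "CollectNetEvents after: $(Get-WfpNetEventSetting)"
}
```

Run it once without -Disable to see the breakdown; if the drops are overwhelmingly from one filter ID at the expected one-per-second rate, run it again with -Disable. Keep in mind that the same events are what an incident responder would use to see what the firewall dropped on this host, so on a machine you care about, prefer fixing the source of the connection attempts over silencing the log.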