In the Windows 10 Resource Monitor I see the System process constantly writing to C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl at 30-100 KB per second. That works out to about 1 TB written per year, which is not healthy for an SSD. There are other log writes as well, for example under C:\Windows\System32\LogFiles\*.
Logs are needed for diagnostics, but it would be better to turn them on only when a problem actually occurs.
Is it possible to disable system logging as far as possible, to reduce the junk writes to the SSD?
Answer 1
By default, Windows has a huge number of log files that are constantly being written to.
Two ways to stop some of this churn:

Stop logging "Audit Success" in the Windows Filtering Platform (WFP) and log only "Audit Failure":
- Open an elevated CMD prompt: press Windows, type cmd, and press Ctrl+Shift+Enter to confirm.
- Type (or copy/paste) the following and press Enter:
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable
If that succeeds, expect far fewer events to be logged.

- Open the Windows Event Viewer: press Windows+R, type eventvwr.msc, and press Enter.
- Scroll down to Application and Service Logs > Microsoft > Windows > WFP.
- Right-click the log and choose Disable Log.

A useful tool for searching event logs by name is Nirsoft's FullEventLogView.
Answer 2
Going hardcore:
If you want to disable a specific event log, go to Event Viewer and right-click the event log you want to get rid of. Click Event Properties.
A new window should open; click XML view and you will be able to see the event's GUID. We will try to find the event logging service in the registry based on this GUID. Not all events have such a GUID, and not every GUID can be found in the registry.
Once we have the GUID, we navigate in regedit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and search for the GUID among the bracketed key names.
If we find it, we can go ahead and change the Enabled and EnableProperty values:
"Enabled"=dword:0
"EnableProperty"=dword:0
Answer 3
I think I know how to have NetCore.etl written to a hard disk instead of the SSD. I ran Performance Monitor (a Windows application), drilled down to Data Collector Sets | Event Trace Sessions, right-clicked NetCore, clicked Properties in the popup menu, clicked the Directory tab, and browsed to the folder I wanted. Time will tell whether the change is permanent, but according to Resource Monitor the log is currently being written to my hard disk E:.
If you want to stop NetCore.etl from being written altogether, clicking Stop instead of Properties may stop it. But I am not quite sure whether that change is permanent. Some application may restart it, perhaps at the next Windows reboot. If anyone tries this, I hope he/she will post the result in this thread.
Several other log files can be redirected (or stopped) in a similar way.
Answer 4
Method 1) Not recommended: disable the "Windows Event Log" service and reboot. But on Win7 this will disable the Task Scheduler (and disk defragmentation). Worst of all, on Win10 it will disable the Network List and automatic device setup.
Method 2) Run this batch as administrator:
rem https://docs.microsoft.com/en-us/windows/win32/fwp/auditing-and-logging
rem https://social.technet.microsoft.com/Forums/en-US/ec2b033f-3e9b-4727-88d2-e6e358393734/how-to-disable-stop-windows-filtering-platform-filtering-platform-packet-drop
rem ALL
Auditpol /set /category:* /Success:disable /failure:disable
rem FIREWALL
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
rem https://thesystemengineers.wordpress.com/2014/05/08/the-best-advanced-audit-script-and-advanced-audit-policy-i-use/
rem http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
rem may be enabled on failure
auditpol /set /subcategory:"Other System Events" /success:disable /failure:disable
rem Usually all enabled
auditpol /set /subcategory:"Account Lockout" /success:disable /failure:disable
auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable
auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"Audit Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Authentication Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Authorization Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:disable /failure:disable
auditpol /set /subcategory:"Computer Account Management" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Changes" /success:disable /failure:disable
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:disable /failure:disable
auditpol /set /subcategory:"File System" /success:disable /failure:disable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable
auditpol /set /subcategory:"Logoff" /success:disable /failure:disable
auditpol /set /subcategory:"Logon" /success:disable /failure:disable
auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Logon Events" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Management Events" /success:disable /failure:disable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
auditpol /set /subcategory:"Process Termination" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:disable /failure:disable
auditpol /set /subcategory:"Registry" /success:disable /failure:disable
auditpol /set /subcategory:"Security Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable
auditpol /set /subcategory:"Security System Extension" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:disable /failure:disable
auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
auditpol /set /subcategory:"User Account Management" /success:disable /failure:disable
rem Apply immediately
gpupdate /force
Method 3) Create the folder C:\TEMP.
Open regedit. Navigate to and put the selection on this branch: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
Right-click and export the selected branch to C:\TEMP\WMI_backup.reg (keep this as a backup). Right-click and export the selected branch again to C:\TEMP\WMI_disable.reg, then close regedit. Open C:\TEMP\WMI_disable.reg in the TEXTPAD editor:
Search and Replace, enable Regular Expressions, SEARCH:
^(?!("Enabled"|"EnableProperty"|\[|\n|Windows)).+\n
Replace with:
(empty)
REPLACE ALL
Second Search and replace, Search:
dword:.+
Replace with:
dword:00000000
REPLACE ALL
Third (optional) Search and replace, Search:
(^\[.*(?:\n*\h*)*)+(^\[.*)
Replace with:
$+
REPLACE ALL
Save and exit.
Apply the resulting .REG; some keys will not be applied unless you import it as the SYSTEM user, using Nirsoft AdvancedRun:
AdvancedRun_x64.exe /EXEFilename "%windir%\regedit.exe" /CommandLine "c:\TEMP\WMI_disable.reg" /RunAs 8 /Run
Explanation of the replacements: the first one removes every line that does not begin with one of: [ ; "Enabled"; "EnableProperty"; Windows; (empty)
The second search changes every remaining dword:xxxxxxxx into dword:00000000
The third (optional cleanup) searches for consecutive lines beginning with [... and keeps only the last one
Method 4) Same procedure as method 3, but on the following key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT]
Method 5) Apply this .REG file to disable some logs; do not reset the Start value of the following: EventLog-Application, EventLog-Security, EventLog-System
Windows Registry Editor Version 5.00
;* no autolog
; https://www.reddit.com/r/Windows10/comments/8lpttt/howto_make_w10_log_less_prune_the_amount_of/
; https://gist.github.com/FadeMind/9500d49948654b50aa870706a8ac9f04
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppModel]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppPlat]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener]
;* Disables %systemroot%\System32\LogFiles\WMI\Diagtrack-Listener.etl
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DiagLog]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FamilySafetyAOT]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RadioMgr]
;* Disables %SystemRoot%\System32\LogFiles\WMI\RadioMgr.etl
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog]
; Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WiFiSession]
;+ Disables Event Trace Session in Perfmon Data Collector Sets
"Start"=dword:00000000
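Before and after applying any of the registry or auditpol changes in answers 2 and 4, it helps to see which autologger sessions actually exist, which are set to start at boot, how many of their provider GUID subkeys are enabled, and how large their trace files have grown. The following read-only PowerShell inventory is an added example, not code from any answer above; it assumes the standard HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger layout (Start, FileName and per-provider Enabled values) and the built-in auditpol tool, and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example (not from this thread). Read-only inventory of ETW autologger
# sessions: Start value, trace file, file size on disk, and enabled providers.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

function Get-AutologgerInventory {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $session = Get-ItemProperty -Path $_.PSPath
        $file = $null
        if ($session.FileName) {
            # FileName is usually stored with %SystemRoot%-style variables
            $file = [Environment]::ExpandEnvironmentVariables([string]$session.FileName)
        }
        $sizeMB = $null
        if ($file -and (Test-Path -LiteralPath $file)) {
            $sizeMB = [math]::Round((Get-Item -LiteralPath $file).Length / 1MB, 2)
        }
        # Provider subkeys are named by GUID (the GUIDs answer 2 looks up);
        # Enabled=1 means that provider feeds events into this session.
        $providers = @(Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue)
        $enabled = @($providers | Where-Object {
            (Get-ItemProperty -Path $_.PSPath).Enabled -eq 1 }).Count
        [pscustomobject]@{
            Session          = $_.PSChildName
            Start            = $session.Start   # 1 = starts at boot, 0 = disabled
            Providers        = $providers.Count
            EnabledProviders = $enabled
            SizeMB           = $sizeMB
            FileName         = $file
        }
    }
}

# Largest trace files first: sessions with Start=1 and a growing file are the
# ones behind the constant writes the question describes.
Get-AutologgerInventory | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Cross-check the WFP audit setting that answer 1 changes (/get only reads it).
auditpol /get /subcategory:"Filtering Platform Connection"
```

Running the inventory a second time after importing a .REG or running the auditpol batch shows directly which Start and Enabled values actually changed, which matters because (as answer 4 notes) some keys are not applied unless imported as SYSTEM.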