filestracewindowswmi
I occasionally notice in Resource Monitor hard disk activity related to ETL files in the folder C:\Windows\System32\LogFiles\WMI\RtBackup.
Which process/service creates these ETL files and what is their purpose?
Resource Monitor shows "System" as the process which is correct since ETW traces (that is what ETL files are) are created by the kernel. But I am interested in the process that causes the traces to be created.
This happens on Windows 7, by the way.
I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.
To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.
If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.
Examples
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"
Best Answer
I found the answer myself after digging around some more.
The directory
C:\Windows\System32\LogFiles\WMI\RtBackupstores ETW trace files (extension .etl) for real time event trace sessions. Looking into the RtBackup directory is a little difficult because by default only System has permissions, but my application SetACL Studio can display the contents anyway. When putting the directory's content next to the list of running event trace sessions, one immediately notices the similarities:Not every event trace session generates a file in the directory RtBackup. As the directory's name implies, it stores backups for real time trace sessions. Comparing the list of files in RtBackup to each trace session's properties confirms this: