The %Windir%\System32\LogFiles\WMI\RtBackup directory stores Event Trace Log (ETL) files generated by Windows Management Instrumentation's real-time event tracing framework. These binary logs contain kernel-level instrumentation data captured via ETW (Event Tracing for Windows).
While Resource Monitor shows "System" as the owning process, the actual initiators are typically:
- svchost.exe hosting the WMI service (winmgmt)
- Kernel components via ntoskrnl.exe
- Performance monitoring tools like perfmon.exe
Here's the technical workflow when these files are created:
// Simplified conceptual flow
1. Provider registers with ETW (e.g., Microsoft-Windows-Kernel-Process)
2. Controller enables tracing session
3. Kernel writes events to buffer
4. Consumer requests real-time processing
5. System writes buffer to RtBackup\*.etl
To inspect active sessions creating these files:
logman query -ets
// Sample output:
// "NT Kernel Logger" session (real-time)
// "Circular Kernel Context Logger" session
For analyzing existing ETL files:
tracerpt C:\Windows\System32\LogFiles\WMI\RtBackup\*.etl -o output.xml -of XML
// Alternative for CSV:
tracerpt input.etl -o report.csv -of CSV
The disk activity occurs because:
- ETW uses buffered I/O with flush intervals
- High-frequency events (e.g., process creation) generate more writes
- Circular logging maintains constant disk usage
To programmatically detect ETL file creation in this directory:
using System;
using System.Diagnostics;
using System.IO;

class RtBackupWatcher
{
    static void Main()
    {
        var watcher = new FileSystemWatcher
        {
            Path = @"C:\Windows\System32\LogFiles\WMI\RtBackup",
            Filter = "*.etl",
            // Created/Deleted/Renamed are driven by FileName; LastWrite alone only raises Changed
            NotifyFilter = NotifyFilters.FileName | NotifyFilters.LastWrite
        };
        watcher.Created += (sender, e) =>
        {
            // The PID below is this watcher's own process, not the writer's:
            // the file is written by the kernel on behalf of the trace session
            EventLog.WriteEntry("Application",
                $"ETL created: {e.Name} (observed by PID {Process.GetCurrentProcess().Id})",
                EventLogEntryType.Information);
        };
        watcher.EnableRaisingEvents = true;
        Console.WriteLine("Watching RtBackup for new ETL files; press Enter to stop.");
        Console.ReadLine();
    }
}
When observing excessive disk activity:
- Run:
wmic process where (name="svchost.exe") get commandline,processid
- Check for WMI activity with:
typeperf "\Process(wmiprvse)\% Processor Time"
- Review active providers:
logman query providers
The %Windir%\System32\LogFiles\WMI\RtBackup directory contains Event Trace Log (ETL) files generated by Windows Management Instrumentation (WMI) tracing. These binary files store detailed operational traces of WMI activities and are part of Windows' Event Tracing for Windows (ETW) infrastructure.
While Resource Monitor shows "System" as the owning process (since ETW operates at kernel level), the actual initiator is typically the WinMgmt.exe process (Windows Management Instrumentation service). This service handles WMI operations and creates traces for:
- WMI provider execution
- Query processing
- Event subscription handling
- Namespace operations
You can analyze these traces using Windows Performance Toolkit or programmatically via the TraceEvent library:
// C# example using TraceEvent (Microsoft.Diagnostics.Tracing.TraceEvent NuGet package)
using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;

public class RtBackupAnalyzer
{
    public void AnalyzeRtBackupTraces()
    {
        string etlPath = @"C:\Windows\System32\LogFiles\WMI\RtBackup\RecentTrace.etl";
        using (var source = new ETWTraceEventSource(etlPath))
        {
            // Dynamic.All delivers events from providers that register a manifest
            source.Dynamic.All += delegate(TraceEvent data)
            {
                Console.WriteLine($"EventID: {data.ID} Provider: {data.ProviderName}");
                // Add custom processing logic
            };
            source.Process(); // blocks until the whole file has been read
        }
    }
}
WMI tracing levels are configured in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
To completely disable WMI tracing (not recommended for production):
reg add "HKLM\SOFTWARE\Microsoft\WBEM\CIMOM" /v "Logging" /t REG_DWORD /d 0 /f
When troubleshooting WMI performance issues, you might want to capture a specific trace:
logman start WMITrace -o RtBackup\CustomTrace.etl -p "Microsoft-Windows-WMI" 0xFFFFFFFF 0x5 -ets
# Reproduce your scenario
logman stop WMITrace -ets
Windows automatically manages these files with:
- Default maximum size of 256MB
- Up to 16 files retained
- Oldest files deleted when space is needed
You can manually clean them using elevated command prompt:
del /q /f %Windir%\System32\LogFiles\WMI\RtBackup\*.etl
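To see which providers and processes actually account for the write volume described in the first answer (high-frequency events generate more writes), here is an added example that aggregates an RtBackup ETL with the TraceEvent library from the second answer; it is not code from either answer. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, an elevated prompt, and a placeholder file path.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Diagnostics.Tracing;

public static class RtBackupSummary
{
    // Count events per (provider, process id) and return the heaviest contributors.
    // Unlike Dynamic.All, AllEvents also delivers events from providers with no
    // registered manifest, which is common for kernel and autologger sessions.
    public static List<KeyValuePair<string, long>> TopContributors(string etlPath, int top = 10)
    {
        var counts = new Dictionary<string, long>();
        using (var source = new ETWTraceEventSource(etlPath))
        {
            source.AllEvents += delegate (TraceEvent data)
            {
                // Fall back to the provider GUID when no friendly name is known
                string provider = string.IsNullOrEmpty(data.ProviderName)
                    ? data.ProviderGuid.ToString()
                    : data.ProviderName;
                string key = $"{provider} (PID {data.ProcessID})";
                counts.TryGetValue(key, out long n);
                counts[key] = n + 1;
            };
            source.Process();
        }
        return counts.OrderByDescending(kv => kv.Value).Take(top).ToList();
    }

    public static void Main(string[] args)
    {
        // Placeholder path (assumption): a session that is still writing holds its
        // file open, so stop that session with logman first or analyze a copy.
        string etl = args.Length > 0
            ? args[0]
            : @"C:\Windows\System32\LogFiles\WMI\RtBackup\PLACEHOLDER.etl";

        Console.WriteLine($"Top event sources in {etl}:");
        foreach (var kv in TopContributors(etl))
        {
            Console.WriteLine($"{kv.Value,10}  {kv.Key}");
        }
    }
}
```

A provider that dominates the count is the one to inspect with `logman query providers` or to disable in the session before resorting to deleting files.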