18

I occasionally notice in Resource Monitor hard disk activity related to ETL files in the folder C:\Windows\System32\LogFiles\WMI\RtBackup.

Which process/service creates these ETL files and what is their purpose?

Resource Monitor shows "System" as the process which is correct since ETW traces (that is what ETL files are) are created by the kernel. But I am interested in the process that causes the traces to be created.

This happens on Windows 7, by the way.

Helge Klein
  • 2,031
  • 1
  • 15
  • 22

2 Answers

11

I found the answer myself after digging around some more.

The directory C:\Windows\System32\LogFiles\WMI\RtBackup stores ETW trace files (extension .etl) for real time event trace sessions. Looking into the RtBackup directory is a little difficult because by default only System has permissions, but my application SetACL Studio can display the contents anyway. When putting the directory's content next to the list of running event trace sessions, one immediately notices the similarities:

[screenshot: contents of the RtBackup directory]

[screenshot: list of running event trace sessions]

Not every event trace session generates a file in the directory RtBackup. As the directory's name implies, it stores backups for real time trace sessions. Comparing the list of files in RtBackup to each trace session's properties confirms this:

[screenshot: properties of a real-time trace session, showing its RtBackup file]

Helge Klein
  • 2,031
  • 1
  • 15
  • 22
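The side-by-side comparison from the answer above, done by script, as an added example that is not part of the original answer: it lists running trace sessions with logman, checks each session's mode for real-time, and looks for the matching file under RtBackup. It assumes it runs as SYSTEM (for example via PsExec -s), because only SYSTEM has rights on the directory by default, and it assumes the naming convention EtwRT<session>.etl and the "File Mode:" / "Mode:" label in logman's output, both of which are observations rather than a documented contract.

```powershell
# Added example, not code from the original answer. Run as SYSTEM (e.g. psexec -s powershell.exe),
# since RtBackup is readable only by SYSTEM by default. Written for Windows 7 / PowerShell 2.0.
$rtBackup = 'C:\Windows\System32\LogFiles\WMI\RtBackup'

function Get-RunningTraceSessions {
    # "logman query -ets" prints a table: <name>  Trace  Running|Stopped.
    # Session names may contain single spaces, so split on runs of two or more.
    logman query -ets |
        Where-Object { $_ -match '\s{2,}Trace\s{2,}(Running|Stopped)\s*$' } |
        ForEach-Object { ($_ -split '\s{2,}')[0].Trim() }
}

function Test-RealTimeSession([string]$Name) {
    # Per-session details carry a mode line; real-time sessions report "Real-time".
    # The exact label ("File Mode:" or "Mode:") is an assumption, hence the optional prefix.
    [bool]((logman query $Name -ets | Out-String) -match '(?im)^(File )?Mode:\s+.*Real[- ]?time')
}

# Index the backup files by lower-cased name for a case-insensitive lookup.
$backups = @{}
Get-ChildItem -Path $rtBackup -Filter '*.etl' -ErrorAction Stop |
    ForEach-Object { $backups[$_.Name.ToLowerInvariant()] = $_ }

$report = foreach ($s in Get-RunningTraceSessions) {
    # Assumed convention: the backup for session X is named EtwRTX.etl.
    $expected = ("EtwRT{0}.etl" -f $s).ToLowerInvariant()
    $file = $null
    if ($backups.ContainsKey($expected)) { $file = $backups[$expected].Name }
    New-Object PSObject -Property @{
        Session    = $s
        RealTime   = Test-RealTimeSession $s
        BackupFile = $file
    }
}

# Real-time sessions should have a backup file; file-mode sessions should not.
$report | Sort-Object Session | Format-Table Session, RealTime, BackupFile -AutoSize

# Leftover files with no running session behind them are worth a second look
# (a stopped session, or a session name you do not recognise on this host).
$known = @($report | Where-Object { $_.BackupFile } |
    ForEach-Object { $_.BackupFile.ToLowerInvariant() })
foreach ($name in $backups.Keys) {
    if ($known -notcontains $name) {
        Write-Warning ("RtBackup file without a matching running session: {0}" -f $backups[$name].Name)
    }
}
```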
2

I was hoping this would be an easy answer, but I guess I would have to force a read/write of the file or know when it is happening. In any event, this is what I tried hoping for a quick one-off. You will need the handle utility from SysInternals.

\path\to\handle.exe | find /i "etl"

Good luck and happy hunting.

songei2f
  • 1,924
  • 1
  • 20
  • 30
  • 1
    The ETL file is accessed by the kernel. That much I see in Resource Monitor. My question is who makes the kernel create the file in the first place? – Helge Klein Feb 20 '11 at 20:07
  • Ok. Possible technique to determine your answer. They are just backup files, so move (*do not delete*) to a separate location. Run [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645). Create a filter on the file names, and look at the Kernel API calls until they are created. Apparently you might need to get [the debug symbols involved](http://natesstuff.spaces.live.com/Blog/cns!927B27E35FC3B535!426.entry). I know this is not solid advice, but this is the best way I can think of. Sorry if it does not help too much. – songei2f Feb 21 '11 at 18:07