23
20
In Windows 10 Resource Monitor I found that the system process is constantly writing C:\ProgramData\Microsoft\Windows\wfp\wfpdiag.etl at like 30-100KB/s. This equals 1TB write/year which is not healthy for SSD. There are other log write like C:\Windows\System32\LogFiles*** too.
Although logs is needed for diagnostics, it's better to be turned on only when problem has already occured.
Is it possible to disable as much system logs as possible to decrease garbage write amoung to SSD?
jw_
Posted 2020-01-13T01:04:44.377
Reputation: 482
I use Resource Monitor from time to time to find issues. The locations you mention above (Program Data and Windows) are not large on my machine. Run Admin Tools, Disk Cleanup, Cleanup System Files and enable all selections for cleanup. Do this weekly for a bit and see if the folder size for the logs is reasonable. I do not turn system logs off and all that I read supports this position – John – 2020-01-13T01:27:16.353
@John I care total write amount more than space consumption. In my case wfpdiag.etl is only 1MB, this may indicates small size doesn't mean small total amount of write which harm SSD. – jw_ – 2020-01-13T01:37:30.203
I found that "netsh wfp set options netevents = off" can turn the write to wfpdiag.etl off. – jw_ – 2020-01-13T01:38:13.720
Modern SSD's are more reliable than hard drives so there so not be any worry about that – John – 2020-01-13T01:38:35.383
@John SSD have a parameter "TBW" which impact its lifetime too. Consumer 1TB SSD often have like 100TB TBW. – jw_ – 2020-01-13T01:40:20.427
I am not sure I can help further given the constraints and design of Windows logging. My Samsung drive provides up to 2,400 TB TBW which gives it good life – John – 2020-01-13T01:54:24.143
Is this the physical data rate, or to cache? The
C:\suggests the latter, as it refers to a disk partition. – MSalters – 2020-01-13T09:26:39.040Could it be an option to redirect the Logs to another location, maybe an in-memory file or a second HDD or even something like replacing the file with a symlink to something like /dev/null ? This could be easier than disabling all of them. – Falco – 2020-01-13T10:06:59.983
@John I recheck my spec, it is 400TB TBW @ 1T, so the problem is indeed not that much, but really don't want garbage to waste the TBW, and this is only one log – jw_ – 2020-01-13T11:11:40.993
@Falco It's an option, but most log folder can't be renamed/deleted since it is always used by some process, you need to stop the log first to replace it with a symbol link – jw_ – 2020-01-13T11:14:26.000
@MSalters it is the average speed over minutes, so it doesn't matter it is cache or physical. It seems that you can always only get the cache IO speed with standard Windows tools. – jw_ – 2020-01-13T11:17:47.530
2@jw_: It definitely matters. If part of the file is overwritten while still in cache then the original write never hits the disk. This can even happen with caches on the SSD itself (so invisible to the OS). – MSalters – 2020-01-13T11:27:18.763
@MSalters that is a very good point - depending on the cache policy of 1. the logger, 2. File-System-Driver, 3. On Disk Firmware there are at least 3 Levels of Caching, which could prevent any data actually being written to disk at all, while the system is still active, only writing the latest state of the file on shutdown. – Falco – 2020-01-13T12:01:19.413
@Falco MSalters That's interesting, got it now. But there is more concern: What is the cache flush latency when the disk utilization is low and the write queue is very short? May be it just instantly get from file system cache to flash cell and the system may prefer "get it done as soon as possible" policy to get rid the harm of power loss, and since the log data stream is very slow, the chance of instant write is very high. And even more, will the log file be written again and again on the same section between cache flushes? The real TBW could be very near the displayed one, just guess. – jw_ – 2020-01-13T12:33:53.057
13"Although logs is needed for diagnostics, it's better to be turned on only when problem has already occured." Eh?? – Lightness Races with Monica – 2020-01-13T16:43:37.697
@Lightness Races with Monica I mean, for general consumers, commonly there are no problems, and even there are problems, the user don't have the time to check logs and don't want to send logs to MS. And for general users, only problems that occur again and again is treated as a problem. So it may be better to turn log off if possible, and when there are problems and you really need log to solve them, you can turn log on and wait for the next episode. – jw_ – 2020-01-14T02:22:13.080
I think pinging a user requires removing the spaces from their name, e.g. @LightnessRaceswithMonica . – Nat – 2020-01-14T02:26:58.690
@Nat Thanks, got it. – jw_ – 2020-01-14T02:28:13.257
1@Nat Although you're technically correct, you only need the first few characters of their name, and 9 chars are enough, so "@Lightness" works :) – Lightness Races with Monica – 2020-01-14T11:30:18.643
@jw_ Only helps you with recurring/reproducible issues. The whole point of logs is to record data when unexpected things happen. Turning them on after the unexpected thing has happened, is far too late. – Lightness Races with Monica – 2020-01-14T11:31:13.560