Windows log all activity

Logging WMI Activity

The WMI log files are no longer supported. Starting with Windows Vista, WMI uses Event Tracing for Windows (ETW) and events that are available through the Event Viewer UI or the Wevtutil command-line tool. For more information, see the ETW provider and the Wevtutil command-line documentation.

WMI Log Files Before Windows Vista

The log files created by WMI and various providers record: events, trace or diagnostic data, errors, and various activities. Only administrators have read access to the WMI log folder found at %windir%\system32\wbem\logs.

Only WMI core components or WMI providers write to log files. You can only read or view the data in these logs for diagnostic purposes. You can create and store your own log files in the WMI log directory.

Logging Activities for WMI Core Components Before Windows Vista

These files do not contain a consistent format that is suitable for reading programmatically. For more information about specific logs, see WMI Log Files.

Logging activities for WMI core components occurs when the following registry keys are set:

Changes to the logging level registry value take effect immediately. No restart of the WMI service is necessary.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging = 2

The following list lists the logging levels that can be defined in the registry.

Logging level Description
0 No Logging
1 Log only errors
2 Verbose Logging (default)

Log file location

For changes to log file location to take effect, restart the WMI service.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory = %windir%\system32\wbem\logs

Maximum log file size, in bytes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size = 65536

You can change these registry key values through the Registry Editor or through the WMI snap-in for the Microsoft Management Console.

To set the logging level for WMI before Windows Vista

  1. Click Start, and then click Run.
  2. Type wmimgmt.msc
  3. On the Action menu, click Properties.
  4. On the Logging tab, set the logging level to Disabled, Enabled, or Verbose.
  5. In Location:, type the path to the log file folder and in Maximum size (bytes):, set the maximum size, in bytes, of the log file.

For more information about setting the log file properties, see the online Help for the WMI Control application.

Logging Activities for WMI Provider Components Before Windows Vista

When logging for WMI core components is enabled, logging is also enabled for any provider with logging capabilities.

The following list lists the required values.

File

Full path and file name of the log file. The default value is %windir%\system32\wbem\logs. The Type named value must be set to = File for this named value to be used.

Level

A 32-bit logical mask that defines the type of debugging output generated by the provider. This value is provider-dependent. The default value is 0 (zero).

MaxFileSize

Maximum file size, in bytes, of the log file. This integer value must be in the range 1024 to 2^32-1. When the file size exceeds this value, the file is renamed to

filename and a new, empty log file is created. The disk space required for the log file is twice the value of MaxFileSize. The default value is 65,535.

Type

Can be set to = File or = Debugger. If set to = File, the trace information is written to the log file specified in the File named value. The default value is = File.

For example, to log query and get instance calls from the View Provider, use the following registry key values. The log will be located in the log folder and will be the default file size.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\File = C:\Windows\system32\WBEM\Logs\ViewProvider.log

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\Level = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\MaxFileSize = 65535

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\Type = File

For your own providers with logging capabilities, you need to write the necessary registry keys and values to enable logging.
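The registry values described in the two sections above (WMI core components and provider components) can be reviewed in one pass. The following read-only PowerShell script is an added example, not part of the original documentation; the function names are hypothetical, and the check that a provider log file sits under the default log folder is an assumption based on the statement that only administrators can read that folder.

```powershell
# Added example (read-only): report the pre-Vista WMI logging registry values
# named on this page. Nothing is written to the registry.
$CimomKey    = 'HKLM:\SOFTWARE\Microsoft\WBEM\CIMOM'
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging'
$DefaultDir  = Join-Path $env:windir 'system32\wbem\logs'
$LevelNames  = @{ '0' = 'No logging'; '1' = 'Log only errors'; '2' = 'Verbose logging (default)' }

function Get-WmiCoreLogging {          # hypothetical helper name
    $p = Get-ItemProperty -Path $CimomKey -ErrorAction SilentlyContinue
    if (-not $p) { return }
    $level   = [string]$p.Logging      # cast covers string or numeric storage
    $meaning = 'Unknown value'
    if ($LevelNames.ContainsKey($level)) { $meaning = $LevelNames[$level] }
    New-Object PSObject -Property @{
        Level      = $level
        Meaning    = $meaning
        Directory  = $p.'Logging Directory'
        MaxSize    = $p.'Log File Max Size'
        LoggingOff = ($level -eq '0')  # level 0 means core logging is disabled
    }
}

function Get-WmiProviderLogging {      # hypothetical helper name
    if (-not (Test-Path $ProviderKey)) { return }
    Get-ChildItem -Path $ProviderKey | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        $notes = @()
        if ($v.Type -and @('File', 'Debugger') -notcontains $v.Type) {
            $notes += "Type '$($v.Type)' is not File or Debugger"
        }
        if ($null -ne $v.MaxFileSize) {
            $size = $v.MaxFileSize -as [int64]   # $null if the value is not numeric
            if ($null -eq $size -or $size -lt 1024 -or $size -gt 4294967295) {
                $notes += 'MaxFileSize outside 1024..2^32-1'
            }
        }
        if ($v.File -and -not $v.File.StartsWith($DefaultDir, [StringComparison]::OrdinalIgnoreCase)) {
            $notes += 'log file is outside the default WMI log folder'
        }
        New-Object PSObject -Property @{
            Provider = $_.PSChildName; Level = $v.Level; Type = $v.Type
            File = $v.File; MaxFileSize = $v.MaxFileSize; Notes = ($notes -join '; ')
        }
    }
}

Get-WmiCoreLogging | Format-List
Get-WmiProviderLogging | Format-Table Provider, Level, Type, File, Notes -AutoSize
```

Run it from an elevated prompt; a provider row with a non-empty Notes column is worth a closer look before relying on that provider's log.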

Windows 10 activity history and your privacy

Activity history helps keep track of the things you do on your device, such as the apps and services you use, the files you open, and the websites you browse. Your activity history is stored locally on your device, and if you’ve signed in to your device with a Microsoft account and given your permission, Windows sends your activity history to Microsoft. Microsoft uses the activity history data to provide you with personalized experiences (such as ordering your activities based on duration of use) and relevant suggestions (such as anticipating what your needs might be based on your activity history).

The following Windows 10 features use your activity history. Be sure to refer back to this page following future releases and updates to Windows to learn what additional services and features use your activity history:

Timeline. See a timeline of activities and be able to resume those activities from your device. For example, let’s say that you were editing a Word document on your device, but you were unable to finish before you had to leave the office for the day. If you selected the Store my activity history on this device check box on the Activity history settings page, you would see that Word activity in your timeline the following day, and for the next several days, and from there, you could resume working on it. If you selected the Send my activity history to Microsoft check box and you were unable to finish before you had to leave the office for the day, not only would you see that Word activity in your timeline for up to 30 days, but you could also resume working on it later from another device.

Cortana. When collecting activity history only on your device, Cortana lets you pick up where you left off on that device. If you choose to send your activities to the cloud, you can pick up where you left off with activities you started on other devices. Cortana will notify you about those activities so you can resume them quickly on your device, and with sync turned on, across your other devices. Note that for the cross-device “Pick up where you left off” experience to work you need to have the Browsing history permission turned On in Cortana. To do this, open Cortana’s home from the search box on the taskbar, and then select Settings > Cortana > Permissions > Manage the information Cortana can access from this device > Browsing history.

Microsoft Edge. When you use Microsoft Edge, your browsing history will be included in your activity history. Activity history will not be saved when browsing with InPrivate tabs or windows.

If you’ve signed in to your device with a Microsoft account and enabled the setting to send Microsoft your activity history, Microsoft uses your activity history data to enable cross-device experiences. So even when you switch devices, you will be able to see notifications about your activities and resume them. For example, your activity history can also be sent to Microsoft when using another Windows 10 device or certain Microsoft apps on an iOS or Android device. You can continue activities that you started from those other devices on your Windows device. Initially, this will be limited to Microsoft Edge mobile, but will soon include Office mobile apps like Word, Excel, and PowerPoint.

Microsoft will also use your activity history to improve Microsoft products and services when the setting for sending your activity history to Microsoft is enabled. We do this by applying machine-learning techniques to better understand how customers in general use our products and services. We also diagnose where customers encounter errors and then help fix them.

Regarding multiple accounts: Activity history is collected and stored locally for each local account, personal Microsoft account (MSA), or work or school account (AAD) that you have associated with your device in Settings > Accounts > Email & accounts. When you choose to send your activity history to Microsoft, activities from the primary account on that device are sent to Microsoft. If you have more than one device, and you have multiple accounts on one or more of those devices, you can see activity history from your second device’s primary account on the first device (as a secondary account). You can also see these accounts under Settings > Privacy > Activity history, where you can filter out activities from specific accounts from showing in your timeline. Hiding an account does not delete the data on the device, nor in the cloud. See the following section for more details on managing your data.

To learn more about how Microsoft products and services use this data to personalize experiences while respecting your privacy, see the Privacy Statement.

Manage activity history settings

On your device

To stop saving activity history locally on your device, select Start, then select Settings > Privacy > Activity history. On this page, clear the Store my activity history on this device check box.

If you turn this setting off, you won’t be able to use any of the on-device features that rely on activity history, such as your timeline or Cortana’s “Pick up where you left off” feature. You will still be able to see your browsing history in Microsoft Edge.

In previous versions of Windows, this setting was called Let Windows collect my activities from this PC.

To stop sending your activity history to Microsoft, select Start, then select Settings > Privacy > Activity history. On this page, clear the Send my activity history to Microsoft check box.

If you turn this setting off, you won’t be able to use a full 30 days in your timeline or get cross-device activity experiences.

In previous versions of Windows, this setting was called Let Windows sync my activities from this PC to the cloud.

Windows has additional privacy settings that control whether app activity and browsing history data is sent to Microsoft, such as the Diagnostic data setting.

If you have a personal Microsoft account (MSA), you can manage the activity history data that is associated with your Microsoft account in the cloud by selecting Manage my Microsoft account activity data. Once you’ve signed in to the privacy dashboard, select the Activity history tab, and then select the data you want to manage.

If you have a work or school account, you can clear and delete both the activity history stored on your device and sent to the Microsoft cloud. Select Start, then select Settings > Privacy > Activity history. Under Clear activity history, select Clear.

If you have multiple accounts, and your work or school account (AAD) is the primary account on the device, then clearing your activity history will delete any of your work and/or school (AAD) activity history that is synced to the cloud. To manage your personal Microsoft account (MSA) activity history data in the cloud, select Manage my Microsoft account activity data. If you have multiple accounts (MSA/AAD) but your personal account (MSA) is your primary account on the device, and you want to delete your AAD activities, go to your other device where your work/school (AAD) account is primary, and then clear your activity history on that device.

In your timeline, you can clear individual activities, or all activities from an individual day. To do so, right-click an activity and select the option you prefer.

On your mobile device (iOS and Android)

Some apps like Microsoft Edge mobile (iOS and Android) will let you turn off browser history sharing. For other apps like Microsoft Office, you can sign out of the app from which you no longer want to send activity history to Microsoft. You can manage activity history data that is stored in the cloud for your Microsoft account by selecting Manage my Microsoft account activity data.

Windows Setup Log Files and Event Logs

Windows® Setup creates log files for all actions that occur during installation. If you are experiencing problems installing Windows, consult the log files to troubleshoot the installation.

Windows Setup log files are available in the following directories:

Log location before Setup can access the drive.

Log location when Setup rolls back in the event of a fatal error.

Log location of Setup actions after disk configuration.

Used to log Plug and Play device installations.

Location of memory dump from bug checks.

Location of log minidumps from bug checks.

Location of Sysprep logs.

Windows Setup Event Logs

Windows Setup includes the ability to review the Windows Setup performance events in the Windows Event Log viewer. This enables you to more easily review the actions that occurred during Windows Setup and to review the performance statistics for different parts of Windows Setup. You can filter the log to view only the items that you are interested in. The Windows Setup performance events are saved into a log file that is named Setup.etl, which is available in the %WINDIR%\Panther directory of all installations. To view the logs, you must use the Event Viewer included with the Windows media that corresponds to the version of the customized image that you are building.

To view the logs on a computer that does not include the corresponding kit, you must run a script from the root of the media that installs the Event Trace for Windows (ETW) provider. From the command line, type:

where D is the drive letter of the Windows DVD media.

To view the Windows Setup event logs

Start the Event Viewer, expand the Windows Logs node, and then click System.

In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By default, this file is available in the %WINDIR%\Panther directory.

The log file contents appear in the Event Viewer.

To export the log to a file

From the command line, use the Wevtutil or Tracerpt commands to save the log to an .xml or text file. For information about how to use these tools, see the command-line Help. The following commands show examples of how to use the tools:
