Logging WMI Activity
Starting with Windows Vista, the WMI service does not use the WMI Log Files. Instead it uses Event Tracing for Windows (ETW) and events that are available through the Event Viewer UI or the Wevtutil command line tool.
The following sections are discussed in this topic:
- WMI Log Files Before Windows Vista
- Logging Activities for WMI Core Components Before Windows Vista
- Logging Activities for WMI Provider Components Before Windows Vista
- Related topics
The log files created by WMI and various providers record: events, trace or diagnostic data, errors, and various activities. Only administrators have read access to the WMI log folder found at %windir%\system32\wbem\logs.
Only WMI core components or WMI providers write to log files. You can only read or view the data in these logs for diagnostic purposes. You can create and store your own log files in the WMI log directory.
Windows 2000: Non-administrators can read logs in the WMI log folder.
These files do not contain a consistent format that is suitable for reading programmatically. For more information about specific logs, see WMI Log Files.
Logging activities for WMI core components occurs when the following registry keys are set:
- Logging level
Changes to the logging level registry value take effect immediately. No restart of the WMI service is necessary.HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\CIMOM\Logging = 2
The following table lists the logging levels that can be defined in the registry.
Logging level Description 0 No Logging 1 Log only errors 2 Verbose Logging (default)
- Log file location
For changes to log file location to take effect, restart the WMI service.
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory = %windir%\system32\wbem\logs
- Maximum log file size, in bytes
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size = 65536
You can change these registry key values through the Registry Editor or through the WMI snap-in for the Microsoft Management Console.
To set the logging level for WMI before Windows Vista
- Click Start, and then click Run.
- Type wmimgmt.msc
- On the Action menu, click Properties.
- On the Logging tab, set the logging level to Disabled, Enabled, or Verbose.
- In Location:, type the path to the log file folder and in Maximum size (bytes):, set the maximum size, in bytes, of the log file.
For more information about setting the log file properties, see the online Help for the WMI Control application.
When logging for WMI core components is enabled, logging is also enabled for any provider with logging capabilities.
Windows XP and Windows 2000: For Windows XP or earlier, provider logging occurs only when specific registry values in the HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\Provider registry key are set.
The following table lists the required values.
Full path and file name of the log file. The default value is %windir%\system32\wbem\logs. The Type named value must be set to = File for this named value to be used.
A 32-bit logical mask that defines the type of debugging output generated by the provider. This value is provider-dependent. The default value is 0 (zero).
Maximum file size, in bytes, of the log file. This integer value must be in the range 1024 to 2^32-1. When the file size exceeds this value, the file is renamed to ~filename and a new, empty log file is created. The disk space required for the log file is twice the value of MaxFileSize. The default value is 65,535.
Can be set to = File or = Debugger. If set to = File, the trace information is written to the log file specified in the File named value. The default value is = File.
For example, to log query and get instance calls from the View Provider, use the following registry key values. The log will be located in the log folder and will be the default file size.
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\File = C:\Windows\system32\WBEM\Logs\ViewProvider.log
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\Level = 2
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\MaxFileSize = 65535
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\WBEM\PROVIDERS\Logging\ViewProvider\Type = File
Note For your own providers with logging capabilities, you need to write the necessary registry keys and values to enable logging.
Build date: 11/19/2012