Windows 8 PID4 Constantly Writing to "wfpdiag.etl"

windows hard-drive

Solution 1:

How's your Japanese: http://blog.livedoor.jp/nichepcgamer/archives/1042899759.html?
Leads to a slightly helpful KB entry: https://support.microsoft.com/en-us/kb/3044882

Consider the following scenario:

  • You have a custom networking application installed on your server.
  • The application captures lots of traffic on the wire.
  • The server may be using a DHCP-assigned IP address.

In this scenario, a large volume of disk I/O may be generated when writes are made to the C:\Windows\System32\wfp\wfpdiag.etl log.
This behavior is by design. When the Port Scanning Prevention Filter is triggered, this typically means that there is no process listening on the port. (For security reasons, WFP blocks process listening.) When a connection is tried on a port where there is no listener, WFP recognizes the packet as if it were coming from a port scanner and therefore silently drops the connection.
If there had been a listener, and the communication was instead blocked because of either malformed packets or authentication, the dropped event would be listed as “DROP” (not silent), and WFP logging would indicate a different filter ID and name.
This filter is built in to the Windows Firewall and Advanced Security (WFAS). It is included in Windows Vista, Windows Server 2008, and later versions of Windows.

The workaround listed lets you guess the registry key, where you are supposed to add dword CollectNetEvents with a value of 0 under.

Fortunately the blogpost hints at netsh, you can dump an .xml of wfpdiag.etl with
netsh wfp show netevents and
disable it with
netsh wfp set options netevents=off from an elevated prompt, which also creates the aforementioned registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy\Options

Note By disabling WFP logging, this only stops the logging of WFP activity in wfpdiag.etl. The Port Scanning Prevention Filter continues to work normally.

Solution 2:

Do you have software called Windows7FirewallControl from Sphinx? Software site: http://www.sphinx-soft.com/Vista/index.html

Some have reported that it was responsible for this write pattern: http://www.vistax64.com/vista-security/68952-wfpdiag-etl-what.html Uninstalling or disabling it stopped the constant write activity to that file.

Related

Maximum Size SDXC card on XP
What happens when Windows 7 system runs out of physical AND pagefile memory?
How to keep rsync over SSH connection permanent - no broken pipe
New build not powering up at all after connecting psu cables to hard drive
Failing to load libGL.so.1 after installing bumblebee
Install rails on Mac OS X
tmux prints "1;2c" whenever I start it or re-attach to a session in cygwin
merge two rows in excel worksheet where one cell has same content but other cells have different content
How do I remove non-ASCII characters from filenames?
Solution to remember a window's size and position for laptop built-in monitor vs external monitor on Windows?
how to paste from byobu's screen buffer (ubuntu 12.04 64bit)
Replacing the pager inside vim?