Event Viewer Channels & Privacy

Selim GURSU
Member, Messages: 35, Reaction score: 0
Hello all.
In the Settings section, under Event Viewer Channels & Privacy,
I leave the settings as they are in NTLite. I don't change anything. Is there any need to change these settings? Thank you.
 
Some users like to block event logging, because they believe it improves performance. Some logging, like diagnostic or security events, is critical if you're trying to debug system problems. Others, like privacy, can be skipped.

Windows can run without it. Whether you have a Windows or 3rd-party app that gets annoyed because it can't read specific event logs to help it determine what to do is another matter. You can disable logging channels, as long as you understand there's always a risk that missing data can prevent a feature from functioning because it interprets logged data.
 
I leave Event Viewer Channels alone. I run a bat script once a day on my PCs that deletes all the logs to prevent them from growing huge. This is where the supposed performance issues may, or may not, arise. I'm really not sure, but I never needed old logs anyway.

But the Settings->Privacy section is the big one, there is a ton of crap to be disabled there. Lots of the spyware and unwanted apps and features get disabled here.
 
I also kept Event Viewer until Nuhi and I talked about it, and he told me it wasn't very useful, so I deleted it.
I never missed it.
 
Indeed, I purge the bugger as well since they don't help me in any sort of way.
 
There are specific Windows functions that work on a publisher/subscriber model. One part of Windows "publishes" events into the channel, and another process listens for specific events. If you completely disable event logging, the pub/sub model stops working. Some parts of Windows that self-tune the system behave that way.

Most of the time you don't notice, until you break the one feature that actually cared about the published events.
 
Happen to know of a feature, program or whatever that would "care" about it being removed, Garlin?
 
Process Monitor and Defender do filtering on ETW events to catch things in progress. Otherwise they would have to intrusively inspect everything in memory, which is an even worse performance hit.

Design issues of modern EDRs: bypassing ETW-based solutions

Disabling some channels like Privacy doesn't really impact Windows, but other channels for system events are obviously more critical for security, because you want to monitor malware based on activity patterns and not just depend on signatures.
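Both points above (self-tuning components subscribing to channels, and Defender or other monitoring filtering on ETW events) come down to the same question: which channels on this machine are still enabled and writing? The following audit script is an added example for this thread, not code from NTLite or from any poster. It reads channel metadata with Get-WinEvent -ListLog and reports enabled state, log mode, configured maximum size, current size and record count, then flags anything disabled or missing. The channel list is an assumption for illustration; the Sysmon channel only exists if Sysmon is installed, the others are built-in Windows channels. Run it from an elevated PowerShell, because reading the Security channel's metadata needs administrator rights.

```powershell
# Added example (not from the thread or from NTLite): audit which event channels are
# enabled and how their retention is configured, so you can see what a "disable logging"
# tweak actually removed. Run elevated; the Security channel's metadata needs admin rights.
# The channel list below is an assumed selection for illustration.

$ChannelsToCheck = @(
    'Security',                                                # logon, audit policy, object access
    'System',                                                  # service and driver state
    'Microsoft-Windows-Windows Defender/Operational',          # detections and engine state
    'Microsoft-Windows-PowerShell/Operational',                # script block logging (event 4104)
    'Microsoft-Windows-Sysmon/Operational',                    # only present if Sysmon is installed
    'Microsoft-Windows-Diagnostics-Performance/Operational'    # boot/shutdown self-tuning data
)

function Get-ChannelAuditReport {
    param([string[]]$Channels = $ChannelsToCheck)

    foreach ($name in $Channels) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if ($null -eq $log) {
            # Channel is not registered at all: its manifest or provider was removed, or the
            # component (e.g. Sysmon) is not installed. A subscriber expecting it gets nothing.
            [pscustomobject]@{
                Channel   = $name
                State     = 'MISSING'
                LogMode   = $null
                MaxSizeMB = $null
                UsedMB    = $null
                Records   = $null
                LastWrite = $null
            }
            continue
        }

        [pscustomobject]@{
            Channel   = $log.LogName
            State     = if ($log.IsEnabled) { 'ENABLED' } else { 'DISABLED' }
            LogMode   = $log.LogMode            # Circular logs overwrite themselves at MaxSize
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
            UsedMB    = if ($null -ne $log.FileSize) { [math]::Round($log.FileSize / 1MB, 1) } else { $null }
            Records   = $log.RecordCount
            LastWrite = $log.LastWriteTime
        }
    }
}

$report = Get-ChannelAuditReport
$report | Format-Table -AutoSize

# Summarise anything a detection or self-tuning subscriber would no longer be able to read.
$broken = @($report | Where-Object { $_.State -ne 'ENABLED' })
if ($broken.Count -gt 0) {
    Write-Warning ("{0} of {1} audited channels are disabled or missing: {2}" -f
        $broken.Count, $report.Count, ($broken.Channel -join ', '))
} else {
    Write-Host "All audited channels are enabled."
}
```

The MaxSizeMB and LogMode columns are the values that actually bound a channel's growth: a Circular channel never exceeds MaximumSizeInBytes, it overwrites its oldest records instead. A channel that shows as DISABLED can be turned back on with wevtutil set-log "<channel name>" /enabled:true; a MISSING one means the provider or its manifest is gone from the image and cannot be re-enabled without restoring the component.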
 
When I use Process Monitor, it's very fast, I haven't noticed any significant resource consumption.
 