How to enable diagnostic logging for the Windows Security app

This article describes how to enable diagnostic logging for the Windows Security app.

Applies to:   Windows Server 2016, Windows 10, version 1809
Original KB number:   3155606

Summary

This article describes how to enable diagnostic logging for the Windows Security app in Windows 10.

More information

To enable diagnostic logging for the Windows Security app, save the following content as a *.reg file, and then import the key:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WscLogger]
"GUID"="{FFFAC41B-9B97-4DCA-98CE-611471DF0F85}"
"FileName"="%SystemRoot%\\System32\\LogFiles\\WMI\\WscTrace.etl"
"ClockType"=dword:00000002
"Start"=dword:00000001
"Status"=dword:00000000
"MaxFileSize"=dword:00000000
"FlushTimer"=dword:00000001
"LogFileMode"=dword:10000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WscLogger\{1B0AC240-CBB8-4d55-8539-9230A44081A5}]
"Enabled"=dword:00000001
"EnableFlags"=dword:0000ffff
"EnableLevel"=dword:0000000f
"MatchAnyKeyword"=hex(b):ff,ff,ff,ff,00,00,00,00

For information about how to import registry data, see Import some or all of the registry.

The resulting log files are designed to be consumed by internal Microsoft teams, and they cannot be converted for use by using public tools.

After you create these keys, you have to restart the computer, and then data capture will start immediately. The data capture will occur across reboots and operating system upgrades.

To stop logging, change the Enabled value under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WscLogger{1B0AC240-CBB8-4d55-8539-9230A44081A5}