如何禁用 Windows 10 系统日志

默认情况下，Windows 有大量的日志文件，不断地写入数据。

有两种方法可以阻止这种搅动：

停止在 Windows 过滤平台 (WFP) 中记录“审核成功”，仅记录“审核失败”

• 以管理员身份打开 CMD 提示符：按Windows，键入cmd，按Ctrl+ Shift+Enter并确认。
• 键入（或复制/粘贴）以下内容并按Enter： auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

如果此操作成功，预计会记录更少的事件。

禁用单个日志

• 打开 Windows 事件查看器：按WindowsR、键入eventvwr.msc并按Enter。
• 向下滚动到Application and Service Logs, Microsoft, Windows, WFP。
• 右键单击日志进程并选择Disable Log。

按名称搜索事件日志的一个有用工具是 Nirsoft 的完整事件日志视图。

去铁杆：

如果要禁用特定事件日志记录，请转到事件查看器并右键单击要删除的事件日志。单击Event Properties。

应该会打开一个新窗口 - 单击XML view，您可以在其中看到事件的 GUID。我们将尝试根据此 GUID 在注册表中查找事件日志记录服务。并非所有事件都有此 GUID，我们无法在注册表中找到每个 GUID。

获得 GUID 后，我们导航到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Systemin regedit，然后在圆括号内搜索我们的 GUID。

如果我们找到它，我们可以继续更改 Enabled 和 EnabledProperty 键：

"Enabled"=dword:0
"EnableProperty"=dword:0

我想我想出了如何将 NetCore.etl 写入硬盘而不是 ssd。我运行了性能监视器（一个 Windows 应用程序），深入到 Data Collector Sets | Event Trace Sessions，右键NetCore，在弹出的菜单中点击Properties，点击Directory选项卡，浏览到想要的文件夹。根据资源监视器的说法，时间会证明更改是否是永久性的，但目前正在将日志写入我的硬盘 E:。

如果希望完全停止编写 NetCore.etl，单击停止而不是属性可能会停止它。但我不太相信这种变化会是永久性的。某些应用程序可能会重新启动它，也许下次重新启动 Windows 时。如果有人尝试这个，我希望他/她能在这个帖子中发布结果。

其他几个日志文件可以以类似的方式重定向（或停止）。

回覆。原始帖子：Windows 事件日志确实会随着时间的推移将大量数据写入磁盘；并且有很多用例非常不希望这样做；例如无法维护的嵌入式系统，磁盘磨损是一个问题，资源非常宝贵，因此尽可能减少所有不必要的 i/o 是可取的。

还有一些用户用例，其中无法控制 Windows 事件日志记录是典型的 Microsoft 方式、用户恶意设计，因为不再有任何简单的方法可以在不需要、不想要并且实际上是一种责任时暂停日志记录。已经有很多迂回的尝试，例如通过暂停线程进行的尝试，但没有一个可以可靠地用于暂停 Windows 事件日志记录。

一种可能适用于只想减少磁盘磨损的方法是使用 Windows UWF 或统一写入过滤器重定向到小型 RAM 磁盘，但要在任何通用计算应用程序中实现这一点，您将编辑广泛的排除列表 - - 这既费时又麻烦，又符合微软的用户恶意体验。

微软对这个问题完全置若罔闻，或者完全漠不关心；开发人员得到相同的罐头 smarmy '让它成为美好的一天' 用户做的回答。因此，任何人发现的任何廉价和肮脏的黑客都将受到欢迎和赞赏。

方法 1) 不推荐：禁用“Windows 事件日志”服务并重新启动。但在 win7 上将禁用 TaskScheduler（和碎片整理磁盘）。win10 上最差的将禁用网络列表和设备自动设置。

方法2）以管理员身份运行此批处理：

      rem https://docs.microsoft.com/en-us/windows/win32/fwp/auditing-and-logging
      rem https://social.technet.microsoft.com/Forums/en-US/ec2b033f-3e9b-4727-88d2-e6e358393734/how-to-disable-stop-windows-filtering-platform-filtering-platform-packet-drop
      rem  ALL
    Auditpol /set /category:* /Success:disable /failure:disable
      rem FIREWALL
    auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
    auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
    auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
      rem https://thesystemengineers.wordpress.com/2014/05/08/the-best-advanced-audit-script-and-advanced-audit-policy-i-use/
      rem http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
    auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
    auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
    auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
    auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
    auditpol /set /subcategory:"SAM" /success:disable /failure:disable
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
      rem may be enabled on failure
    auditpol /set /subcategory:"Other System Events" /success:disable /failure:disable
      rem Usually all enabled
    auditpol /set /subcategory:"Account Lockout" /success:disable /failure:disable
    auditpol /set /subcategory:"Application Generated" /success:disable /failure:disable
    auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Audit Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Authentication Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Authorization Policy Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Certification Services" /success:disable /failure:disable
    auditpol /set /subcategory:"Computer Account Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Credential Validation" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
    auditpol /set /subcategory:"Directory Service Changes" /success:disable /failure:disable
    auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"File Share" /success:disable /failure:disable
    auditpol /set /subcategory:"File System" /success:disable /failure:disable
    auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
    auditpol /set /subcategory:"Kernel Object" /success:disable /failure:disable
    auditpol /set /subcategory:"Logoff" /success:disable /failure:disable
    auditpol /set /subcategory:"Logon" /success:disable /failure:disable
    auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Account Logon Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Account Management Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Process Creation" /success:disable /failure:disable
    auditpol /set /subcategory:"Process Termination" /success:disable /failure:disable
    auditpol /set /subcategory:"RPC Events" /success:disable /failure:disable
    auditpol /set /subcategory:"Registry" /success:disable /failure:disable
    auditpol /set /subcategory:"Security Group Management" /success:disable /failure:disable
    auditpol /set /subcategory:"Security State Change" /success:disable /failure:disable
    auditpol /set /subcategory:"Security System Extension" /success:disable /failure:disable
    auditpol /set /subcategory:"Special Logon" /success:disable /failure:disable
    auditpol /set /subcategory:"System Integrity" /success:disable /failure:disable
    auditpol /set /subcategory:"User Account Management" /success:disable /failure:disable
      rem Apply immediatly
    gpupdate /force

方法 3) 创建文件夹 C:\TEMP
打开 regedit。导航并将选择器放置在此分支上 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
右键单击​​并将选定的分支导出到 C:\TEMP\WMI_backup.reg（将保留此作为备份）右键单击并将选定的分支导出到 C： \TEMP\WMI_disable.reg，关闭 regedit 用 TEXTPAD 编辑器打开 C:\TEMP\WMI_disable.reg：

  Search and Replace, enable Regular Expressions, SEARCH:
^(?!("Enabled"|"EnableProperty"|\[|\n|Windows)).+\n
  Replace with:
(empty)
  REPLACE ALL
  Second Search and replace, Search:
dword:.+
  Replace with:
dword:00000000
  REPLACE ALL
  Third (optional) Search and replace, Search:
(^\[.*(?:\n*\h*)*)+(^\[.*)
  Replace with:
$+
  REPLACE ALL
  Save and exit.

应用生成的 .REG，除非使用 nirsoft advancedrun 作为系统用户输入，否则某些键将不会应用：

AdvancedRun_x64.exe /EXEFilename "%windir%\regedit.exe" /CommandLine "c:\TEMP\WMI_disable.reg" /RunAs 8 /Run

替换说明：第一个将消除所有不以下列之一开头的行：[; “启用”；“启用属性”；视窗; （空的）

第二次搜索会将所有剩余的 Execute dword:xxxxxxxx 更改为 dword:00000000

第三个（可选清理）搜索以 [... 开头的连续行并保留最后一个

方法 4) 与方法 3 相同，但使用密钥：[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT]

方法 5) 应用这个 .REG 文件来禁用某些日志，不要重置 START 的：EventLog-Application、EventLog-Security、EventLog-System

    Windows Registry Editor Version 5.00

    ;* no autolog
    ; https://www.reddit.com/r/Windows10/comments/8lpttt/howto_make_w10_log_less_prune_the_amount_of/
    ; https://gist.github.com/FadeMind/9500d49948654b50aa870706a8ac9f04
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppModel]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppPlat]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Audio]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener]
    ;* Disables %systemroot%\System32\LogFiles\WMI\Diagtrack-Listener.etl
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderApiLogger]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DiagLog]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\FamilySafetyAOT]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NtfsLog]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RadioMgr]
    ;* Disables %SystemRoot%\System32\LogFiles\WMI\RadioMgr.etl
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM]
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog]
    ; Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\WiFiSession]
    ;+ Disables Event Trace Session in Perfmon Data Collector Sets
    "Start"=dword:00000000

感谢其他人提供有用的信息，我创建了一个批处理脚本来禁用几乎所有日志。

注意 1：Xbox 应用程序需要游戏服务跟踪日志，因此它不包含在我的脚本中，如果您不使用 Xbox 应用程序，只需将其卸载或禁用游戏服务并重新启动以禁用此类跟踪。

注意 2：即使您禁用相关的事件日志注册表（包含在我的脚本中），UBPM 跟踪也不会禁用。我听说它结合到内核中。

注意 3：脚本必须作为Trustedinstaller运行才能正常工作，否则访问某些密钥会被拒绝。如果您的系统环境变量中有Nsudo路径，则脚本使用 Nsudo 作为 Trustedinstaller 自行运行，否则您需要使用 Nsudo 或 AdvancedRun 等手动运行脚本作为 Trustedinstaller。

这是我的脚本，用于自动查找注册表中的所有记录器并禁用它们（我将其分为 2 部分以便更容易理解，如果您有 Nsudo，请将 2 部分合并到一个批处理文件中，否则您需要将第 2 部分作为 Trustedinstaller 运行手动）：

第 1 部分）检查并作为 Trustedinstaller 运行自身

@echo off
setlocal & set runState=user
whoami /groups | findstr /b /c:"Mandatory Label\High Mandatory Level" > nul && set runState=administrator
whoami /groups | findstr /b /c:"Mandatory Label\System Mandatory Level" > nul && set runState=TISYSTEM
echo [42m Running in state: "%runState%" [0m
if "%runState%"=="TISYSTEM" (goto gotTISYSTEM) else (NSudoLG.exe -U:T -P:E -UseCurrentConsole "%~0" %* && exit /b)
:gotTISYSTEM
echo [42m Running as TtustesInstaller.[0m

第 2 部分）获得 Trustedinstaller 权限（主要工作）

@echo off
echo [33m Auto-find and Disable all WMI\AutoLogger [0m
echo [33m find all Auto-Loggers and set Enabled to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Enabled" /t REG_DWORD /d 0 /f
echo.
echo [33m find all Auto-Loggers and set Start to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /s /f "Start"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Start" /t REG_DWORD /d 0 /f
echo.
echo.
echo.
echo [33m Auto-find and Disable all WINEVT [0m
echo [33m find all WINEVT items and set Enabled to 0[0m
for /f "usebackq tokens=1*" %%a in (`reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT" /s /f "Enabled"^| findstr "HKEY"`) do reg add "%%a %%b" /v "Enabled" /t REG_DWORD /d 0 /f
echo.
pause
exit

Extra step: some loggings arennt related to windows (like .Net apps that create some logs into C:\USERS\Your_User_Name\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS), how we stop such thing? answer: by fooling windows, i learned it from someone in Ntlite forum, just delete that folder (for example USAGELOGS), then create new text document but without extension and then rename it to that folder name, windows thinks that folder is existed so prevents you and apps from creating new folder with that name so apps cant create logs into that folder :)

im trying to create a script for this part too, i will update my post when it's ready.

更新 1 ：在此处使用新脚本以避免在禁用/启用以太网网络适配器时破坏它的问题。如果您不使用以太网或不禁用它（始终打开），您仍然可以使用旧脚本甚至更多地抑制记录器。