Windows Temp folder flooded with "computer name-yyyMMdd-hhmm.log" files

Posted on 2023-06-08 by guenni

Windows[German]Another problem in Windows: A German blog reader pointed out to me that besides the Aria-debug-xxx.log files I recently discussed, on some machines the TEMP folder is flooded with other log files. These are named according to the scheme computer-name-yyyMMdd-hhmm.log. According to my research, the Office Click-to-Run service is likely involved in generating these nonsensical log files.

Advertising

A reader send me a mail

I had reported in the May 2023 blog post Windows temp folder flooded with Aria-debug-xxx.log files that a user had noticed that his Windows Temp folder was being flooded with several GByte-sized log files named Aria-debug-xxx. It may also affect the TEMP folder in the user's profile, as I read here. Based on the article Mark Heitbrink contacted me by mail and wrote:

Hi,

in addition to the Aria* files I could offer files with the scheme "Computername-yyyMMdd-hhmm.log" with 56KB. Sometimes a bit bigger, rarely smaller.

There are 25-35 files created per day and the first one already directly mach the start. In the first 5 minutes about 4 pieces, then every 30-45 minutes (approximately).

Strictly speaking it is a json
Name: Office.Telemetry.DynamicConfig.ParseJsonConfig

Do you know which task is doing this?

I found the following screenshot of a folder with these .log files on the internet and included it here in the blog for explanation.

.log-Dateien im Temp-Ordner
.log files in the temp folder, source: Technet

Adhoc I could not do anything with this information, because I had not come across these files yet. But then I did some research on the Internet.

Many hits in the Internet

A search on the Internet found several sites that refer to these log files in the Windows Temp folder. On SuperUser.com I found this 7 years old post, where a user writes:

Advertising

I took a look in my c:\windows\temp directory and I found lots of file.log files. The names are built with this syntax: Machinename-YYYYMMDD-XXXX.log.

And I found this:


Timestamp   Process TID Area    Category    EventID Level   Message Correlation
01/30/2016 12:43:10.754 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  aqkhc   Medium  {"MachineID":"a3c8037bfedf40479c3023588639eb6d","SessionID":"b292f44b-e5a6-41c3-a68e-000582c1e920","GeoID":"84","Ver":"0.0.0.0","ExeVer":"15.0.4787.1002","SecuritySessionId":"0","ModulePath":"C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe","CommandLine":"/update SCHEDULEDTASK displaylevel=False","Bitness":"64","IntegrityLevel":"0x4000"}  
01/30/2016 12:43:10.754 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  aqkhe   Medium  {"MachineID":"a3c8037bfedf40479c3023588639eb6d","SessionID":"b292f44b-e5a6-41c3-a68e-000582c1e920","GeoID":"84","Ver":"0.0.0.0","OSVersion":"6.2","SP":"0","ProductType":"1","ProcessorArch":"9","Locale":"1036"}   
01/30/2016 12:43:10.770 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  amebh   Medium  ClientExe complete. {"MachineID":"a3c8037bfedf40479c3023588639eb6d","SessionID":"b292f44b-e5a6-41c3-a68e-000582c1e920","GeoID":"84","Ver":"15.0.4787.1002","Action":"1","Result":"0"}   
01/30/2016 12:43:10.770 OFFICEC2 (0xde8)    0xb6c       Logging Liblet  aqc99   Medium  Logging liblet uninitializing.

Most of the files are this long but some are much longer. All the logs turn around OFFICE2. Could those logs files come from a malicious program?

So the user has the same case as Mark describes. The log excerpt above already suggests that it is somehow related to the telemetry of the Office Click-to-Run service. Also in the Technet forum you can find this thread from 2017 where someone describes the effect. Someone there left the following information:

Based on my deep research, The Microsoft Office ClickToRun Service (ClickToRunSvc) helps manage resource coordination, background streaming, and system integration of Microsoft Office products. As far as I know, this service is required to run during the use of any Microsoft Office program, so you cannot just stop it permanently.

It is confirmed that it is Microsoft Office ClickToRun Service (ClickToRunSvc), which is supposed to help Office manage resource coordination, background streaming and system integration of Microsoft Office products. If you turn off the service, no .log files are written – but then Office stops working. The Technet forum post here addresses this issue.

o far I haven't found an option to turn off this logging (the post here only describes how to change the log level). There are hints in this post as well, whether they do anything I can't currently test.

Policies do not help

Mark Heitbrink also did some web searching and came across the support post Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise. He writes about it:

 I have already deactivated the log options via the two outdated GPO policies:

User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Tools | Options | General | Service Options
Online Content und Service Level-Options
–>  Starting with Version 1904, configuring these two existing policy settings will have no effect on Microsoft 365 Apps for enterprise. They are no longer applicable because their functionality is replaced by these new policy settings:

Allow the use of connected experiences in Office that analyze content
Allow the use of connected experiences in Office that download online content
Allow the use of additional optional connected experiences in Office
Allow the use of connected experiences in Office


Click to zoom

So it doesn't seem to help. Have any of you found a solution to stop logging.

Cookies helps to fund this blog: Cookie settings
Advertising

This entry was posted in issue, Office, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *