{"id":30405,"date":"2023-06-08T00:05:56","date_gmt":"2023-06-07T22:05:56","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=30405"},"modified":"2024-10-05T18:58:26","modified_gmt":"2024-10-05T16:58:26","slug":"windows-temp-folder-flooded-with-host-name-yyymmdd-hhmm-log-files","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/06\/08\/windows-temp-folder-flooded-with-host-name-yyymmdd-hhmm-log-files\/","title":{"rendered":"Windows Temp folder flooded with \"computer name-yyyMMdd-hhmm.log\" files"},"content":{"rendered":"

\"Windows\"[German<\/a>]Another problem in Windows: A German blog reader pointed out to me that besides the Aria-debug-xxx.log<\/em> files I recently discussed, on some machines the TEMP folder is flooded with other log files. These are named according to the scheme computer-name-yyyMMdd-hhmm.log<\/em>. According to my research, the Office Click-to-Run service is likely involved in generating these nonsensical log files.<\/p>\n

<\/p>\n

A reader send me a mail<\/h2>\n

\"\"I had reported in the May 2023 blog post Windows temp folder flooded with Aria-debug-xxx.log files<\/a> that a user had noticed that his Windows Temp<\/em> folder was being flooded with several GByte-sized log files named Aria-debug-xxx<\/em>. It may also affect the TEMP folder in the user's profile, as I read here<\/a>. Based on the article Mark Heitbrink contacted me by mail and wrote:<\/p>\n

Hi,<\/p><\/blockquote>\n

in addition to the Aria* files I could offer files with the scheme \"Computername-yyyMMdd-hhmm.log\" with 56KB. Sometimes a bit bigger, rarely smaller.<\/p>\n

There are 25-35 files created per day and the first one already directly mach the start. In the first 5 minutes about 4 pieces, then every 30-45 minutes (approximately).<\/p>\n

Strictly speaking it is a json
\nName: Office.Telemetry.DynamicConfig.ParseJsonConfig<\/p>\n

Do you know which task is doing this?<\/p><\/blockquote>\n

I found the following screenshot of a folder with these .log files on the internet and included it here in the blog for explanation.<\/p>\n

\".log-Dateien
\n.log files in the temp folder, source:\u00a0Technet<\/a><\/p>\n

Adhoc I could not do anything with this information, because I had not come across these files yet. But then I did some research on the Internet.<\/p>\n

Many hits in the Internet<\/h2>\n

A search on the Internet found several sites that refer to these log files in the Windows Temp folder. On SuperUser.com I found this 7 years old post<\/a>, where a user writes:<\/p>\n

I took a look in my c:\\windows\\temp directory and I found lots of file.log files. The names are built with this syntax: Machinename-YYYYMMDD-XXXX.log.<\/p>\n

And I found this:<\/p>\n

\r\nTimestamp   Process TID Area    Category    EventID Level   Message Correlation\r\n01\/30\/2016 12:43:10.754 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  aqkhc   Medium  {\"MachineID\":\"a3c8037bfedf40479c3023588639eb6d\",\"SessionID\":\"b292f44b-e5a6-41c3-a68e-000582c1e920\",\"GeoID\":\"84\",\"Ver\":\"0.0.0.0\",\"ExeVer\":\"15.0.4787.1002\",\"SecuritySessionId\":\"0\",\"ModulePath\":\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\OfficeC2RClient.exe\",\"CommandLine\":\"\/update SCHEDULEDTASK displaylevel=False\",\"Bitness\":\"64\",\"IntegrityLevel\":\"0x4000\"}  \r\n01\/30\/2016 12:43:10.754 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  aqkhe   Medium  {\"MachineID\":\"a3c8037bfedf40479c3023588639eb6d\",\"SessionID\":\"b292f44b-e5a6-41c3-a68e-000582c1e920\",\"GeoID\":\"84\",\"Ver\":\"0.0.0.0\",\"OSVersion\":\"6.2\",\"SP\":\"0\",\"ProductType\":\"1\",\"ProcessorArch\":\"9\",\"Locale\":\"1036\"}   \r\n01\/30\/2016 12:43:10.770 OFFICEC2 (0xde8)    0xb6c       Click-To-Run Telemetry  amebh   Medium  ClientExe complete. {\"MachineID\":\"a3c8037bfedf40479c3023588639eb6d\",\"SessionID\":\"b292f44b-e5a6-41c3-a68e-000582c1e920\",\"GeoID\":\"84\",\"Ver\":\"15.0.4787.1002\",\"Action\":\"1\",\"Result\":\"0\"}   \r\n01\/30\/2016 12:43:10.770 OFFICEC2 (0xde8)    0xb6c       Logging Liblet  aqc99   Medium  Logging liblet uninitializing.  \r\n<\/code><\/pre>\n
Most of the files are this long but some are much longer. All the logs turn around OFFICE2. Could those logs files come from a malicious program?<\/p><\/blockquote>\n
So the user has the same case as Mark describes. The log excerpt above already suggests that it is somehow related to the telemetry of the Office Click-to-Run service. Also in the Technet forum you can find this thread<\/a> from 2017 where someone describes the effect. Someone there left the following information:<\/p>\n
Based on my deep research, The Microsoft Office ClickToRun Service (ClickToRunSvc) helps manage resource coordination, background streaming, and system integration of Microsoft Office products. As far as I know, this service is required to run during the use of any Microsoft Office program, so you cannot just stop it permanently.<\/p><\/blockquote>\n
It is confirmed that it is Microsoft Office ClickToRun Service (ClickToRunSvc), which is supposed to help Office manage resource coordination, background streaming and system integration of Microsoft Office products. If you turn off the service, no .log files are written – but then Office stops working. The Technet forum post here<\/a> addresses this issue.<\/p>\n
o far I haven't found an option to turn off this logging (the post here only describes how to change the log level). There are hints in this post<\/a> as well, whether they do anything I can't currently test.<\/p>\n
Policies do not help<\/h2>\n
Mark Heitbrink also did some web searching and came across the support post Use policy settings to manage privacy controls for Microsoft 365 Apps for enterprise<\/a>. He writes about it:<\/p>\n
\u00a0I have already deactivated the log options via the two outdated GPO policies:<\/p>\n
User Configuration\\Policies\\Administrative Templates\\Microsoft Office 2016\\Tools | Options | General | Service Options
\nOnline Content und Service Level-Options
\n–>\u00a0 Starting with Version 1904, configuring these two existing policy settings will have no effect on Microsoft 365 Apps for enterprise. They are no longer applicable because their functionality is replaced by these new policy settings:<\/p>\n
Allow the use of connected experiences in Office that analyze content
\nAllow the use of connected experiences in Office that download online content
\nAllow the use of additional optional connected experiences in Office
\nAllow the use of connected experiences in Office<\/p><\/blockquote>\n
<\/a>
\nClick to zoom<\/p>\n
So it doesn't seem to help. Have any of you found a solution to stop logging.<\/p>\n","protected":false},"excerpt":{"rendered":"
[German]Another problem in Windows: A German blog reader pointed out to me that besides the Aria-debug-xxx.log files I recently discussed, on some machines the TEMP folder is flooded with other log files. These are named according to the scheme computer-name-yyyMMdd-hhmm.log. … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,11,2],"tags":[47,125,194],"class_list":["post-30405","post","type-post","status-publish","format-standard","hentry","category-issue","category-office","category-windows","tag-issue","tag-office","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/30405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=30405"}],"version-history":[{"count":1,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/30405\/revisions"}],"predecessor-version":[{"id":35677,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/30405\/revisions\/35677"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=30405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=30405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=30405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}